Sep 14, 2020


Tools and Commands learned from PTS → elearnsecurity:-

NOTE:- This write-up is just my notes for the PTS course. It is not a substitute for what is offered by eLearnSecurity.


a. google.com:- site:company.com

b. dnsdumpster.com

c. virustotal.com

4. Nessus:- is a vulnerability assessment scanner.

Once we download the Nessus package from https://www.tenable.com/

Open the terminal and type:- sudo dpkg -i <path of the downloaded file>

To start Nessus type:- sudo service nessusd start, then open:- https://www.tenable.com/

5. Dirbuster:- is a tool to find hidden files and directories on websites.

6. ophcrack:- is a rainbow-table password cracking tool.

Commands (Linux OS):-

11. To send error messages to /dev/null instead of viewing them in the output:- 2>/dev/null

12. To perform a ping scan using nmap:- nmap -sn <ip-address/range>

13. To read the IP range for nmap from a file:- nmap -iL <file path>

14. To do passive (offline) fingerprinting use:- p0f

15. To do active operating system fingerprinting use:- nmap -O

16. To limit the operating system scan:- nmap -O --osscan-limit

17. To scan using nmap without the ping (host discovery) step:- nmap -Pn

18. To do a TCP connect scan using nmap:- nmap -sT

19. To do a SYN scan using nmap:- nmap -sS

20. To do a version detection scan using nmap:- nmap -sV

21. To do a port scan and specify the port numbers using nmap:- nmap -p <ports>

22. To see the reason nmap reports a port in a given state:- nmap --reason

23. To scan a large company network use:- masscan

24. To do signature-based fingerprinting of web servers using httprint:-

httprint -P0 -h <target> -s <signature file>

HTTP verbs:-

GET: to request web pages and pass arguments.
POST: to submit data in web forms.
HEAD: to show only the headers of the responses.
PUT: to upload files to web servers.
DELETE: to remove a file from web servers.
OPTIONS: to query the web server for enabled HTTP verbs.

25. To view the size in bytes of a file:- wc -c file (-m counts characters rather than bytes)

TCP connection between client and server.
UDP connection between client and server.
TCP connection between client and server and executing shell commands.

26. To use the command-line counterpart of Dirbuster:- dirb <target>

27. To automate a SQL injection attack on a GET request using sqlmap:-

sqlmap -u [url] -p [parameter] [options]

28. To automate a SQL injection attack on a POST request using sqlmap:-

sqlmap -u [url] --data=[POST string] -p [parameter] [options]

29. John the Ripper is an extremely popular password-cracking tool

--list=formats → to view the hash formats john supports → john --list=formats

To crack passwords → unshadow passwd shadow > <file to crack>

To perform pure brute forcing → john --incremental --users=<user list> <file to crack>

To display the passwords john has cracked → john --show <file to crack>

To perform a dictionary attack → john --wordlist[=<word list file>] <file to crack>

To do word mangling → --rules

30. Tool used to attack network authentication (login brute forcing):- hydra

31. Tool to display information about the target (file share) using the Samba suite:- nmblookup -A <ip address>

32. Tool to access file shares using the Samba suite:- smbclient -L \\\\<ip address>\\share-name -N

33. To automate null session exploitation:- enum4linux -n


cd /usr/share/doc/python3-impacket/examples/

python3 samrdump.py


nmap --script=smb-enum-shares → to check for null sessions

nmap --script=smb-enum-users → to enumerate users

nmap --script=smb-enum-brute → to perform a brute force attack

ARP spoofing attack:-

34. To enable Linux kernel IP forwarding:- echo 1 > /proc/sys/net/ipv4/ip_forward

Or, via sudo:-

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

35. To intercept traffic on a switched LAN using the Dsniff tools (MITM attack):- arpspoof -i <interface> -t <target> -r <host>

36. To start msfconsole:- msfconsole

Common Meterpreter configurations:-

38. To update the Metasploit framework:- sudo apt update ; sudo apt install metasploit-framework

39. To perform faster searches we use the PostgreSQL service; to start it:- sudo service postgresql start

40. To initialise the Metasploit database (run before starting Metasploit):- sudo msfdb init

41. To check if the machine is vulnerable to known vulnerabilities, from inside msfconsole:- nmap --script smb-check-vulns.nse --script-args=unsafe=1 <ip target>

42. To show known vulnerabilities using nmap:- sudo nmap -p 445 --script vuln <ip target>

43. To connect to a machine using telnet:- telnet <ip address> -l <username>


The code on the attacker's server that saves the cookies received from the victim's browser.
The code inserted into the website to infect it.

2. SQL injection

a. or 1=1;-- -

b. ' UNION SELECT null, null;-- -

Sometimes we need to put ' before the injection statement and sometimes not (it depends on whether the injected parameter sits inside quotes in the query), so we had better try both.
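As an added example (not from the course or these notes), the Python script below builds a constructed SQLite table and shows why the leading ' matters: an unquoted numeric parameter accepts the payload as-is, a quoted string parameter needs the ' to close the literal, and a parameterised query neutralises both. The table, user names and function names are all made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table (hypothetical data, not from the course).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def vulnerable_by_id(conn, user_id):
    # Numeric context: the input lands unquoted in the SQL, so a payload such
    # as "0 or 1=1-- -" changes the WHERE clause without any leading quote.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def vulnerable_by_name(conn, name):
    # String context: the input sits between single quotes, so a payload must
    # start with ' to close the literal; "-- -" comments out the trailing quote.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_by_name(conn, name):
    # Parameterised query: the value is bound by the driver and never parsed
    # as SQL, so the same payloads simply match no row.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_by_id(db, "0 or 1=1-- -"))     # every user
    print(vulnerable_by_name(db, "' or 1=1-- -"))   # every user
    print(vulnerable_by_name(db, "' UNION SELECT role FROM users-- -"))
    print(safe_by_name(db, "' or 1=1-- -"))         # []
```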

Commands (Windows OS):-

2. Tool to enumerate the shares:- NET VIEW <ip target>

3. To connect to a file share with no username and password, to check for a null session:- NET USE \\<ip target address>\IPC$ "" /u:""

4. To exploit a null session and enumerate file shares:- enum -S

5. To automate null session exploitation:- winfo -n

6. To escalate privileges (Meterpreter command):- getsystem


Created on 14 September 2020

Edited on 6 October 2020