Useful cheat sheets for scanners found in Kali.

Nmap: OS Detection

OS detection lets you identify the operating system of a scanned host. For example, when scanning a host you may find out that it is running a very outdated version of Windows 7. Knowing this, you can then start researching exploits for that version of Windows 7.

How does it work? Nmap sends packets to the target machine and expects a response to each packet. Nmap then takes the details of those responses and compares them against its fingerprint database. To run an OS scan you need to pass the -O option to nmap. Nmap gives you a percentage match for each operating system it considers.
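Because nmap only reports a percentage match, the useful next step on the defender's side is to turn a scan of your own network into an inventory that separates confident matches from guesses. The following Python is an added example (not from the original cheat sheet): it parses the XML that `nmap -O -oX` writes, keeps the best-scoring osmatch per host, and flags hosts whose best match is below a confidence threshold or names a product on an assumed end-of-life list. The sample XML and the END_OF_LIFE_MARKERS list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -O -oX -` output; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX - 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows 7 SP1" accuracy="96"/>
      <osmatch name="Microsoft Windows Server 2008 R2" accuracy="92"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <os>
      <osmatch name="Linux 5.4 - 5.10" accuracy="100"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <os>
      <osmatch name="FreeBSD 12.X" accuracy="85"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
    <os/>
  </host>
</nmaprun>
"""

# Assumed list of vendor-unsupported product names; maintain it from vendor lifecycle data.
END_OF_LIFE_MARKERS = ("Windows XP", "Windows 7", "Windows Server 2008")


def parse_os_matches(xml_text):
    """Map each IPv4 address to its <osmatch> candidates, best accuracy first."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        matches = [(m.get("name"), int(m.get("accuracy", "0")))
                   for m in host.findall("os/osmatch")]
        matches.sort(key=lambda m: m[1], reverse=True)
        results[addr.get("addr")] = matches
    return results


def triage_host(matches, min_accuracy=90):
    """Return (verdict, best_name, accuracy) for one host's candidate list."""
    if not matches:
        return ("unknown", None, 0)          # nmap printed no osmatch at all
    name, accuracy = matches[0]
    if accuracy < min_accuracy:
        return ("low-confidence", name, accuracy)  # a guess, not an identification
    if any(marker in name for marker in END_OF_LIFE_MARKERS):
        return ("end-of-life", name, accuracy)
    return ("supported", name, accuracy)


def triage_report(xml_text, min_accuracy=90):
    return {addr: triage_host(matches, min_accuracy)
            for addr, matches in parse_os_matches(xml_text).items()}


if __name__ == "__main__":
    for addr, (verdict, name, accuracy) in triage_report(SAMPLE_XML).items():
        print(f"{addr:<14} {verdict:<14} {accuracy:>3}%  {name or '-'}")
```

Run a real scan with `sudo nmap -O -oX scan.xml TARGETS` and feed the file's contents to triage_report; the 90% threshold is a starting point, and a host with two candidates only a few points apart deserves manual confirmation before anything is concluded from it.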
It is highly unlikely that it will retrieve a 100% match with every operating system.

Syntax

Basic OS scan:
    sudo nmap -O -sV IP

Limits which targets OS detection is run against (good when there are too many targets):
    sudo nmap -O --osscan-limit IP

Faster and more aggressive scan; however, some ports might be missed:
    sudo nmap -O --osscan-guess IP

Nmap: Scripting Engine

The Nmap Scripting Engine allows users to run custom and community-generated scripts. Scripts are identified by the .nse extension. To find scripts already installed in Kali, run locate .nse. Specific types of scripts can be found using keywords, for example: locate '*http*.nse'. Note: it may be necessary to run sudo updatedb first.

Cheat Sheet

Basic syntax:
    nmap -sV -sC 192.168.1.1

To run a specific script against a target, the name of the script must be specified in the command:
    nmap -sV --script http-sql-injection.nse 192.168.1.1

For help using a particular script:
    nmap --script-help http-sql-injection.nse

Specify arguments to achieve the desired behaviour. These can be set using the --script-args option:
    nmap --script http-wordpress-brute.nse --script-args 'passdb=passwords.txt' 192.168.1.1

Syntax for using mysql-dump-hashes.

Nikto

Nikto is a tool used to identify vulnerabilities in a web/application server.
Web server scanning and IP scanning are often the first steps taken during the enumeration phase of a pen test. Nikto also identifies potential vulnerabilities on the server; these may be displayed as an Open Source Vulnerability Database entry (e.g. OSVDB-0000).

Scanners of this kind tend to rely on HTTP status codes to determine whether a file or directory exists. For domains with custom 404 error pages that return a 200 status code, extra options can be used to determine that a file is actually missing.

Forced browsing is a technique used to brute-force directories on a web server via a wordlist. This is useful for discovering hidden files and folders that are not listed on or linked from the main domain.

Cheat Sheet

To scan a particular host:
    nikto -h IP

To scan a host on multiple ports:
    nikto -h IP -port PORT1,PORT2,PORT3

To scan a host and output fingerprinted information to a file:
    nikto -h IP -output OUTPUTFILE

To use a proxy while scanning a host:
    nikto -h IP -useproxy PROXYADDRESS

To scan and check whether the web server is running the latest version, use the outdated plugin:
    nikto -h IP -Plugins outdated

WPScan

Definition.
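The status-code caveat above is where most false positives in web-scanner reports come from: a server that answers every unknown path with 200 and a friendly "not found" page makes every wordlist entry look present. The following Python is an added example, not Nikto's code and not part of the original cheat sheet, showing how to establish a baseline for that behaviour before trusting status codes: it requests a few random paths that cannot exist, checks whether they all come back with the same non-404 page, and if so decides existence by comparing each response body against that catch-all page instead. The in-memory fake server, the page bodies and the 0.8 similarity threshold are constructed for the example so it runs offline.

```python
import difflib
import secrets

# Constructed page bodies; stand-ins for a server's real responses (no network access).
WELCOME = ("<html><head><title>Welcome</title></head><body><h1>Example Corp</h1>"
           "<p>Product news and support.</p></body></html>")
CATCH_ALL = ("<html><head><title>Oops - page not found</title></head><body>"
             "<nav>Home | Products | Support | Contact</nav>"
             "<p>Sorry, we could not find the page {path}. Try the search box below.</p>"
             "<footer>&copy; Example Corp</footer></body></html>")


def make_fake_server(known_pages, soft_404):
    """Return fetch(path) -> (status, body). With soft_404=True, unknown paths get 200 plus a catch-all page."""
    def fetch(path):
        if path in known_pages:
            return (200, known_pages[path])
        if soft_404:
            return (200, CATCH_ALL.format(path=path))
        return (404, "<html><body><h1>404 Not Found</h1></body></html>")
    return fetch


def similarity(a, b):
    # autojunk=False: on long HTML bodies the default heuristic would treat common characters as junk
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def probe_not_found(fetch, probes=3):
    """Ask for paths that cannot exist and record how the server answers them."""
    return [fetch("/" + secrets.token_hex(8) + ".html") for _ in range(probes)]


def uses_soft_404(samples, threshold=0.8):
    """True when missing resources come back with a non-404 status and one near-identical body."""
    if all(status == 404 for status, _ in samples):
        return False
    bodies = [body for _, body in samples]
    # A catch-all page differs between probes only in the echoed path, so bodies stay very similar
    return all(similarity(a, b) >= threshold for a, b in zip(bodies, bodies[1:]))


def resource_exists(fetch, path, samples, threshold=0.8):
    """Trust status codes when the baseline shows they are reliable; otherwise compare against the catch-all body."""
    status, body = fetch(path)
    if status == 404:
        return False
    if not uses_soft_404(samples, threshold):
        return status < 400
    catch_all_body = samples[0][1]
    return similarity(body, catch_all_body) < threshold


if __name__ == "__main__":
    for label, soft in (("strict 404s", False), ("custom 404 page with status 200", True)):
        fetch = make_fake_server({"/index.html": WELCOME}, soft_404=soft)
        samples = probe_not_found(fetch)
        print(label, "| soft-404:", uses_soft_404(samples),
              "| /index.html:", resource_exists(fetch, "/index.html", samples),
              "| /secret.html:", resource_exists(fetch, "/secret.html", samples))
```

Against a real host you would replace make_fake_server with a function that performs the HTTP request and returns (status, body); the baseline samples should be taken once per site and reused, since a catch-all page that varies per request (timestamps, CSRF tokens) can push the similarity below the threshold and needs a looser value.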
WordPress has many third-party themes and plugins; with this third-party code comes the possibility of vulnerabilities. WPScan is a command line tool that is included in pentesting distributions like Kali Linux. It is formed of two parts: wpvulndb and WPScan.

wpvulndb

The WPScan Vulnerability Database is a website that lists all known vulnerabilities in WordPress core, plugins and themes. For each vulnerability it lists basic details like the impacted versions and their release dates. It does not contain any exploit code or links to exploit code; there are separate resources for this data (searchsploit and Msfconsole: Exploit).

WPScan

WPScan is the command line tool that uses the database and other plugins to scan WordPress sites for known vulnerabilities. The main options for WPScan are:
    wpscan OPTIONS --url TARGET_IP_OR_URL

Users
Using the -e u or --enumerate u option, WPScan can generate a list of usernames. With this list of usernames there is also a brute-force plugin that will try wordlists against each of the discovered accounts.
    wpscan -e u --url TARGET_IP_OR_URL

Plugins
Using the -e p or --enumerate p option, WPScan will look for installed plugins and attempt to get their version number. The default option is to only scan for common plugins that have a vulnerability. You can override this with the -e ap option.
    wpscan -e p --url TARGET_IP_OR_URL

Themes
Using the -e t or --enumerate t option, WPScan will look for installed themes and list any vulnerabilities that it finds.
    wpscan -e t --url TARGET_IP_OR_URL

There are many more options that can be used with WPScan; use the --help option to view them.

OpenVAS

Definition.
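The user enumeration and brute-force behaviour described above leaves a recognisable trail in a site's web server logs, which is what a defender running WordPress will want to alert on. The following Python is an added example (not WPScan's code and not from the original cheat sheet): it parses Apache/nginx combined-format access log lines and flags a client that walks through author ids, requests the REST users endpoint, or posts to the login form many times. Which requests WPScan actually sends is not stated on this page; the three patterns, the thresholds and the "wpscan" User-Agent check are assumptions of the example, and the log lines are constructed, not captured traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines. 203.0.113.5 walks author ids, hits the REST users endpoint and
# then hammers the login form; 198.51.100.7 is an ordinary visitor who logs in once;
# 192.0.2.9 gives itself away only through a scanner-like User-Agent.
_BASE = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [_BASE.format(ip="203.0.113.5", sec=s, method="GET", path=f"/?author={i}", status=301, ua="Mozilla/5.0")
     for s, i in enumerate(range(1, 6))]
    + [_BASE.format(ip="203.0.113.5", sec=6, method="GET", path="/wp-json/wp/v2/users", status=200, ua="Mozilla/5.0")]
    + [_BASE.format(ip="203.0.113.5", sec=7 + s, method="POST", path="/wp-login.php", status=200, ua="Mozilla/5.0")
       for s in range(12)]
    + [_BASE.format(ip="198.51.100.7", sec=20, method="GET", path="/2023/10/hello-world/", status=200, ua="Mozilla/5.0"),
       _BASE.format(ip="198.51.100.7", sec=21, method="POST", path="/wp-login.php", status=302, ua="Mozilla/5.0"),
       _BASE.format(ip="192.0.2.9", sec=30, method="GET", path="/readme.html", status=200, ua="WPScan v3.8.22")]
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, author_threshold=3, login_threshold=10):
    """Return {ip: [reasons]} for clients whose request pattern looks like enumeration or brute force."""
    author_ids = defaultdict(set)   # ip -> distinct ?author= values requested
    login_posts = defaultdict(int)  # ip -> POSTs to the login endpoints
    rest_users = set()
    scanner_ua = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        ids = parse_qs(url.query).get("author")
        if ids:
            author_ids[rec["ip"]].update(ids)
        if url.path.startswith("/wp-json/wp/v2/users"):
            rest_users.add(rec["ip"])
        if rec["method"] == "POST" and url.path in ("/wp-login.php", "/xmlrpc.php"):
            login_posts[rec["ip"]] += 1
        if "wpscan" in rec["ua"].lower():  # weak signal: a User-Agent is trivially changed
            scanner_ua.add(rec["ip"])
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author-id enumeration ({len(ids)} ids)")
    for ip in sorted(rest_users):
        findings[ip].append("REST users endpoint requested")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"login brute force ({n} POSTs)")
    for ip in sorted(scanner_ua):
        findings[ip].append("scanner User-Agent")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are per log file here; in production you would count per client within a sliding time window, and the rate signals (author ids, login POSTs) are the ones worth alerting on, since the User-Agent match only catches scans that were not bothered to hide.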
Security cheat sheets for Ethical Hacking and Penetration Testing by sniferl4bs. This cheat sheet is especially for penetration testers, CTF participants and security enthusiasts.

Nikto Cheat Sheet: Nikto scanner cheat sheet. man nikto can also be used on Kali.
Sqlmap Cheat Sheet: Sqlmap scanner cheat sheet. man sqlmap can also be used on Kali.

Identify the devices on the network by performing a ping scan:
    nmap NETWORK/24 -sn

After finding the devices, perform a service/port scan for each device.
Download Backtrack. The current version at the time of writing is BT4 Pre-Final. This document is based on BT4 Pre-Final; ergo, some of the instructions below may not work with other versions of BT. FYI: an excellent guide about Backtrack 4 also exists.

1. Installing Backtrack to a hard drive (using Ubiquity)

Boot from the Backtrack DVD and choose "Start Backtrack in Text Mode". Backtrack will boot and will automatically end up at a root prompt.
Launch the GUI by running 'startx'.
Open a Konsole and run 'ubiquity'.
At the "Language crashed" dialog, choose "Continue anyway".
Set the timezone and choose the keyboard layout.
Let Backtrack partition the disk ('Use entire disk').
Enter the new user account information. (Pick a strong password, as this will be the user account used to log on to Backtrack.)
Review the installation summary and press "Install" to start the installation.
Reboot when the installation has completed.
Log in with the newly created user and change the password for root ('sudo passwd root').

Installing VirtualBox guest additions (if you have installed BT on VirtualBox):
In VirtualBox, select "Devices - Install Guest Additions".
Open a Konsole, mount the cdrom ('mount cdrom') and run 'sudo /media/cdrom/VBoxLinuxAdditions-x86.run'.
Reboot ('sudo reboot').

2. Running Backtrack from USB (with support for persistent changes)

This procedure only works for Backtrack 4 Pre-Final. You need a 4 GB (or bigger) USB stick to run BT4 Pre-Final. Boot Backtrack and insert the USB. In my test environment, I'm running BT on VirtualBox.

    cd /
    umount /mnt/sda1

Boot a computer from this newly created USB and verify that BT works, and that changes are written onto the USB.

Alternatively, you can create a USB-based BT from Windows by using UNetbootin (Windows). Partition the USB drive (as explained above), run UNetbootin, select the BT4 Pre-Final ISO file, select the USB drive and install. After the installation, find syslinux.cfg in the root of the first partition on the USB. Edit the file and add the vga=0x317 parameter after "Start Persistent Live CD" (under label ubnentry4). At the top of the file, set default to ubnentry4. Save the file and you're all set.

3. Networking and Network Services

Networking
By default, DHCP (or networking for that matter) is disabled. You need to run '/etc/init.d/networking start' to start networking.

Install Nessus Server

    root@bt4-1:/tmp# ls Nessus* -al
    -rw-r--r-- 1 root root 3002846 Jul  4 15:46 Nessus-4.0.1-ubuntu810i386.deb
    -rw-r--r-- 1 root root  500624 Jul  4 15:46 NessusClient-4.0.1-ubuntu810i386.deb
    root@bt4-1:/tmp#
    root@bt4-1:/tmp# dpkg --install Nessus-4.0.1-ubuntu810i386.deb
    Selecting previously deselected package nessus.
    (Reading database ... 183074 files and directories currently installed.)
    Unpacking nessus (from Nessus-4.0.1-ubuntu810i386.deb) ...
    Setting up nessus (4.0.1) ...

    nessusd (Nessus) 4.0.1. for Linux
    (C) 1998 - 2009 Tenable Network Security, Inc.

    - Please run /opt/nessus/sbin/nessus-adduser to add a user
    - Register your Nessus scanner at http://www.nessus.org/register/ to obtain
      all the newest plugins
    - You can start nessusd by typing /etc/init.d/nessusd start

    root@bt4-1:/tmp#

Install Nessus Client

Before installing the client, you will need to install some dependencies.
    root@bt4-1:/tmp# apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done

Create the Nessus SSL certificate

    root@bt4-1:/tmp# /opt/nessus/sbin/nessus-mkcert
    -------------------------------------------------------------------------------
    Creation of the Nessus SSL Certificate
    -------------------------------------------------------------------------------

    This script will now ask you the relevant information to create the SSL
    certificate of Nessus. Note that this information will *NOT* be sent to
    anybody (everything stays local), but anyone with the ability to connect to your
    Nessus daemon will be able to retrieve this information.

    CA certificate life time in days [1460]:
    Server certificate life time in days [365]:
    Your country (two letter code) [FR]: BE
    Your state or province name [none]: WVL
    Your location (e.g. town) [Paris]: Deerlijk
    Your organization [Nessus Users United]: Corelan

    Congratulations. Your server certificate was properly created.

    The following files were created :

    . Certification authority :
       Certificate = /opt/nessus/com/nessus/CA/cacert.pem
       Private key = /opt/nessus/var/nessus/CA/cakey.pem

    . Nessus Server :
       Certificate = /opt/nessus/com/nessus/CA/servercert.pem
       Private key = /opt/nessus/var/nessus/CA/serverkey.pem
    root@bt4-1:/tmp#

Create a Nessus user

    root@bt4-1:/tmp# /opt/nessus/sbin/nessus-adduser
    Login : MyGreatNessusAdminUser
    Authentication (pass/cert) [pass] : pass
    Login password :
    Login password (again) :
    Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y

    User rules
    ----------
    nessusd has a rules system which allows you to restrict the hosts
    that peter has the right to test. For instance, you may want
    him to be able to scan his own host only.

    Please see the nessus-adduser manual for the rules syntax

    Enter the rules for this user, and enter a BLANK LINE once you are done :
    (the user can have an empty rules set)

    Aborted by end-user.

Register/update plugins

Get yourself a key that will provide access to the free home update feed. You will receive an email that contains the feed code. Install/register the code with the following command (this also updates the plugins at the same time):

    root@bt4-1:/tmp# /opt/nessus/bin/nessus-fetch --register PUT-YOUR-CODE-HERE
    Your activation code has been registered properly - thank you.
    Now fetching the newest plugin set from plugins.nessus.org...
    Your Nessus installation is now up-to-date.
    If autoupdate is set to 'yes' in nessusd.conf, Nessus will
    update the plugins by itself.

Verify that "autoupdate" in /opt/nessus/etc/nessus/nessusd.conf is set according to the behaviour you want to achieve.
If you want to manually update the plugins, you can run:

    # Time to wait before reading the airodump output. 23 seconds/sleeps should be safe on a
    # default aircrack-ng installation, which updates the .csv files every 20 seconds
    my $airodumpwait = 23;
    # Initial airodump scan duration (sleeps) when trying to build the target AP list
    my $scanduration = 23;

8. Installing/Running in VMware, but KDE resolution is bad?

Run 'fixvmware'.

9. Log on in KDE with root (dangerous! But if you still want to do it)

Edit /etc/kde3/kdm/kdmrc and set the following parameters: