Nikto Cheat Sheet
- The cheat sheet contains info about the following topics: Basic Linux Networking Tools (ip, dig), Information Gathering (whois, CT logs, subdomain enumeration), TCP Tools (ncat), TLS Tools (openssl, ncat, sslyze, socat), HTTP Tools (python webserver, curl, nikto, gobuster). Feb 18, 2014: Nikto is not designed as a stealthy tool.
- Nmap + Nikto scan. Scans for HTTP (web) servers on port 80 and pipes the grepable output into Nikto for scanning: nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h - . The same approach scans for HTTP/HTTPS servers on ports 80 & 443 and pipes them into Nikto.
- Hacking/OSCP Cheatsheet
- Enumeration
- Network discovery
- Ports discovery (without nmap)
- Banner grabbing (without nmap)
- Web directory/file scanner
- Samba
- Exfiltration
- Samba
- HTTP
- Pivoting
- sshuttle
- Reverse shells
- Privilege escalation
- Windows
- Linux
- Good to know (either Windows and/or Linux)
- Simple Buffer Overflow (32 bits, NO ASLR and NO DEP)
- Useful tools (on Kali Linux)
- Enumeration
April 8, 2014. Enumeration. Masscan (local): masscan -p1-65534 --rate=10000 -oG name.masscan 10.10.10.10. Netdiscover: netdiscover -i eth0. That's exactly where cheat sheets come in handy! Hacking Tools Cheat Sheet: I created a cheat sheet that contains many of the commands and tools we often use during penetration tests, security assessments or red teaming engagements. It covers the following topics: Basic Linux Networking Tools (ip, dig).
Well, I just finished my 90-day journey through the OSCP labs, so here is my cheat sheet for it (and for hacking in general). I will be adding stuff incrementally as I find time and/or learn new things. These are basically the tools I tend to rely on and the way I use them most. Hope it is helpful for you!
Enumeration
Network discovery
Nmap
I tend to run three nmap scans in parallel: an initial quick one, a full port scan and a UDP scan:
It is also possible to specify scripts or ports:
If there are hosts that might not answer ping, add the -Pn flag (example for the initial scan):
Ports discovery (without nmap)
nc + bash
If you land on a machine that doesn't have nmap installed, you can do a basic discovery of, for example, the top 10 ports open in 192.168.30 by doing:
/dev/tcp/ip/port or /dev/udp/ip/port
Alternatively, you can do the same as above using the special device files /dev/tcp/ip/port or /dev/udp/ip/port (useful when nc is not available):
Taking these last examples, it is straightforward to write a small script that scans a whole /24 network (for example):
Banner grabbing (without nmap)
If nmap didn't grab banners (or is not installed), you can do it with /dev/tcp/ip/port, /dev/udp/ip/port or by using telnet.
/dev/tcp/ip/port or /dev/udp/ip/port
For UDP ports the procedure is the same, just replace tcp with udp:
telnet
Web directory/file scanner
Gobuster
Scan for directories/files by extension:
To scan without extensions, just drop the -x option.
Nikto
Sometimes Nikto shows juicy information; I tend to run it like this:
ffuf
Web fuzzer; you can get ffuf here. It basically brute-forces directories.
Most useful dictionaries (OSCP/HTB)
Samba
smbclient
Check if there is anonymous login enabled:
impacket
It is also possible to use impacket in the same way as smbclient to check for anonymous login (and do a lot more, such as browsing the shares) in case of incompatible versions.
smbmap
Check which permissions we have on those shares (if there are any):
Version (nmap didn't detect it)
Sometimes nmap doesn't show the version of Samba on the remote host. If this happens, a good way to find out which version it is running is to capture traffic with Wireshark against the remote host on 445/139 while running smbclient -L in parallel; do a "Follow TCP Stream" and the server version is often visible in the negotiation.
Exfiltration
Samba
Generate a samba server with Impacket:
Mount in Windows
Mounting it in Windows with Powershell:
Mounting it without Powershell:
On Windows, to list mounted shares, either with PowerShell or without it:
Mount in Linux
cifs-utils needs to be installed; to install it (on Debian-based systems):
To mount it:
To list mounted shares:
HTTP
From your local attacker machine, create an HTTP server with:
It's also possible to specify which path to share, for example:
Windows
Linux
FTP
If there is an FTP server we have access to, we can upload files through it; the command is the same for both Windows and Linux:
Sockets
Using nc/ncat it is possible to create a listener to upload/download files; the syntax for nc and ncat is basically the same. Create the socket with:
RDP
If we have access to a Windows machine with valid credentials and the user is in the "Remote Desktop Users" group, we can share a local directory as a mounted volume through RDP itself once we connect to the machine:
Pivoting
It's possible to pivot using proxychains, plain nc, or on Linux just some FIFO files (I may write these other methods down in the future). During the whole OSCP I used an awesome tool called [sshuttle](https://github.com/sshuttle/sshuttle) (a transparent proxy that works like "a VPN" and doesn't require root privileges; the only requirement is that the bastion server you use has Python installed), and sometimes plain SSH forwarding. Worth mentioning: nmap doesn't work through sshuttle.
sshuttle
One hop
Let's say we are in an intranet and have compromised a firewall that gives us access to the management network (fw.example.mgmt - IPs 192.168.20.35 and 192.168.30.253 as the management IP). Using sshuttle we can create a "VPN" to talk directly to those servers; for that, we use:
Multi-hops
Now imagine that after breaking into the management network and doing some enumeration, we end up compromising a machine that also has access to a production environment (foreman.example.mgmt - IPs 192.168.30.40 and 192.168.25.87). We can take advantage of sshuttle plus the ProxyCommand option of ssh to create a "VPN" through multiple hops. Put simply, it looks roughly as follows (the diagram is extremely simplified and only meant to illustrate this visually; it is not a precise network diagram):
To get that working, put the following configuration in your ssh config file (normally ~/.ssh/config). It is based on the example above, but is easy to adapt to different scenarios:
And now, to set up the "multiple hop VPN", run:
Reverse shells
php
bash
sh + nc
Perl (example deploy as cgi-bin)
Java (example to deploy on tomcat)
Windows HTTP download reverse shell
Windows staged reverse TCP
Windows stageless reverse TCP
Linux staged reverse TCP
Linux stageless reverse TCP
Privilege escalation
Windows
Run-As
Incorrect permissions in services (sc config binpath)
binpath is set to run cmd.exe, passing it a command to execute, so that once the service process dies, the process launched by cmd.exe (the command) remains:
SAM + SYSTEM + Security
If you get hold of those three files (you can download them to your attacker machine), you can dump the hashes and crack them:
Linux
/home/user/openssl =ep (empty capabilities)
Make two copies of passwd, one as a backup of the original and one that will be used as the custom file:
Now a custom user will be created and added to /tmp/passwd.custom with customPassword as password and as a root user (UID = GID = 0):
Now create a custom key.pem and cert.pem with openssl:
Encrypt the new custom passwd:
Now decrypt the custom passwd, overwriting the real one (/etc/passwd) in the process:
And finally, just log in as the user created with root privileges using customPassword:
Command web injection: add user
NFS: no_root_squash,insecure,rw
If /etc/exports has a line like:
then NFS is being exported with root squashing disabled and you have SSH access to the machine. From your attacker machine, while logged in as the root user, run:
Now from inside an SSH session on the victim machine (in this example 192.168.42.32):
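As a defender-side check for the export misconfiguration described above, here is an added audit script (not part of the original cheat sheet) that parses /etc/exports-style lines and flags every client clause that disables root squashing, listing which of the risky options (no_root_squash, insecure, rw) it carries. The export lines embedded below are constructed sample input.

```python
"""Audit NFS export lines for clauses with root squashing disabled.

Added example; the SAMPLE_EXPORTS text is constructed, not taken from any real host.
"""
import re

# Options the cheat sheet calls out as the dangerous combination.
RISKY_OPTIONS = {"no_root_squash", "insecure", "rw"}

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/share   *(rw,sync,no_root_squash,insecure)
/home        192.168.42.0/24(rw,sync,root_squash)
/backup      192.168.42.32(ro,no_root_squash)
/tmp/nfs     *(rw,no_subtree_check)
"""

CLAUSE_RE = re.compile(r"([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client clause."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clauses = parts[0], parts[1:]
        for clause in clauses:
            match = CLAUSE_RE.match(clause)
            client = match.group(1) or "*"  # "(opts)" with no host means everyone
            options = {opt for opt in (match.group(2) or "").split(",") if opt}
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, sorted risky options) for clauses without root squashing.

    Remediation is to drop no_root_squash (root_squash is the default) and to avoid
    exporting writable shares to '*' or with 'insecure'.
    """
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, client, sorted(options & RISKY_OPTIONS)))
    return findings


if __name__ == "__main__":
    for path, client, risky in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} exported to {client} with {','.join(risky)}")
```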
Good to know (either Windows and/or Linux)
Arch cross compile exploit (and diff glibc version)
IP restriction at application level, bypass
Try sending the request with an added HTTP header such as:
Windows - check OS information
Windows - check architecture
PowerShell running as 32 or 64 bits
Linux LFI - interesting files to look for
Simple Buffer Overflow (32 bits, NO ASLR and NO DEP)
Summarized steps
- 0 - Crash the application
- 1 - Fuzzing (find the approximate number of bytes at which the crash took place)
- 2 - Find offset
- 3 - EIP control
- 4 - Check for enough space on buffer
- 5 - Badchars counting
- 6 - Find return address (JMP ESP)
- 7 - Create payload
Fuzzing: example with vulnserver + spike on TRUN command
Now start Wireshark filtering on the target IP/port below and run trun.spk:
Once a crash takes place, go to Wireshark to locate the request that caused it.
Badchars
From the block below, the following were left out (the most common badchars):
So, the actual list of badchars:
Useful tools (on Kali Linux)
create_pattern
pattern_offset
nasm_shell
msfvenom
Shellcode POC: calc.exe
port scanning
Nmap
Network exploration tool and security/port scanner.
Unicornscan
A port scanner that utilizes its own userland TCP/IP stack, which allows it to run asynchronous scans. It can scan 65,535 ports in a relatively short time frame.
Netcat
Netcat might not be the best tool for port scanning, but it is quick to use. While Netcat scans TCP ports by default, it can perform UDP scans as well.
1.1.3 TCP Scan
For a TCP scan, the format is:
1.1.4 UDP Scan
For a UDP port scan, we need to add the -u flag, which makes the format:
Amap - Application mapper
Identifies which services are running on a given port.
DNS enumeration
DNS Server
If the targeted machine is running a DNS server and we have a possible domain name, we may try to figure out A, MX and AAAA records, or try a zone transfer to discover other possible domain names.
Example:
SSL Certificate
If the targeted machine is running an HTTPS server and we get an Apache default page when hitting https://IPAddress, virtual hosts are probably in use. Check the alt-dns-name in the SSL certificate, create an entry in the hosts file (/etc/hosts) and check what is being hosted on those domain names by browsing to https://alt-dns-name.
nmap service scan result for port 443 (sample)
Scanning Structure
Google-Vulns
It is suggested that whenever you google something, you add words such as vulnerability, exploit, ctf, github, python, tool etc. to your search term. For example, if you are stuck in a Docker container or on a specific CMS, search for "docker ctf" or "<cms_name> ctf/github" etc.
Webservices
Use whatweb to find out what software stack a server is running.
1.3.3 nikto
nikto - Scans a web server for known vulnerabilities.
It will examine a web server to find potential problems and security vulnerabilities, including:
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs
1.3.4 dirb, wfuzz, dirbuster
Furthermore, we can run the following programs to find hidden directories.
- DIRB is a web content scanner. It looks for existing (and/or hidden) web objects. It basically works by launching a dictionary-based attack against a web server and analysing the responses.
- wfuzz - a web application brute-forcer. Wfuzz is useful when you are looking for a page of a certain size. For example, say dirb finds 50 directories, each containing an image, and we need to figure out which image is different. In that case we determine the size of the normal image and hide responses of that size with wfuzz.
- DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers.
- Gobuster is a tool used to brute-force URIs (directories and files) on web sites and DNS subdomains (with wildcard support). (golang can be installed using apt-get.)
1.3.5 BurpSuite Spider
There will be cases where dirb/dirbuster doesn't find anything. This happened to us on a Node.js web application; Burp Suite's spider helped find extra pages which contained the credentials.
1.3.6 PUT Method
Sometimes it is also a good idea to check which HTTP verbs are available, such as GET, PUT, DELETE, etc. This can be done by making an OPTIONS request. curl can be used to check the available options (supported HTTP verbs):
The PUT method allows uploading a file, which can help us get a shell on the machine. Multiple methods for uploading a file with the PUT method are described in "Detecting and exploiting the HTTP PUT Method".
A few are:
- Nmap:
- curl:
or
1.3.7 Wordpress
When faced with a website that uses the WordPress CMS, run wpscan. Make sure you run it with --enumerate u to enumerate usernames, because wpscan doesn't do this by default. Also, scan for plugins.
We can also use wpscan to brute-force passwords for a given username.
Secploit Terminal Search Engine
It is a web tool made to make it easy to search using tags or an exploit name,
or to search for a specific vulnerability in specific software easily, using tag support.
searchsploit
Offline Exploit Database archive search for vulnerable software, shells and papers.
Once we have figured out which exploit to check, we can read about it using the file number, for example 1997, 2017, 24574 in the above case.
Searchsploit provides an option to read the nmap XML file and suggest vulnerabilities (requires nmap -sV -oX xmlfile).
PHP Web Shell
or
or
which can then be accessed by
If there's a web page which accepts PHP code to be executed, we can use curl to URL-encode the payload and run it.
- PHP Meterpreter
We can set the multi-handler in metasploit by
PHP Reverse Shell
The code below assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4 or 5 or 6.
Ruby
Perl
Python
TCP
UDP
Java
JSP
Bash
If a server (attacker machine) is listening on a port:
then we can use the below to connect
Method 1:
Method 2:
Method 3:
Telnet Reverse Shell
XTerm
To catch the incoming xterm, start an X-Server:
You'll need to authorize the target to connect to you (command also run on your host):
Lynx
MYSQL
- If we have a MySQL shell via sqlmap or phpMyAdmin, we can use the MySQL OUTFILE/DUMPFILE functionality to upload a shell.
or
- If you have an SQL shell from sqlmap/phpMyAdmin, we can read files using the LOAD_FILE function.
Reverse Shell from Windows
Executable Meterpreter Payloads
Secploit Online Reverse Shell Generator
You can also generate any type by choosing bash, python, ruby, etc.