Penetration Testing Notes - to be updated, a bit messy

About these notes

“The mechanic, who wishes to do his work well, must first sharpen his tools.” - the Analects of Confucius · Wei Linggong

Finally found a good place to store the notes in one single place that is easy for me to reference. Here I put every note I have for a normal network penetration test. It also serves as preparation for OSCP and OSCE; hope you find it convenient during the test as well.



SAMBA:

  • subterfuge ; #Internal network pentest (MITM)
  • msfconsole
  • /pentest/exploits/set/set
  • /pentest/exploits/fasttrack/
  • easy-creds ; #Man in the middle, ARP spoofing and more
  • /pentest/exploits/isr-evilgrade/evilgrade ; #Upgrade with exploits
  • /pentest/sniffers/ghost-phisher/ ; #Phishing with ARP spoofing, DNS spoofing, etc.
  • /opt/scripts ; #Convenience scripts
  • #Internal testing: Press s -> ./ (Best framework yet)
  • /pentest/exploits/websploit/websploit ; #Exploits on web (Autopwn and more)

Turn on Remote Desktop from the command line

(may not work properly)

Imagine that you've managed to connect to a Windows 2003 server via the command line, but it isn't running Remote Desktop. Sounds a little odd, I know, but as a dedicated user of Metasploit this will happen to you, believe me. It took some time to work out how to enable Remote Desktop from the command line; no amount of Googling seemed to provide a solution, so here is one. You will need an Administrator (or better, SYSTEM) shell on the server. How to get one, and how to add a new user, is described elsewhere on this site, so let's assume you have it. First, check whether Terminal Services is running at all:

c:\ net start

(output cut for brevity) Good, so the Terminal Services service is started. However, that service also drives the console session on the server, not only remote connections, so we still need to check whether it is listening on TCP port 3389 (pipe the output through findstr :3389 to cut the noise):

c:\ netstat -an

(output cut for brevity) Right, so we've confirmed that it's not listening. We need to enable the remote connectivity portion of the service and restart it. If we had desktop access (which would make this article pointless) we could go to Control Panel -> System -> Remote and turn on Remote Desktop. The command-line equivalent sets fDenyTSConnections to 0; add /f so reg does not prompt before overwriting an existing value, which would hang a non-interactive shell:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

After this we need to kill the existing Terminal Server process. This isn't trivial because, as I said before, it's actually propping up the live desktop on the server. First find the PID of the svchost.exe that hosts TermService:

tasklist /svc | findstr /C:TermService

Note that tasklist /svc wraps long service lists onto indented continuation lines, so findstr may print a line that carries no PID. In that case use tasklist /svc /fi "SERVICES eq TermService", or sc queryex TermService, which prints the PID directly.

Now. This is important. If - and only if - that svchost.exe lists TermService alone, you can proceed. If it hosts other services as well, killing it will break things, and the only safe way to get RDP listening is to reboot the server. Hey, if you're authorised to do that, go for it.

taskkill /F /PID [from previous]
net start "Terminal Services"

Finally, let’s see whether we managed to get RDP listening:

c:\ netstat -an

(output cut for brevity)
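The "only if svchost.exe hosts TermService alone" check in script form, as an added example (not code from the original notes). It parses `tasklist /svc` output, whose long service lists wrap onto indented continuation lines (the reason a plain `findstr /C:TermService` can print a line with no PID on it), returns the PID only when TermService is the sole service in that process, and parses `netstat -an` the same way to confirm a 3389 listener afterwards. The sample outputs are constructed, and `enable_rdp()` is a helper name chosen here; it only runs reg/taskkill/net on a Windows host and only when asked to apply.

```python
"""Automate the TermService svchost check from the notes (added example)."""
import os
import re
import subprocess

# Constructed `tasklist /svc` output: TermService shares its svchost with others.
SAMPLE_SHARED = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                     880 RpcSs
svchost.exe                    1060 AudioSrv, CryptSvc, Dhcp, ERSvc,
                                    EventSystem, helpsvc, lanmanserver,
                                    TermService, Themes, W32Time, wuauserv
svchost.exe                    1148 Dnscache
"""

# Constructed `tasklist /svc` output: TermService is alone in its svchost.
SAMPLE_ALONE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                     880 RpcSs
svchost.exe                    1312 TermService
"""

# Constructed `netstat -an` output after the restart.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def parse_tasklist_svc(text):
    """Map PID -> (image name, [services]), joining wrapped continuation lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():  # continuation of the previous row's service list
            if current is not None:
                procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = _ROW.match(line.rstrip())
        if m is None:
            continue
        pid = int(m.group("pid"))
        procs[pid] = (m.group("image").strip(),
                      [s.strip() for s in m.group("svcs").split(",") if s.strip()])
        current = pid
    return procs


def termservice_host(procs):
    """(pid, services) of the process hosting TermService, or None."""
    for pid, (_image, svcs) in procs.items():
        if "TermService" in svcs:
            return pid, svcs
    return None


def safe_to_kill(procs):
    """PID of the TermService svchost if it hosts nothing else, otherwise None."""
    host = termservice_host(procs)
    if host is None:
        return None
    pid, svcs = host
    return pid if svcs == ["TermService"] else None


def rdp_listening(netstat_text):
    """True if `netstat -an` shows a TCP listener on port 3389."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "TCP" and cols[1].endswith(":3389") and cols[3] == "LISTENING":
            return True
    return False


def enable_rdp(apply=False):
    """Hypothetical helper: run the procedure on the local Windows host."""
    if os.name != "nt":
        raise RuntimeError("run this on the Windows host itself")

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    pid = safe_to_kill(parse_tasklist_svc(run("tasklist", "/svc")))
    if pid is None:
        print("TermService shares its svchost with other services: reboot instead of killing it")
        return False
    if not apply:
        print("dry run: would set fDenyTSConnections=0, kill PID %d and restart TermService" % pid)
        return True
    run("reg", "add", r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
        "/v", "fDenyTSConnections", "/t", "REG_DWORD", "/d", "0", "/f")
    run("taskkill", "/F", "/PID", str(pid))
    run("net", "start", "Terminal Services")
    return rdp_listening(run("netstat", "-an"))
```

Run `enable_rdp()` first for the dry run; it refuses to proceed when the svchost carries other services, which is exactly the case where the notes say a reboot is the only safe option.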



Steps to start OpenVAS:

openvassd && openvasmd && openvasad && gsad --http-only && firefox

Steps to start Nessus:

service nessusd start && firefox

nessus: merge-nessus

  • parse_nessus_xml.v21 -> parse to perl
  • Sample report for graphs
  • check-registry ; #Do registry checking for SAINT / Nessus credential scan
  • #Web scanners made by me: scott-web-assessment-server, scott-web-assessment-start

####Trustwave SpiderLabs stuff####

  • Trustwave Responder: captures many protocols' passwords
  • BeEF + HTTP + arpspoof
  • Thinket: automatic session take-over tool
  • Flash tool
  • Monitor network session:

Mount NFS

showmount -e targetIP ; #List what is exported before mounting
service state start
mkdir /mnt/nfs
mount -t nfs targetIP:/home /mnt/nfs
ls -ln /mnt/nfs ; #Numeric uids: create a local user with a matching uid to read its files; with no_root_squash, root on the client is root on the share


  • /pentest/voip/ ; #Detect VLAN
  • /pentest/voip/isme_v0.6/ ; #Scans IP phones
  • Some SIP tools inside Metasploit

Add a VLAN to do an internal pentest on Linux (tag 11 on eth0):

modprobe 8021q
vconfig add eth0 11
ip link set eth0.11 up

The same with iproute2 (vconfig is deprecated):

ip link add link eth0 name eth0.11 type vlan id 11
ip link set eth0.11 up


Oracle hacking


checkout:

  • pytor
  • hosts
  • tor-new-identity
  • tor-scan-hosts

Note: nmap files will be located in ~/


Password used in this VM:
===========================================================
Generate random passwords: openssl rand -base64 6

Generate passwords

Ways to crack passwords:

  • password-toolkit /pentest/passwords/password-toolkit/ ; #Generate passwords
  • /pentest/passwords/captcha ; #Scripts to crack CAPTCHAs
  • /pentest/passwords/ tesseract image.tif outputbase nobatch digits ; #OCR a digits-only CAPTCHA with tesseract
  • Generate credit cards: gen-creditcard
  • Local file password retrieval:
  • Similar to other gen-password:

Windows Credential Editor (WCE): try it once you have control of a Windows host:

  • /pentest/exploits/framework/tools/wce
  • /pentest/passwords/mimikatz/ ; #As a complement to WCE, a French tool to get passwords of currently logged-on users

Password and hash cracking

  • /media/share/passwords/findmyhash/
  • /media/share/passwords/john/john-x86-64
  • /pentest/passwords/keimpx ; #Checks passwords/hashes across the Windows network through SMB
  • /pentest/passwords/Codetective ; #Detect the hash/encoding type used
  • /pentest/passwords/iCrackhash ; #Same as previous
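What findmyhash, Codetective and John do in wordlist mode, reduced to the essentials, as an added example (not the code of any of those tools). Unsalted hex digests are classified by length, with 32 hex characters treated as ambiguous between MD5 and NTLM (the format wce/mimikatz dump) so both are tried, then each candidate algorithm is run over a wordlist. MD4 is implemented inline because hashlib lacks it on OpenSSL 3 builds without the legacy provider; the hash targets and wordlist are constructed, and salted or crypt-style strings are deliberately reported as unidentified.

```python
"""Shape-based hash identification plus a wordlist attack (added example)."""
import hashlib
import re
import struct

_M = 0xFFFFFFFF
# Unsalted digests told apart by hex length; 32 is ambiguous (MD5 or NTLM).
BY_LENGTH = {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}
# Constructed wordlist.
WORDLIST = ["123456", "Password1", "letmein", "password", "Summer2015"]


def md4(data):
    """MD4 per RFC 1320; NTLM is MD4 over the UTF-16LE encoded password."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & _M

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # each step updates one register and rotates the roles a,b,c,d
                a, b, c, d = d, rol((a + fn(b, c, d) + x[idx] + k) & _M, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def identify(h):
    """Candidate algorithms for an unsalted hex digest; [] for salted/crypt formats."""
    h = h.strip()
    return list(BY_LENGTH.get(len(h), [])) if re.fullmatch(r"[0-9a-fA-F]+", h) else []


def digest(algo, word):
    """Hex digest of `word` under `algo`, with NTLM handled separately."""
    if algo == "ntlm":
        return md4(word.encode("utf-16-le")).hex()
    return hashlib.new(algo, word.encode()).hexdigest()


def crack(target, wordlist=WORDLIST):
    """Return (algorithm, password) for the first wordlist hit, or None."""
    target = target.strip().lower()
    for algo in identify(target):
        for word in wordlist:
            if digest(algo, word) == target:
                return algo, word
    return None


if __name__ == "__main__":
    # NTLM of "password" as dumped by wce/mimikatz (well-known value)
    print(crack("8846f7eaee8fb117ad06bdd830b7586c"))
```

For real jobs this is what `john --format=nt --wordlist=...` does far faster; the value of the snippet is the identification step, which shows why a 32-hex-character hash from a Windows box should be tried as NTLM and not only as MD5.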

Web app

  • nosqlmap
  • pwn captcha: (looks good) (Known)
  • webscan: (Drupal, other frameworks…)
  • CMSMap
  • java -jar TestSSLServer.jar sslxxx ; #Check the SSL/TLS configuration of a host

file inclusion attack:

** A useful command I forget 100 times **

ls | xargs -n 1 sh -c 'echo $0' ; #Runs the command once per name; xargs appends each name after the script, so it arrives as $0

Out of topic


Crack WPA password:

  • python /pentest/wireless/fern-wifi-cracker/
  • airmon-ng start wlan0
  • airodump-ng mon0
  • wash
  • reaver
  • /usr/local/bin/AP-packet-capture ; #Man in the middle sniffer with wireless AP setup (requires a USB wifi adapter)
  • /pentest/sniffers/fakeap-pwn

Ways to intercept the traffic:

  • Mallory
  • DNS hijacking: ./ --interface --fakeip --fakedomains *

Internet recon

  • dnsmap + dmitry: DNS tools, brute force / Google
  • dnstrail
  • Bluto
  • URLCrazy


Unclassified
===========================================================

  • Pulsar network fuzzer
  • Note for latest pentest stuff: Malware Analysis
  • install cmsmap, Lynis, impacket, serpico
  • pip install pwntools
  • pip install --upgrade capstone

PHP: open_basedir, disable_functions, safe_mode
To access AWS: aws-scout-2


Reverse Engineers book:

Project Zero group:

Books to download; Violent Python

Dataflow in the tor network:

Fuzzing: Boofuzz Web hacks for study:

another pentest course:

Malware analysis course:

Similar to SpiderLabs' tool for privilege escalation: Hot Potato (Windows privilege escalation):

Summaries from darknet:

Nice android training materials:

yasca Yet another source code scanner

Best cheatsheet ever:

process dump:

Jigsaw social engineer tool:

VPN Server: SoftEther VPN Manager looks good
etherape: nice to see network transactions

Different platforms for mobile reverse engineering: su-a-cyder
Installed: introspy-analyzer and idb

powerpoint presentation with html:

Try patator to replace Medusa


ZARF github network hacking toolkit

Sales point:

Book summary:

25 Startup toolkits helping business

Y Combinator startup course

Programming resources

press s -> pentest (Discovery)
download:
access to:
Kali tool for web app scan:

Another bruteforce tool:

Cisco: ike-scan
Best pentest IDE: faraday

  • gen-creditcard (VISA, visa)
  • webview (the tool to capture web pages from a given nmap result)
  • warvox's make doesn't work…
  • study cortana
  • Study warvox within Metasploit for VoIP stuff!
  • Clear up /media/share, ~ and /mnt/…/client
  • karmisky framework?
  • msf browser autopwn?
  • ipv6 cracking
  • sapyto?
  • beef <-> phishing?
  • also update exploitdb through a US proxy?
  • mantra -> web application browser extension
  • Using OWTF!
  • enhance Metasploit with different scripts included: web app scan, removal of tracks (MSSQL, events, etc.)
  • Different custom builds from git or famous pentesters: git clone, git clone Carn0valxyz
  • ?/pentest/sniffers/fakeap-pwn
  • integrate Canvas and Core Impact into this VM. Integrate
  • Try smb_relay in Metasploit, seems good
  • ike-scan……
  • Web scanning on PHP 5.X + Apache -> exploit #2 on Packet Storm
  • Linux privilege escalation: [0] [1]
  • (Observe, Detect, and Investigate Networks)
  • Awesome learning:
  • Copy prod env to local env

  • XPath injection: xcat, xxxpwn
  • /pentest/web/citrix ; #Enumerate Citrix hosts
  • python /pentest/web/ ; #Proxy tunnel HTTP to HTTPS, don't know how it runs…
  • If prepare-payload does not work, use this one:
  • Web PHP shell:
  • Upload shell for different languages:
  • One-liner reverse shell:
  • /opt/gateway-finder ; #Find any host that does IP forwarding!

Mobile testing VM:

sharepoint scan:

Reporting idea: GeoIP API (free):

awesome shits