---
name: Quick Pentest Reference
description: This skill should be used when the user asks to "perform quick enumeration", "run directory busting", "enumerate DNS", "discover live hosts", "brute force passwords", or "needs a pentest cheat sheet". It provides rapid reference commands for penetration testing.
version: 1.0.0
tags: [pentest, enumeration, reconnaissance, scanning, cheat-sheet, quick-reference]
---

# Quick Pentest Reference

## Purpose

Provide rapid-access command references for common penetration testing tasks including directory busting, DNS enumeration, host discovery, service scanning, and password brute forcing. This skill serves as a quick reference for CTFs and penetration testing engagements.

## Prerequisites

### Required Tools

- Nmap, Gobuster, FFUF
- Hydra, Nikto
- dig, nslookup, host
- SecLists wordlists

### Installation

```bash
sudo apt update
sudo apt install nmap gobuster ffuf hydra nikto dnsutils
sudo apt install seclists
```

## Core Workflow

### Phase 1: Directory Busting

Discover hidden directories and files:

**Gobuster Directory Scan**

```bash
# Basic directory scan
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt

# With extensions
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

# With status codes
# gobuster 3.1+ refuses to run when -s is combined with the default 404 blacklist,
# so clear the blacklist with -b ""
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,301,302 -b ""
```

**FFUF Directory Scan**

```bash
# Basic scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# With file extensions
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.html

# Filter by response size (hide responses that are exactly 4242 bytes, e.g. a catch-all page)
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fs 4242

# Filter by status code
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fc 404
```

### Phase 2: VHOST Enumeration

Discover virtual hosts and subdomains:

**Gobuster VHOST Scan**

```bash
gobuster vhost -u http://example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

**FFUF VHOST Scan**

```bash
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Filter false positives by size
# (replace 0 with the byte size of the server's default/catch-all vhost response)
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt -fs 0
```

### Phase 3: Digital Certificate Reconnaissance

Passive subdomain discovery via certificates:

**Certificate Search Engines**

- [crt.sh](https://crt.sh) - Certificate transparency logs
- [Censys](https://search.censys.io) - Certificate search
- [Entrust](https://www.entrust.com/resources/certificate-solutions/tools/certificate-search)

**crt.sh Command Line**

```bash
# Query crt.sh via curl
# name_value may hold several SANs separated by newlines; jq -r prints each on its own line,
# so sort -u still de-duplicates correctly
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
```

### Phase 4: DNS Enumeration

Query DNS records for intelligence:

**DNS Record Types**

| Type  | Purpose            |
|-------|--------------------|
| A     | IPv4 address       |
| AAAA  | IPv6 address       |
| MX    | Mail servers       |
| NS    | Name servers       |
| TXT   | Text records       |
| CNAME | Canonical name     |
| SOA   | Start of authority |

**Dig Commands**

```bash
# A record
dig example.com A

# All records (many servers answer ANY with a minimal response per RFC 8482;
# query the individual types if the answer looks incomplete)
dig example.com ANY

# MX records
dig example.com MX

# Name servers
dig example.com NS

# TXT records (SPF, DKIM)
dig example.com TXT

# Reverse lookup
dig -x 192.168.1.1

# Use specific DNS server
dig @8.8.8.8 example.com
```

**Host Command**

```bash
# Basic lookup
host example.com

# Specific record type
host -t MX example.com
host -t NS example.com

# Verbose output
host -a example.com
```

**Nslookup**

```bash
# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com

# Direct queries
nslookup example.com
nslookup -type=MX example.com
nslookup -type=NS example.com
```

### Phase 5: Zone Transfer

Attempt DNS zone transfer for full records:

```bash
# Dig zone transfer
dig @ns1.example.com example.com AXFR

# Host zone transfer
host -l example.com ns1.example.com

# Nslookup zone transfer
nslookup
> server ns1.example.com
> ls -d example.com
```

### Phase 6: Automated DNS Tools

**DNSRecon**

```bash
# Standard enumeration
dnsrecon -d example.com

# Zone transfer attempt
dnsrecon -d example.com -t axfr

# Brute force subdomains
dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt
```

**DNSenum**

```bash
# Full enumeration
dnsenum example.com

# With wordlist
dnsenum --enum example.com -f /usr/share/wordlists/subdomains.txt
```

**Fierce**

```bash
# Subdomain enumeration
fierce --domain example.com

# With wordlist
fierce --domain example.com --subdomain-file wordlist.txt
```

### Phase 7: Host Discovery

Identify live hosts on the network:

**Netdiscover**

```bash
# Active scan
netdiscover -i eth0

# Passive mode
netdiscover -p -i eth0

# Specific range
netdiscover -r 192.168.1.0/24
```

**ARP Scan**

```bash
# Local network
arp-scan -l

# Specific interface
arp-scan -I eth0 -l

# Specific range
arp-scan 192.168.1.0/24
```

**Nmap Host Discovery**

```bash
# Ping sweep
nmap -sn 192.168.1.0/24

# ARP ping (local network)
nmap -sn -PR 192.168.1.0/24

# ICMP echo ping
nmap -sn -PE 192.168.1.0/24

# TCP SYN ping
nmap -sn -PS 192.168.1.0/24

# UDP ping
nmap -sn -PU 192.168.1.0/24

# ICMP timestamp
nmap -sn -PP 192.168.1.0/24

# ICMP address mask request (may pass filters that drop only echo requests)
nmap -sn -PM 192.168.1.0/24
```

### Phase 8: Service and OS Discovery

Enumerate ports, services, and operating systems. SYN scans (`-sS`) and OS detection (`-O`, `-A`) need raw-socket privileges, so run them with `sudo`:

**Nmap Service Scans**

```bash
# SYN scan with version detection
sudo nmap -sS -sV 192.168.1.1

# Full TCP scan with OS detection
sudo nmap -T4 -p- -A 192.168.1.1

# UDP scan
sudo nmap -sU -T4 192.168.1.1

# Top 1000 ports
sudo nmap -sS -sV --top-ports 1000 192.168.1.1

# All ports aggressive
sudo nmap -sS -sV -sC -O -p- 192.168.1.1

# Banner grabbing
nmap --script=banner 192.168.1.1

# Subnet scan
nmap 192.168.1.0/24
```

**Nikto Web Scanner**

```bash
# Basic scan
nikto -h http://192.168.1.1

# With SSL
nikto -h https://192.168.1.1 -ssl

# Save output
nikto -h http://192.168.1.1 -o nikto_report.html -Format html
```

### Phase 9: Password Brute Force

Attack authentication services:

**Hydra**

```bash
# SSH brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# FTP brute force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# HTTP POST form (the last field is the string that marks a failed login)
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"

# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/

# RDP brute force
hydra -l administrator -P passwords.txt rdp://192.168.1.1

# SMB brute force
hydra -L users.txt -P passwords.txt smb://192.168.1.1
```

### Phase 10: Post Exploitation

Actions after gaining access:

**Windows Credential Dumping**

```bash
# Meterpreter
meterpreter> hashdump
meterpreter> getsystem
meterpreter> load kiwi
meterpreter> creds_all

# Mimikatz
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam
```

**Linux Privilege Escalation**

```bash
# Check sudo permissions
sudo -l

# Find SUID binaries
find / -perm -4000 2>/dev/null

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS enumeration
./linpeas.sh
```

## Quick Reference

### Essential Wordlists

| Path | Purpose |
|------|---------|
| `/usr/share/wordlists/dirb/common.txt` | Common directories |
| `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt` | Medium directory list |
| `/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt` | Subdomains |
| `/usr/share/wordlists/rockyou.txt` | Passwords |

### Command Quick Reference

| Task | Command |
|------|---------|
| Directory bust | `gobuster dir -u URL -w wordlist` |
| VHOST enum | `ffuf -H "Host: FUZZ.domain" -u URL -w wordlist` |
| DNS lookup | `dig domain.com ANY` |
| Zone transfer | `dig @ns.domain.com domain.com AXFR` |
| Host discovery | `nmap -sn 192.168.1.0/24` |
| Port scan | `sudo nmap -sS -sV -p- target` |
| Brute force | `hydra -l user -P list service://target` |

## Constraints and Limitations

### Authorization

- Only test systems you own or have permission to test
- Document all testing activities
- Stay within scope

### Tool Limitations

- Some scans may trigger IDS/IPS
- Rate limiting may block aggressive scans
- Firewalls may block certain techniques

## Troubleshooting

### Scans Returning No Results

**Solutions:**

1. Verify the target is reachable
2. Try different scanning techniques
3. Check for firewall blocks
4. Use slower scan rates
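The crt.sh query in Phase 3 returns JSON in which one `name_value` field can hold several SAN entries separated by newlines, wildcard names, mixed-case names, and look-alike domains that merely end in the same characters (for example `notexample.com`). The `curl | jq | sort -u` one-liner does not separate the true in-scope names from those. The following Python script is an added example (not part of the original skill or of crt.sh) that parses that JSON shape over a constructed sample, keeps only names under the apex domain, and compares the result against a known-asset inventory, which is how a defender monitoring certificate transparency spots certificates issued for forgotten or unexpected hosts. The sample rows, the `SAMPLE_CRTSH_JSON` constant, and the function names are assumptions made for the example.

```python
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample of the JSON crt.sh returns for ?q=%25.example.com&output=json.
# It is not a real query result; it reproduces the shapes that trip up naive parsing:
# multi-line name_value, repeated names, a wildcard, mixed case, and look-alike domains.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDev.Example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Example CA (constructed)",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nnotexample.com\nexample.com.attacker.test"},
])


def extract_hostnames(crtsh_json: str, apex: str, keep_wildcards: bool = False) -> list[str]:
    """Return sorted, de-duplicated hostnames under `apex` from crt.sh JSON output.

    - splits multi-SAN name_value fields on newlines
    - lower-cases names (DNS names are case-insensitive)
    - keeps only the apex itself or names ending in ".<apex>", which drops
      look-alikes such as notexample.com and example.com.attacker.test
    - drops wildcard entries ("*.dev.example.com") unless keep_wildcards is set
    """
    apex = apex.lower().rstrip(".")
    rows = json.loads(crtsh_json)
    found: set[str] = set()
    for row in rows:
        for raw in row.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*.") and not keep_wildcards:
                continue
            if name != apex and not name.endswith("." + apex):
                continue
            found.add(name)
    return sorted(found)


def unexpected_hostnames(crtsh_json: str, apex: str, inventory: Iterable[str]) -> list[str]:
    """Names that have certificates in CT logs but are missing from a known-asset inventory.

    Wildcards are excluded because they do not name a concrete host to inventory.
    """
    known = {h.strip().lower().rstrip(".") for h in inventory}
    return [h for h in extract_hostnames(crtsh_json, apex) if h not in known]


if __name__ == "__main__":
    print("hosts:", extract_hostnames(SAMPLE_CRTSH_JSON, "example.com"))
    print("with wildcards:", extract_hostnames(SAMPLE_CRTSH_JSON, "example.com", keep_wildcards=True))
    # Constructed inventory: two hosts the owner knows about; dev and mail are the surprises.
    print("unexpected:", unexpected_hostnames(SAMPLE_CRTSH_JSON, "example.com",
                                              ["example.com", "www.example.com"]))
```

To run it against live data, replace `SAMPLE_CRTSH_JSON` with the body of the `curl` call from Phase 3; the functions only depend on the `name_value` field, so other fields in the response are ignored.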