Hey All!
I have an unhealthy obsession for time savers when i’m doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought i’d use this thread to post some of the more awesome cheat sheets I find =)
please please please contribute more!
@pwndizzle compiled several tools/techniques (windows, *nix, nmap, metasploit, ++) here in preparation for hs CREST certification:
I’ll add more as separate posts!
happy hacking!
The pwnwiki is a great resource for this! run by:
@mubix
@WebBreacher
@tekwizz123
@jakx_
@TheColonial
@Wireghoul
Just a sample:
This is my whole set of SQL Injection resources for both attack and defense. I rely on them often!
General or cross-platform SQLi Resources:
• W3school’s - SQL injection
• SQLZoo’s SQL Injection walkthrough
• NTO’s SQLi Cheatsheet
• Websec.ca’s SQLi mega-resource (mySQL, MSSQL, ORACLE, ++)
• Ferruh Mavituna’s SQLi cheatsheet (mySQL, MSSQL, ORACLE, ++)
• The SQL Injection Wiki
DBMS Specific Resources:
mySQL:
• PentestMonkey’s mySQL injection cheatsheet
• Reiners mySQL injection Filter Evasion Cheatsheet
MSSQL:
• EvilSQL’s Error/Union/Blind MSSQL Cheatsheet
• PentestMonkey’s MSSQL SQLi injection Cheatsheet
ORACLE:
• PentestMonkey’s Oracle SQLi Cheatsheet
POSTGRES:
• PentestMonkey’s Postgres SQLi Cheatsheet
Others:
• Access SQLi Cheatsheet
• PentestMonkey’s Ingres SQL Injection Cheat Sheet
• pentestmonkey’s DB2 SQL Injection Cheat Sheet
• pentestmonkey’s Informix SQL Injection Cheat Sheet
• SQLite3 Injection Cheat sheet
• Ruby on Rails (Active Record) SQL Injection Guide
SQLi Prevention Resources:
• Bobby-tables.com’s guide to preventing SQLi in almost every language
• OWASP’s SQL Prevention Cheatsheet
SQLi Tools Cheatsheets
If you do assessments professionally (or even for fun) and are not using LAIR to keep all your information in one place you are missing it.
It was written by an Optiv (Fishnet) guy who was doing some work for me and why he hasn’t turned it into a commercial product is beyond me.
@jgamblin I hadn’t seen that! I’ll check it out. How does it compare to Dradis?
Been messing with both lately. LAIR is really great at aggregating network penetration test data, but I do not like it for web apps because it only lists the first vulnerability found, even when importing from several means. For nmap data, LAIR does show the NSE findings, which is insightful.
Dradis is excellent, but also does have its limitations. I intend to try out KvasirSecurity, but was hoping to see it support NSE before giving it a full review. The developers have NSE support as “planned”.
Here is a short summary comparing the three primary FOSS tool aggregators:
There is a great webapp-centric solution for aggregating test data here – https://github.com/dorneanu/appvulnms – which supports AppScan Standard Edition, Acunetix WVS, and Burp Suite Professional
For commercial, I’ve always found ProVM Auditor to pleasantly support many of the above, many federal or DoD tools, as well as AppDetective Pro, Imperva Scuba, NGSSoftware Squirrel and Orascan, etc – making it ideal for database-intensive pen tests.
Another tool, LunarLine Vulnerability Scan Converter, I was a bit nonplussed about. The leebaird discover.sh script can handle very similar output, but for free. discover.sh supports Burp, Nmap, Nessus, NeXpose, and Qualys QG XML to CSV conversions.
You know I’ve always been a fan of MaltEgo for aggregating pen test data, such as Sploitego (and many others), but I believe I do prefer the speed of something like LAIR, Dradis, or KvasirSecurity a tad more, as they are not as GUI-reliant. One of my favorite tools for tracking all sorts of data (including threat actor data) is Lumify (above and beyond MaltEgo and plugins). If you are just messing around on Kali Linux and need something to track test data, KeepNote is also great in a pinch.
Many people I know swear by Dradis Pro – which may still be the sweet spot if you can handle cloud-based data protection. What would be great would be to use LAIR for internal, network pen tests and Dradis Pro for external, especially public-web-facing pen tests.
Mobile devices, mobile apps, and IoT can throw a wrench into your gearworks. There are very little standards for either commercial (e.g., Metaintelli, NowSecure Enterprise, FOD, AppScan Mobile Analyzer, et al) or FOSS (e.g., Drozer, idb, repackaging with optool, PonyDebugger [Injected], etc) test data outputs. Perhaps a format similar to the appvulnms system described above would be a good investment?
Other considerations for tracking nmap and webapp pen test data (but these also perform actions such as launching the tools directly or iteratively, such as on a schedule) – https://bitbucket.org/al14s/rawr/wiki/Home – GitHub: sixdub/Minions, aschmitz/nepenthes, milo2012/metasploitHelper, and owtf/owtf
A really great set of CTF related tips and small cheatsheets for cli tools in *nix environs:
I found a useful “offline” resource is the Red Team Field Manual (RTFM) which is a good reference manual for the pentester. It’s basically a list of commands categorised by technology and has no fluff - it’s really just a list of commands
There’s also the Blue Team field manual which is more the forensics side and incident response - more procedural, but also has some great commands.
Most importantly, both books are quite cheap. 
the RTFM is awesome indeed =)
You should look at pentestbox.org.
