Common Assessment Tool Cheatsheets


#1

Hey All!

I have an unhealthy obsession for time savers when I’m doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought I’d use this thread to post some of the more awesome cheat sheets I find =)

please please please contribute more!

@pwndizzle compiled several tools/techniques (windows, *nix, nmap, metasploit, ++) here in preparation for his CREST certification:

I’ll add more as separate posts!

happy hacking!


#2

The pwnwiki is a great resource for this! run by:

@mubix
@WebBreacher
@tekwizz123
@jakx_
@TheColonial
@Wireghoul

Just a sample:


#3

John the Ripper Cheat Sheet!


#4

This is my whole set of SQL Injection resources for both attack and defense. I rely on them often!

General or cross-platform SQLi Resources:

W3school’s - SQL injection
SQLZoo’s SQL Injection walkthrough
NTO’s SQLi Cheatsheet
Websec.ca’s SQLi mega-resource (mySQL, MSSQL, ORACLE, ++)
Ferruh Mavituna’s SQLi cheatsheet (mySQL, MSSQL, ORACLE, ++)
The SQL Injection Wiki

DBMS Specific Resources:

mySQL:

PentestMonkey’s mySQL injection cheatsheet
Reiners mySQL injection Filter Evasion Cheatsheet

MSSQL:

EvilSQL’s Error/Union/Blind MSSQL Cheatsheet
PentestMonkey’s MSSQL SQLi injection Cheatsheet

ORACLE:

PentestMonkey’s Oracle SQLi Cheatsheet

POSTGRES:

PentestMonkey’s Postgres SQLi Cheatsheet

Others:

Access SQLi Cheatsheet
PentestMonkey’s Ingres SQL Injection Cheat Sheet
pentestmonkey’s DB2 SQL Injection Cheat Sheet
pentestmonkey’s Informix SQL Injection Cheat Sheet
SQLite3 Injection Cheat sheet
Ruby on Rails (Active Record) SQL Injection Guide

SQLi Prevention Resources:

Bobby-tables.com’s guide to preventing SQLi in almost every language
OWASP’s SQL Prevention Cheatsheet

SQLi Tools Cheatsheets

SQLMap Cheatsheet


#5

If you do assessments professionally (or even for fun) and are not using LAIR to keep all your information in one place you are missing it.

It was written by an Optiv (Fishnet) guy who was doing some work for me and why he hasn’t turned it into a commercial product is beyond me.


#6

@jgamblin I hadn’t seen that! I’ll check it out. How does it compare to Dradis?


#7

Been messing with both lately. LAIR is really great at aggregating network penetration test data, but I do not like it for web apps because it only lists the first vulnerability found, even when importing from several means. For nmap data, LAIR does show the NSE findings, which is insightful.

Dradis is excellent, but also does have its limitations. I intend to try out KvasirSecurity, but was hoping to see it support NSE before giving it a full review. The developers have NSE support as “planned”.

Here is a short summary comparing the three primary FOSS tool aggregators:

  1. KvasirSecurity supports MSF Pro, metasploit-framework, Nessus, SHODAN, Nmap (NSE pending), Hydra, JTR, CANVAS, NeXpose, webshot, and vncshot. Other formats such as pcap, amap, Acunetix, Appscan, Netsparker, Burp, IP360, and OpenVAS data can be imported through MSF Pro or metasploit-framework
  2. LAIR supports imports to blacksheepwall, cookiescan, burp (via drone XML or Burp Extension), metasploit-framework (MSF XML), Nmap and NSE (via gnmap or XML files), Nessus, NeXpose, Nikto, dirb, and tshark. It also supports export to metasploit-framework (MSF XML) which I found to be an incredible feature
  3. Dradis supports burp, msf, nessus, nexpose, nikto, nmap, openvas, w3af, wXf, zap, acunetix, appspider, netsparker, and perhaps others. What is very unique about Dradis is that it supports IPv6, while the others lack this sort of support. Note that nikto, w3af, and many other tools do not support IPv6 but can be proxied through socat. Other favorite tools that support IPv6 include: dnsrecon, amap (especially good with IPv6 UDP), hydra, arachni, and sqlmap.

There is a great webapp-centric solution for aggregating test data here – https://github.com/dorneanu/appvulnms – which supports AppScan Standard Edition, Acunetix WVS, and Burp Suite Professional

For commercial, I’ve always found ProVM Auditor to pleasantly support many of the above, many federal or DoD tools, as well as AppDetective Pro, Imperva Scuba, NGSSoftware Squirrel and Orascan, etc – making it ideal for database-intensive pen tests.

Another tool, LunarLine Vulnerability Scan Converter, I was a bit nonplussed about. The leebaird discover.sh script can handle very similar output, but for free. discover.sh supports Burp, Nmap, Nessus, NeXpose, and Qualys QG XML to CSV conversions.

You know I’ve always been a fan of Maltego for aggregating pen test data, such as Sploitego (and many others), but I believe I do prefer the speed of something like LAIR, Dradis, or KvasirSecurity a tad more, as they are not as GUI-reliant. One of my favorite tools for tracking all sorts of data (including threat actor data) is Lumify (above and beyond Maltego and plugins). If you are just messing around on Kali Linux and need something to track test data, KeepNote is also great in a pinch.

Many people I know swear by Dradis Pro – which may still be the sweet spot if you can handle cloud-based data protection. What would be great would be to use LAIR for internal, network pen tests and Dradis Pro for external, especially public-web-facing pen tests.

Mobile devices, mobile apps, and IoT can throw a wrench into your gearworks. There are very few standards for either commercial (e.g., Metaintelli, NowSecure Enterprise, FOD, AppScan Mobile Analyzer, et al) or FOSS (e.g., Drozer, idb, repackaging with optool, PonyDebugger [Injected], etc) test data outputs. Perhaps a format similar to the appvulnms system described above would be a good investment?

Other considerations for tracking nmap and webapp pen test data (but these also perform actions such as launching the tools directly or iteratively, such as on a schedule) – https://bitbucket.org/al14s/rawr/wiki/Home – GitHub: sixdub/Minions, aschmitz/nepenthes, milo2012/metasploitHelper, and owtf/owtf


#8

A really great set of CTF related tips and small cheatsheets for cli tools in *nix environs:


#9

I found a useful “offline” resource is the Red Team Field Manual (RTFM), which is a good reference manual for the pentester. It’s basically a list of commands categorised by technology and has no fluff - it’s really just a list of commands.

There’s also the Blue Team Field Manual, which is more the forensics and incident response side - more procedural, but it also has some great commands.

Most importantly, both books are quite cheap. :smile:


#10

the RTFM is awesome indeed =)


#11

You should look at pentestbox.org.
