I carry a small notebook with me of commands and syntax for various tools. Although I plan to keep this notebook I also want to have a digital version for quick easy access.
One of my favorite Cyber books is the Red Team Field Manual (RTFM) by Ben Clark. RTFM is an affordable, concise collection of commands, syntax, and information needed for any cyber enthusiast.
This listing is not and should never be considered a substitute for --help, -h, -help, -hh or whatever variation of the help flag a given tool uses.
Simply knowing how to run a tool isn’t enough. You also need to understand the fundamental principles of the technology you are testing.
OpenVPN connection (for labs such as HTB or THM): first download the lab's .ovpn file, then run:
sudo openvpn /path/to/file.ovpn
If OpenVPN is not installed, install it with: sudo apt install openvpn. The tunnel only lives as long as that process, so keep the terminal open (or run it in the background with &).
Nmap (links to the nmap reference guide)
-A aggressive (OS detection, version detection, default scripts and traceroute in one) -sV version detection -p- all 65535 ports (the default is the top 1000)
-vv very verbose
Example: nmap -sS -p 1000-9999 <Target> (-sS is a SYN scan and needs root)
> filename.txt at the end of the command redirects stdout to a text file; the -o flags below are the better option because they keep the format parseable.
Nmap has 3 output formats: -oN (normal), -oX (XML), -oG (grepable). -oA <basename> writes all three at once.
nmap -sV -sC [IP] is a good first start for CTF/KOTH enumeration (-sC runs the default NSE script set).
There are 6 states for ports
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Closed|Filtered
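As an added example (mine, not from the original page), here is a small shell parser for nmap's grepable (-oG) format. It reads grepable output on stdin and prints every port in a requested state (open, filtered, closed, ...), so the -oG file from an -oA run can be turned straight into a port list for a follow-up -sV/-sC scan. The scan output embedded in nmap_sample() is constructed for the example, not a real scan; the host 10.10.10.5 and its services are made up.

```shell
#!/bin/sh
# Constructed sample of `nmap -sV -oG -` output (not a real scan). Fields on a
# Host line are tab-separated; each port entry is port/state/proto/owner/service/rpc/version.
nmap_sample() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.5\n'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/closed/tcp//mysql///\tIgnored State: filtered (995)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 5.00 seconds\n'
}

# nmap_ports_in_state STATE   (open, closed, filtered, open|filtered, ...)
# Reads grepable output on stdin; prints "ip port/proto service version" for each match.
nmap_ports_in_state() {
  awk -F'\t' -v want="$1" '
    /^Host:/ && $2 ~ /^Ports:/ {
      split($1, h, " "); ip = h[2]
      sub(/^Ports: /, "", $2)
      n = split($2, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")      # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
        if (f[2] == want) printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
      }
    }'
}

# nmap_open_port_csv: comma-separated open port numbers, ready to paste after `nmap -p`.
nmap_open_port_csv() {
  nmap_ports_in_state open | awk '{ split($2, p, "/"); print p[1] }' | paste -sd, -
}

# Stand-alone demo
nmap_sample | nmap_ports_in_state open
printf 'open ports for a follow-up scan: -p %s\n' "$(nmap_sample | nmap_open_port_csv)"
```

Feed a real file with `nmap_ports_in_state open < scan.gnmap`; the state argument accepts the combined states too (`'open|filtered'`), which is where UDP scans usually leave you.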
There are 6 classic TCP header flags (ECE and CWR were added later for explicit congestion notification):
1. URG – Urgent Flag
2. ACK – Acknowledgement
3. PSH – Push flag
4. RST – Reset
5. SYN – Synchronize
6. FIN – Finish
SMB – Server Message Block Wikipedia page
SMB uses two ports: TCP 445 (SMB directly over TCP) and TCP 139 (SMB over the NetBIOS session service).
Samba
smbclient
smbclient -? : help
smbclient -L [IP] -N : list the shares the host exports (-N sends no password, i.e. tries a null session)
smbclient -N //[IP]/[share] : connect to a share without credentials; use -U [user] to authenticate instead. In the common CTF example //[IP]/anonymous, "anonymous" is a share name, not a login.
smbget -R smb://[IP]/[share] : recursively download a whole share
Same thing with Windows-style UNC syntax: smbclient \\\\[IP]\\workgroup (each backslash is escaped for the shell; "workgroup" here is the share name)
SMB How-To from tldp.org
smbmap
impacket github
FTP – File Transfer Protocol
list of basic FTP commands from Colorado State
anonymous login: ftp anonymous@[IP] (port 21 is the default; a non-standard port goes after the host, e.g. ftp [IP] 2121. Note that -p in BSD/inetutils ftp means passive mode, not port). Any password is accepted for anonymous; an e-mail address is the convention.
help lists the common commands
once in I like to run dir (or ls) and pwd. If a listing hangs after 229 Entering Extended Passive Mode (|||#####|), toggle passive mode off by simply typing passive.
to download a file use get (one file) or mget (several, wildcards allowed); type binary first so non-text files are not mangled in transfer.
WEB HACKING
check /robots.txt and /sitemap.xml for paths the site owner did not mean to advertise
curl is a useful command: $ curl -v http://[IP] (-v prints the request and response headers; -I sends a HEAD request and shows only the response headers)
-- the Server, X-Powered-By and Set-Cookie headers this reveals often give away the stack before any scanner runs
What framework is the site using? Is there anything in the framework documentation that can be used?
Wappalyzer – browser extension / online tool for identifying frameworks, CMSs, payment processors and more.
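An added example, not part of the original page: a few shell functions that post-process the headers curl -I / curl -v prints. They pull out the headers that fingerprint the stack (the framework question above), list the defensive headers that are absent, and check cookie flags. The response in http_sample_headers() is constructed for the example; in practice pipe `curl -sI http://[IP]` into the functions.

```shell
#!/bin/sh
# Constructed HTTP response headers (not captured from a real server).
http_sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n'
  printf 'Server: Apache/2.4.52 (Ubuntu)\r\n'
  printf 'X-Powered-By: PHP/7.4.3\r\n'
  printf 'Set-Cookie: PHPSESSID=abc123; path=/\r\n'
  printf 'X-Frame-Options: SAMEORIGIN\r\n'
  printf 'Content-Type: text/html; charset=UTF-8\r\n'
  printf '\r\n'
}

# http_fingerprint: headers that reveal server software or framework (stdin -> "Name=value").
http_fingerprint() {
  tr -d '\r' | awk -F': ' '
    tolower($1) ~ /^(server|x-powered-by|x-aspnet-version|x-generator|via)$/ { print $1 "=" $2 }'
}

# http_missing_security_headers: print each defensive header the response lacks.
http_missing_security_headers() {
  names=$(tr -d '\r' | grep ':' | cut -d: -f1 | tr 'A-Z' 'a-z')
  for h in strict-transport-security content-security-policy \
           x-content-type-options x-frame-options referrer-policy; do
    printf '%s\n' "$names" | grep -qx "$h" || printf 'missing: %s\n' "$h"
  done
}

# http_cookie_flags: for each Set-Cookie, report absent HttpOnly / Secure attributes.
http_cookie_flags() {
  tr -d '\r' | awk -F': ' '
    tolower($1) == "set-cookie" {
      name = $2; sub(/=.*/, "", name)
      flags = ""
      if (tolower($0) !~ /; *httponly/) flags = flags " no-HttpOnly"
      if (tolower($0) !~ /; *secure/)   flags = flags " no-Secure"
      print name ":" (flags == "" ? " ok" : flags)
    }'
}

# Stand-alone demo
http_sample_headers | http_fingerprint
http_sample_headers | http_missing_security_headers
http_sample_headers | http_cookie_flags
```

The fingerprint list is deliberately short; version strings in Server/X-Powered-By are what you search the framework documentation and advisories for, and a session cookie without HttpOnly is worth noting before you look for XSS.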
S3 buckets
Content discovery using FFUF / DIRBUSTER / GOBUSTER
sublist3r – passive info gathering (HackerSploit video)
HTTP Status Codes –
SITE CPFR & SITE CPTO commands (ProFTPD's mod_copy; these are FTP commands sent over the FTP control connection, not to the web server)
SITE CPFR /file/path/.ssh/id_rsa
should return 350 File or directory exists, ready for destination name (if run properly)
SITE CPTO /var/tmp/id_rsa
should return 250 Copy successful
The copy is performed by the FTP daemon, so the source must be readable and the destination writable by the daemon's account.
nikto: web server scanner used to find known vulnerabilities and misconfigurations.
nikto -h [host] scans a target; nikto -Help prints the full option list (nikto with no arguments prints the short usage).
Nikto video from Hackersploit on YT
Metasploit (the console opens with a random ASCII banner, such as the cowsay "metasploit" one; it is decoration only)
msfconsole starts the Metasploit console. Run with -q to suppress the banner art.
help lists the commands with descriptions
Don't forget to update! msfupdate (not supported when Metasploit comes from the distribution's packages, as on Kali; there run sudo apt update && sudo apt install metasploit-framework instead)
search [module name or keyword]
use [type]/[path]/[module] – loads a module, using the path exactly as search prints it
info – displays info about one or more modules
show [category] – lists modules of a category (exploits, auxiliary, payloads, options, ...)
options – lists the options that can be set for the current module
– options differ from module to module
advanced – lists the advanced options
set – sets a parameter (PASSWORD, USERNAME, RHOSTS ...); setg sets it globally so it carries over between modules
– parameters vary per module; run options to see what is available. Below are some common examples.
sessions – lists all current sessions
RHOSTS – target host(s); accepts a single IP, a range, a CIDR or file:/path/to/hosts
RPORT – target port
LHOST – address the payload connects back to (the listener binds here)
LPORT – listener port
RPATH – name of remote file/directory relative to the share (SMB modules)
SMBUser – SMB user name to authenticate as
SMBPass – password for that user
set payload [payload] – selects the payload to be sent to the target
run -j / exploit -j – run the module as a background job
sessions -i [id] – interact with a session
run (or exploit) – runs the module
Meterpreter –
Basic Commands from Offensive Security
Advanced meterpreter documentation
BurpSuite CE documentation
Descriptions below taken from TryHackMe BurpSuite basics module.
- Proxy: The most well-known aspect of Burp Suite, the Burp Proxy allows us to intercept and modify requests/responses when interacting with web applications.
- Repeater: The second most well-known Burp feature — Repeater — allows us to capture, modify, then resend the same request numerous times. This feature can be absolutely invaluable, especially when we need to craft a payload through trial and error (e.g. in an SQLi — Structured Query Language Injection) or when testing the functionality of an endpoint for flaws.
- Intruder: Although harshly rate-limited in Burp Community, Intruder allows us to spray an endpoint with requests. This is often used for bruteforce attacks or to fuzz endpoints.
- Decoder: Though less-used than the previously mentioned features, Decoder still provides a valuable service when transforming data — either in terms of decoding captured information, or encoding a payload prior to sending it to the target. Whilst there are other services available to do the same job, doing this directly within Burp Suite can be very efficient.
- Comparer: As the name suggests, Comparer allows us to compare two pieces of data at either word or byte level. Again, this is not something that is unique to Burp Suite, but being able to send (potentially very large) pieces of data directly into a comparison tool with a single keyboard shortcut can speed things up considerably.
- Sequencer: We usually use Sequencer when assessing the randomness of tokens such as session cookie values or other supposedly random generated data. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.
SSH – ssh user@target (prompts for a password unless a key is configured; ssh -i key user@target to use a private key file)
MySQL – mysql -h [target IP] -u [user] -p (prompts for the password)
DNSRecon
DirBuster
gobuster
dir: directory/file bruteforcing mode
dns: subdomain bruteforcing mode
-U username / -P password (HTTP basic auth, dir mode) -w wordlist -x file extensions to append (e.g. php,txt)
-s status codes to show -k skip TLS certificate verification -H add an HTTP header -u target URL
gobuster dir --help lists all flags for that mode (gobuster dns --help likewise).
example: gobuster dir -u http://[IP] -w /path/to/wordlist.txt -x [extension]
the above bruteforces paths from the chosen wordlist and also tries each word with the given file extensions appended.
Hashing & Password Cracking
Properly identifying the hash is critical to cracking it.
Kali ships hashid, which identifies hashes and can print the matching Hashcat mode (-m) and John format (-j). Other hash identifiers exist online;
Hashes.com is one example.
Cracking can take a lot of time and is bounded by the available compute (a GPU, for hashcat). Running these tools inside a VM usually means degraded performance, since the VM rarely gets direct access to the GPU.
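As an added example (mine, not from the page and not hashid's code), here is a shell function that does what hashid does for the common cases: it guesses the algorithm from the hash's shape alone and prints the matching hashcat -m mode and john --format name. The sample inputs in the demo are constructed: the hex strings are the well-known MD5 and SHA-1 digests of the word password, the hashdump line uses the empty LM/NT hashes, and the $6$ entry is a placeholder with a made-up body. Anything not in the table is reported as unknown rather than guessed.

```shell
#!/bin/sh
# hash_guess HASH -> "type hashcat-mode john-format" (or "unknown"), based only on shape.
# Covers the formats most often met in CTFs; hashid/haiti cover far more.
hash_guess() {
  h="$1"
  case "$h" in
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt 3200 bcrypt" ;;
    '$1$'*)                 echo "md5crypt 500 md5crypt" ;;
    '$5$'*)                 echo "sha256crypt 7400 sha256crypt" ;;
    '$6$'*)                 echo "sha512crypt 1800 sha512crypt" ;;
    *:*:*:*:::)             echo "ntlm-hashdump-line 1000 nt" ;;   # user:rid:lm:nt::: from hashdump
    *)
      if printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]+$'; then
        case ${#h} in
          32)  echo "md5-or-ntlm 0/1000 raw-md5/nt" ;;   # same length; where it came from decides
          40)  echo "sha1 100 raw-sha1" ;;
          64)  echo "sha256 1400 raw-sha256" ;;
          128) echo "sha512 1700 raw-sha512" ;;
          *)   echo "unknown" ;;
        esac
      else
        echo "unknown"
      fi ;;
  esac
}

# Stand-alone demo with constructed inputs
for sample in 5f4dcc3b5aa765d61d8327deb882cf99 \
              5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 \
              '$6$saltsalt$notarealhashbody' \
              'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::' \
              not-a-hash; do
  printf '%s -> %s\n' "$sample" "$(hash_guess "$sample")"
done
```

The 32-character case is the one that bites most often: a raw MD5 and an NT hash look identical, so let the source (a web app database versus a Windows SAM dump) pick between -m 0 and -m 1000.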
HashCat
list of all modes (also printed by hashcat --help)
-a – sets the attack mode (0 wordlist, 3 brute-force/mask) -m – sets the hash type
example: hashcat -a 3 -m 0 [hashstring or /path/to/file.txt] [mask]
This runs a mask (brute-force) attack (-a 3) against an MD5 hash (-m 0) with the hash string placed directly on the command line; without a mask hashcat falls back to its built-in default mask. You can also save the hashes to a .txt file, one per line, and point the command at the file. The usual wordlist attack is hashcat -a 0 -m 0 hashes.txt /path/to/rockyou.txt.
John The Ripper
example1: john --format=[hashtype] --wordlist=[/path/to/wordlist.txt] [path/to/hash.txt]
example2: john --wordlist=[path/to/wordlist.txt] [path/to/hash.txt]; without --format john guesses the hash type, which is fine when the guess is unambiguous. If in doubt confirm it with hashid or haiti first. john --show [path/to/hash.txt] prints what has been cracked so far.
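To make the wordlist attack concrete, here is an added example (mine, not from the page and not code from the john or hashcat projects) that does in plain shell what john --wordlist and hashcat -a 0 do: hash every candidate with the chosen algorithm and compare it against the target. It also applies a few mangling rules (append 1, 123, !) in the spirit of john's rule engine or hashcat -r. The wordlist in sample_wordlist() is constructed; the target hashes are the well-known MD5/SHA-1 digests of password and password123, and the all-zero hash is a deliberate miss.

```shell
#!/bin/sh
# Constructed wordlist for the demo (a real run would use rockyou.txt or similar).
sample_wordlist() {
  printf '%s\n' 123456 letmein qwerty password dragon
}

# crack_digest ALGO HASH   (ALGO: md5 | sha1 | sha256), candidate words on stdin.
# Prints the matching plaintext and returns 0, or returns 1 once the list is exhausted.
# Each word is also tried with a few common suffixes, mimicking a small rule set.
crack_digest() {
  algo="$1"
  target=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$algo" in
    md5)    tool=md5sum ;;
    sha1)   tool=sha1sum ;;
    sha256) tool=sha256sum ;;
    *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
  esac
  while IFS= read -r word; do
    [ -n "$word" ] || continue
    for cand in "$word" "${word}1" "${word}123" "${word}!"; do
      # printf, not echo: echo appends a newline and would hash the wrong bytes
      digest=$(printf '%s' "$cand" | "$tool" | cut -d' ' -f1)
      if [ "$digest" = "$target" ]; then
        printf '%s\n' "$cand"
        return 0
      fi
    done
  done
  return 1
}

# Stand-alone demo
sample_wordlist | crack_digest md5  5f4dcc3b5aa765d61d8327deb882cf99                 # password
sample_wordlist | crack_digest md5  482c811da5d5b4bc6d497ffa98491e38                 # password123, found via the rule
sample_wordlist | crack_digest sha1 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8         # password
sample_wordlist | crack_digest md5  00000000000000000000000000000000 || echo "not in wordlist"
```

This is thousands of times slower than hashcat because it forks a process per candidate, which is exactly why the real tools exist; what it shows is the loop and the newline pitfall, which also explains why a hash "that should crack" sometimes does not: the original system may have hashed the password with a trailing newline, a salt, or a different encoding.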
Hydra – online (network) login brute-forcer; hydra runs the tool
-t 16 – number of parallel connections per target (hydra itself warns that SSH servers usually cap this and suggests -t 4)
-l [user] – a single username (-L [file] for a list of users)
-P [/path/to/wordlist] – password wordlist (e.g. rockyou.txt); -p [pass] for a single password
-vV – very verbose, shows the login/pass pair for each attempt
[machine IP] – target machine
ssh – the service/protocol module to attack; swap in ftp, smb, http-post-form, etc. as needed
Example – hydra -t 16 -l USER -P /[filepath]/rockyou.txt -vV [Target IP] ssh
haiti-hash : Hash Identifier
SQL
SQL Basics Cheat Sheet
sqlite3 – ships with Kali; use it to open a retrieved .db file (sqlite3 file.db, then .tables, .schema [table], SELECT ...)
sqlmap
sqlmap cheat sheet
-u – target URL -g – Google dork used to pick targets -p – parameter to test -v – verbosity level
--forms – parse and test the forms found on the URL
--dump – dump the entries of a table (--dump-all for every table)
--os-shell – try to get an interactive OS shell
-h basic help, -hh advanced help
example: sqlmap -u http://[URL or IP] --forms --dump
whois [domain or IP] – basic passive recon method
The request/response protocol is specified in RFC 3912 and the service listens on TCP port 43.
NSlookup
nslookup [domain]: used to find IP address of domain
nslookup [options] [domain] [server]
A: IPv4 addresses AAAA: IPv6 addresses CNAME: Canonical Name
MX: Mail Server SOA: Start of Authority TXT: TXT Records
example: nslookup -type=A [domain] [server]
List of Public DNS Servers
DIG (Domain Information Groper)
dig @[server] [domain] [TYPE]
Server: DNS server that you want to query
Domain: domain you are looking for
TYPE: DNS record type (same as shown in NSlookup)
example: dig [domain] MX or dig @1.1.1.1 [domain] MX
FFUF
ffuf – Fuzz Faster U Fool (github page)
basic command: ffuf -w /path/to/wordlist -u https://target/FUZZ
Username enumeration:
$ ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://{IP}/username/input_page -mr "username already exists"
-w: wordlist; several wordlists can be given, each labelled by appending :W1, :W2, :W3 to its path (then use W1, W2 in place of FUZZ)
-X: request method
-d: data we are sending (the POST body)
-H: add a header to the request
-u: URL the request is sent to
-mr: regex the response must match for the result to be kept (here, the error text that confirms the username exists)
Google Dorking
Googledorks
Cheatsheet from GitHub
site:[URL] – search a single URL
numrange:[#]-[#] – search a number range
date:[ #] – search within past [x] months
link:[URL] – find pages that link to [URL]
inurl:[string] – find pages with string in url
intext:[string] – find pages with the string in the page body text
related:[URL] – find pages related to url
filetype:[xls] – find files that are xls (can use most file types)
intitle:[admin] – will return results with admin in title
DNSDumpster – this is a resource. I consider it a tool even though it is not invoked through use of CLI.
