GSEC1 Cheat Sheet (DRAFT) by datgrlnj2

airepl­ay-ng : Tool for injecting and replaying wireless frames

airodu­mp-ng : Tool to capture wireless frames

airmon-ng start wlan0

start in monitor mode

aircra­ck-ng SEC401­_WE­P.cap

Crack pcap with WEP

shadow file

$1 for MD5, $5 SHA-256, $6 for SHA-512

hashcat -m 500 -a 0 -o cracke­d.txt shadow /usr/s­har­e/w­ord­lis­ts/­sql­map.txt

-m 500 MD5 unix, -a 0 straight

echo -e '$$\n$­#\n­$@­\n$!\n' > sec401­-rules

create custom rules file appending $, #, @, !

python bitcoi­n2j­ohn.py btc_wa­lle­t.dat > btc_ha­sh.txt

get SHA-256 hash from btc wallet

hashcat -m 11300 -a 0 -o cracke­d.txt btc_ha­sh.txt /usr/s­har­e/w­ord­lis­ts/­sql­map.txt

alert: The action to take when a match is found

$EXTER­NAL_NET any ->: A variable repres­enting any external network such as the Internet and any source port

(msg: "­COM­MUNITY ICMP Linux DoS sctp Exploi­t": The message to include in the alert

conten­t:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|";: The hexade­cimal content included in the packet payload on which to perform a match

classt­ype­:at­tem­pte­d-u­ser;: The vulner­ability class type

snort -c /etc/s­nor­t/s­nor­t.conf -i eth0 -A full

-c is config file, -A alerting full

xxd

dumps contents of file in hex

Token tab see the SAT (Security access token)

Get-Pr­ocess -Name lsass | Format­-List *

$Paint­App.Kill()

Kill paint app

ise .\Proc­Lis­t.csv

cls

clear clutter

Clear-­Dns­Cli­ent­Cache

dir .\Serv­ice­s.html | Format­-List *

Copy-Item -Path .\Serv­ice­s.html -Desti­nation .\Copi­ed.html

dir *.html

Get-Co­ntent -Path .\Copi­ed.html

view contents of a file

Get-Wm­iObject -Query "­SELECT * FROM Win32_­BIO­S" -Compu­terName LocalHost

Query BIOS inform­ation from a remote computer

Get-Wi­nEvent -LogName System -MaxEvents 10 | Select­-Object TimeCr­eat­ed,­Id,­Message

get last 10 events from System log, time, ID and message

Get-Help -Full Get-Wi­nEvent

-X display hex and ASCII first 4 packets

tcpdump -X -i eth0 port 21 -c 4

listen on loopback on port 333

tcpdump -i lo tcp port 333

secpol.msc

local security policy­-> Applic­ation Control Policies -> AppLocker

Path

The Path condition is concep­tually simpli­stic. With this method you set up allowlists and blocklists based on an applic­ation's location on the file system

Applocker

create and define rules that apply to security groups and even a single user. Rules can be applied to Windows binaries, DLLs, instal­lers, and various script files, such as .ps1, .cmd, and .js.

python -c 'print­("A" *100)' > bof

python -c 'print­("A" * 1000)' > bof

-c: The count option enables you to specify the number of packets to send.

hping3 --help | grep Mode -A7

-a: This option enables you to spoof the source IP address, which you will do soon.

-N: This option enables you to set the IP ID to any wanted value.

-s: Set the source port number, which is usually a random ephemeral port.

-w: Set the window size.

hping3 -S 10.10.1­0.10 -p 21 -c 1

SYN packet to TCP port 21 -c 1 packet

secedi­t.exe /analyze /db temp.sdb /cfg Securi­tyT­emp­lat­e.inf /log log.txt

compare log settings from template to local computer

secedi­t.exe /configure

review cmd line switches

Get-Co­ntent .\out.txt | Select­-String -Pattern "­Mis­mat­ch"

Start-­Process PowerS­hel­l.exe

eom sans-l­ogo.png

eom is image viewer

-s Number of bytes "­sna­ple­n" to capture per packet. Default is 262,144 bytes.

-n Don't resolve hostnames or well-known port numbers to their service.

-XX Show packet contents in hexade­cimal and ASCII, as well as the Ethernet header.

nmap --help | grep "HOST DISCOV­ERY­" -A10

10 lines after host discovery

-sS performs a SYN or Stealth scan to each port designated and does not send the final ACK in the 3-way handshake. This is to try to avoid having the connection attempt logged because some older systems do not log the attempt until the 3-way handshake completes.

The --reason option is useful because it specifies how it determined the state of the port. The --pack­et-­trace option shows all packets sent and received.

-sA performs an ACK scan to each port design­ated. This means that it does not first send a SYN packet as expected and sends a packet only with the ACK flag set. The idea is to try and pass through some filters, wrongly making the assumption that if the ACK flag is set, that it must be from an active TCP session that is permitted. If a system receives an unsoli­cited packet with the ACK flag set, it will respond back with the RST flag. This does not indicate that a particular port is open, but does indicate that the IP address is active on the network, similar to a ping command.

-oG prints the output to the file you specify in grepable format.

-sM performs a Maimon scan and is named after the author Uriel Maimon. This scan technique modifies the TCP flags that proved useful in identi­fying some BSD-de­rived operating systems.

-oX prints the output to the file you specify in XML format.

nmap --help | grep "PORT SPECIF­ICA­TIO­N" -A7

nmap --help | grep "­OUT­PUT­" -A8

-T: This option enables you to choose a value between 0 and 5, each performing the scan at different speeds­---the lower the number, the slower the scan is performed.

--min-rate : This option tells Nmap to send packets no slower than the number specified per second.

nmap -sT --reason 10.10.1­0.10 -oN scan1.txt

nmap -n --pack­et-­trace -sS 10.10.1­0.10 -p80

nmap -n -sT -A 10.10.1­0.10 -p21,80

nmap -sU -p161 --script snmp-brute 10.10.1­0.10 --scri­pt-args snmp-b­rut­e.c­omm­uni­tie­sdb­=co­mmu­nit­y.lst