
GSEC1 Cheat Sheet (DRAFT) by

TCPdump and other stuff

This is a draft cheat sheet. It is a work in progress and is not finished yet.


aircrack-ng : The primary cracking tool
aireplay-ng : Tool for injecting and replaying wireless frames
airmon-ng : Tool to enable and disable wireless interface monitoring
airodump-ng : Tool to capture wireless frames
identify wireless cards
airmon-ng start wlan0
start wlan0 in monitor mode
airodump-ng wlan0mon
list the available wireless networks and clients
aircrack-ng SEC401_WEP.cap
crack the WEP key from the pcap
aircrack-ng -w all SEC401_WPA2PSK.pcap
crack WPA2-PSK with the dictionary named "all"


hashcat --help | grep "Attack Modes" -A9
show the attack modes (-a values)
shadow file
hash prefix: $1$ is MD5, $5$ is SHA-256, $6$ is SHA-512
hashcat --help | grep "MD5 (Unix)"
hashcat -m 500 -a 0 -o cracked.txt shadow /usr/share/wordlists/sqlmap.txt
-m 500 is MD5 (Unix), -a 0 is straight (dictionary) attack mode
cracked hashes are stored in hashcat.potfile
echo -e '$$\n$#\n$@\n$!\n' > sec401-rules
create a custom rules file; each line appends one character ($, #, @, !) to every candidate
hashcat -m 500 -r sec401-rules -a 0 -o cracked.txt shadow /usr/share/wordlists/sqlmap.txt
dictionary attack with the rules file
python bitcoin2j btc_wallet.dat > btc_hash.txt
get SHA-256 hash from btc wallet
hashcat --help | grep Bitcoin
-m 11300 bitcoin/litecoin wallet
hashcat -m 11300 -a 0 -o cracked.txt btc_hash.txt /usr/share/wordlists/sqlmap.txt
cat cracked.txt | grep bitcoin
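Before pointing hashcat at a shadow file it helps to know which $id$ schemes are present and how many accounts are actually crackable (locked accounts carry * or ! in the hash field). The following Python is an added example, not from the cheat sheet or the course material, that parses constructed shadow lines, maps the prefixes listed above to their hashcat -m modes (500 is on the page; 7400 and 1800 are hashcat's sha256crypt and sha512crypt modes), and groups accounts for an audit. The account names, salts and hash strings are made up and only need to be structurally right.

```python
import re

# Constructed sample shadow lines (no real accounts); hashes are fabricated.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$Qx9dLc2P$Ab.fakehashfakehashfakehashfakehash:19500:0:99999:7:::
alice:$5$saltsalt$FakeSha256CryptHashValueXXXXXXXXXXXXXXXXXXXXX:19500:0:99999:7:::
bob:$1$deadbeef$FakeMd5CryptHashXXXXXX:19500:0:99999:7:::
carol:$y$j9T$abc$FakeYescryptHash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
svc:!!:19500:0:99999:7:::
"""

# $id$ prefixes as given on the cheat sheet, with the hashcat -m number for each
# (500 is on the page; 7400 and 1800 are hashcat's sha256crypt/sha512crypt modes).
HASH_TYPES = {
    "1": ("MD5 (Unix)", 500),
    "5": ("SHA-256 (Unix)", 7400),
    "6": ("SHA-512 (Unix)", 1800),
}

# $id$[rounds=N$]salt$digest -- the classic crypt(3) layout the page's three
# prefixes use. Schemes with extra '$'-separated parameters (e.g. $y$) do not
# match and are reported as unknown rather than mis-parsed.
CRYPT_RE = re.compile(r"\$(\w+)\$(?:rounds=(\d+)\$)?([^$]+)\$([^$:]+)")

def parse_shadow_line(line):
    """Return a dict describing one /etc/shadow entry."""
    user, secret = line.split(":", 2)[:2]
    if secret in ("", "*") or secret.startswith("!"):
        return {"user": user, "algorithm": None, "locked": True}
    m = CRYPT_RE.fullmatch(secret)
    if not m:
        return {"user": user, "algorithm": "unknown", "hashcat_mode": None, "locked": False}
    hid, rounds, salt, digest = m.groups()
    name, mode = HASH_TYPES.get(hid, ("unknown $%s$ scheme" % hid, None))
    return {
        "user": user, "algorithm": name, "hashcat_mode": mode,
        "rounds": int(rounds) if rounds else None,
        "salt": salt, "digest": digest, "locked": False,
        # md5crypt is far cheaper to brute-force than sha512crypt: flag it first.
        "weak": hid == "1",
    }

def audit(shadow_text):
    """Group crackable (unlocked, recognised) accounts by hashcat mode."""
    by_mode = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["locked"] or rec.get("hashcat_mode") is None:
            continue
        by_mode.setdefault(rec["hashcat_mode"], []).append(rec["user"])
    return by_mode

if __name__ == "__main__":
    for mode, users in sorted(audit(SAMPLE_SHADOW).items()):
        print("hashcat -m %d -> %s" % (mode, ", ".join(users)))
```

The output tells you which -m value to use for each group; running one mode per group is faster than guessing, and the weak flag points at the md5crypt accounts that should be re-hashed first.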


sudo tail snort.conf
last lines of the file (tail shows 10 by default; use -n 15 for 15)
alert: The action to take when a match is found
icmp: The protocol to match on
$EXTERNAL_NET any ->: A variable representing any external network such as the Internet, and any source port
$HOME_NET any: A variable representing a trusted internal network, and any destination port
(msg:"COMMUNITY ICMP Linux DoS sctp Exploit";: The message to include in the alert
icode:2; itype:3;: The ICMP type and code on which to match
content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|";: The hexadecimal content in the packet payload on which to match
reference:nessus,19777;: A reference to the corresponding Nessus plugin
classtype:attempted-user;: The vulnerability class type
sid:100000164; rev:2;): The unique Snort signature ID and revision number
snort -c /etc/snort/snort.conf -i eth0 -A full
-c is the config file, -A full is full alerting
output files: alert and snort.log
dumps contents of file in hex
snort -c /etc/snort/snort.conf -r /home/sec401/labs/401.4/snort/snort.pcap -A full
run against a PCAP

Process Hacker

In a process's properties, the Modules tab lists loaded DLLs; right-click one to send it to VirusTotal (VT)
Token tab shows the security access token (SAT)
Memory tab

Powershell scripting

list of running processes
Get-Process -Name lsass | Format-List *
$PaintApp = Get-Process -Name mspaint
store the process object in a variable
Kill paint app
Get-Process | Select-Object Name,Id,Path | Export-Csv -Path ProcList.csv
Save the Name, Id, and Path properties of all running processes to a comma-delimited text file.
ise .\ProcList.csv
Get-Process | Select-Object Name,Id,Path | Out-GridView
output in a graphical grid window
clear clutter
display background service
Get-Service | Select-Object DisplayName,Status | ConvertTo-Html | Out-File -FilePath Services.html
save the list of services to an HTML file
dir .\Services.html | Format-List *
dir | Sort-Object CreationTime | Select-Object CreationTime,FullName
sort the listed files by the date and time they were created
Copy-Item -Path .\Services.html -Destination .\Copied.html
dir *.html
Get-FileHash -Algorithm SHA256 -Path *.html
file hash of all HTML files in the current directory
Get-Content -Path .\Copied.html
view the contents of a file
Get-WmiObject -Query "SELECT * FROM Win32_BIOS" -ComputerName LocalHost
Query BIOS information (-ComputerName can target a remote computer)
Get-WinEvent -ListLog * | Select-Object LogName
see the names of all local event logs
Get-WinEvent -LogName System -MaxEvents 10 | Select-Object TimeCreated,Id,Message
get the last 10 events from the System log: time, ID and message
Get-WinEvent -LogName System -MaxEvents 10 -ComputerName LocalHost | Select-Object TimeCreated,Id,Message | Export-Csv -Path LogData.csv
export to a CSV file
Get-Help -Full Get-WinEvent


capture the first 3 FTP packets
tcpdump -i eth0 port 21 -c 3
-X display hex and ASCII, first 4 packets
tcpdump -X -i eth0 port 21 -c 4
-A print ASCII, FTP, from a specified source
tcpdump -A -i eth0 port 21 and src 10.10.10.20
listen on loopback on TCP port 333
tcpdump -i lo tcp port 333


AppIDSvc (Application Identity)
the service AppLocker depends on
Local Security Policy -> Application Control Policies -> AppLocker
Publisher condition: for digitally signed apps. More secure than the Path condition and relatively easy to maintain
Path condition: conceptually simplistic. With this method you set up allowlists and blocklists based on an application's location on the file system
File Hash condition: seen as a more secure option than Path, and usable when the file is not or cannot be digitally signed.
Create and define rules that apply to security groups and even a single user. Rules can be applied to Windows binaries, DLLs, installers, and various script files, such as .ps1, .cmd, and .js.

Malware analysis

strings -n 14 trojan1 | more
print strings 14 characters or longer
python -c 'print("A" * 100)' > bof
python -c 'print("A" * 1000)' > bof


hping3 --help | more
-c: The count option enables you to specify the number of packets to send.
-i: The interval option enables you to specify the time between sending each packet.
hping3 --help | grep Mode -A7
hping3 --help | grep "\-\-spoof" -A7 -B1
hping3 --help | grep "\-\-base" -A15 -B1
-a: This option enables you to spoof the source IP address.
-t: This option enables you to set the TTL to any wanted value.
-N: This option enables you to set the IP ID to any wanted value.
-f: This option enables you to force fragmentation of a packet.
-s: Set the source port number, which is usually a random ephemeral port.
-p: Set the destination port number.
-w: Set the window size.
-b: Try sending a packet with a bad checksum.
hping3 -S 10.10.10.10 -p 21 -c 1
send one SYN packet (-c 1) to TCP port 21
hping3 -S 10.10.10.10 -a 10.11.12.13 -p 21 -c 1
the same, with a spoofed source IP address


secedit.exe /analyze
review the command-line switches
secedit.exe /analyze /db temp.sdb /cfg SecurityTemplate.inf /log log.txt
compare the local computer's settings against the template; results go to log.txt
look for "Mismatch" in the output
secedit.exe /configure
review the command-line switches
secedit.exe /configure /db temp.sdb /cfg SecurityTemplate.inf
reconfigure the computer by applying the security template
Get-Content .\out.txt | Select-String -Pattern "Mismatch"
Get-Help -Full Get-Content
Get-Help -Full Select-String
Start-Process PowerShell.exe


gpa &
open GNU Privacy Assistant
eom sans-logo.png
eom is an image viewer


-i Specify from which network interface you would like tcpdump to sniff.
-s Number of bytes ("snaplen") to capture per packet. Default is 262,144 bytes.
-c Number of packets to capture before stopping.
-n Don't resolve hostnames or well-known port numbers to their service.
-X Show packet contents in hexadecimal and ASCII.
-XX Show packet contents in hexadecimal and ASCII, as well as the Ethernet header.
-e Display Ethernet header data.


nmap --help | more
nmap --help | grep "HOST DISCOVERY" -A10
10 lines after host discovery
nmap --help | grep "SCAN TECHNIQUES" -A8
8 lines after scan techniques
-sS performs a SYN or stealth scan of each designated port and does not send the final ACK of the 3-way handshake. This is to try to avoid having the connection attempt logged, because some older systems do not log the attempt until the 3-way handshake completes.
-sT attempts a TCP connect scan of each designated port and completes the 3-way handshake to see whether the port is open.
-sA performs an ACK scan of each designated port. This means that it does not first send a SYN packet as expected, and sends a packet with only the ACK flag set. The idea is to pass through some filters that wrongly assume a packet with the ACK flag set must belong to an active, permitted TCP session. If a system receives an unsolicited packet with the ACK flag set, it responds with the RST flag. This does not indicate that a particular port is open, but it does indicate that the IP address is active on the network, similar to a ping.
-sW also performs an ACK scan but additionally interrogates the TCP window size, because some systems set the window size to 0 if the port is closed.
-sM performs a Maimon scan, named after its author Uriel Maimon. This technique modifies the TCP flags in a way that proved useful in identifying some BSD-derived operating systems.
-sU tells Nmap to scan UDP ports instead of TCP ports. Other scans, such as "Null", "FIN", and "Xmas", each use different combinations of the TCP flags to try to elicit a response. We will not cover every one of the commands because there are far too many, and they are all well documented in the Nmap documentation.
The --reason option is useful because it reports how Nmap determined the state of the port. The --packet-trace option shows all packets sent and received.
-oA prints the output to the file you specify in normal, XML, and grepable formats.
-oG prints the output to the file you specify in grepable format.
-oS prints the output to the file you specify in "script kiddie" format, which is mostly for fun.
-oX prints the output to the file you specify in XML format.
-oN prints the output to the file you specify, exactly as it is displayed on the screen.
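The -sS and -sT descriptions above say what each scan looks like on the wire: bare SYNs to many ports, then either a RST (half-open) or a final ACK (connect) on the ports that answered SYN/ACK. The following Python is an added example, not part of the cheat sheet or of Nmap, that reads tcpdump -n style lines and flags sources that probed several ports, classifying each as half-open or connect by whether the handshake was completed. The capture lines are constructed for this example; the hosts 10.10.10.20/.30/.40 and the min_ports threshold are assumptions, and the regex expects numeric ports, i.e. tcpdump run with -n.

```python
import re
from collections import defaultdict

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -n line.
TCP_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

# Constructed tcpdump -n output (not a real capture). 10.10.10.20 half-open
# scans five ports on 10.10.10.10 and resets the two that answer SYN/ACK;
# 10.10.10.30 probes four ports but finishes the handshake (connect scan);
# 10.10.10.40 just opens one ordinary HTTP connection.
SAMPLE = """\
10:00:00.000001 IP 10.10.10.20.54001 > 10.10.10.10.21: Flags [S], seq 0, win 1024, length 0
10:00:00.000002 IP 10.10.10.10.21 > 10.10.10.20.54001: Flags [S.], seq 0, ack 1, win 64240, length 0
10:00:00.000003 IP 10.10.10.20.54001 > 10.10.10.10.21: Flags [R], seq 1, win 0, length 0
10:00:00.000004 IP 10.10.10.20.54001 > 10.10.10.10.22: Flags [S], seq 0, win 1024, length 0
10:00:00.000005 IP 10.10.10.10.22 > 10.10.10.20.54001: Flags [R.], seq 0, ack 1, win 0, length 0
10:00:00.000006 IP 10.10.10.20.54001 > 10.10.10.10.23: Flags [S], seq 0, win 1024, length 0
10:00:00.000007 IP 10.10.10.10.23 > 10.10.10.20.54001: Flags [R.], seq 0, ack 1, win 0, length 0
10:00:00.000008 IP 10.10.10.20.54001 > 10.10.10.10.25: Flags [S], seq 0, win 1024, length 0
10:00:00.000009 IP 10.10.10.10.25 > 10.10.10.20.54001: Flags [R.], seq 0, ack 1, win 0, length 0
10:00:00.000010 IP 10.10.10.20.54001 > 10.10.10.10.80: Flags [S], seq 0, win 1024, length 0
10:00:00.000011 IP 10.10.10.10.80 > 10.10.10.20.54001: Flags [S.], seq 0, ack 1, win 64240, length 0
10:00:00.000012 IP 10.10.10.20.54001 > 10.10.10.10.80: Flags [R], seq 1, win 0, length 0
10:00:01.000001 IP 10.10.10.30.40001 > 10.10.10.10.21: Flags [S], seq 0, win 29200, length 0
10:00:01.000002 IP 10.10.10.10.21 > 10.10.10.30.40001: Flags [S.], seq 0, ack 1, win 64240, length 0
10:00:01.000003 IP 10.10.10.30.40001 > 10.10.10.10.21: Flags [.], ack 1, win 29200, length 0
10:00:01.000004 IP 10.10.10.30.40002 > 10.10.10.10.22: Flags [S], seq 0, win 29200, length 0
10:00:01.000005 IP 10.10.10.10.22 > 10.10.10.30.40002: Flags [R.], seq 0, ack 1, win 0, length 0
10:00:01.000006 IP 10.10.10.30.40003 > 10.10.10.10.80: Flags [S], seq 0, win 29200, length 0
10:00:01.000007 IP 10.10.10.10.80 > 10.10.10.30.40003: Flags [S.], seq 0, ack 1, win 64240, length 0
10:00:01.000008 IP 10.10.10.30.40003 > 10.10.10.10.80: Flags [.], ack 1, win 29200, length 0
10:00:01.000009 IP 10.10.10.30.40004 > 10.10.10.10.443: Flags [S], seq 0, win 29200, length 0
10:00:01.000010 IP 10.10.10.10.443 > 10.10.10.30.40004: Flags [R.], seq 0, ack 1, win 0, length 0
10:00:02.000001 IP 10.10.10.40.50001 > 10.10.10.10.80: Flags [S], seq 0, win 29200, length 0
10:00:02.000002 IP 10.10.10.10.80 > 10.10.10.40.50001: Flags [S.], seq 0, ack 1, win 64240, length 0
10:00:02.000003 IP 10.10.10.40.50001 > 10.10.10.10.80: Flags [.], ack 1, win 29200, length 0
"""

def parse_tcp(text):
    """Yield (src, sport, dst, dport, flags) for every TCP line tcpdump printed."""
    for line in text.splitlines():
        m = TCP_LINE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def detect_scans(text, min_ports=4):
    """Flag sources that sent bare SYNs to min_ports or more distinct ports and
    report whether they completed the handshake on the ports that answered SYN/ACK."""
    probed = defaultdict(set)     # src -> {(dst, dport)} that received a bare SYN
    offered = defaultdict(set)    # src -> {(dst, dport)} that replied with SYN/ACK
    completed = defaultdict(set)  # src -> {(dst, dport)} where src then sent a bare ACK
    for src, sport, dst, dport, flags in parse_tcp(text):
        if flags == "S":
            probed[src].add((dst, dport))
        elif flags == "S." and (src, sport) in probed.get(dst, ()):
            offered[dst].add((src, sport))        # dst is the scanner here
        elif flags == "." and (dst, dport) in offered.get(src, ()):
            completed[src].add((dst, dport))
    findings = {}
    for src, targets in probed.items():
        if len(targets) < min_ports:
            continue
        if not offered[src]:
            kind = "SYN probes, nothing answered (closed or filtered)"
        elif completed[src] >= offered[src]:
            kind = "connect scan (-sT style: handshake completed)"
        else:
            kind = "half-open SYN scan (-sS style: SYN/ACK answered with RST, no final ACK)"
        findings[src] = {"ports": sorted(p for _, p in targets), "kind": kind}
    return findings

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE).items():
        print(src, info["ports"], info["kind"])
```

The distinction matters for the log-evasion point made under -sS: a connect scan (-sT) leaves an accepted connection in the target's application logs, while the half-open variant only shows up on the wire or in a sensor like Snort, so a detection that relies on host logs alone misses it.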
nmap --help | grep "PORT SPECIFICATION" -A7
nmap --help | grep "OUTPUT" -A8
nmap --help | grep "TIMING AND PERF" -A12
--max-rate : This option tells Nmap to send packets no faster than the number specified per second.
-T: This option enables you to choose a value between 0 and 5, each performing the scan at a different speed; the lower the number, the slower the scan.
--min-rate : This option tells Nmap to send packets no slower than the number specified per second.
--max-retries: This option tells Nmap how many times to retransmit probe attempts to a system.
--host-timeout: This option tells Nmap how quickly to give up on a host.
nmap -sT --reason 10.10.10.10 -oN scan1.txt
nmap -sU 10.10.10.10 -p69,161 -oN scan2.txt
UDP scan
nmap -n --packet-trace -sS 10.10.10.10 -p80
nmap -n -sT -O 10.10.10.10 -p21,80
OS detection (-O)
nmap -n -sT -A 10.10.10.10 -p21,80
ls /usr/share/nmap/scripts/p*
scripting engine path
nmap -sU -p161 --script snmp-brute 10.10.10.10 --script-args snmp-brute.communitiesdb=community.lst
snmpcheck -t 10.10.10.10 -c publ1c | grep "User accounts" -A12