20/12/2023
## [NMAP hints] ##

https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Rebuild the NSE script index after adding/editing scripts in the nmap scripts dir (this does NOT download new scripts)
nmap --script-updatedb

nmap -sC -sV # service/version detection plus the "default" script set (safe-ish, but not silent)
nmap -Pn -sV --script vuln # VA type scan: runs every script in the "vuln" category (noisy, some are intrusive)
nmap -A # aggressive: -sV, -sC, OS detection (-O) and traceroute in one go

https://github.com/ernw/nmap-parse-output
https://github.com/laconicwolf/Nmap-Scan-to-CSV

Install vulners from Github (https://github.com/vulnersCom/nmap-vulners - recent nmap releases already ship it as vulners.nse; it queries the vulners.com API using the -sV banners, so -sV is mandatory)
nmap -Pn -sV --script vulners x.x.x.x

Install Vulscan from Github
git clone https://github.com/scipag/vulscan

Run against the local CVE database - the cve.csv shipped in the repo is very old now, refresh the csv files from the repo before trusting the output. vulscandb names a file inside the vulscan dir (note the script path is vulscan/, not vulnscan/)
nmap -Pn -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv x.x.x.x

Passive scan using Shodan (no packets go to the target - -sn -Pn -n stops nmap probing; needs a Shodan API key)
nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=<API_KEY> <target>

Brute force ssh using the nselib/data .lst files (edit to add more names/passwords). All script args go in ONE comma separated --script-args - the original had two and only the last one is honoured, so the userdb/passdb were silently dropped
nmap -p 22 -Pn --script ssh-brute --script-args userdb=usernames.lst,passdb=passwords.lst,ssh-brute.timeout=4s <X.X.X.X>

Wordpress (plugins/themes/users)
nmap --script http-wordpress-enum x.x.x.x -p 80,443

Ping scan discovery, list live IPs (the gsub strips the brackets nmap puts round the IP when it resolves a hostname)
nmap -sn 192.168.0.0/16 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'

Firewall/ACL probing - ACK scan from source port 25 with fragmented packets, so a sloppy rule set lets it through (-P0 is the old spelling of -Pn)
nmap -sA -Pn -g 25 -f -n -oN output.txt fw_ip
-r don't randomise the port order
try -sA (stateless/ACL FW: "unfiltered" means the ACL let the ACK through) or -sT (stateful FW) and -vv for verbose o/p
-n don't reverse dns

Use the o/p from a -sV scan saved as XML (-oX) and run it through searchsploit (exploitDB) to match banners to known exploits (banner matches only - verify before trusting)
searchsploit --nmap ./nmap-scan.xml

https://github.com/offensive-security/exploitdb
/opt/exploit-database/searchsploit openssh local (search the local ExploitDB copy, here for OpenSSH local exploits; -x <EDB-ID or path> opens one to read)
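Added example (not part of the original notes, and not from the nmap project): the XML parsers listed above need extra tooling, but nmap's greppable output (-oG) can be turned into host,port,proto,state,service,version CSV with awk alone, which is handy for feeding other tools. The scan lines below are constructed for this example; the function name gnmap_to_csv and the default-to-open behaviour are my choices, not an nmap convention.

```shell
#!/usr/bin/env bash
# Added example: nmap -oG (greppable) output -> CSV of host,port,proto,state,service,version.
# The sample scan lines are constructed for this example, not real scan output.
set -eu

SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
TAB="$(printf '\t')"   # -oG separates Host / Ports / Ignored State with tabs
{
  printf '%s\n' '# Nmap 7.94 scan initiated Wed Dec 20 10:00:00 2023 as: nmap -sV -oG scan.gnmap 192.0.2.0/28'
  printf '%s\n' "Host: 192.0.2.10 (web01.example.test)${TAB}Status: Up"
  printf '%s\n' "Host: 192.0.2.10 (web01.example.test)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/${TAB}Ignored State: closed (997)"
  printf '%s\n' "Host: 192.0.2.11 ()${TAB}Ports: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, 3389/filtered/tcp//ms-wbt-server///${TAB}Ignored State: closed (998)"
  printf '%s\n' '# Nmap done at Wed Dec 20 10:00:30 2023 -- 16 IP addresses (2 hosts up) scanned in 30.12 seconds'
} > "$SAMPLE"

# gnmap_to_csv FILE [STATE]  - STATE defaults to "open"; "any" keeps every port entry
gnmap_to_csv() {
  awk -F'\t' -v want="${2:-open}" '
    /^Host:/ && /Ports: / {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)    # drop "Host: " and "(hostname)"
      ports = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^Ports: /) { ports = $i; sub(/^Ports: /, "", ports) }
      n = split(ports, p, /, /)                                 # one entry per port
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")   # port/state/proto/owner/service/rpc/version/
        if (want != "any" && f[2] != want) continue
        gsub(/\|/, "/", f[5]); gsub(/\|/, "/", f[7])           # -oG writes "/" inside names as "|"
        gsub(/,/, ";", f[7])                                    # keep the CSV well formed
        print ip "," f[1] "," f[3] "," f[2] "," f[5] "," f[7]
      }
    }' "$1"
}

printf 'host,port,proto,state,service,version\n'
gnmap_to_csv "$SAMPLE"
```

Run it as `gnmap_to_csv scan.gnmap` for the open ports, `gnmap_to_csv scan.gnmap any` for everything nmap saw (filtered ports included), then pipe the CSV into the sort/awk one-liners further down this page.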


## [Get SSL CERT] ##

echo | openssl s_client -connect www.google.co.uk:443 -showcerts > outfile.txt
(the echo closes stdin so s_client exits instead of hanging; add -servername <host> when the server needs SNI to pick the right cert)
or
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dates

Nmap Get Cert dates
nmap -p 443 --script ssl-cert <ip>

scan for TLS/SSL protocol versions and cipher suites with nmap (grades each suite, flags weak ones)
nmap -sV --script ssl-enum-ciphers -p 443 <ip>
or
nmap -Pn --script ssl-enum-ciphers x.x.x.x -p 443

Get sub-domains from certificate transparency logs via crt.sh (run by Sectigo, not Google)
nmap -Pn -sn --script hostmap-crtsh fqdn

Check HTTP headers/options (it is -Pn with a capital P: -pn would be read as a port spec)
nmap -Pn -p 443 --script http-security-headers x.x.x.x
nmap -Pn -p 443 --script http-headers x.x.x.x
nmap -Pn -p 443 --script http-cookie-flags x.x.x.x
curl -I https://www.ip.addr.here
curl -X OPTIONS -i https://www.ip.addr.here

Look for VHosts (NB the shodan-api script returns hostnames/vhosts as well)
nmap --script http-vhosts --script-args http-vhosts.collapse=200 -p80,443 x.x.x.x
http-vhosts collapses the output once more than N names come back with the same status code (default 20). Run it without --script-args first; if it only says "N names had status 200" add the collapse arg back with a higher value to list each name.

## Format Nmap output ##

xsltproc nmap-out.xml -o nmap-out.html

#Convert XML scan to CSV only lists main details but good Service/port overview.
# git clone the Nmap-Scan-to-CSV
python3 ../Nmap-Scan-to-CSV/nmap_xml_parser.py -f ./nmap-results.xml -csv nmap-results.csv

# Parse XML output and list ports/services/groups etc, etc
# git clone nmap-parse-output
./nmap-parse-output/nmap-parse-output ./ppte-sites.xml service http

#Get Domain (PTR record) from IP
dig -x ip_address +short
dig -x ip_address +noall +answer

#Find who holds the DNS records (authoritative name servers)
dig domain.tld NS

#Get the A record, or everything
dig domain.tld A
dig domain.tld ANY (many resolvers now answer ANY with a minimal reply - RFC 8482 - so ask for record types one at a time)

# or use host or nslookup

## [NetCat] ##

NC proxy
mkfifo 2way
ncat -l 8080 0<2way | ncat target.ip.addr.here 80 1>2way

keep nc listening after the first client disconnects (-k is ncat / OpenBSD nc)
nc -l 80 -k

Simple nc scan
nc -v -z -w 2 target.ip.addr port

Simple Proxy with Socat
Socat proxy - Listen 55600/tcp localhost forward to google:80
socat TCP-LISTEN:55600,fork TCP:www.google.co.uk:80

#############################################################################
##################### SHELL SCRIPT ONE LINERS ###############################
#############################################################################

[Shell script checker]
This is a great site that checks the syntax etc of a shell script.
https://www.shellcheck.net
http://mywiki.wooledge.org/FullBashGuide


## [Search for strings from a list file] ##

Simple version (-F fixed strings, -i ignore case, -w whole words, -f read the patterns from file_1),
grep -Fiwf file_1 file_2

or try - (word splitting breaks this for list entries that contain spaces)

for aa in $(cat ./list_file)
do
       grep -i "${aa}" Data_file
done

OR BETTER VERSION FOR GETTING "string1 string2" (each whole line is one search term)
while read -r line
do
       grep -i "$line" ./Other_file
       #or ping -c 1 "${line}" >>output_file
done < ./list_file

AWK Version (appears to work well)
awk 'NR==FNR{arr[$0];next} $0 in arr' file1 file2


Grep exact string from any location in lines of Text (using Grep Perl func)
good for getting patch numbers etc from a dump
grep -oP 'string.*' in_file

or get matching count
grep -o -f pattern_file log_file | sort | uniq -c


## [Check DUPs] ##

To list the strings that are common to both files (comm needs BOTH files sorted the same way - sort -u them first or it silently gives wrong answers)
comm -12 x1 x2
or
grep -Fxf x2 x1 (-F fixed strings, -x whole line match so "10.1.1.1" does not match "10.1.1.10"; with --color the common items show in RED)

To get just a count of strings that are common over both files
comm -12 x1 x2 | wc -l
or
grep -Fxf x2 x1 | wc -l
grep -cFxf x2 x1

To list new strings that have appeared in x2 but were not in the previous dump x1
comm -13 x1 x2
grep -Fxvf x1 x2
(the other way round - strings in x1 that have gone from x2 - is comm -23 x1 x2 or grep -Fxvf x2 x1)

Sort csv file by column (first) and uniq
sort -t "," -k 1,1 -u file_name
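Added example (not part of the original notes): the comm/grep dup checks above applied to two port-scan dumps, with the sort step comm depends on done inside the functions so it cannot be forgotten. Both dumps are constructed for this example (one ip:port/proto per line, unsorted, with a duplicate line in the old one); the function names are mine.

```shell
#!/bin/sh
# Added example: diff two scan dumps with comm (sorted input required) and the grep -Fx equivalent.
# OLD/NEW contents are constructed sample data for this example.
set -eu
export LC_ALL=C        # sort and comm must agree on collation

OLD="$(mktemp)"; NEW="$(mktemp)"; TMPA="$(mktemp)"; TMPB="$(mktemp)"
trap 'rm -f "$OLD" "$NEW" "$TMPA" "$TMPB"' EXIT
printf '%s\n' 192.0.2.10:22/tcp 192.0.2.10:80/tcp 192.0.2.11:445/tcp 192.0.2.11:445/tcp 192.0.2.12:3389/tcp > "$OLD"
printf '%s\n' 192.0.2.10:80/tcp 192.0.2.10:22/tcp 192.0.2.11:445/tcp 192.0.2.13:8080/tcp 192.0.2.12:3389/tcp 192.0.2.12:5985/tcp > "$NEW"

# _cmp FLAGS OLD NEW - sort -u both sides (drops dups too), then comm with the given column flags
_cmp() {
  sort -u "$2" > "$TMPA"
  sort -u "$3" > "$TMPB"
  comm "$1" "$TMPA" "$TMPB"
}
in_both()     { _cmp -12 "$1" "$2"; }   # suppress col 1 (old only) and col 2 (new only)
only_in_old() { _cmp -23 "$1" "$2"; }   # closed / removed since the last scan
only_in_new() { _cmp -13 "$1" "$2"; }   # newly exposed since the last scan
count_common() { in_both "$1" "$2" | grep -c .; }
# grep version: -F fixed strings, -x whole line (so 10:22 cannot match 10:2222), -v invert; keeps NEW's order
only_in_new_grep() { grep -Fxvf "$1" "$2"; }

echo "new since last scan:";  only_in_new "$OLD" "$NEW"
echo "gone since last scan:"; only_in_old "$OLD" "$NEW"
echo "common: $(count_common "$OLD" "$NEW")"
```

The comm variants return sorted output; the grep variant keeps the order of the second file, which is the one to use when the dump order means something (scan order, priority).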


## [GREP] ##

Either or string
grep 'string1\|string2\|string3' <file_name>

Find string and print 2 lines before and after the string match
grep -A 2 -B 2 PATTERN file_name

Get the match and (10) chars after it note the '.' after the string
grep -oP 'CVE.{0,10}'
Get the (3) chars before the string
grep -oP '.{0,3}CVE'
or grep CVE- and the next . chars
grep -oP '(CVE-)..........' ./file_name

Get just the string with wild card - so to get CVE-2022-1234
grep -oh "\w*CVE-2022-\w*" file_name

Get Email addresses from text files (full of crap)
grep -o '[[:alnum:]+\.\_\-]*@[[:alnum:]+\.\_\-]*' file_name

Get IP address(s) from text file
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' file_name
Get IP addresses with 10 as the first octet (the {1,3} regexes also accept junk like 999.1.1.1 - validate the octets if it matters)
grep -Eo '10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
This is a fudge - but works :) (\< is GNU grep's start-of-word, so 110.x does not match)
grep '\<10\.' ./input_file

Grep text between two quotes "
grep -o '".*"' <file_name> | sed 's/"//g'

Convert file of text (column) to CSV comma separated output
cat file_name | tr '\n' ',' > out_file
same but puts a space after the comma
perl -p -e 's/\n/, /' ./file_name > out_file

Look for string in folders/files (-print0/-0 so paths with spaces survive; plain grep -r "string" . does the same job)
find . -type f -print0 | xargs -0 grep "string"
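Added example (not part of the original notes): the IP and e-mail grep one-liners above as functions run over a messy text dump, with the check the bare [0-9]{1,3} regex is missing (octets over 255 are rejected) and a private-range filter. The dump is constructed for this example; the function names and the RFC 1918 test are mine.

```shell
#!/bin/sh
# Added example: pull IPv4 and e-mail addresses out of a text dump and validate them.
# The dump below is constructed sample data for this example.
set -eu
export LC_ALL=C
DUMP="$(mktemp)"
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
Dec 20 10:01:02 fw sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2
Scanner saw 10.0.0.5, 10.0.0.5 again, 192.168.1.300 (typo) plus 999.1.1.1 and 8.8.8.8
Contacts: Alice.Smith@Example.test; bob@example.test, and a stray @ sign @ here
Reply-To: <bob@example.test>
EOF

# extract_ipv4 FILE... - candidate dotted quads (-w: whole words only), drop any octet > 255, unique + sorted
extract_ipv4() {
  grep -ohwE '[0-9]{1,3}(\.[0-9]{1,3}){3}' "$@" \
  | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
  | sort -u
}
# rfc1918_only FILE... - keep just the private ranges 10/8, 172.16/12, 192.168/16
rfc1918_only() {
  extract_ipv4 "$@" \
  | awk -F. '$1 == 10 || ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 192 && $2 == 168)'
}
# extract_emails FILE... - local@domain.tld, lower-cased and de-duplicated (a bare "@" does not match)
extract_emails() {
  grep -ohE '[[:alnum:]+._-]+@[[:alnum:]._-]+\.[[:alpha:]]{2,}' "$@" \
  | tr 'A-Z' 'a-z' | sort -u
}

echo "IPs:";     extract_ipv4 "$DUMP"
echo "private:"; rfc1918_only "$DUMP"
echo "emails:";  extract_emails "$DUMP"
```

Without the awk octet check, 192.168.1.300 and 999.1.1.1 would both have made it into the list; the -w keeps the regex from matching the tail of a longer number.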

## [AWK] ##

Convert output list from multi-line to all on one line with , (comma) separator.
assume we are piping the output via sort and uniq etc...
sort input_file | uniq | awk 'BEGIN{ORS=", "}1'

or using tr
sort input_file | uniq | tr '\n' ','

Print line numbers in File
awk '{print FNR "\t" $0}' file_name

Split each line on a literal string and print what follows it (-F takes a regex, so escape . and | if they are in the string)
awk -F"string" '{print $2}' file_name

Get line (23) from file
awk 'FNR==23 {print;exit}' file_name

Remove leading/trailing whitespace AND squeeze runs of whitespace to one space (re-assigning $1 makes awk rebuild $0 with OFS)
awk '{$1=$1}1' file_name

Remove blank lines (NF is the field count, 0 on blank/whitespace-only lines; "awk NR" would print every line since NR is never 0)
awk NF file_name
or
awk 'NF > 0' file_name

Remove leading white space on lines
awk '{sub(/^[ \t]+/, ""); print}' file_name

Get second column from space delim text, skipping the header line
awk 'NR!=1{print $2}' file_name

Get email addresses from file - The GREP versions appear to work better! (this prints any whitespace separated word containing an @)
awk '{for(i=1;i<=NF;i++) { if ($(i) ~ "@") print $i}}' <file_name>
then to get first_name,full_address as CSV (splits on the first dot of the address)
awk -F "." '{print $1 "," $0}' <file_name> > <output.csv>

Find String and print the next 5 lines
awk '/PATTERN/ {for(i=1; i<=5; i++) {getline; print}}' file_name
or (a counts down; the line with PATTERN itself is not printed)
awk 'a-- > 0 {print; next} /PATTERN/ {a=5}' file_name

Find dups in a file (first field - prints when the 2nd copy is seen)
awk 'x[$1]++ == 1 { print $1 " is duplicated"}' file_name
Lines whose first field appears exactly once (needs two passes, so the file is given twice; the one-pass "!x[$1]++" just prints the first copy of everything)
awk 'NR==FNR {c[$1]++; next} c[$1] == 1 { print $1 " is not duplicated"}' file_name file_name

List lines in file2 that do not appear in file1
awk 'FNR==NR {a[$0]++; next} !a[$0]' file1 file2

List lines that are present in old.csv and not new.csv
awk 'NR==FNR{a[$0];next} !($0 in a)' old.csv new.csv

List like DIFF command field 1 in CSV
awk -F "," 'NR==FNR{c[$1]++;next};c[$1] == 0' file_one file_two

Add figures on each line (non-numeric fields count as 0)
awk '{s=0; for (i=1; i<=NF; i++) s=s+$i; print s}'  file_name

Work with CSV file - comma as separator and output as a comma
awk 'BEGIN { FS = "," ; OFS = ","} ; {print $1,$2}' file_name

Show count for number of commas per line with line number (gsub returns how many replacements it made, so the matching char goes in the gsub)
awk 'BEGIN{print "count", "lineNum"}{print gsub(/,/,"") "\t" NR}' file_name

Show lines with un-equal number of " on them
good for spotting csv import conversion issues into Excel etc.
awk -F'"' 'NF % 2 == 0 { printf("Line %d has odd quoting: %s\n", NR, $0) }' ./file_name

Sum (count) the totals for first column
awk '{sum+=$1} END {print sum}' file_name

Count lines containing a string
awk '/string/ {count++} END {print count+0}' file_name

Working with csv using , and ; as delimiter
and output as csv (saves doing a $2",",$8)
awk -F "[,;]" -v OFS="," '{print $2,$8}' ./file_name

Print lines with a blank 5th field (csv)
awk -F, '$5 == ""' ./file_name
(awk -F, '$5' does the opposite: lines where field 5 is non-empty and not "0")

Print the 2nd to last field, csv (-F [,]) - $--NF works too but shrinks NF as a side effect
awk -F "," '{print $(NF-1)}' file_name

Grab 2nd to last field and count total if value over 7
awk -F "," '{print $(NF-1)}' ./file_name | awk '{if ($1>=7){count++;}} END {print count}'

Print lines in CSV where number in field 8 is greater or = to 8
awk -F "," '$8 >=8' ./file_name
or where the last column is >=8 (NF = number of fields; NR is the line number, which is a different thing)
awk -F, '$NF >=8' ./file_name
or where col 8 is greater 3 and less than 8 (get numbers 4-7)
awk -F "," '$8 >3 && $8 <8' ./file_name

Sum (count) where field 8 greater= to 7
awk -F "," '{if ($8>=7){count++;}} END {print count}' ./file_name

Add a semi-colon at the end of each line
awk '{print $0 ";"}' in_file > out_file

Add a comma after first word on each line
awk '{$2="," OFS $2} 1' file_name

Get field 1 and last 5 chars field 2 (passwd hash?) from comma delim file
awk -F, '{print $1",", substr($0, length($0)-4)}' ./file_name

Convert/reverse an IP address (output from nslookup / in-addr.arpa for eg) so 4.3.2.10 hostname.domain.com becomes 10.2.3.4,hostname.domain.com
Splitting the whole line on . (-F.) would chop the hostname up as well, so split field 1 on its own and keep field 2 intact
awk '{split($1, o, "."); print o[4] "." o[3] "." o[2] "." o[1] "," $2}' ./file_name > results_output
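Added example (not part of the original notes): the CSV filter, count, sum and odd-quoting checks from this section run together over a constructed vulnerability-scan export, the kind of file the nmap/VA output above ends up as. The CSV is sample data made up for the example (the scores are illustrative, not authoritative); the function names are mine. It also shows why the quoting check matters: a naive -F, split silently mis-reads lines with an unbalanced quote or a comma inside a quoted field.

```shell
#!/bin/sh
# Added example: awk field filters, counts, sums and quote sanity checks over a CSV scan export.
# The CSV below is constructed sample data for this example.
set -eu
export LC_ALL=C
CSV="$(mktemp)"
trap 'rm -f "$CSV"' EXIT
cat > "$CSV" <<'EOF'
host,port,cve,cvss,title
192.0.2.10,443,CVE-2014-0160,7.5,OpenSSL Heartbleed
192.0.2.10,8080,CVE-2021-44228,10.0,Log4Shell
192.0.2.11,445,CVE-2017-0144,8.1,SMBv1 EternalBlue
192.0.2.12,3389,CVE-2019-0708,9.8,"RDP BlueKeep
192.0.2.12,80,,0,"Banner only, no finding"
EOF

# high_findings FILE [MIN] - host,port,cve where cvss >= MIN (default 7); NR > 1 skips the header,
# "$4 + 0" forces a numeric compare so junk in that column compares as 0 rather than as a string
high_findings() {
  awk -F, -v OFS=, -v min="${2:-7}" 'NR > 1 && $4 + 0 >= min { print $1, $2, $3 }' "$1"
}
count_high() { high_findings "$1" "${2:-7}" | grep -c .; }
# per_host FILE [MIN] - findings per host: the x[$1]++ idiom used as a tally rather than a dup detector
per_host() {
  high_findings "$1" "${2:-7}" | awk -F, '{ n[$1]++ } END { for (h in n) print h "," n[h] }' | sort
}
# avg_cvss FILE - mean of column 4 over the data rows
avg_cvss() { awk -F, 'NR > 1 { s += $4; n++ } END { if (n) printf "%.2f\n", s / n }' "$1"; }
# bad_quoting FILE - lines with an odd number of " (with " as separator that is an even field count);
# such lines, and quoted fields holding commas, break every -F, one-liner on this page, so check first
bad_quoting() { awk -F'"' 'NF % 2 == 0 { print NR ": " $0 }' "$1"; }

echo "high:";     high_findings "$CSV"
echo "per host:"; per_host "$CSV"
echo "avg cvss: $(avg_cvss "$CSV")"
echo "quoting problems:"; bad_quoting "$CSV"
```

Note the last data row: its title holds a comma inside quotes, so $5 for that row is "Banner only" with -F, and the real fix for files like that is a CSV-aware tool (gawk's FPAT, or the Python csv module) rather than more awk.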


## [SED]  ##

http://sed.sourceforge.net/sed1line.txt

Take column text (IPs) and build a comma separated single line list
paste -d, -s input_file > output_file
to quote each item first ("1.2.3.4", "5.6.7.8") - \| alternation is GNU sed
sed 's/^\|$/"/g' input_file | paste -sd", " - > output_file

Remove first 2 chars (. = a char)
sed 's/^..//' file_name

Replace the 3rd lowercase letter on each line with an X (the trailing 3 is the occurrence number)
sed 's/[a-z]/X/3' file_name
or replace every run of 3 lowercase letters with a single X
sed 's/[a-z]\{3\}/X/g' file_name

Remove first line in file
sed '1d' file_name
Remove first to 5th lines
sed '1,5d' file_name

Remove blank lines
sed '/^$/d' file_name

Delete lines that start with whitespace (the old 's/ .*//' only chopped each line at its first space)
sed '/^[[:space:]]/d' file_name

Delete leading whitespace from left to first char
sed -e 's/^[ \t]*//' file_name

Replace char's (in this case a leading slash to a space, so esc with a \)
sed 's/\// /' file_name

Remove all text after the first Dot (.)
sed 's/\..*$//' ./input_file > output_file

Remove last xx chars from end of line (2 in this eg)
sed 's/..$//' input_file > output_file

Convert Unix newlines to DOS format (GNU sed understands \r; unix2dos does the same)
sed 's/$/\r/' < file_in > file_out

Add a semi-colon at the end of each line
sed "s/$/;/g" in_file > out_file

remove comma at end of each line
sed 's/,$//' in_file > out_file

Replace the first space on each line with " , " (i.e. a comma after the first word)
sed 's/ / , /' file_name

Convert newline to space (good for uniq output of IP addresses etc)
sort | uniq | tr '\n' ' '

Remove quote marks on all lines but leaves text
tr -d '"' <file_in

## [VI] ##

Remove blank lines
g/^\s*$/d

remove lines containing string
g/string/d
remove everything bar lines containing string
g!/string/d

Delete up to char
:%s/.*\ze\<CHAR\>//

Delete upto last colon (:)
:1,$ s/.*://g

Remove leading white space
at esc :
%s/^\s*//

Append to end of every line (no backslash in front of the text - in vim's replacement part a backslash escapes the next char)
:%s/$/appended.string/

## [General Stuff] ##

Get first and fifth col in TAB separated file (TAB is cut's default delimiter, no -d needed)
cut -f 1,5 file_name
Same for csv "," File
cut -d ',' -f1,5 file_name
get the first 5 chars from lines of text
cut -c 1-5 file_name

use filename (from say $1) as part of O/P file - basename strips the leading path (./ or /path/to/) and, given a suffix, the extension too
NAME="$(basename "${1}" .xml)"


## [Web site stuff] ##

Spider site
wget -r -np --spider www.site.addr.here

Count files in (open) folder on website without downloading anything
wget -qO - http://website_address/files/ | grep '^<tr><td' | wc -l

Get/Download files of type .txt and .doc
wget -r -A txt,doc www.website.com


Get Base 64 message body (eml/msg). Cut base64 block out then
run
#base64 -d body_snip > output_file


General random No between 5-10 (bash $RANDOM is fine for jitter/sleeps, NOT for anything security sensitive)
aa=$(( RANDOM % (10 - 5 + 1) + 5 )); echo "$aa"

## [SMB scanning] ##

smbclient -L 192.168.1.15 -U administrator (list shares, prompts for the password)
smbclient -L 192.168.1.15 -U % (null session - anonymous share listing, a finding if it works)
smbclient //192.168.1.15/C$ passwd -U administrator (drop passwd to be prompted - on the cmdline it ends up in shell history and ps output)
nmblookup -A 192.168.1.15 (NetBIOS name table for the host)

## [Windows stuff] ##

Get username (needs admin)
WMIC /Node:<computer_name> ComputerSystem Get UserName

Check for M$ patches (KB numbers have no underscore; wmic is deprecated on current Windows, PowerShell Get-HotFix -Id KB<number> does the same)
WMIC qfe get HotFixID | findstr KB<number>

Powershell NC like usage
Test-NetConnection -ComputerName x.x.x.x -Port 80

## [Block attackers - Linux Box] ##

Quick and dirty block: route the attacker's sub-net to the loopback so replies go nowhere. Packets still arrive and still hit the logs - this is not a firewall rule, and route (net-tools) is deprecated in favour of the ip tool
route add -net 10.1.3.0/24 gw 127.0.0.1 lo
check routing table
route -n
Remove blocked sub-net
route del -net 10.1.3.0/24
or
route del -net 10.1.0.0/16

## Service Stuff ##

Little NC HoneyPot - serves a fake banner file and logs whatever the client sends (port 80 needs root; traditional netcat wants -l -p 80, ncat/OpenBSD nc take -l 80)
while true
do
       nc -l 80 < ./www-server-id.txt >> nc_honey.log
       echo "==== $(date) ====" >> nc_honey.log
       echo "" >> nc_honey.log
done

Simple HTTPD Server using busybox
busybox httpd -p 80 -h /var/www/

Run busybox on Windows (stand-alone exe)
c:\bin\busybox.exe sh -l

## [TMUX] ##
tmux            new session
tmux a          attach to session
Ctrl-b d        detach
Ctrl-b p        previous window
Ctrl-b n        next window
Ctrl-b c        create new window
Ctrl-b ,        rename window
Ctrl-b %        split pane vertically (Ctrl-b " splits horizontally)
Ctrl-b o        cycle between split panes (Ctrl-b ; jumps back to the last used pane)

## SSH stuff ##
# MobaXterm setup to RDP to Linux over ssh (local forward: 33389 on the PC -> 3389 on the remote box, via ssh)
in terminal on Windows PC run
ssh -L 33389:127.0.0.1:3389 -l <user_name> <remote_rdp_server>
on Windows client run
mstsc /v:127.0.0.1:33389

# Reverse tunnel (remote box opens the connection out to you, then you ssh back in through it)
On remote Server_a
ssh -R 2222:localhost:22 <user>@<your_workstation> -p 22 (or something else less obvious)
or add -nNT to run it without a shell (with & to background it)
on your Workstation/client
ssh server_user@localhost -p 2222


EOF