HackSheet


Nmap

nmap --top-ports 5000 ip

Fast scan

nmap -T4 -F ip
nmap -sV -T4 -O -F -A --version-light ip

Scan all port

nmap -p- -T4 -v ip

Scan With Script & Version

nmap -A -T4 -sC -sV ip 

Scan All Local

nmap 192.168.1.1/24 -sn -T4 ip

Scan with scripts

nmap -sC ip
nmap --script "default,discovery,exploit,version,vuln" ip
nmap --script "default,discovery,exploit,version,vuln,servicetags,ntp-monlist,dns-recursion,snmp-sysdescr" ip

Scan udp

sudo nmap -sU -T4 ip
sudo nmap -sUV -T4 -F --version-intensity 0 ip
sudo nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,snmp-sysdescr ip
sudo nmap -sU -pU:19,53,123,161 -Pn -n --max-retries=0 ip

Scan SCTP

nmap -T4 -sY -n --open -Pn ip

Hardcore scan

sudo nmap -sS -sU -p- -PN -O -sV -sC --allports --version-all -T4  ip -vv

DNS

Port: 53

Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services.

Any Information

dig ANY @dns_ip domain

Information

dig TXT @dns_ip domain

Tranfert Zone

dig axfr @dns_ip domain

Reverse Lookup

dig -x ip @dns_ip

Reverse All Address

dnsrecon -r 127.0.0.0/24 -n ip_dns

SNMP

Port: 161 / 162

SNMP is used to monitor the network, detect network faults, and sometimes even used to configure remote devices.

List devices

snmp-check ip

RPCBind

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. - redhat

Port: 111

Info

rpcinfo -p ip

NFS

A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. - redhat

Port: 2049

To bypass permission change your uid

Show NFS

showmount -e squashed.htb

Mount

mount -t nfs squashed.htb:/ nsf_mount -o nolock

Scan Local Network

ARP Scannner Tools shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN.

Address Resolution Protocol (ARP) is the Dynamic mapping technique used to map the logical address (IP) to a physical address (MAC).

Arp

sudo arp
Address                  HWtype  HWaddress           Flags Mask            Iface
NameHost                 ether   xx:xx:xx:xx:xx:xx   C                     INTRFC

Netdiscover

netdiscover

Arp-scan

arp-scan -l

List opened port localy

SS

ss -lntu

Netstat

netstat -tulpn

Hydra

Proxy

export HYDRA_PROXY=connect://localhost:8080

Basic HTTP Auth

hydra -C wordlist.txt SERVER_IP -s PORT http-get /

Post HTTP Login

hydra -l admin -P wordlist.txt -f ip -s port http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

SSH

hydra -L user.txt -P pass.txt -u -f -t 4 ssh://ip:port

FTP

hydra -l m.gates -P /usr/share/wordlists/rockyou.txt ftp://127.0.0.1

Packet Analyzer

Wireshark

Run

sudo wireshark

Get all Files

Filters

smb || smb2 || http || tcp ||
ip.src == 1.1.1.1 && ip.dst == 1.1.1.1 && tcp.port == 80

TCPflow

Export File of pcap

tcpflow -r capture.pcap

Tcpdump

Basic

sudo tcpdump -i any

Max Argument

sudo tcpdump -i any -c <MAX_PACKETS> host 192.168.1.1 '&&' port 80 '&&' src 1.1.1.1
sudo tcpdump -i any -c10 -nn -A port 80

Save

sudo tcpdump -i any -w file.pcap

Python

from scapy.all import *

scapy_cap = rdpcap('file.pcap')
i = 0
for packet in scapy_cap:
	if type(packet[TCP].payload) == scapy.packet.Raw:
		try:
			print(i, ':', packet[TCP].payload.load.decode())
		except:
			print(i, ':', packet[TCP].payload.load)
	i += 1