Linux Security Audit Commands:
-------------------------------------------------------------- Remote Network Commands --------------------------------------------------------------
# Useful commands to be used over network for Linux system
# traceroute
traceroute 8.8.8.8
# traceroute using ICMP
traceroute -I 8.8.8.8
# nmap TCP syn scan, all TCP ports with scripts to all nmap output formats
# nmap 7.98+
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
# nmap reverse DNS resolution
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16
# update the nmap scripts
nmap --script-updatedb
# list nmap scripts
ls -la /usr/share/nmap/scripts/
# nmap brute force scripts
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
# help for script
nmap --script-help=ssl-heartbleed
# scan using script
nmap -sV --script=ssl-heartbleed.nse -p <port> <host>
# scan using set of scripts
nmap -sV --script="smb*" -p <port> <host>
# nmap used as vulnerability scanner (vulscan - offline DB)
# (third-party NSE code that nmap runs with your privileges; review the checkout before using it)
cd /usr/share/nmap/scripts/
git clone https://github.com/scipag/vulscan.git
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
# nmap vulnerability scanner using vulners (online, real-time CVE data - recommended)
nmap -sV --script=vulners 127.0.0.1
# ncrack (unmaintained since 2019 - prefer hydra or nmap NSE brute scripts)
ncrack -vv --user root <host>:<port>
# ncrack RDP
ncrack -vv -U username.txt -P password.txt <host>:3389
# ncrack SSH
ncrack -vv --user root <host>:22
# crack password used in encrypted zip archive
# fcrackzip (unmaintained - prefer john the ripper)
fcrackzip -b -l 1-4 -u ./archive.zip
# alternative using john the ripper (recommended)
zip2john ./archive.zip > hash.txt
john hash.txt
# hydra
# Bruteforce SSH
hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>
# Bruteforce IP router over HTTP
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080
# Bruteforce FTP
hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp
# Bruteforce RDP
hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1
# wfuzz (still maintained, but consider ffuf or feroxbuster for better performance)
# URL brute forcing
wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php
# GET params brute forcing (quote the URL: an unquoted & would background the command)
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 "http://<host>/index.php?user=FUZZ&pass=FUZ2Z"
# ffuf alternative (faster, Go-based)
ffuf -w Directories_Common.wordlist -u http://<host>/FUZZ.php -fc 404
# feroxbuster alternative (Rust-based, recursive)
feroxbuster -u http://<host>/ -w Directories_Common.wordlist
# sqlmap
sqlmap -u "http://host.com/vulnerable.php?param=12345"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,CONVERT(VARCHAR(MAX),password_hash,1) from master.sys.sql_logins"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sqlmap -r POST.txt -p field
# MySQL
mysql -u <username> -p --port <port> -h <host>
mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
# Oracle
# (omit "/password" to be prompted instead of exposing the password in the process list and shell history)
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
# --------- sqlplus commands -----------
# improve sqlplus console output
SET PAGESIZE 50000;
# list tablespaces
SELECT TABLESPACE_NAME FROM USER_TABLESPACES;
# list all tables
SELECT owner, table_name FROM dba_tables;
# find table with given column name
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';
# find table and count rows for given column name
SET SERVEROUTPUT ON
DECLARE
  val NUMBER;
BEGIN
  FOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP
    EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;
    DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );
  END LOOP;
END;
/
# find string in whole database for columns type NVARCHAR2
# (owner/table/column names are concatenated into dynamic SQL; wrap them with
#  DBMS_ASSERT.ENQUOTE_NAME if the catalog contents are not trusted)
SET SERVEROUTPUT ON SIZE 100000
DECLARE
  match_count INTEGER;
BEGIN
  FOR t IN (SELECT owner, table_name, column_name FROM all_tab_columns WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name || ' WHERE '||t.column_name||' = :1' INTO match_count USING 'SEARCH_TEXT';
    IF match_count > 0 THEN dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );END IF;
  END LOOP;
END;
/
# --------------------------------------
# Postgres
psql -h 127.0.0.1 -U username -d db_name
# connection URI alternative
psql postgresql://username@127.0.0.1/db_name
# SNMP
# SNMPv1
snmpwalk -mALL -v1 -cpublic <host>
snmpwalk -mALL -v1 -cprivate <host>
snmpget -mALL -v1 -cpublic <host> sysName.0
# SNMPv2
snmpwalk -v2c -cprivate <host>:<port>
snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0
snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1
# output: SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)
# SNMPv3 (legacy MD5/DES shown - for modern deployments use -a SHA -x AES)
# -A/-X pass the passphrases on the command line (visible in ps and shell history);
# defAuthPassphrase / defPrivPassphrase in snmp.conf keep them out of argv
snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord <host>:<port> system
snmpwalk -v3 -l authPriv -u snmpadmin -a SHA -A PaSSword -x AES -X PRIvPassWord <host>:<port> system
# LDAP (use -H uri instead of deprecated -h/-p, removed in OpenLDAP 2.5+)
ldapsearch -x -b "dc=company,dc=com" -s base -H ldap://<host>
# LDAPTLS_REQCERT=never disables server certificate checking, so the ldaps:// peer is not authenticated
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
ldapsearch -x -H ldap://127.0.0.1:389 -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -H ldap://127.0.0.1:1389 -b "dc=company,dc=com" -s one "objectClass=*"
# -w puts the bind password in the process list and shell history; -W prompts for it instead
ldapmodify -a -H ldap://127.0.0.1:389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
# modify.ldif:
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
ldapdelete -x -D "cn=Directory Manager" -w 'password' -H ldap://127.0.0.1:1389 "uid=identifier,ou=people,dc=company,dc=com"
# Redis
redis-cli dbsize
# get all keys from DB0 (use only for debugging, blocks the server on large datasets)
redis-cli -n 0 keys "*"
# production-safe alternative using SCAN
redis-cli -n 0 --scan --pattern "*"
# NFS
showmount -e 127.0.0.1
mount -o ro 127.0.0.1:/ /mnt/nfs
# SIP (SIPVicious v3.x - commands renamed with sipvicious_ prefix)
# sipvicious_svmap, send SIP OPTIONS
sipvicious_svmap -p 5060,5061,5080-5090 10.0.0.1
# legacy: svmap -p5060,5061,5080-5090 10.0.0.1
# sipvicious_svcrack
sipvicious_svcrack -u 100 -d dictionary.txt udp://10.0.0.1:5060
# legacy: svcrack -u100 -d dictionary.txt 10.0.0.1
# SMB
smbclient -L <host> -N
smbclient //<host>/<dir> -N
# netexec (formerly crackmapexec) - modern SMB enumeration
netexec smb <host>
netexec smb <host> -u '' -p '' --shares
# SSHFS
# mount
sshfs user@<host>:/remote/path /mnt/tmp -C -p 22
# unmount
fusermount3 -u /mnt/tmp
# redir (v3.0+ uses positional args)
redir <listen_address>:<listen_port> <connect_address>:<connect_port>
# legacy v2.x: redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
# sending HTTP post request
curl --data "param1=value1&param2=value2" https://host.com/index.php
# sending HTTP JSON post request (curl 7.82.0+, auto-sets Content-Type: application/json)
curl --json '{"param1":"value1","param2":"value2"}' https://host.com/api
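#!/bin/sh
# sending SOAP request by nc
#
# Sends one SOAP POST over a raw TCP connection and prints whatever the server
# answers. The envelope is built first so a correct Content-Length header can be
# sent: the original request had none, and an HTTP/1.1 server may then wait for
# more body data instead of replying. Header lines are terminated with CRLF as
# HTTP requires, and "Connection: close" lets nc exit once the reply is sent.
HOST=host.com
PORT=8888

body='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/"> <soapenv:Header/> <soapenv:Body> <web:soapRequest> </web:soapRequest> </soapenv:Body></soapenv:Envelope>'

# byte count (not character count) so a non-ASCII body is still measured
# correctly; the arithmetic expansion strips the padding some wc versions print
length=$(( $(printf '%s' "$body" | wc -c) ))

{
  printf 'POST /services/ HTTP/1.1\r\n'
  printf 'Host: %s:%s\r\n' "$HOST" "$PORT"
  printf 'Content-Type: text/xml;charset=UTF-8\r\n'
  printf 'SOAPAction: ""\r\n'
  printf 'Content-Length: %s\r\n' "$length"
  printf 'Connection: close\r\n'
  printf '\r\n'
  printf '%s' "$body"
} | nc "$HOST" "$PORT"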
# sending SOAP request by curl
proxychains4 curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
cat data.xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/"> <soapenv:Header/> <soapenv:Body> <web:soapRequest> </web:soapRequest> </soapenv:Body></soapenv:Envelope>
# send payload using nping, spoof source IP (hex format: 0x prefix or raw hex digits)
sudo nping -c 1 --data 0xDEADBEEF --udp -p <dest_port> -S <source_ip> -g <source_port> <dest_ip>
# Bash like SQL group by
cat test.txt | sort | uniq -c | sort -n
# Wireshark over SSH
ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)
# HEX to PCAP
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
# Parse JSON (prefer jq for structured parsing)
grep -Po '"field" : .*?[^\\]",' test.json
jq '.field' test.json
# tshark to Elasticsearch output
tshark -i any -f tcp -T ek -e "ip.addr" -e "tcp.port"
# tshark display filter to file
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap
# john the ripper over GPU, OpenCL formats, start session (specify hash-type-opencl)
john --session=session_name --format=raw-md5-opencl ~/hash.txt
# john list the GPU OpenCL formats
john --list=formats | grep -i opencl
# john the ripper, continue session
john --restore=session_name
# john the ripper, show the cracked passwords
john ~/hash.txt --show
# dynamic formats
# edit john/JohnTheRipper/run/dynamic.conf
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt
-------------------------------------------------------------- Local Commands --------------------------------------------------------------
# Useful commands running locally on the Linux system
# To quickly analyze the system and possibly help to escalate privileges.
# Before connecting to the remote system, start recording the interactive session; only then connect (e.g. with ssh).
# Note that the typescript captures everything echoed to the terminal, including any secrets displayed during the session.
script <filename>
# login
ssh username@hostname
# check current shell
echo $0
# check current user
whoami
# current folder
pwd
# list history of the user
history
# check system
uname -a
# check uptime
uptime
# check system variables
export
# processes
ps -ef
ps auxf
ps auxfww
# find in files
find . -name "*.java" -type f -exec grep -iHnF "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec grep -iHnF "textToFind" {} \;
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
# SUID files owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null
# SUID files owned by root and world readable
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
# SUID files
find / -perm -4000 -type f 2>/dev/null
# world writable directories
find / -perm -2 -type d 2>/dev/null
# find passwords in files and ignore errors and filter out the proc and other folders
find . ! -path "*/proc/*" -type f -name "*" -exec grep -iHnF password {} \;
find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec grep -iHnF password {} \; 2> /dev/null
# find using several patterns read from file (patterns are delimited by new line)
find . -type f -exec grep -iHFf patterns.txt {} \;
# find password keyword in small files
find . -type f -size -512k -exec grep -iHnF password {} \;
# reverse java jar files and find passwords there
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | grep -iE -e "Location:" -e "password" | uniq
# check open ports and services listening
ss -anp
# legacy: netstat -anp (deprecated, part of unmaintained net-tools)
# check defined hosts
cat /etc/hosts
# check local IP addresses and interfaces
ip addr show
# legacy: ifconfig -a (deprecated, part of unmaintained net-tools)
# check route
ip route
# legacy: route -v (deprecated, part of unmaintained net-tools)
# check filesystem
df
# check sudo privileges
sudo -l
# check crontab
crontab -l
# check inittab
cat /etc/inittab
# try to sniff traffic
tcpdump
tcpdump -s0 not port 22 -w trace.pcap
# check known hosts
cat ~/.ssh/known_hosts
# try access mails
head /var/mail/root
# list groups, users
cat /etc/group
cat /etc/passwd
# with root privileges
cat /etc/shadow
# check shared memory
ipcs -mp
# logout
logout
# close script session
Ctrl + D
-------------------------------------------------------------- SSH tunneling and chaining --------------------------------------------------------------
# Useful to jump or tunnel traffic over several machines
# SSH proxy command
# ssh config (~/.ssh/config)
Host _first_server
  Hostname XXX.XXX.XXX.XX
  Port 22
  User root
Host _second_server
  Hostname 127.0.0.1
  Port 22
  User root
  # password is "XXXXXXX" (kept on its own line: ssh_config does not accept trailing comments)
  ProxyCommand ssh -v -W 127.0.0.1:22 _first_server
  # modern alternative (OpenSSH 7.3+):
  # ProxyJump _first_server
Host _third_server
  Hostname XXX.XXX.XXX.XXX
  Port 22
  User XXXXX
  ProxyCommand ssh _second_server -W %h:%p
  # modern alternative (OpenSSH 7.3+):
  # ProxyJump _second_server
# host reached through sshpass and an ssh key
Host _host_over_sshpass
  Hostname XXX.XXX.XXX.XXX
  IdentityFile id_rsa
  User XXXXX
  # sshpass -p exposes the password in the process list; -e (SSHPASS env var) or -f <file> avoids that
  ProxyCommand sshpass -pXXXXXXX ssh -Fssh_config _host_previous_in_chain -W %h:%p
# connect
ssh root@_second_server
# modern ProxyJump command-line equivalent
ssh -J _first_server _second_server
# Proxychains (use proxychains4 / proxychains-ng)
# run ssh on background and without executing commands
ssh -f -N -D 9050 user@host
proxychains4 telnet hosts
# using local SSH tunneling to access web server on remote server
sudo ssh -F ~/.ssh/ssh_config _host_definition -L 127.0.0.1:8080:127.0.0.1:8080 -L 127.0.0.1:8443:127.0.0.1:8443
# torsocks
# (sshpass -p exposes the password in the process list; -e reads it from the SSHPASS env var instead)
torsocks sshpass -p '********' ssh -C admin@XXX.XXX.XXX.XXX "sudo tcpdump -i any -U -s0 -w - 'not port 22'" | wireshark -k -i -
# allow internet access on remote server over client SSH (reverse SSH tunnel)
sudo apt install tinyproxy
sudo systemctl disable tinyproxy
sudo systemctl stop tinyproxy
sudo vi /etc/tinyproxy/tinyproxy.conf
# configure listen port (e.g. Port 3128)
sudo systemctl start tinyproxy
ssh -R 3128:127.0.0.1:3128 host
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
-------------------------------------------------------------- Decompilers --------------------------------------------------------------
# jd-gui (Java decompiler) - also consider jadx or CFR for better output quality
cd ~/Decompilers/Java/
java -jar jd-gui-1.6.6.jar
# ghidra (C decompiler)
~/Decompilers/ghidra_12.0.3/ghidraRun
# ffdec (Flash decompiler)
sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).
  Selection    Path                                            Priority   Status
------------------------------------------------------------
  0            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      auto mode
* 1            /usr/lib/jvm/java-10-openjdk-amd64/bin/java      1         manual mode
  2            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      manual mode
Press <enter> to keep the current choice[*], or type selection number:
~/Decompilers/Flash/ffdec_25.1.2/ffdec.sh
-------------------------------------------------------------- Auxiliary --------------------------------------------------------------
# compress & copy over ssh by rsync
rsync --append-verify -avhzP -e ssh user@host:/source/* dest
# copy locally by rsync, full sync, delete removed files
rsync --append-verify -avhP --delete /source/* dest
# Grep in csv
cat some.csv | awk -F, '$3 == "value" {print}'
# Find files in exact date
find . -type f -newermt "YYYY-MM-D1" ! -newermt "YYYY-MM-D2"