Red Team Guide: Cheat Sheet (WIP)

Published Apr 14, 2022

Contents


Linux Network Commands

watch ss --tcp                 # network connections
netstat -ant                   # tcp connections -anu=udp
netstat -tulpn                 # connections with PIDs
lsof -i                        # established connections
ifconfig eth0 ip/cidr          # set ip and netmask
ifconfig eth0:1 ip/cidr        # set virtual interface
route add default gw gw_ip     # set gateway
ip link set dev eth0 down && ip link set dev eth0 address XX:XX:XX:XX:XX:XX && ip link set dev eth0 up  # change mac address (exporting a MAC variable does nothing; six octets)
dig -x ip                      # domain lookup for ip
host ip                        # domain lookup for ip
dig @ns_ip domain -t AXFR      # dns zone transfer (only succeeds if the server permits AXFR from you)
host -l domain ns_ip           # dns zone transfer (-l lists the zone; -i is a reverse lookup)
tcpkill host ip and port port  # block ip:port
grep -i dhcp /var/log/messages # list dhcp assignments (systemd hosts: journalctl | grep -i dhcp)
ping                           # send an ICMP ECHO_REQUEST to network hosts
traceroute                     # print the route packets trace to a network host
ip                             # show/manipulate routing, devices, policy routing, and tunnels
netstat                        # print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
wget                           # non-interactive network downloader
ssh                            # secure shell, OpenSSH client (remote login program)
dig                            # dns lookup utility
nslookup                       # query internet name servers interactively
route                          # view and change the route table
whois                          # internet domain name and network number directory service
curl                           # make any http request you want
httpie                         # like curl but easier ("http get")
tc                             # traffic control: shape, delay or rate-limit traffic on a Linux router (and much more)
scp                            # copy files over a ssh connection
rsync                          # copy only changed files (works over ssh)
ngrep                          # grep for your network
tcpdump                        # show me all packets on port 80
wireshark                      # look at the packets in a GUI
tshark                         # command line super powerful packet analysis
tcpflow                        # capture and assemble tcp streams
ifconfig                       # what is my ip address
arp                            # see your arp table
mitmproxy                      # spy on ssl connections your programs are making
p0f                            # passively identify OS of hosts connecting to you
openvpn                        # a vpn
wireguard                      # a newer vpn
nc                             # netcat! make tcp connections manually
socat                          # proxy a tcp socket to a Unix domain socket + lots more
telnet                         # like ssh but insecure
ftp/sftp                       # copy files, sftp does it over ssh
iptables                       # setup firewalls and NAT
nftables                       # new version of iptables
hping3                         # construct any tcp packet you want
tcptraceroute                  # use tcp packets instead of ICMP to traceroute
openssl                        # TLS/X.509 swiss-army knife: keys, certs, hashes, ciphers (not to be confused with openssh)
ethtool                        # manage physical ethernet connections + network cards
iw/iwconfig                    # manage wireless network settings
sysctl                         # configure Linux kernel's network stack
stunnel                        # make a ssl proxy for an insecure server

Linux System Info Commands

id                      # current uid, gid and group memberships (whoami for just the name)
w                       # logged on users
who -a                  # user information
last -a                 # last users logged on
ps -ef                  # process listing (top)
df -h                   # disk usage (free)
uname -a                # kernel version/cpu info
mount                   # mounted file systems
getent passwd           # show list of users
kill <pid>              # kills process with pid
cat /etc/issue          # show OS info
cat /etc/release        # show OS version info
cat /proc/version       # show kernel info
nmblookup -A <ip>       # get NetBIOS hostname for ip (nbtstat -A is the Windows equivalent)
PATH=$PATH:/home/mypath # append a dir to PATH (never add "." or a world-writable dir: PATH hijacking)

Linux File Commands

diff file1 file2                                        # compare files
rm -rf dir                                              # force delete of dir
shred -f -u file                                        # overwrite then delete file (unreliable on journaled/COW filesystems and SSDs)
touch -r ref_file file                                  # copy ref_file's timestamps onto file
touch -t YYYYMMDDhhmm.ss file                           # set file timestamp (format [[CC]YY]MMDDhhmm[.ss])
sudo fdisk -l                                           # list connected drives and partitions
mount /dev/sdb1 /mnt/usbkey                             # mount USB key (a partition such as sdb1, not the whole disk)
md5sum file                                             # compute md5 hash (-t text mode is the default)
printf '%s' "str" | md5sum                              # hash a string (printf avoids echo's -n/-e portability issues)
sha1sum file                                            # SHA1 hash of file (MD5/SHA1 are collision-broken; use sha256sum for integrity checks)
sort -u                                                 # sort/show unique lines
grep -c "str" file                                      # count lines w/ "str"
tar cf file.tar files                                   # create .tar from files
tar xf file.tar                                         # extract .tar
tar czf file.tar.gz files                               # create .tar.gz
tar xzf file.tar.gz                                     # extract .tar.gz
tar cjf file.tar.bz2 files                              # create .tar.bz2
tar xjf file.tar.bz2                                    # extract .tar.bz2
gzip file                                               # compress/rename file
gzip -d file.gz                                         # decompress file.gz
upx -9 -o out.exe orig.exe                              # upx packs orig.exe
zip -r zipname.zip directory/                           # create zip
dd if=inputfile of=outputfile bs=1 skip=1000 count=2000 # cut bytes 1000-2999 from file (bs=8 would skip 8000 bytes)
split -b 9K file prefix                                 # split file into 9K chunks
unix2dos -n unix.txt win.txt                            # win compatible txt file (or: sed 's/$/\r/' unix.txt > win.txt)
find . -iname '*.pdf' -type f                           # find pdf files (case-insensitive)
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ldb {} \; 2>/dev/null  # setuid/setgid files (without the \( \) grouping, -exec only applies to the setgid branch)
dos2unix file                                           # convert to nix format
file file                                               # determine file type/info
chattr (+/-)i file                                      # set/unset immutable bit
mount                                                   # mount a file system
umount                                                  # unmount a file system
fsck                                                    # check and repair a file system
fdisk                                                   # manipulate disk partition table
mkfs                                                    # create a file system
dd                                                      # convert and copy a file
genisoimage (mkisofs)                                   # create an iso 9660 image file
wodim (cdrecord)                                        # write data to optical storage media
md5sum                                                  # calculate an md5 checksum
lshw                                                    # list hardware
lsblk                                                   # lists block devices
lsusb                                                   # lists usb devices
lsof                                                    # lists opened files
lspci                                                   # lists pci devices
lsmod                                                   # program to show the status of modules in the Linux kernel
rmmod                                                   # simple program to remove a module from the Linux kernel
insmod                                                  # simple program to insert a module into the Linux kernel
modprobe                                                # program to add and remove modules from the Linux kernel
locate                                                  # find files by name
find                                                    # search for files in a directory hierarchy
xargs                                                   # build and execute command lines from standard input
touch                                                   # change file times
stat                                                    # display file or file system status
tar                                                     # tape archiving utility
zip                                                     # package and compress files
gzip                                                    # compress files
gunzip                                                  # un-compress files
bzip2                                                   # a block sorting file compressor
bunzip2                                                 # a block sorting file un-compressor
cat                                                     # concatenate files and print on the standard output
sort                                                    # sort lines of text files
uniq                                                    # report or omit repeated lines
cut                                                     # remove sections from each line of files
paste                                                   # merge lines of files
join                                                    # join lines of two files on a common field
comm                                                    # compare two sorted files line by line
diff                                                    # compare files line by line
patch                                                   # apply a diff file to an original
tr                                                      # translate or delete characters
sed                                                     # stream editor for filtering and transforming text
aspell                                                  # interactive spellchecker
nl                                                      # number lines
fold                                                    # wrap each line to a specified length
fmt                                                     # a simple text formatter
pr                                                      # prepare text for printing
printf                                                  # format and print data
groff                                                   # a document formatting system

Linux Utility Commands

rdesktop ip                           # remote desktop to ip
scp /tmp/file user@x.x.x.x:/tmp/file  # put file
scp user@remoteip:/tmp/file /tmp/file # get file
sudo userdel username                 # remove user (rmuser is the BSD equivalent)
script -a outfile                     # record shell : ctrl-D stops
apropos subject                       # find related command
!num                                  # executes line num from history (no space after the !)
sudo adduser thor                     # add user
sudo passwd thor                      # change user password
sudo usermod --shell /bin/bash thor   # change user's shell
usermod -l ironman thor               # change user's name
su -l thor                            # login as another user
sudo userdel thor                     # delete user
sudo groupadd infinity                # create a group
groups                                # check what groups you're member of
sudo usermod -aG infinity thor        # add user to a group
sudo usermod -G infinity thor         # -G removes the user from every other group
sudo usermod -aG infinity thor        # -aG appends another group to the user
sudo groupdel infinity                # delete group

Linux "Cover Your Tracks" Commands (defender note: every one of these is itself a detection signal - log truncation, history tampering and HISTFILE changes are standard auditd/EDR rules, and remote syslog or journald keep copies the local edit never touches)

echo "" > /var/log/auth.log      # clear auth.log file (needs root; does not affect remote syslog or the journal)
echo "" > ~/.bash_history        # clear current user bash history
rm -f ~/.bash_history            # delete .bash_history file
history -c                       # clear current session history
export HISTFILESIZE=0            # set history max lines to 0
export HISTSIZE=0                # set history max commands to 0
unset HISTFILE                   # disable history logging (need to logout to take effect)
kill -9 $$                       # kill the current shell so it exits without writing its history to disk
ln -sf /dev/null ~/.bash_history # permanently send all bash history for this user to /dev/null

Linux Misc Commands

unset HISTFILE                                            # disable history logging
ssh user@ip arecord - | aplay -                           # record remote mic and play it locally
gcc -o outfile myfile.c                                   # compile C (use g++ for C++)
init 6                                                    # reboot (0 = shutdown)
grep -v '^#' /etc/*syslog*.conf                           # list log files configured in syslog/rsyslog
grep 'href=' file | cut -d"/" -f3 | grep url | sort -u    # unique hostnames from links in file that match "url"
dd if=/dev/urandom of=outputfile bs=1M count=3            # make random 3MB file (bs=314528 count=100 was ~30MB)
;                                                         # with ";", the second command will run even if the first one fails.
&&                                                        # with "&&", the second command won't run if the first one fails.
&                                                         # normally, when you execute a long-running command, the command line will wait for that command to finish before it allows you to enter another one. putting "&" after a command prevents this from happening, and lets you execute a new command while an older one is still going.
openssl sha1 file.txt                                           # SHA1 digest (collision-broken; prefer sha256/sha512)
openssl sha256 file.txt
openssl sha512 file.txt
openssl rand -base64 12                                         # 12 random bytes, base64-encoded
openssl aes-256-cbc -e -salt -pbkdf2 -in <file> -out <outfile>  # encrypt; -pbkdf2 replaces the weak legacy key derivation (openssl warns without it)
openssl aes-256-cbc -d -salt -pbkdf2 -in <file> -out <outfile>  # decrypt (KDF options must match encryption); CBC gives no integrity - verify a hash/signature before trusting decrypted data

Linux Files

/etc/shadow                 # local users hashes
/etc/passwd                 # local users
/etc/group                  # local groups
/etc/rc.d                   # startup services
/etc/init.d                 # service
/etc/hosts                  # known hostnames and ips
/etc/hostname               # hostname (/etc/HOSTNAME on some older distros)
/etc/network/interfaces     # network configuration
/etc/profile                # system environment variables
/etc/apt/sources.list       # Ubuntu source list
/etc/resolv.conf            # nameserver configuration
/home/user/.bash_history    # bash history (also /root/)
/usr/share/wireshark/manuf  # vendor-mac (OUI) lookup table
~/.ssh/                     # ssh keystore
/var/log                    # system log files (most Linux)
/var/adm                    # system log files (Unix)
/var/spool/cron             # per-user crontabs (also /etc/crontab and /etc/cron.d/)
/var/log/apache2/access.log # apache access log (Debian/Ubuntu; RHEL: /var/log/httpd/access_log)
/etc/fstab                  # static file system info

Google Dorking

allintext                    # searches for occurrences of all the keywords given.
intext                       # searches for the occurrences of keywords all at once or one at a time.
inurl                        # searches for a url matching one of the keywords.
allinurl                     # searches for a url matching all the keywords in the query.
intitle                      # searches for occurrences of keywords in title all or one.
allintitle                   # searches for occurrences of keywords all at a time.
site                         # specifically searches that particular site and lists all the results for that site.
filetype                     # searches for a particular filetype mentioned in the query.
link                         # searches for external links to pages.
numrange                     # used to locate specific numbers in your searches.
date                         # search only a range of months
related                      # list web pages that are "similar" to a specified web page.
phonebook                    # display all, residential, business phone listings
cache                        # shows the version of the web page that Google has in its cache.
before/after                 # used to search within a particular date range.
allinanchor/inanchor         # this shows sites which have the keyterms in links pointing to them, in order of the most links.
allinpostauthor/inpostauthor # exclusive to blog search, this one picks out blog posts that are written by specific individuals.

Linux Scripting

Ping sweep

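#!/usr/bin/env bash
# Ping sweep of a /24: prints every host that answers one ICMP echo request.
# Usage: ./pingsweep.sh [prefix]    (prefix defaults to 192.168.1)
#
# The original ran "ping -c 192.168.1.$i", which makes the address the
# argument of -c (a count) and never sends a packet; -c 1 -W 1 sends one
# probe and bounds it to one second.
prefix=${1:-192.168.1}

for i in {1..254}; do
  target="$prefix.$i"
  # Background each probe so the sweep takes ~1s instead of 254s; the exit
  # status replaces grepping for "64 b", which depends on ping's output format.
  ( ping -c 1 -W 1 "$target" >/dev/null 2>&1 && printf '%s is up\n' "$target" ) &
done
wait   # collect every probe before the script exits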

Port sweep

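#!/usr/bin/env bash
# TCP port sweep of a /24 using bash's /dev/tcp (no nmap needed).
# Usage: ./portsweep.sh [prefix] [port ...]
#   prefix defaults to 10.10.10; ports default to 22 80 443 3306 3389
prefix=${1:-10.10.10}
[[ $# -gt 0 ]] && shift
ports=("$@")
(( ${#ports[@]} )) || ports=(22 80 443 3306 3389)

for i in {1..254}; do
  (
    for port in "${ports[@]}"; do
      # A bare "echo >/dev/tcp/..." to a filtered host blocks for the kernel's
      # SYN-retry window (minutes); timeout caps every probe at one second.
      # The address is passed as an argument, not interpolated into the -c
      # string, so an odd prefix cannot inject shell syntax.
      if timeout 1 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$prefix.$i" "$port" 2>/dev/null; then
        printf '%s:%s is open\n' "$prefix.$i" "$port"
      fi
    done
  ) &   # one background subshell per host; ports within a host stay serial
done
wait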

Automated reverse DNS lookup of a /24 (bash)

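#!/usr/bin/env bash
# Reverse-resolve every address in a /24 and print the PTR names.
# Prompts for the first three octets, e.g. 192.168.3
read -r -p "Enter class C range (e.g. 192.168.3): " range

for i in {1..254}; do
  # The original used cut -d "" (an empty delimiter is an error); the PTR
  # name is the 5th space-separated field of "host" output.
  host "$range.$i" | grep "name pointer" | cut -d ' ' -f5
done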

Fork Bomb (spawns processes until the system is unusable - never run it outside a throwaway VM; defend with `ulimit -u` or a pids cgroup limit)

:(){ :|:& };:

DNS resolver lookup

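# Reverse-resolve a /24 and append "address ptr-name" lines to dns.txt.
# The original piped dig into "grep $ip dns.txt", which searches the FILE
# dns.txt and discards dig's output entirely; +short prints just the PTR.
prefix=${1:-1.1.1}
for i in {1..254}; do
  dig +short -x "$prefix.$i" | sed "s/^/$prefix.$i /" >> dns.txt
done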

IPv4

Classful IP ranges

A - 0.0.0.0 - 127.255.255.255
B - 128.0.0.0 - 191.255.255.255
C - 192.0.0.0 - 223.255.255.255
D - 224.0.0.0 - 239.255.255.255
E - 240.0.0.0 - 255.255.255.255

Reserved IP ranges

10.0.0.0    - 10.255.255.255   (10/8, RFC 1918 private)
127.0.0.0   - 127.255.255.255  (loopback)
172.16.0.0  - 172.31.255.255   (172.16/12, RFC 1918 private)
192.168.0.0 - 192.168.255.255  (192.168/16, RFC 1918 private)

Subnetting

/31 - 255.255.255.254 - 2 Hosts (point-to-point links, RFC 3021: no network/broadcast address)
/30 - 255.255.255.252 - 2 Hosts
/29 - 255.255.255.248 - 6 Hosts
/28 - 255.255.255.240 - 14 Hosts
/27 - 255.255.255.224 - 30 Hosts
/26 - 255.255.255.192 - 62 Hosts
/25 - 255.255.255.128 - 126 Hosts
/24 - 255.255.255.0   - 254 Hosts
/23 - 255.255.254.0   - 510 Hosts
/22 - 255.255.252.0   - 1022 Hosts
/21 - 255.255.248.0   - 2046 Hosts
/20 - 255.255.240.0   - 4094 Hosts
/19 - 255.255.224.0   - 8190 Hosts
/18 - 255.255.192.0   - 16382 Hosts
/17 - 255.255.128.0   - 32766 Hosts
/16 - 255.255.0.0     - 65534 Hosts
/15 - 255.254.0.0     - 131070 Hosts
/14 - 255.252.0.0     - 262142 Hosts
/13 - 255.248.0.0     - 524286 Hosts
/12 - 255.240.0.0     - 1048574 Hosts
/11 - 255.224.0.0     - 2097150 Hosts
/10 - 255.192.0.0     - 4194302 Hosts
/9  - 255.128.0.0     - 8388606 Hosts
/8  - 255.0.0.0       - 16777214 Hosts

IPv6

Multicast addresses (IPv6 has no broadcast; these are the well-known all-nodes / all-routers groups)

ff02::1 - link-local nodes
ff05::1 - site-local nodes
ff01::2 - node-local routers
ff02::2 - link-local routers
ff05::2 - site-local routers

Interface addresses

fe80::/10      - link-local
2000::/3       - global unicast (routable; 2001:db8::/32 within it is documentation-only)
::a.b.c.d      - IPv4-compatible IPv6 (deprecated)
::ffff:a.b.c.d - IPv4-mapped IPv6

THC IPv6 toolkit

Remote Network DoS (rsmurf6 from the THC IPv6 toolkit; a flooding tool - use only against systems you are authorized to test):
  rsmurf6 eth0 <target-ipv6>

tcpdump

Capture packets on eth0 to a file, then read them back in ASCII and HEX (-XX only affects printed output and is ignored when writing with -w)

tcpdump -i eth0 -w out.pcap
tcpdump -r out.pcap -XX

Capture HTTP traffic to 2.2.2.2 (BPF primitives must be joined with "and"; without it the filter is a syntax error)

tcpdump -i eth0 'port 80 and dst 2.2.2.2'

Show connections to a specific IP

tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24
tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'

Capture 50 DNS packets and print timestamp

tcpdump -i eth0 -c 50 -tttt 'udp and port 53'

bash

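#!/usr/bin/env bash
# Bash syntax cheat sheet. Each section is an independent example of one
# construct; copy what you need rather than running the file top to bottom
# (it prompts on stdin, renames *.txt in the current directory and reads
# ./new-1.txt).


# INTEGER COMPARISONS (inside [ ] / [[ ]]; or use (( val1 > val2 )))
# val1 -eq val2 Returns true if the values are equal
# val1 -ne val2 Returns true if the values are not equal
# val1 -gt val2 Returns true if val1 is greater than val2
# val1 -ge val2 Returns true if val1 is greater than or equal to val2
# val1 -lt val2 Returns true if val1 is less than val2
# val1 -le val2 Returns true if val1 is less than or equal to val2


# FILE TESTS
# -a FILE      True if file exists (deprecated synonym for -e; prefer -e).
# -b FILE      True if file is block special.
# -c FILE      True if file is character special.
# -d FILE      True if file is a directory.
# -e FILE      True if file exists.
# -f FILE      True if file exists and is a regular file.
# -g FILE      True if file is set-group-id.
# -h FILE      True if file is a symbolic link.
# -L FILE      True if file is a symbolic link.
# -k FILE      True if file has its sticky bit set.
# -p FILE      True if file is a named pipe.
# -r FILE      True if file is readable by you.
# -s FILE      True if file exists and is not empty.
# -S FILE      True if file is a socket.
# -t FD        True if FD is opened on a terminal.
# -u FILE      True if the file is set-user-id.
# -w FILE      True if the file is writable by you.
# -x FILE      True if the file is executable by you.
# -O FILE      True if the file is effectively owned by you.
# -G FILE      True if the file is effectively owned by your group.
# -N FILE      True if the file has been modified since it was last read.


# ECHO COMMAND
echo "Hello World!"

# VARIABLES (assign first; the original echoed $NAME before it was ever set)
NAME="World"
echo "My name is $NAME"
echo "My name is ${NAME}"

# USER INPUT (-r stops read from interpreting backslashes in the input)
read -r -p "Enter your name: " NAME
echo "Hello $NAME, nice to meet you!"
read -r -p "Do you want to install nginx [y/n]: " GET_NGINX

# IF-ELSE ([[ ]] does no word-splitting, so an empty $NAME is safe)
if [[ "$NAME" == "Brad" ]]; then
  echo "Your name is Brad"
elif [[ "$NAME" == "Jack" ]]; then
  echo "Your name is Jack"
else
  echo "Your name is not Brad or Jack"
fi

# IF-ELSE with two conditions. The original "[ $GET_NGINX == 'y' ]" was
# unquoted: an empty answer turns it into "[ == y ]", a syntax error.
# command -v is the portable "is this program installed" test.
if ! command -v nginx >/dev/null 2>&1 && [[ "$GET_NGINX" == "y" ]]; then
  echo "Install nginx."
fi

# COMPARISON (arithmetic context: no $ or quotes needed)
NUM1=31
NUM2=5
if (( NUM1 > NUM2 )); then
  echo "$NUM1 is greater than $NUM2"
else
  echo "$NUM1 is not greater than $NUM2"   # also covers the equal case
fi

# FILE CONDITIONS
FILE="test.txt"
if [[ -e "$FILE" ]]; then
  echo "$FILE exists"
else
  echo "$FILE does NOT exist"
fi

# CASE STATEMENT
read -r -p "Are you 21 or over? Y/N " ANSWER
case "$ANSWER" in
  [yY] | [yY][eE][sS])
    echo "You can have a beer :)"
    ;;
  [nN] | [nN][oO])
    echo "Sorry, no drinking"
    ;;
  *)
    echo "Please enter y/yes or n/no"
    ;;
esac

# SIMPLE FOR LOOP over a space-separated list (the unquoted $NAMES is
# deliberate: word-splitting is what produces the four items)
NAMES="Brad Kevin Alice Mark"
for NAME in $NAMES; do
  echo "Hello $NAME"
done

# FOR LOOP TO RENAME FILES. Glob directly: "$(ls *.txt)" breaks on any
# filename containing whitespace.
NEW="new"
for FILE in *.txt; do
  [[ -e "$FILE" ]] || continue   # no match: the literal pattern is returned
  echo "Renaming $FILE to $NEW-$FILE"
  mv -- "$FILE" "$NEW-$FILE"
done

# WHILE LOOP - READ THROUGH A FILE LINE BY LINE
# IFS= keeps leading/trailing whitespace, -r keeps backslashes literal.
LINE=1
while IFS= read -r CURRENT_LINE; do
  echo "$LINE: $CURRENT_LINE"
  (( LINE++ ))
done < "./new-1.txt"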

# FUNCTION
# FUNCTION: takes no arguments and prints a fixed greeting.
sayHello() {
  printf '%s\n' "Hello World"
}
sayHello

# FUNCTION WITH PARAMS
# FUNCTION WITH PARAMS: $1 = name, $2 = age; prints one greeting line.
greet() {
  local who=$1
  local age=$2
  printf 'Hello, I am %s and I am %s\n' "$who" "$age"
}
greet "Brad" "36"

# CREATE FOLDER AND WRITE TO A FILE
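# CREATE FOLDER AND WRITE TO A FILE
# mkdir -p makes this re-runnable (plain mkdir errors if hello/ already exists).
mkdir -p hello
touch "hello/world.txt"
echo "Hello World" >> "hello/world.txt"
echo "Created hello/world.txt"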

mysql backup

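#!/usr/bin/env bash
# Hourly mysqldump of one database into /backup/YYYY/MM/DD/HH/backup.sql.gz
#
# crontab -e   (minute 0 of every hour; the original "* 0 * * *" fired every
#               minute between 00:00 and 00:59, and the exec `...` wrapper
#               would try to execute the script's OUTPUT)
#   0 * * * * /bin/bash /home/backup_mysql.sh
#
# Credentials: never pass -p<password> on the command line - it is visible to
# every local user via ps / /proc. Put them in a mode-0600 option file:
#   [client]
#   user=backup
#   password=...
set -euo pipefail

readonly DB_NAME="database_name"
readonly CREDS="/root/.my.cnf"      # [client] section, chmod 600
readonly BACKUP_ROOT="/backup"

dest="$BACKUP_ROOT/$(date +%Y/%m/%d/%H)"
mkdir -p "$dest"
chmod 700 "$dest"                   # the dump is the whole database in clear text

# One dump, compressed on the fly. The original ran mysqldump twice (plain
# and gzipped), doubling run time and disk use for the same data.
# --single-transaction takes a consistent snapshot for transactional tables.
mysqldump --defaults-extra-file="$CREDS" --single-transaction "$DB_NAME" \
  | gzip > "$dest/backup.sql.gz"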

iptables

Reference:

# -F for flush
iptables -F

# -L for list
iptables -L
iptables -L --line-numbers

# -D for delete
iptables -D INPUT 1

# ACCEPT or DROP every packet that matches no rule (the chain policy).
# Setting INPUT to DROP over SSH before an ESTABLISHED / port-22 ACCEPT rule exists locks you out.
iptables --policy INPUT ACCEPT
iptables --policy INPUT DROP

# -I for insert [adds the rule to the top]
# -A for append [adds the rule to the bottom]
# -s for source
# -j for jump
iptables -I INPUT -s 10.0.0.1 -j DROP
iptables -I INPUT -s 10.0.0.0/24 -j DROP   # whole /24 (iptables masks 10.0.0.1/24 to 10.0.0.0/24 anyway)

# -p for protocol
# --dport for destination port
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 80 -s 10.0.0.1 -j ACCEPT

# iptables rules live only in kernel memory; they must be saved to survive a reboot.
# iptables-save alone just prints the ruleset to stdout - write it where your distro loads it from
# (Debian/Ubuntu with iptables-persistent: /etc/iptables/rules.v4; RHEL: /etc/sysconfig/iptables):
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

Sample Script:

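#!/usr/bin/env bash
# Host firewall: default-deny inbound; allow loopback, established traffic,
# SSH (rate-limited), HTTP, HTTPS and ping. Run as root: sudo ./firewall.sh
# IPv4 only - see the ip6tables note at the end.
set -euo pipefail

# Start from an open, empty ruleset. Policies go to ACCEPT first so that the
# flush never leaves a remote admin session cut off.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X

# Loopback and already-established exchanges, before anything restrictive.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# SSH, rate-limited: a 4th new connection from one source within an hour is
# dropped. In the original the unconditional "--dport 22 -j ACCEPT" came
# BEFORE these rules, so they were never reached and no limit applied.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 3600 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# HTTP, HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Ping (ICMP echo request; the reply path is covered by ESTABLISHED above)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Default policies last, once the allow rules exist. With INPUT DROP set
# first (as the original did) there is a window where the admin's own SSH
# packets are discarded.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Show the result
iptables -nvL
ss -tupln

# Persist (Debian/Ubuntu). The rules exist only in kernel memory until saved:
#   apt install iptables-persistent
#   netfilter-persistent save      # writes /etc/iptables/rules.v4 and rules.v6
# NOTE: this script does not touch ip6tables. On a dual-stack host every
# service is still reachable over IPv6 until an equivalent ip6tables policy
# is applied.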

Cisco Commands

R1>enable
R1#configure terminal
R1(config)#interface fa0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#line vty 0 4
R1(config-line)#transport input ssh      ! if telnet is left enabled on the vty lines, credentials cross the network in clear text; pair with "login local" or AAA
R1(config-line)#end
R1#show session
R1#show version
R1#show file systems
R1#dir all-filesystems
R1#dir /all
R1#show running-config
R1#show startup-config
R1#show ip interface brief
R1#show interface e0
R1#show ip route
R1#show access-lists
R1#terminal length 0
R1#copy running-config startup-config
R1#copy running-config tftp

GitHub Repositories