More cheatsheets

linux/bofhound.md

@@ -0,0 +1,11 @@
+### Install
+```
+sudo apt-get install libffi-dev
+pipx install bofhound
+```
+
+### Convert LDAP search results to bloodhound JSON
+```
+bofhound --input <ldapSearchFile> --output <resultDirectory>
+```
+

linux/chromium.md

@@ -8,3 +8,8 @@ chromium --ignore-certificate-errors -headless --screenshot="<file>.png" <rhost>
 chromium --proxy-server="socks4://<ip>:<port>
 ```
 
+### Chrome DevTools Protocol port
+```
+9222
+```
+

linux/docker-compose.md

@@ -1,6 +1,13 @@
 ### Source
 https://github.com/docker/compose
 
+### Install
+```
+sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+sudo chmod +x /usr/local/bin/docker-compose
+docker-compose --version
+```
+
 ### Start docker container using yml file
 ```
 docker-compose -f <file>.yml up

linux/evil-winrm.md

@@ -1,6 +1,11 @@
 ### Source
 https://github.com/Hackplayers/evil-winrm  
 
+### Install
+```
+gem install evil-winrm
+```
+
 ### Start shell on host (port 5985,5986)
 ```
 evil-winrm -i <ip> -u <user> -p <password>

linux/fish.md

@@ -28,3 +28,8 @@ Alt + d
 CTRL + w
 ```
 
+### Set new prompt
+```
+function fish_prompt; echo (whoami)@(hostname) (date +"%Y.%m.%d_%T")" > "; end
+```
+

linux/gowitness.md

@@ -0,0 +1,20 @@
+### Install
+```
+go install github.com/sensepost/gowitness@latest
+```
+
+### Take single screenshot
+```
+gowitness --delay 15 --timeout 30 single --screenshot-path <pathToOutDir> <url>
+```
+
+### Create multiple screenshots using proxy
+```
+gowitness --proxy socks5://127.0.0.1:9050 --delay 15 --timeout 30 --screenshot-path <pathToOutDir> --threads 2 file -f <pathToUrls>
+```
+
+### List reachable hosts
+```
+gowitness report list
+```
+

linux/impacket-netview.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/fortra/impacket/blob/master/examples/netview.py
+
+### List remote sessions
+```
+netview.py -noloop '<user>:<password>' -target <rhost>
+```
+

linux/ldapsearch.md

@@ -1,20 +1,32 @@
+### Install
+```
+apt install ldap-utils
+```
+
 ### Basic request (works unauthenticated, -L = dont print LDIF version, -s scope of search)
 ```
 ldapsearch -LLL -x -H ldap://<domainController> -b '' -s base '(objectclass=*)'
 ```
 
-### Get all domain joined operating systems (-z result limit, -x simple auth, -W prompt for password, -D binddn, -b basedn)
+### Get information about single user (-b searchbase)
+```
+ldapsearch -H ldap://<domainController> -D "<user>@<domain>" -w '<password>' -b "dc=<domainComponent>,dc=<domainComponent>,dc=<domainComponent>" "(sAMAccountName=<user>)"
+```
+
+### Filter
 ```
-ldapsearch -H ldap://<domainController> -z none -x -W -D "<user>@<domain>" -b "dc=<domainComponent>,dc=<domainComponent>" "(objectclass=computer)" "DNSHostName" "OperatingSystem"
+"(objectclass=computer)" "DNSHostName" "OperatingSystem"
+"(objectclass=user)"
+"(&(<condition1>)(<condition2>))"
 ```
 
-### Get information about all user objects
+### Reference error troubleshooting
 ```
-ldapsearch -H ldap://<domainController> -z none -x -W -D "<user>@<domain>" -b "dc=<domainComponent>,dc=<domainComponent>" "(objectclass=user)"
+RefErr: DSID-0310079C -> wrong DN/searchbase (incorrect domain controller or incorrect searchbase)
 ```
 
-### Logical AND (use | for OR) (use ! NEGATION)
+### Certificate error troubleshooting
 ```
-ldapsearch -H ldap://<domainController> -z none -x -W -D "<user>@<domain>" -b "dc=<domainComponent>,dc=<domainComponent>" "(&(<condition1>)(<condition2>))"
+LDAPTLS_REQCERT=never
 ```
 

linux/numfmt.md

@@ -0,0 +1,5 @@
+### Convert filesize to humand readable formant
+```
+numfmt --to=iec-i --suffix=B <size>
+```
+

linux/openssl.md

@@ -18,6 +18,6 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k <password> <encryptedFile> > <file>
 
 ### Print information
 ```
-openssl x509 -in <file>.pem -text -noout
+openssl x509 -text -noout -in <file>.pem
 ```
 

linux/proxychains.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/haad/proxychains
+
+### Needs socks5 instead of socks4
+```
+proxychains -f <file>
+```
+

linux/python.md

@@ -29,3 +29,13 @@ export http_proxy=127.0.0.1:8080
 export https_proxy=127.0.0.1:8080
 ```
 
+### Install python2.7 (debian bookworm)
+```
+vim /etc/apt/sources.list
+# insert
+echo "deb http://archive.debian.org/debian/ stretch contrib main non-free"
+
+sudo apt-get update
+sudo apt-get install python2.7
+```
+

linux/rlwrap.md

@@ -0,0 +1,5 @@
+### Restores arrow key function for reverse shells
+```
+rlwrap nc -lvp <port>
+```
+

linux/screen.md

@@ -5,7 +5,8 @@ screen -S <name>
 
 ### Log session to file
 ```
-screen -S <name> -L -Logfile $(date +"%Y.%m.%d_%T")
+screen -S <name> -L -Logfile $(date +"%Y.%m.%d_%T") -s bash
+PS1="$(whoami)@$(hostname)> "
 ```
 
 ### Detach

linux/sqllite3.md

@@ -0,0 +1,14 @@
+### Show table structure
+```
+sqlite3 <file>.sqlite
+sqlite> .tables
+```
+
+### Dump content of table
+```
+sqlite> .headers on
+sqlite> .output <outputFile>.txt
+sqlite> SELECT * FROM <table>;
+sqlite> .exit
+```
+

linux/ssh.md

@@ -59,6 +59,16 @@ ssh -D 9050 <user>@<rhost> -N -v
 ssh -o 'StrictHostKeyChecking=no' -i .\<privateKey> -N -R 9050 <user>@<rhost>
 ```
 
+### Port forward over multiple hosts
+```
+ssh -D 9050 -J <user>@<jumphost1>:<port>,<user>@<jumphost2>:<port> <user>@<rhost> -p <port>
+```
+
+### Port forward over multiple hosts
+```
+ssh -D 9050 -o ProxyCommand="ssh -W %h:%p <user>@<jumphost>" <user>@localhost -p <port>
+```
+
 ### Port forward to local port on remote server
 ```
 ssh -N -L 127.0.0.1:9050:127.0.0.1:9051 <user>@<rhost>
@@ -75,13 +85,3 @@ proxychains <command>
 ssh -o UserKnownHostsFile=/dev/null -T <user>@<rhost> 'bash -i'
 ```
 
-### Port forward over multiple hosts
-```
-ssh -D 9050 -J <user>@<jumphost1>:<port>,<user>@<jumphost2>:<port> <user>@<rhost> -p <port>
-```
-
-### Port forward over multiple hosts
-```
-ssh -D 9050 -o ProxyCommand="ssh -W %h:%p <user>@<jumphost>" <user>@localhost -p <port>
-```
-

linux/xfreerdp.md

@@ -8,3 +8,8 @@ apt install freerdp2-x11
 xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<rhost> +clipboard /dynamic-resolution
 ```
 
+### Connect using old cyphers and long timeout
+```
+xfreerdp /v:<rhost> /tls-seclevel:0 /timeout:80000
+```
+