More cheatsheets

linux/7z.md

@@ -11,3 +11,9 @@ https://github.com/kornelski/7z
 7z x <file>.7z 
 ```
 
+### Readable formats
+```
+vmdk
+vhdx
+```
+

linux/Certipy.md

@@ -1,9 +1,9 @@
 ### Source
 https://github.com/ly4k/Certipy  
 
-### Check for vulnerable templates
+### Check for vulnerable templates (does only check port 80 in regard of ESC8)
 ```
-certipy find -u <user>@<domain> -p <password> -dc-ip <dcIp> -ns <dnsIp> -dns-tcp -old-bloodhound
+certipy find -u <user>@<domain> -p <password> -dc-ip <dcIp> -ns <dnsIp> -dns-tcp
 ```
 
 ### Create golden certificate

linux/CredMaster.md

@@ -0,0 +1,24 @@
+### Source
+https://github.com/knavesec/CredMaster
+
+### Start password spray (-t threads, -m minimum jitter seconds, -j jitter, -d minute delay between pws)
+```
+python3 credmaster.py --access_key <key> --secret_access_key "<secret>" --plugin <plugin> --url "https://<domain>" -u <userList> -p <passwordList> -a <useragentList> -o <outFile> --region <region> --passwordsperdelay 1 -t 1 -m 30 -j 60 -d 180
+```
+
+### Plugins
+```
+ADFS - Active Directory Federation Services
+AzureSSO - Azure AD Seamless SSO Endpoint
+AzVault - AzVault Module, Azure spray point different to MSOL/AzureSSO
+EWS - Exchange Web Services
+FortinetVPN - Fortinet VPN Client
+HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
+MSGraph - MSGraph Module, msgraph spray point for azure and MSOL credentials
+MSOL - Microsoft Online
+O365Enum - Office365 User Enum (No Authentication Request)
+O365 - Office365 - DEPRECATED
+Okta - Okta Authentication Portal
+OWA - Outlook Web Access
+```
+

linux/aws.md

@@ -50,3 +50,28 @@ aws ec2 authorize-security-group-ingress --group-name <groupName> --protocol tcp
 aws ec2 describe-subnets --query 'Subnets[*].[SubnetId, AvailabilityZone, VpcId, Tags[?Key==`Name`].Value | [0]]'
 ```
 
+### List s3 buckets
+```
+aws s3api list-buckets
+```
+
+### Show content of bucket
+```
+aws s3 ls s3://<name>
+```
+
+### Synchronize content of bucket 
+```
+aws s3 sync s3://<name> <directory>
+```
+
+### Download content of bucket 
+```
+aws s3 cp ./<directory> s3://<name>/<path>
+```
+
+### Get api gateways of region
+```
+aws apigateway --region eu-central-1 get-rest-apis
+```
+

linux/burp.md

@@ -24,7 +24,7 @@ SOCKS proxy port: 9050
 
 ### Restrict traffic to scope
 ```
-Settings > Project > Scopt
+Settings > Project > Scope
 Enable "Use advanced scope control"
 
 Add > .*\.domain\.com
@@ -33,6 +33,15 @@ Out-of-scope request handling:
 Enable: "Drop all out-of-scope requests"
 ```
 
+### Silence Burp
+```
+Settings > Project > Collaborator
+Enable "Dont't use Burp Collaborator"
+
+Settings > Suite > Updates
+Disable "Enable auto-updates (require restart)"
+```
+
 ### Intruder Payload types
 ```
 Sniper - One of the marked parameters tested at a time, with one of the payload items.

linux/date.md

@@ -3,3 +3,8 @@
 date -d @1302401211
 ```
 
+### Convert pwdlast set from LDAP
+```
+date -d "1601/1/1+$(expr <pwdLastSet> / 10000000 )Seconds"
+```
+

linux/docker.md

@@ -49,7 +49,7 @@ docker network create --subnet=192.168.0.0/16 <networkName>
 docker network ls
 ```
 
-### Delte network
+### Delete network
 ```
 docker network rm <networkName>
 ```

linux/dpapi.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/fortra/impacket/blob/master/examples/dpapi.py
+
+### Decrypt using Data Protection API
+```
+dpapy.py unprotect -file <file> -key <key>
+```
+

linux/find.md

@@ -1,10 +1,15 @@
 ### Remove all files with a specific extension
 ```
-find . -type f -name "*.<bak>" -exec rm -f {} \;
+find . -type f -name "*.<txt>" -exec rm -f {} \;
 ```
 
 ### Remove empty directories (f for files)
 ```
 find . -type d -empty -delete
 ```
 
+### Find biggest files
+```
+find . -type f -exec ls -lh {} + | awk '{ print $9 ": " $5 }' | sort -k2,2h | tail -n 10
+```
+

linux/grep.md

@@ -8,6 +8,11 @@ grep -Eo '([0-9]*\.){3}[0-9]*'
 grep -oiE "<title>(.*)</title>"
 ```
 
+### Grep for subdomains
+```
+grep -RiEo '([a-zA-Z0-9-]+\.)*domain\.com' *
+```
+
 ### Grep logical or
 ```
 grep -E "pattern1|pattern2"

linux/hashcat.md

@@ -1,9 +1,9 @@
 ### Source
 https://github.com/hashcat/hashcat  
 
-### Wordlist crack, -m hash type, -a attack mode
+### Crack using multiple wordlists and rules
 ```
-hashcat -m 0 -a 0 <fileToCrack> <wordlist>
+hashcat --username -a 0 -o <resultFile> -m <mode> <hashFile> <wordlist1> <wordlist2> --potfile-path <potfile> --session <session> -r <rule1> <rule2>
 ```
 
 ### Attack modes
@@ -25,6 +25,11 @@ hashcat -m 0 -a 0 <fileToCrack> <wordlist>
 ?a = ?l?u?d?s
 ```
 
+### Salt format
+```
+hash:salt
+```
+
 ### Example all alphanumeric chars from 1 to 6 chars
 ```
 hashcat -o <outfile> -m <hashType> -a 3 <fileToCrack> -1 ?l?u?d ?1?1?1?1?1?1 -m <hashType> --increment
@@ -43,6 +48,7 @@ hashcat -o <outfile> -m <hashType> -a 3 <fileToCrack> -1 ?l?u?d ?1?1?1?1?1?1 -m
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
+1700 = SHA-512
 1800 = sha512crypt $6$, SHA512 (Unix)
 2100 = Domain Cached Credentials (DCC), MS Cache - format: $DCC2$10240#<user>#<hash>
 2500 = WPA/WPA2
@@ -59,7 +65,7 @@ hashcat -o <outfile> -m <hashType> -a 3 <fileToCrack> -1 ?l?u?d ?1?1?1?1?1?1 -m
 19700 = Kerberos 5 TGS-REP (etype 18)
 ```
 
-### Cracking kerberoast, -O optimize kernel but also limits password length, -w workload high (speeds up but can also affect availability)
+### Crack kerberoast, -O optimize kernel but also limits password length, -w workload high (speeds up but can also affect availability)
 ```
 hashcat -a 0 -o <resultFile> -m 13100 <hashFile> <wordlist> -O -r <ruleFile> -w 3
 ```

linux/ip.md

@@ -8,7 +8,7 @@ ip -br a
 ip -o l show | awk -F': ' '{print $2}'
 ```
 
-### Start interface (use down for stopping)
+### Start interface (up/down)
 ```
 ip l set <interface> up
 ```
@@ -53,3 +53,8 @@ ip route | awk '/default/ { print $3 }'
 ip neigh show dev <interface>
 ```
 
+### Set mtu valu
+```
+ip link set dev <interface> mtu <value>
+```
+

linux/journalctl.md

@@ -13,3 +13,8 @@ journalctl --disk-usage
 journalctl --vacuum-time=2d
 ```
 
+### Show ssh events of last 3 hours
+```
+journalctl -u ssh --since -3h
+```
+

linux/ldd.md

@@ -0,0 +1,5 @@
+### Get dependencies of binary
+```
+ldd <file>
+```
+

linux/lets-encrypt.md

@@ -10,7 +10,7 @@ hostname -f
 
 ### Create certificate
 ```
-certbot --apache
+certbot certonly --register-unsafely-without-email -v --standalone
 ```
 
 ### Renew certificate 

linux/lsof.md

@@ -6,6 +6,6 @@ lsof -Pnl +M -i6
 
 ### Get information for specific port number
 ```
-lsof -i :33991
+lsof -i :<port>
 ```
 

linux/postgresql.md

@@ -0,0 +1,52 @@
+### Install client
+```
+apt install postgresql-client
+```
+
+### Change user password
+```
+sudo -i -u postgres
+psql
+\password postgres
+```
+
+### Create database
+```
+createdb <database>
+```
+
+### Dump database
+```
+pg_dump -h <host> -p -d <database> -U <user> -W
+```
+
+### Import
+```
+psql -h localhost -U postgres -f <file>
+```
+
+### Restore archive
+```
+pg_restore -h localhost -U postgres -d <database> <file>
+```
+
+### Show databases
+```
+\list
+```
+
+### Connect to database
+```
+\c <database>
+```
+
+### Show tables
+```
+\dt
+```
+
+### Dump
+```
+SELECT * FROM <table>
+```
+

linux/python.md

@@ -23,3 +23,9 @@ virtualenv -p /usr/bin/python2.7 <name>
 python -m smtpd -n -c debuggingServer :<lport>
 ```
 
+### Use proxy
+```
+export http_proxy=127.0.0.1:8080
+export https_proxy=127.0.0.1:8080
+```
+

linux/screen.md

@@ -5,7 +5,7 @@ screen -S <name>
 
 ### Log session to file
 ```
-screen -S <name> -L -Logfile $(date +"%Y-%m-%d_%T")
+screen -S <name> -L -Logfile $(date +"%Y.%m.%d_%T")
 ```
 
 ### Detach

linux/ss.md

@@ -0,0 +1,5 @@
+### Install
+```
+apt install iproute2
+```
+

linux/ssh.md

@@ -51,12 +51,17 @@ chown <user>:<user> <key>*
 
 ### Dynamic port forwarding (forward proxychains traffic into server network)
 ```
-ssh -D 9050 <user>@<sshServer> -N -v
+ssh -D 9050 <user>@<rhost> -N -v
 ```
 
 ### Remote port forwarding (forward proxychains traffic into client network)
 ```
-ssh -o 'StrictHostKeyChecking=no' -i .\<privateKey> -N -R 9050 <user>@<sshServer>
+ssh -o 'StrictHostKeyChecking=no' -i .\<privateKey> -N -R 9050 <user>@<rhost>
+```
+
+### Port forward to local port on remote server
+```
+ssh -N -L 127.0.0.1:9050:127.0.0.1:9051 <user>@<rhost>
 ```
 
 ### Proxychains uses port 9050 as default -> /etc/proxychains4.conf)
@@ -72,6 +77,11 @@ ssh -o UserKnownHostsFile=/dev/null -T <user>@<rhost> 'bash -i'
 
 ### Port forward over multiple hosts
 ```
-ssh -D 9050 -J <user>@<rhost>:<port>,<user>@<rhost>:<port> <user>@<rhost> -p <port>
+ssh -D 9050 -J <user>@<jumphost1>:<port>,<user>@<jumphost2>:<port> <user>@<rhost> -p <port>
+```
+
+### Port forward over multiple hosts
+```
+ssh -D 9050 -o ProxyCommand="ssh -W %h:%p <user>@<jumphost>" <user>@localhost -p <port>
 ```
 

linux/vim.md

@@ -228,3 +228,8 @@ zg
 zw
 ```
 
+### Replace last / of each line with -
+```
+:%s/\(.*\)\(\/\)/\1-/g
+```
+

linux/xfreerdp.md

@@ -5,6 +5,6 @@ apt install freerdp2-x11
 
 ### RDP with pass the hash
 ```
-xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<rhost> +clipboard
+xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<rhost> +clipboard /dynamic-resolution
 ```
 

other/aws.md

@@ -0,0 +1,23 @@
+### Bucket data
+```
+/?versions - metadata about all versions of the objects inside
+/?uploads - lists of in-progress multipart uploads 
+```
+
+# Storage class for upload influences price
+* https://aws.amazon.com/s3/pricing
+
+```
+aws s3 cp <file> "s3://<bucketname>/<file>" --storage-class <class>
+```
+
+### Check if bucket belongs to a user ID (incorrect ID results in access denied error)
+```
+curl -X GET "https://<bucketname>.amazonaws.com/" -H "x-amz-expected-bucket-owner: <ownerId>"
+```
+
+### Get canonical user ID from bucket (resolve canonical ID to account ID by placing it inside an IAM policy)
+```
+curl "https://<bucketname>.amazonaws.com?fetch-owner=true"
+```
+