26/02/2025
## [NMAP hints] ##

https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Update nmap scripts etc
nmap --script-updatedb

nmap -sC -sV # get protocols and version data runs Safe scripts
nmap -Pn -sV --script vuln # VA type scan
nmap -A #runs like the -sC -sV option

https://github.com/ernw/nmap-parse-output
https://github.com/laconicwolf/Nmap-Scan-to-CSV

Instal vulners from Github
nmap -Pn -sV --script=nmap-vulners x.x.x.x

Install Vulscan from Github
git clone https://github.com/scipag/vulscan

Run against local CVE database - the supplied CVE are all very old now...
nmap -Pn -sV --script=vulnscan/vulscan.nse --script-args vulscandb=./cve.csv x.x.x.x

Passive scan using Shodan
nmap -sn -Pn -n --script shodan-api.nse <target>

Brute force ssh using nselib/data lst files (edit to add more names/passwd)
nmap -p 22 -Pn --script ssh-brute --script-args userdb=usernames.lst,passdb=passwords.lst <X.X.X.X> --script-args ssh-brute.timeout=4s

Wordpress
nmap --script http-wordpress-enmu x.x.x.x -p 80,443

Ping scan discovery list live ip's
namp -sn 192.168.0.0/16 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'

nmap -sA -P0 -g 25  -f -oN output.txt fw_ip
-r don't rand ports
try -sA or -sT (if stateful FW) and -vv for verbose o/p
-n don't reverse dns

Use the O/P from a -sV scan (saved as xml) -oX and run it through searchsploit (exploitDB)
searchsploit -x --nmap ./nmap-scan.xml

https://github.com/offensive-security/exploitdb
/opt/exploit-database/searchsploit local (get Vuln/sploits on local machine - or Openssh to get these Vulns)


## [Get SSL CERT] ##

openssl s_client -connect www.google.co.uk:443 -showcerts > outfile.txt
or
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout 
-text||dates

Nmap Get Cert dates
nmap -p 443 --script ssl-cert <ip>

scan for TLS/SSL protocol with nmap
nmap -sV --script ssl-enum-ciphers -p 443 <ip>
or
nmap -Pn --script ssl-enum-ciphers x.x.x.x -p443

This scripts up from a cli list and spits out dns and TLS versions found

nmap -Pn -p443 -sV --script=ssl-enum-ciphers "$@" -oN tls-out
cat ./tls-out |awk '/Nmap scan report for/{ip=$NF; print ip} /TLS/{print $0; next} {if (ip) print}' | grep -E 'scan report for|TLSv'

Get sub-domains using google's crt.sh site
nmap -Pn -sn --script=hostmap-crtsh fqdn

Check HTTP Options
nmap -pn -p 443 --script http-security-headers x.x.x.x 
nmap -pn -p 443 --script http-headers x.x.x.x 
nmap -pn -p 443 --script http-cookie-flags x.x.x.x 
curl -I www.ip.addr.here
curl -X OPTIONS www.ip.addr.here -i

Look for VHosts NB the shodan-api get Vhosts info as well.
nmap --script http-vhosts --script-args http-vhosts.collapse=200 -p80,443 x.x.x.x
remove the --script-args to get collapsed results ans it 200 then add back in to see

## Format Nmap output ##

xsltproc nmap-out.xml -o nmap-out.html

#Convert XML scan to CSV only lists main details but good Service/port overview.
# git clone the Nmap-Scan-to-CSV
python3 ../Nmap-Scan-to-CSV/nmap_xml_parser.py -f ./nmap-results.xml -csv nmap-results.csv

# Parse XML output and list ports/services/groups etc, etc
# git clone nmap-parse-output
../nmap-parse-output/nmap-parse-output ./ppte-sites.xml service http

#Get Domain from IP
dig -x ip_address +short
dig +search ip_address +noall +answer

#Find who holds to DNS records
dig ip.domain NS

#Get ANY
dig ip.domain A

# or use Host or Nslookup

## [NetCat] ##

NC proxy
mkfifo 2way
ncat -l 8080 0<2way | ncat target.ip.addr.here 80 1>2way

keeps nc server listerning
nc -l 80 -k 

Simple nc scan
nc -v -z -w 2 target.ip.addr port

Simple Proxy with Socat
Socat proxy - Listen 55600/tcp localhost forward to google:80
socat TCP-LISTEN:55600,fork TCP:www.google.co.uk:80

#############################################################################
##################### SHELL SCRIPT ONE LINERS ###############################
#############################################################################

[Shell script checker]
This is a great site that checks the syntax etc of a shell script.
https://www.shellcheck.net
http://mywiki.wooledge.org/FullBashGuide


## [Search for strings from a list file] ##

Simple version,
grep -Fiwf file_1 file_2

or try -

for aa in $(cat ./list_file)
do
	grep -i ${aa} Data_file
done

OR BETTER VERSION FOR GETTING "string1 string2"
cat ./list_file | while read -r line
do	
	grep -i "$line" ./Other_file
	#or ping -c 1 "${line}" >>output_file
done 

AWK Version (appears to work well)
awk 'NR==FNR{arr[$0];next} $0 in arr' file1 file2


Grep exact string from any location in lines of Text (using Grep Perl func)
good for getting patch numbers etc from a dump
grep -oP 'string.*' in_file

or get matching count
grep -o -f pattern_file log_file | sort | uniq -c


## [Check DUPs] ##

To list the strings that are common to both files
comm -12 x1 x2
or
grep -f x2 x1 items in RED are common to both files

To get just a count of strings that are common over both files
comm -12 x1 x2 | wc
or
grep -f x2 x1 | wc
grep -cf x2 x1

To list new strings that have appeared but were not in the previous dump 
comm -13 x1 x2
grep -ivf x2 x1

Sort csv file by column (first) and uniq
sort -t "," -k 1,1 -u file_name


## [GREP] ##

Either or string
grep 'string1\|string2\|string3' <file_name>

Find string and print 2 lines before and after the sting match
grep -A 2 -B 2 PATTERN file_name

Get the match and (10) chars after it note the '.' after the string
grep -oP 'CVE.{0,10}'
Get the (3) chars before the string
grep -oP '.{0,3}CVE'
or grep CVE- and the next . chars
grep -oP '(CVE-)..........' ./file_name

Get just the string with wild card - so to get CVE-2022-1234
grep -oh "\w*CVE-2022-\w*" file_name

Get Email addresses from text files (full of crap)
grep -o '[[:alnum:]+\.\_\-]*@[[:alnum:]+\.\_\-]*' file_name

Get IP address(s) from text file
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' file_name
Get IP addresses with 10 as the first octet
grep -Eo '10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' 
This is a fudge - but works :)
grep '10\. ' ./input_file

Get URL from text file
cat source_file.txt |grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u

Grep text between two quotes "
grep -o '".*"' <file_name> | sed 's/"//g'

Convert file of text (column) to CSV comma seperated output
cat file_name | tr '\n' ',' > out_file
same but puts a space after the comma
perl -p -e 's/\n/, /' ./file_name > out_file

Look for string in folders/files
find . -type f -iname "*" | xargs grep "string"

## [AWK] ##

Convert output list from multi-line (CRLF) to all on one line with , (comma) seperator.
assume we are piping the output via sort and uniq etc...
sort input_file | uniq| awk 'BEGIN{ORS=", "}1'

or using tr
sort |uniq| tr '\n' ','

Print line numbers in File
awk '{print FNR "\t" $0}' file_name

Get string from file
awk -F"string" {print $NR}' file_name

Get line (23) from file
awk 'FNR==23 {print;exit}' file_name

Remove leading whitespace
awk '{$1=$1}1' file_name

Remove blank lines
awk NR file_name
or
awk 'NR > 0' file_name

Remove leading white space on lines
awk '{sub(/^[ \t]+/, ""); print}' file_name

Get second column from space delim text
awk 'NR!=1{print $2}' file_name

Get email addresses from file - The GREP versions appear to work better!
awk '{for(i=1;i<=NF;i++) { if ($(i) ~ "@") print $i}}' <file_name>
then to get f_name full address
awk -F "." '{print $1 "," $0}' <file_name> > <output.csv>

Find String and print the next 5 lines
awk '/PATTERN/ {for(i=1; i<=5; i++) {getline; print}}' file_name
or
cat file_name | awk '{if(a-->0){print;next}} /PATTERN/{a=5}' file_name

Find dups in a file
awk 'x[$1]++ == 1 { print $1 " is duplicated"}' file_name
awk '!x[$1]++ == 1 { print $1 " is not duplicated"}' file_name

List Unique lines in file
awk 'FNR==NR {a[$0]++; next} !a[$0]' file1 file2

List lines that are present in old.csv and not new.csv
awk 'NR==FNR{a[$0];next} !($0 in a)' old.csv new.csv

List like DIFF command field 1 in CSV
awk -F "," 'NR==FNR{c[$1]++;next};c[$1] == 0' file_one file_two

Add figures on each line (ignores text)
awk '{s=0; for (i=1; i=<NF; i++) s=s+$i; print s}'  file_name

Work with CSV file - comma as seperator and output as a comma
awk 'BEGIN { FS = "," ; OFS = ","} ; {print $1,$2}' file_name

Show count for number of comma's per line with line number (the matching char is in the 
gsub \,
awk 'BEGIN{print "count", "lineNum"}{print gsub(/\,/,"") "\t" NR}' file_name

Show lines with un-equal number of " on them
good for spotting csv import conversion issues into Excel etc.
awk -F'"' 'NF % 2 == 0 { printf("Line %d has odd quoting: %s\n", NR, $0) }' ./file_name

Sum (count) the totals for first column 
awk '{sum+=$1} END {print sum}' file_name

Sum count of string in file
awk -F, '/string/ {sum += } END {print sum}' file_name

Working with csv using , and ; as delimiter
and output as csv (saves doing a $2",",$8)
awk -F "[,;]" -v OFS="," '{print $2,$8}' ./file_name

Print lines with blank 5th field (csv)
awk -F, '$5' ./file_name

Print the 2nd to last field, csv (-F [,])
awk -F "," '{print $--NF}' file_name

Grab 2nd to last field and count total if value over 7
awk -F "," '{print $--NF}' ./file_name | awk '{if ($1>=7){count++;}} END {print count}'

Print lines in CSV where number in field 8 is greater or = to 8
awk -F "," '$8 >=8' ./file_name
or where last column is >=8
awk -F, '$NR >=8' ./file_name
or where col 8 is greater 3 and less than 8 (get numbers 4-7)
awk -F "," '$8 >3 && $8 <8' ./file_name

Sum (count) where  field 8 greater= to 7
awk -F "," '{if ($8>=7){count++;}} END {print count}' 

Add a semi-colon at the end of each line
awk '{print $0 ";"}' in_file > out_file

Add a comma after first word on each line
awk '{$2="," OFS $2} 1' file_name

Get field 1 and last 5 chars field 2 (passwd hash?) from comma delim file
awk -F, '{print $1",", substr($0, length($0)-4)}' ./file_name

Convert/reverse IP address (output from nslookup for eg) so turn 4.3.2.10 in to 10.2.3.4
First as we want CSV O/P in format 10.2.3.4 , hostname.domain.com and we are working with 10. range
in vi 1,$ s/10/10./g
now awk the file
awk -F. '{print $4"."$3"."$2"."$1","$5}' ./file_name >results_output 

# remove last octet inc period dot from list of IP addresses
# turns 10.1.1.1 in to 10.1.1 
awk 'BEGIN{FS=OFS="."} NF--' ./file_name 

## [SED]  ##

http://sed.sourceforge.net/sed1line.txt

Take column text (IPs) and build a comma seperated line single line list
paste -d, -s input_file > output_file
this sed sort of works
sed 's/^\|$/"/g'|paste -sd", "  - < input_file > output_file

Remove first 2 chars (. = a char)
sed 's/^..//' file_name

Subs 3rd char for an X
cat file_name | sed 's/[a-z]/X/3'
or
cat file_name | sed 's/[a-z]\{3\}/X/g'

Remove first line in file
sed '1d' file_name
Remove first to 5th lines
sed '1,5d' file_name

Remove blank lines
sed '/^$/d' file_name

Delete lines that start with a whitespace
sed -r '/^\s*$/d' ./File_name (GNU Sed)
sed '/^[[:space:]]*$/d' ./File_name (POSIX Sed)

Delete leading whitespace from left to first char
sed -e 's/^[ \t]*//' file_name

Replace char's (in this case a leading slash to a space, so esc with a \)
sed 's/\// /' file_name

Remove all text after the first Dot (.)
sed 's/\..*$//' ./input_file > output_file

Remove last xx chars from end of line (2 in this eg)
sed 's/..$//' inout_file > output_file

Wrap each line of text with a "...*"
sed "s/;/\";\"/g;s/^/\"/;s/$/\*\"/" ./file_name

Convert Unix newlines to DOS format
sed 's/$'"/`echo \\\r`/" <file_in > file_out

Add a semi-colon at the end of each line
sed "s/$/;/g" in_file > out_file

remove comma at end of each line
sed 's/,$//' in_file > out_file

Add comma after first char on each line
sed 's/ / \, /' file_name

Convert newline to space (good for uniq output of IP addresses etc)
uniq | tr '\n' '  '

Remove quote marks on all lines but leaves text
tr -d '"' <file_in

Remove leading white space
tr -d '[ ]'

## [VI] ##

Remove  blank lines
g/^\s*$/d

remove string
g/string/d
remove evertything bar string
g!/string/d

Delete up to char
:%s/.*\ze\<CHAR\>//

Delete upto last colon (:)
:1,$ s/.*://g

Remove leading white space
at esc :
%s/^\s*//g

Append to end of every line/string
:%s/$/\appended.string/g

[General Stuff]

Get first and fifth col in TAB seperated file
cut -f 1,5 -d "Cntl v <TAB>" file_name
Same for csv "," File
cut -d ',' -f1,5 file_name
get the first 5 chars from lines of text
cut -c 1-5 file_name

use filename (from say $1) as part of O/P file - strip leading ./
NAME="$(basename ${1} /.)"


## [Web site stuff] ##

Spider site
wget -r -np --spider www.site.addr.here

Count files in (open) folder on website without downloading anything
wget -qO - http://website_address/files/ | grep '^<tr><td' | wc -l

Get/Download files of type .txt and .doc
wget -r -A txt,doc www.website.com


Get Base 64 message body (eml/msg). Cut base64 block out then
run 
#base64 -d body_snip > output_file

[API]
curl -v https://site - get headers etc
curl -X GET https://site?code=api_key - get api page
curl -H "Authorization: Bearer 5e4403b6af2a82db574e33a5349d7ae9" https://site.api - get data with api key


General random No between 5-10
aa=`echo $(( RANDOM % (10 - 5 + 1 ) + 5 ))` ; echo $aa

## [SMB scannning] ##

smbclient -L 192.168.1.15 -U administrator
smbclient -L 192.168.1.15 -U %
smbclient //192.168.1.15/C$ passwd -U administrator
nmblookup -A 192.168.1.15

## [Windows stuff] ##

Get username (needs admin)
WMIC /Node:<computer_name> ComputerSystem Get UserName

Check for M$ patches 
WMIC qfe get | findstr kb_<number>

Powershell NC like usage
Test-NetConnection -ComputerName x.x.x.x -Port 80

## [Block attackers - Linux Box] ##

Add sub-net to routing table
route add -net 10.1.3.0/24 gw 127.0.0.1 lo
check routing table
route -n
Remove blocked sub-net
route del -net 10.1.3.0/24
or
route del -net 10.1.0.0/16

## Service Stuff ##

Little NC HoneyPot
while true
	do
		nc -l 80 < ./www-server-id.txt >> nc_honey.log
		echo "====`date` ====">> nc_honey.log
		echo "" >> nc_honey.log
	done

Simple www server using python
python3 -m http.server 8080
this server files/folders from your CWD you ran the cmd from. 

Simple HTTPD Server using busybox
busybox httpd -p 80 -h /var/www/

Run busybox on Windows (stand-alone exe)
c:\bin\busybox.exe sh -l

## [TMUX] ##
tmux	new session
tmux a	attach to session
Cntl B -d	detach
Cntl B -p	previous window
Cntl B -n	next window
Cntl B -c	Create new window
Cntl B ,	Rename Window
Cntl B %	Split pane Vertically
Cntl B ;	switch between split pane's

## SSH stuff ##
# MobaXterm setup to RDP to Linux over ssh
in terminal on Windows PC run
ssh -L 33389:127.0.0.1:3389 -l <user_name> <remote_rdp_server>
on Windows client run
mstsc 127.0.0.1:33389

# Reverse tunnel
On remote Server_a
ssh -R 2222:localhost:22 user_name@ip.of.my_workstation -p 22 (or something else less obv's)
or add -nNT to run in background (with & maybe)
on your Workstation/client
ssh server_user@localhost -p 2222

Back-ground a job in the case you forgot to nohup <cmds> &
Use disown  you need to be ROOT
$<cmds> & disown
if the cmd is running  Cntl-Z ; jobs -l ; disown -h JobID

EOF