Command One-Liners

One Liners

You know you like them, always handy, these blokes pack a punch. I am compiling some of them here.

LINUX

Network Commands

Get information on ethernet adapters

# get the IPv4 address of eth0 (grep -w keeps the inet6 lines out)
ip addr show | grep eth0 | grep -w inet | sed -e 's/ *inet *//g' -e 's/\/.*//g'

# create bridge X and attach eth0 and eth1 to it (the subcommand is "ip link set", not "ip set")
ip link add name X type bridge
ip link set X up
ip link set eth0 master X
ip link set eth1 master X

Port Redirect

# Note: you can find TCP sockets in /proc/net/tcp !
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -m multiport ! --dports 22,53,80,443 -j REDIRECT --to-port 80

General

Download the latest release from a Github repo

curl -s https://api.github.com/repos/jgm/pandoc/releases/latest \
| grep "browser_download_url.*deb" \
| cut -d '"' -f 4 \
| wget -qi -

WINDOWS SORCERY

LolBins

rundll32 | Run an arbitrary program with Mimikatz dll

rundll32 c:\path\mimilib.dll,start d:\some_path\stuff.exe

rundll32 | Show saved credentials by the Windows credentials manager

rundll32 keymgr.dll,KRShowKeyMgr

Enumerate Ways a Website can leak HTTP Info

Generic Spells

Some weird Windows native “popup” :D

::Ref: https://twitter.com/TekDefense/status/823204388982362118
wlrmdr.exe -s 60000 -f 1 -t "text" -m "more text" -a o

Open Device Manager

mmc devmgmt.msc

Get List of Local Users or Members of the Local Admin Group

# PowerShell v2+ (ADSI WinNT provider; "." is the local computer)
$Computer = [ADSI]("WinNT://.,computer")
$LocalAdminGroup = $Computer.psbase.children.find("Administrators")
$LocalAdminGroupMembers = $LocalAdminGroup.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }

# Using Powershell v5+
Get-LocalGroupMember "Administrators"

# Using WMI
Get-WmiObject win32_groupuser -Computer localhost

Network Spells

A series of useful commands to gather network intelligence.

Show clear text password locally for Wireless Lan Connection

netsh wlan dump
netsh wlan show profiles key=clear name="BotConf2016"
netsh wlan show profiles name="BotConf2016" key=clear

PortProxy - Port Redirection

:: Redirect traffic from port 9000 to port 80 on a different IP
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9000 connectaddress=192.168.3.30 connectport=80
:: Delete portproxy entry
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

DNS Tricks | PowerShell

# Resolve hostnames and IP addresses (GetHostName takes no argument; GetHostEntry does the reverse lookup)
[System.Net.Dns]::GetHostAddresses("quasarops.com")
[System.Net.Dns]::GetHostEntry("8.8.8.8")
[System.Net.Dns]::GetHostByAddress("10.0.0.1")
[System.Net.Dns]::Resolve("quasarops.com")   # obsolete but still works; GetHostEntry is the replacement

Get Network Adapter info | PowerShell

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
[System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()

List Proxy info | PowerShell

Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "AutoConfigURL"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "ProxyServer"
Get-ChildItem -recurse 'HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\' | % { $_.GetValue("WpadDetectedURL") }  | sort -Unique

List LAN info | PowerShell

wmic nicconfig where ipenabled=true call /?
wmic nicconfig where ipenabled=true call RenewDHCPLease
wmic nicconfig where ipenabled=true call ReleaseDHCPLease
wmic nicconfig where ipenabled=true list brief
wmic nicconfig where ipenabled=true get ipaddress,macaddress,dnsserversearchorder,dnshostname,defaultipgateway,dhcpserver,description /format:list
wmic nicconfig where ipenabled=true list full

Ping a Subnet | PowerShell

$ping = New-Object System.Net.NetworkInformation.Ping
1..254 | % { $ping.Send("192.168.100.$_") | select Address, Status }
# plain ping loop over the usable hosts .1 to .254 (.0 and .255 are the network and broadcast addresses)
for ( $i = 1; $i -le 254 ; $i++ ) { ping 192.168.0.$i }

Active Directory

Get a user’s AD Group Membership

# This returns only the group names (the CN of each entry) instead of the full distinguished name.
# -split / -replace are used because String.Split("CN=") splits on each of the characters C, N and = in Windows PowerShell
(Get-ADUser SomeUserYeah -Properties MemberOf).MemberOf | % { ($_ -split ',')[0] -replace '^CN=' }

Get AD ms-DS-MachineAccountQuota

Useful to understand whether you can leverage this primitive for further mischief

Get-ADDomain | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'

Enumerate Forest and Domain Trusts

NOTE: Good read about this -> http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
# With RSAT Module
Get-ADTrust -Filter *

# Without RSAT Module
## First Enumerate Domain Trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
## Then Enumerate Forest Trusts
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()

# List all Domain Controllers in the Forest
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | % { $_.Servers } | select Domain,Name,SiteName

Get AD Account Details for account in a trusted Domain

Get-ADUser -Server 'some.domain.com' -Filter { SamAccountName -eq 'some_user' } -Properties *

Enumerate all Domain Controllers

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDomainControllers()

Cryptographic & Encoding Functions

Some General Encoding and Hash Functions | PowerShell

# Convert from Base64 (FromBase64String takes the Base64 text itself, not a byte array)
[Convert]::FromBase64String($data)
# If the input was stored without its trailing padding, append "=" or "==" until the length is a multiple of 4
[Convert]::FromBase64String($data + "=")
[Convert]::FromBase64String($data + "==")
# Decode straight to text
[System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($data))

# Convert to Base64
[Convert]::ToBase64String($bytes)
[Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($data))

# Convert HEX to DEC
[System.Byte]::Parse("FA",[System.Globalization.NumberStyles]::HexNumber)

# Encode in HEX (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead)
[System.BitConverter]::ToString($(Get-Content .\data.bin -Encoding Byte))

# Encode Hash in HEX
[System.BitConverter]::ToString(([System.Security.Cryptography.MD5]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("SOME-STRING")))
[System.BitConverter]::ToString(([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("SOME-STRING")))
[System.BitConverter]::ToString([System.Security.Cryptography.MD5CryptoServiceProvider]::new().ComputeHash([System.Text.UTF8Encoding]::new().GetBytes("")))
[System.Bitconverter]::ToString(([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>")))

# Compute MD5 Hash
[System.Security.Cryptography.MD5CryptoServiceProvider]::new().ComputeHash([System.Text.UTF8Encoding]::new().GetBytes(""))

Compute Hash with .NET Class

([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>"))
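A fuller version of the Base64 and hashing snippets above, as an added example that is not from the original page: ConvertFrom-Base64Text repairs missing padding and the URL-safe alphabet instead of trying "=" and "==" by hand, and Get-StringHash wraps the .NET hash classes into one hex-string helper. Both function names and the sample inputs are constructed here.

```powershell
# Added example (not from the original page): decode Base64 that is missing its
# padding or uses the URL-safe alphabet, and hash strings to upper-case hex.
function ConvertFrom-Base64Text {
    param(
        [Parameter(Mandatory)][string]$Data,
        [System.Text.Encoding]$Encoding = [System.Text.Encoding]::UTF8
    )
    # URL-safe variant (RFC 4648 section 5) uses '-' and '_' in place of '+' and '/'
    $s = $Data.Trim() -replace '-', '+' -replace '_', '/'
    # Pad to a multiple of 4 instead of guessing "=" or "==" by hand
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid Base64 length: $($s.Length)" }
    }
    $bytes = [Convert]::FromBase64String($s)
    # PowerShell -EncodedCommand payloads are UTF-16LE, so the caller can pick
    # the encoding; UTF-8 is the default here
    return $Encoding.GetString($bytes)
}

function Get-StringHash {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        # BitConverter emits "AB-CD-..."; strip the dashes for a compact hex string
        return ([System.BitConverter]::ToString($hash)) -replace '-', ''
    } finally {
        $hasher.Dispose()
    }
}

# Constructed samples: "hello" with its trailing "=" removed, and a UTF-16LE
# encoded "Write-Host" (the shape of an -EncodedCommand argument) without padding
ConvertFrom-Base64Text 'aGVsbG8'
ConvertFrom-Base64Text 'VwByAGkAdABlAC0ASABvAHMAdAA' -Encoding ([System.Text.Encoding]::Unicode)
Get-StringHash 'hello' -Algorithm SHA256
```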

Generic One-Liners

Extract an archive without “Expand-Archive” | PowerShell

# $src is the path to the .zip file, $dst the folder it is extracted into
Add-Type -AssemblyName System.IO.Compression.FileSystem; [IO.Compression.ZipFile]::ExtractToDirectory($src, $dst)