Cheat sheet for the Blue Team 🧢
Hopefully, this is not Bull S***!!!
I prioritize the simplest commands. Most of the time, you don't need all the things.
While this is a cheat sheet, this is not exhaustive at all. TO BE CONTINUED indefinitely...
These are my favorite Nmap commands:
# Simple way to enumerate open ports
nmap --open {IP}
# Simple scan for services
nmap -sV {IP}
# Simple UDP + TCP scan (UDP scanning is slow and needs root; -Pn skips host discovery)
nmap -Pn -sU -sT {IP}
However, do not rely on terminal scrollback: send the output to a file with the -o options.
-oN writes the normal output, -oX writes XML, -oG writes the one-line-per-host grepable format,
and -oA followed by a base name writes all three at once, e.g. nmap -sV -oA scan {IP}
produces scan.nmap, scan.xml and scan.gnmap.
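As an added example (not part of the original cheat sheet), a small shell function that parses the .gnmap file written by -oA and prints every open port with its service and version, which is handy for feeding the result into other tools. The .gnmap content in the block is constructed for the demo, not real scan output.

```shell
#!/bin/sh
# Added example: save a scan in every format, then pull the open ports out of
# the grepable (.gnmap) file.
#
#   nmap -sV -oA scan {IP}      # writes scan.nmap, scan.xml and scan.gnmap
#
# open_ports FILE  ->  one line per open port: host port/proto service version
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                # the Ports field is a comma-separated list of entries
                n = split(substr($i, 8), entries, ", ")
                for (j = 1; j <= n; j++) {
                    # entry layout: port/state/proto/owner/service/rpc/version/
                    split(entries[j], f, "/")
                    if (f[2] != "open") continue
                    version = (f[7] == "") ? "-" : f[7]
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], version
                }
            }
        }' "$1"
}

# Constructed sample .gnmap content (not real scan output) so this runs offline.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
printf '# Nmap 7.94 scan initiated as: nmap -sV -oA scan 10.0.0.0/30\n' > "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.1 ()\tStatus: Up\n' >> "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.2 ()\tStatus: Up\n' >> "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.2 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 53/open/udp//domain///\n' >> "$SAMPLE_GNMAP"
printf '# Nmap done: 2 IP addresses (2 hosts up)\n' >> "$SAMPLE_GNMAP"

open_ports "$SAMPLE_GNMAP"
```

On a real scan, call `open_ports scan.gnmap`; closed and filtered ports are dropped, and a missing version string is printed as `-` so the columns stay aligned for `awk`/`cut`.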
chmod +x myexec.sh
./myexec.sh
sh myexec.sh
bash myexec.sh
script.bat
binary.exe
script.ps1
Just type the path to your exec on the console and press enter.
ifconfig
ip addr
lsof -i
arp -a
netstat -na | egrep 'LISTEN|ESTABLISH'
ipconfig
ipconfig /all
net view /all
arp -a
The following Wireshark filter spots the probes of a half-open (SYN) scan such as nmap -sS. The scanner never completes the handshake, so nothing reaches application logs, but its raw SYN packets carry no ACK and advertise a tiny window (nmap uses 1024) that a real client's TCP stack would not:
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
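The same check done offline, as an added example that is not part of the original cheat sheet: export the SYN-only packets from a capture with tshark, then aggregate them per source so a real port sweep stands out from a single stray SYN. The tshark command is only shown in a comment; the tab-separated sample lines are constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example: offline version of the Wireshark filter. Export SYN-only
# packets from a capture with tshark (fields are tab separated by default):
#
#   tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
#          -e tcp.window_size > syn.tsv
#
# syn_scan_sources FILE MIN_PORTS -> "src count" for every source whose
# small-window SYNs reached at least MIN_PORTS distinct destination (host, port) pairs.
syn_scan_sources() {
    awk -F'\t' -v min_ports="$2" '
        # columns: 1 epoch, 2 src, 3 dst, 4 dstport, 5 window
        $5 + 0 <= 1024 {                       # scanner-style tiny window
            key = $2 SUBSEP $3 SUBSEP $4
            if (!(key in seen)) { seen[key] = 1; ports[$2]++ }
        }
        END {
            for (src in ports)
                if (ports[src] + 0 >= min_ports + 0)
                    printf "%s %d\n", src, ports[src]
        }' "$1" | sort
}

# Constructed sample export (not a real capture): 10.0.0.5 sweeps five ports
# with window 1024 (one probe is retransmitted), 10.0.0.9 is an ordinary client
# with a 64240-byte window, 10.0.0.7 sends a single small-window SYN.
SAMPLE_TSV=$(mktemp)
trap 'rm -f "$SAMPLE_TSV"' EXIT
printf '1700000000.001\t10.0.0.5\t10.0.0.20\t22\t1024\n' > "$SAMPLE_TSV"
printf '1700000000.002\t10.0.0.5\t10.0.0.20\t80\t1024\n' >> "$SAMPLE_TSV"
printf '1700000000.003\t10.0.0.5\t10.0.0.20\t443\t1024\n' >> "$SAMPLE_TSV"
printf '1700000000.004\t10.0.0.5\t10.0.0.20\t3389\t1024\n' >> "$SAMPLE_TSV"
printf '1700000000.005\t10.0.0.5\t10.0.0.20\t8080\t1024\n' >> "$SAMPLE_TSV"
printf '1700000000.006\t10.0.0.5\t10.0.0.20\t8080\t1024\n' >> "$SAMPLE_TSV"
printf '1700000000.010\t10.0.0.9\t10.0.0.20\t443\t64240\n' >> "$SAMPLE_TSV"
printf '1700000000.011\t10.0.0.9\t10.0.0.20\t443\t64240\n' >> "$SAMPLE_TSV"
printf '1700000000.012\t10.0.0.7\t10.0.0.20\t22\t1024\n' >> "$SAMPLE_TSV"

# Report sources that touched at least three distinct targets.
syn_scan_sources "$SAMPLE_TSV" 3
```

The threshold is the tuning knob: a single small-window SYN is often noise, while the same source hitting many ports in a short window is almost always a scan. Retransmissions do not inflate the count because each (src, dst, port) triple is counted once.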
hostnamectl
Get-ComputerInfo
# files in a directory sorted by modification time, newest first
ls -lat / | less
# files currently open by a user
lsof -u {USER}
# list dotfiles in sensitive directories
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2> /dev/null
# text files that have been recently modified
forfiles /S /M *.txt /C "cmd /c echo @path @file @fdate @ftime"
# view unsigned files in system32
sigcheck -u -e c:\windows\system32
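Listing a directory sorted by mtime only covers one level; to sweep a whole tree for anything touched in the last N minutes, use find -mmin. The function below is an added example, not part of the original cheat sheet; the directory it runs on is constructed for the demo (the name `recent_files` is this example's own).

```shell
#!/bin/sh
# Added example: find files modified within the last N minutes under a
# directory tree, pruning the pseudo filesystems that change constantly.
#
# recent_files ROOT MINUTES -> matching paths, sorted
recent_files() {
    root=${1%/}                       # "/" becomes "" so "$root/proc" is "/proc"
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" \
                         -o -path "$root/dev"  -o -path "$root/run" \) -prune \
        -o -type f -mmin "-$2" -print | sort
}

# Constructed sample tree (not a real host): one fresh file, one file
# backdated to 2020 and a fake proc/ directory that must be skipped.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/proc"
printf 'fresh\n' > "$SAMPLE_DIR/new.txt"
printf 'noise\n' > "$SAMPLE_DIR/proc/status"
printf 'stale\n' > "$SAMPLE_DIR/old.log"
touch -t 202001010000 "$SAMPLE_DIR/old.log"

# Everything modified in the last hour:
recent_files "$SAMPLE_DIR" 60
```

On a live box, `recent_files / 60` run as root gives a quick picture of what an intruder changed in the last hour; pipe it through `xargs ls -l` if you also want owner and size. Remember that mtime is trivially forged with `touch`, so treat a clean result as a hint, not proof.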
# set a new password for a user
passwd {USER}
# unlock password for user
passwd -u {USER}
# delete password for user
passwd -d {USER}
# Windows: prompt for a new password for a local account
net user {USER} *
# if it's a domain account
net user {USER} * /domain
ps aux
ps aux | grep '^root'
kill -9 {PID}
tasklist /NH | sort
wmic process where "name='{PROCESS}'" delete
Stop-Process -Name {PROCESS}
systemctl list-units --type service
# stop it now and keep it from starting at boot (disable alone leaves it running)
systemctl disable --now {SERVICE}
sc query
sc stop {SERVICE}
strings {FILE} | head -7
strings {FILE} | less
file -i {FILE}
# legacy 16-bit DOS debugger, only present on 32-bit Windows
debug {FILE}
# view 250 first bytes of file
hexdump -C -n 250 {FILE}
# check file with Virus Total
sigcheck.exe -vt {FILE}
# peek at the first bytes of physical memory (root only, and most kernels
# restrict /dev/mem; for a full image use an acquisition tool such as LiME)
head -c 512 /dev/mem | hexdump -C
# analysis
gcore -o {file} {PID}
cat /proc/{PID}/smaps > results.txt
Use Volatility for analysis.
- Volshell: direct introspection and access to all features of the volatility library from within a command line environment
- Valgrind: the memcheck tool can analyze memory errors (overflows, leaks)
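Before dumping a process with gcore, it helps to know which region to look at. As an added example (not part of the original cheat sheet or of Volatility), the function below reads a /proc/{PID}/maps dump and flags mappings that are writable and executable at once; normal code pages are r-x and data pages rw-, so a W+X region, especially an anonymous one, is a classic trace of injected or unpacked code. The maps lines in the block are constructed for the demo, and `rwx_regions` is this example's own name.

```shell
#!/bin/sh
# Added example: flag W+X mappings in a /proc/PID/maps dump.
#
# maps line layout: start-end perms offset dev inode [pathname]
# rwx_regions FILE -> "start-end perms name" per mapping whose perms begin with rwx
rwx_regions() {
    awk '$2 ~ /^rwx/ {
            name = ($6 == "") ? "[anon]" : $6      # no pathname = anonymous mapping
            printf "%s %s %s\n", $1, $2, name
         }' "$1"
}

# Constructed sample (not a real process): a normal binary, libc, heap and
# stack, plus one anonymous rwx region of the kind shellcode loaders create.
SAMPLE_MAPS=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS"' EXIT
printf '%s\n' \
  '55d4c0a00000-55d4c0a08000 r--p 00000000 08:01 1311 /usr/bin/sleep' \
  '55d4c0a08000-55d4c0a14000 r-xp 00008000 08:01 1311 /usr/bin/sleep' \
  '55d4c1b2c000-55d4c1b4d000 rw-p 00000000 00:00 0 [heap]' \
  '7f3c9d000000-7f3c9d021000 rwxp 00000000 00:00 0' \
  '7f3c9d400000-7f3c9d5c3000 r-xp 00028000 08:01 2112 /usr/lib/x86_64-linux-gnu/libc.so.6' \
  '7ffd1e3a0000-7ffd1e3c1000 rw-p 00000000 00:00 0 [stack]' > "$SAMPLE_MAPS"

rwx_regions "$SAMPLE_MAPS"
```

On a live system run `rwx_regions /proc/{PID}/maps`; a hit is a good reason to `gcore` the process and carve that range out of the dump. Some JIT runtimes (browsers, Java) legitimately create rwx pages, so check what the process is before acting.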
poweroff
shutdown /s /t 0
whowatch
htop (very handy; instead of the pre-packaged top on some distros)