
Welcome to the Command-Center!

There are so many tools, commands and switches... it's easy to confuse them! I made this repo so you can quickly search for the right ones when needed.

Let's exit the outside world and enter cyber space. (We have cookies... 😎)

The way it works is that you use your browser's search function to quickly find the commands for the tool you need. In Firefox, for example, this is done with CTRL+F.

Let's try it! Use the search phrase "hydra": hit CTRL+F and type hydra into the search bar. The first result will be this very line, because it is the first occurrence of that word, but if you use the up and down arrows next to the search bar you can jump to the next occurrence, where you'll find the most commonly used switches and a short explanation of the program.

Alternatively, you can just browse through these commands using your browser's scrollbar or your mouse wheel. Anyway, I hope this repo serves you well. Let me know if you have any comments or suggestions; you can reach me here or on LinkedIn or Twitter @codetorok. Thanks for checking out the Command-Center!

amass is really good if you need to enumerate subdomains; just make sure you start it at night before going to bed, because it takes a while. :)

binwalk extracts files hidden inside pictures and other binaries, which is pretty good for steganography.

If you want full anonymity (as much as you can get, don't go crazy here), you need to know how to change your DNS settings. If you combine this with proxychains using tor, you're pretty much good to go.

These are not commands; I just thought a quick refresher might come in handy when you need to look up a port or a range of ports.

You can do some great things with curl, and it's worth going through its man page. This is one of the techniques I use quite often.

So let's say you have to crack a password for a website that uses only a 4-character passphrase. To save time, make a copy of rockyou.txt (or whatever monstrous password list you're using) and then filter the copy into a new file that contains only the 4-character entries from rockyou-copy.txt (hence this grep one-liner). The copy is needed so you don't mess up the original; you can never be cautious enough. ;)

SUID (set-user-ID) files are files with a special permission bit that makes them run with the privileges of their owner, typically root. It is used when root doesn't want to make a user a root user outright, but only wants certain files that require elevated permissions to run with them. Finding these files is important because SUID can be abused. In octal notation SUID starts with a 4, and SGID, which is similar to SUID, starts with a 2. The only difference between the two is that when a script or command with SGID (set-group-ID) permission runs, it runs as if the caller were a member of the group that owns the file.

If a lowercase letter "l" appears in the group's execute field, it means that the setgid bit is on and the execute bit for the group is off or denied.
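The two paragraphs above describe the special permission bits in both octal form (4 = setuid, 2 = setgid) and in the symbolic mode string that ls -l prints. The following shell script is an added example, not part of the Command-Center repo: it lists files carrying either bit under a directory (the classic audit a sysadmin runs to know what privileged binaries exist on a box), decodes an octal mode into the special bits it carries, and decodes the group execute field of an ls-style mode string. The function names are my own; for the "setgid without group execute" case it accepts both the "l" described above and the "S" that GNU ls prints in that position.

```shell
#!/bin/sh
# Added example (not from the Command-Center repo): audit a tree for files with
# the setuid (octal 4000) or setgid (octal 2000) bit, and decode permission
# notation. Function names are hypothetical, chosen for this example.

# List regular files under $1 with setuid or setgid set.
# -perm -4000 matches any file whose 4000 bit is set, whatever the other bits
# are; -perm -2000 does the same for setgid. Errors (unreadable dirs) are dropped.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print which special bits an octal mode carries, e.g. 4755 -> "setuid",
# 6755 -> "setuid setgid", 755 -> "none". The leading octal digit is a bit
# field: 4 = setuid, 2 = setgid, 1 = sticky.
decode_octal_mode() {
    mode="$1"
    # Pad to four digits so "755" is treated as "0755".
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    case "$mode" in
        *[!0-7]*|?????*) echo "invalid"; return 1 ;;
    esac
    special="${mode%???}"   # keep only the leading digit
    out=""
    [ $((special & 4)) -ne 0 ] && out="${out}setuid "
    [ $((special & 2)) -ne 0 ] && out="${out}setgid "
    [ $((special & 1)) -ne 0 ] && out="${out}sticky "
    [ -z "$out" ] && out="none "
    echo "${out% }"
}

# Decode the group execute field (7th character) of a 10-character ls -l mode
# string such as "-rwxr-sr-x": "s" means setgid on and group execute on;
# "l" (as described in the README) or "S" (as GNU ls prints it) means setgid on
# but group execute off; "x" or "-" means setgid is off.
decode_group_field() {
    case "$1" in
        ??????s???)    echo "setgid, group exec on" ;;
        ??????[lS]???) echo "setgid, group exec off" ;;
        ??????x???)    echo "no setgid, group exec on" ;;
        ??????-???)    echo "no setgid, group exec off" ;;
        *)             echo "invalid"; return 1 ;;
    esac
}

# Usage: audit the usual locations and show how each hit is flagged.
# (Run with an argument to audit a different tree.)
audit_tree() {
    find_special_bits "${1:-/usr}" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(ls -l "$f" | cut -c1-10)"
    done
}
```

Running `audit_tree /usr` prints each setuid/setgid file with its symbolic mode, so a reviewer can spot anything outside the expected set (passwd, su, sudo and friends); a file that appears there unexpectedly is worth explaining before the box is signed off.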

fping helps you to ping a range of IP addresses.

I wanted to share this one too, as at first I couldn't get the binary from the FTP server. First I have to use the ftp client's binary command, and then I can get the file like I normally would.

There are different ways you can use gobuster; this is the one I use most of the time. The -u is for the host name, -w is for the wordlist, and -t 40 sets the number of threads so it won't take forever. The tee gobuster-initial part redirects the output to that file so I can analyze it later if needed, or just put it into my pentest report if on an assessment.

To simplify things, this gpg example is for symmetric encryption only, but you can check out the man page and discover a lot more options to encrypt and decrypt.

Basic syntax for cracking hashes with hashcat. Again, this is not a tutorial page, just a quick lookup of the different and most used switches until you learn them by muscle memory.

How to locate the hashcat.potfile where the cracked hashes are stored.

I mainly created this image for the web login cracking part only. Sometimes it's hard to remember how it's done with hydra.

Cracking some SHA256 hashes with john, using rockyou.txt as the wordlist and redirecting the output into johncracked.txt.

Passing a private key to gpg2john to prep it, then passing the output file to john to crack it. :) Once it's done you can use the cracked password together with the private key to try to log in to the target's system via ssh: ssh -i id_rsa username@IP

Decoding MD5 hashes, just don't forget to use echo with the -n switch.

msfvenom reverse shell: -p selects the payload and -f the format, in this case raw, so I can send the output into a .php file.

How to connect to a mysql database and display information from it.

The most used switches with nmap. You can also use the -A switch to get all the services and their version numbers at once. If working on a network rather than a single IP, I prefer to know what's what before focusing on one machine or another, as it saves time.

Extract the email address from a public key.

When I started out I got confused a lot about how to use smbclient and smbmap, so I made these screenshots: one shows how to connect and the second one how to list the available services.

List services with smbclient.

How to add your generated ssh key to your known hosts. It helps with Github also.

SSH port forwarding.

Extract a file from a picture with steghide.

sublist3r is a subdomain enumeration tool, quite good actually.

No big deal, just had to remember how to extract a .tar.gz package at the beginning. Hope this helps you too!

You can add an IP to your /etc/hosts file by editing it, but this simple one-liner using the tee command is easier than opening the file in nano every time you need it.

theharvester is quite good for subdomain enumeration, and you can even choose your preferred search engine!

Classic! You popped a shell, and now it's time to upgrade it. This is how to upgrade a reverse shell the proper way so you'll have TAB autocomplete etc. :)

In case you have to bypass AppLocker in Windows.

Checking the Windows PowerShell command history; it's like bash_history in Linux.

Whenever you encounter a juicy WordPress blog, wpscan is there for you. :) The first pic shows how to enumerate users; the second one takes the user names, saves them in a text file and uses it with the wordlist fasttrack.txt against the website's login.

Enumerating users with wpscan:

Using a wordlist to find vulnerable passwords with wpscan:

How to connect to a remote desktop via xfreerdp.

Prepping a zip file with zip2john to crack it with john.

This is the end of the list. Remember, it's not the commands, it's what you do with those commands and how you use the information you get out of these tools that matters. This repo is for educational purposes only; anything you do with this is on you, so be responsible.

The world is at your fingertips 💯

Github, Twitter, LinkedIn: @codetorok
