TL;DR Tooling
Objective
Provide a quick reference for running daily and not-so-common tools.
AWS
Session Manager CLI plugin
$ aws ssm start-session --profile $PROFILE --target $INSTANCE_ID
Incus
Quick install (the first command pipes a remote script straight into sudo sh; fetch and review it first if that matters in your environment)
$ curl -fsSL https://pkgs.zabbly.com/get/incus-stable | sudo sh
$ apt-get --install-recommends install curl python3 xorriso spice-client-gtk
Share a folder with a container
$ incus config device add <instance_name> <device_name> disk source=<path_on_host> path=<path_in_instance>
Blog init
$ incus profile show blog
config:
raw.idmap: both 1000 0
user.user-data: |
#cloud-config
package_update: true
packages:
- vim
- curl
- git
- screen
runcmd:
- mkdir -pv /etc/vim
- curl -o /etc/vim/vimrc.local https://raw.githubusercontent.com/amix/vimrc/master/vimrcs/basic.vim
- echo 'alias ll="ls -l"' >> /root/.bashrc
- curl -Lo /root/nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh
- bash /root/nvm_install.sh
- nvm install node --lts
description: blog profile
devices:
eth0:
network: incusbr0
type: nic
gosecure:
path: /blog
source: /home/luser/personnal/novakele.github.io
type: disk
root:
path: /
pool: default
type: disk
name: blog
used_by:
- /1.0/instances/blog
project: default
$ cd /blog
$ npm run docs:build
Windows VM with TPM
$ incus profile show windows
config:
limits.cpu: "4"
limits.memory: 4GiB
security.secureboot: "false"
description: Windows profile (4 vcpu, 4G RAM, no secureboot, tpm)
devices:
eth0:
name: eth0
network: incusbr0
type: nic
root:
path: /
pool: default
type: disk
vtpm:
path: /dev/tpm0
type: tpm
name: windows
project: default
Pentest profile (the base64 string in runcmd below is just an encoded nxc.conf; base64 is not encryption, so anything in it, credentials included, is readable by whoever can read the profile)
config:
raw.idmap: |-
uid 1000 0
gid 1000 0
user.user-data: |
#cloud-config
package_update: true
packages:
- vim
- curl
- git
- screen
runcmd:
- mkdir -pv /etc/vim
- curl -o /etc/vim/vimrc.local https://raw.githubusercontent.com/amix/vimrc/master/vimrcs/basic.vim
- echo 'alias ll="ls -l"' >> /root/.bashrc
- mkdir -pv /root/.nxc
- echo 'W254Y10Kd29ya3NwYWNlID0gZGVmYXVsdApsYXN0X3VzZWRfZGIgPSBzbWIKcHduM2RfbGFiZWwgPSBhZG1pbmlzdHJhdG9yX3ByaXZpbGVnZXMKYXVkaXRfbW9kZSA9ICoKcmV2ZWFsX2NoYXJzX29mX3B3ZCA9IDAKbG9nX21vZGUgPSBUcnVlCmlnbm9yZV9vcHNlYyA9IFRydWUKaG9zdF9pbmZvX2NvbG9ycyA9IFsiZ3JlZW4iLCAicmVkIiwgInllbGxvdyIsICJjeWFuIl0KCltCbG9vZEhvdW5kXQpiaF9lbmFibGVkID0gRmFsc2UKYmhfdXJpID0gMTI3LjAuMC4xCmJoX3BvcnQgPSA3Njg3CmJoX3VzZXIgPSBuZW80agpiaF9wYXNzID0gbmVvNGoKCltFbXBpcmVdCmFwaV9ob3N0ID0gMTI3LjAuMC4xCmFwaV9wb3J0ID0gMTMzNwp1c2VybmFtZSA9IGVtcGlyZWFkbWluCnBhc3N3b3JkID0gcGFzc3dvcmQxMjMKCltNZXRhc3Bsb2l0XQpycGNfaG9zdCA9IDEyNy4wLjAuMQpycGNfcG9ydCA9IDU1NTUyCnBhc3N3b3JkID0gYWJjMTIzCgo=' | base64 -d > /root/.nxc/nxc.conf
description: pentest
devices:
eth0:
network: incusbr0
type: nic
gosecure:
path: /work
source: /home/luser/work
type: disk
root:
path: /
pool: default
type: disk
name: gosecure
project: default
Adding DNS records to a network
$ incus network edit incusbr0
config:
raw.dnsmasq: |
srv-host=_VLMCS._tcp.incus,kms.incus,1688,0,5
Create L2 profile for Responder
# incus profile device add ${profile_name} ${name_of_the_nic_inside_container} nic nictype=macvlan parent=${physical_lan_nic}
$ incus profile device add l2 eth0 nic nictype=macvlan parent=eno1
Git
Clone a repo with a specific SSH key
$ git clone --config core.sshCommand='ssh -i ~/.ssh/<ssh_private_key>' git@<git_server>:<git repo>
Manual Windows Reconnaissance
Most of these are really bad OPSEC
List remote shares
net view \\<FQDN || IP>
Spawn a process as a domain user on a non-domain-joined computer
runas /user:<user>@<domain> /netonly <process>
Rubeus
Load TGT from NT || AES256 hash
Useful when trying to use built-in Windows tools
Rubeus.exe asktgt /rc4:<NT hash> /user:<user> /domain:<domain> /ptt
Rubeus.exe asktgt /aes256:<aes256-cts-hmac-sha1-96> /user:<user> /domain:<domain> /ptt
TMUX
<= 2.0
setw -g mode-mouse on
set -g mouse-select-pane on
set -g mouse-resize-pane on
set -g mouse-select-window off
>= 2.1
set-option -g mouse on
Reload configuration file
CTRL-a source ~/.tmux.conf
Impacket
Check the state of RDP sessions
$ getTGT.py -hashes 'NT hash' <domain>/<user>
$ KRB5CCNAME=<ccache> atexec.py -k <fqdn> qwinsta
User management
Create a group
$ sudo groupadd <name>
Create a system user
$ sudo useradd -c "system user" --gid <name> --no-create-home --no-user-group -s /usr/sbin/nologin --system
Apache
Boilerplate for reverse HTTP proxy
<virtualhost *:80>
ServerName <SERVER NAME>
ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}.error.log
CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}.access.log combined
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
</virtualhost>
xinetd
Simple TCP forward
$ cat /etc/xinetd.d/smb
service smdb_forward
{
disable = no
type = UNLISTED
socket_type = stream
protocol = tcp
user = nobody
wait = no
redirect = 10.55.141.26 445
port = 445
}
SSH
Common SSH block options
host *
addkeystoagent yes
host engagement
proxyjump jump
port 40219
identityfile ~/.ssh/main
userknownhostsfile /dev/null
user user@domain.tld
hostname localhost
ServerAliveCountMax 99
ServerAliveInterval 0
TCPKeepAlive no
RemoteForward 9000
dynamicforward 1338
# bad idea: disables host-key verification, so a host impersonating "engagement" on the path is not detected (and with userknownhostsfile /dev/null no key is ever pinned)
StrictHostKeyChecking no
TunnelDevice 1337:1337
Tunnel point-to-point
remoteforward localhost:2222 192.0.2.250:2222
LocalForward 192.0.2.250:8998 127.0.0.1:8998
~/.ssh/authorized_keys
https://manpages.debian.org/unstable/openssh-server/authorized_keys.5.en.html
expiry-time=20250506 no-pty command=/usr/sbin/nologin permitlisten=1337 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGe0Ryfm9hgYoCb9tJxKOEuYrVlBHh8o3dYUHbMWUD6oWSL2
Build a custom kernel
Check the official instructions at https://github.com/microsoft/WSL2-Linux-Kernel.git.
Here is a TL;DR
$ sudo apt install build-essential flex bison dwarves libssl-dev libelf-dev cpio qemu-utils curl wget vim git python3 bc
$ git clone https://github.com/microsoft/WSL2-Linux-Kernel.git
$ cd WSL2-Linux-Kernel/
$ make -j $(nproc) KCONFIG_CONFIG=Microsoft/config-wsl && make INSTALL_MOD_PATH="$PWD/modules" modules_install
$ sudo bash ./Microsoft/scripts/gen_modules_vhdx.sh "$PWD/modules" $(make -s kernelrelease) modules.vhdx
$ mkdir /mnt/c/wsl
$ cp vmlinux /mnt/c/wsl/
$ sudo ./Microsoft/scripts/gen_modules_vhdx.sh "$PWD/modules" $(make -s kernelrelease) modules.vhdx
$ cp modules.vhdx /mnt/c/wsl/
$ cat << EOF | sudo tee /etc/modules-load.d/incus.conf
kvm
vhost-net
bridge
tun
tpm
EOF
Global Configuration %USERPROFILE%\.wslconfig
[wsl2]
networkingMode=mirrored
kernel=c:\\wsl\vmlinux
kernelModule=c:\\wsl\modules.vhdx # requires version 2.5+
Windows
Packet Forward
PS> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding | Sort-Object -Property IfIndex | Format-Table
PS> Set-NetIPInterface -ifindex <required interface index from table> -Forwarding Enabled
# Set-NetIPInterface -Forwarding Enabled
PS> Set-Service RemoteAccess -StartupType Automatic; Start-Service RemoteAccess
Database
Postgresql
create admin user
CREATE USER ladmin WITH ENCRYPTED PASSWORD '1318f5f7b9f0bb3375de191e4457fbb237028fca9a9c47ab0fd841dd681012da';
ALTER USER ladmin WITH SUPERUSER;
Create a new DB and grant all privileges on it to a user
CREATE DATABASE zitadel;
CREATE USER zitadel WITH ENCRYPTED PASSWORD '1895b32fa94cedbbd1414bc40f35addae9aa9fe8f5fa2cdd0db668a7ec264eb9';
GRANT ALL PRIVILEGES on DATABASE zitadel to zitadel;
Show all DBs
\l
Show all users and their privileges
\du
Allow network connections
# /etc/postgresql/17/main/pg_hba.conf (note that the 0.0.0.0/0 line below lets the superuser authenticate from any source address; narrow it to the admin host or subnet where possible)
host zitadel zitadel 10.1.194.0/24 scram-sha-256
host all ladmin 0.0.0.0/0 scram-sha-256
OpenSSL
Generate secure strings for passwords
openssl rand -hex 32
Generate self-signed certificates for local services
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -out ./tls.key
openssl req -new -key tls.key -out tls.csr
openssl x509 -req -days 3650 -in tls.csr -signkey tls.key -out tls.crt