    πŸ—ΊοΈ Nmap πŸ”—
    Scan Types
    -sLList scan, goes through the target list ONLY doing DNS resolution
    -snPing-only scan; show which hosts are up (formerly -sP)
    -sTTCP Connect scan (default non-root scan)
    -sSTCP SYN "stealth" scan* (default if priv, otherwise -sT; req. root if forced)
    * easily detected nowadays
    -sU -p 111,222,333UDP scan on specific ports
    -PnSkip discovery, assume all open (will be SLOW)nmap -Pn -F 192.168.1.1
    Targets
    nmap 192.168.1.1Target single IP
    nmap hostname.tldTarget hostname
    nmap 192.168.1.25-50Target range
    nmap 192.168.1.1.0/24Target subnet
    -iL ip-list.txtImport list of IPs as targets
    Port Selection
    By default, nmap scans the first 1000 ports.
     
    -p 22Target single port
    -p 22-80Target range of ports
    -p 22,80,443Target specific ports
    -FScans the first 100 only ("fast")
    -p-Scans all 65535 ports (not "fast")
    Timing and Performance
    -T0 - -T5Specifies a timing template, default 3.
    (0 = paranoid [ASBURDLY SLOW], 1 = sneaky [REAL SLOW!], 2 = polite [SLOW], 3 = default/normal, 4 = aggressive [A FAVORITE], 5 = insane)
    Service and OS Detection
    -AEnable OS detection, version detection, script scanning, and traceroute (-O -sV -sC --traceroute)
    -sVVersion detection (--version-intensity (0-9, def: 7) adjusts aggressiveness)
    Scripts and Script Directory
    -sCPerforms script scan with default set of scripts. Likely intrusive!
    --script filename|category|directoryRuns a specific script
    Useful Non-default Scripts
    ssl-enum-ciphersThis script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.
    Output Formats
    -oN filename.txtOutput normal
    -oX filename.xmlOutput XML
    -oG filename.gnmapOutput for grepable
    -oA basenameOutput all at once (normal, XML, greppable)
🦈 Wireshark

Display Filters

Comparison Operators
  eq / ==                 Equal                       ip.dst == 192.168.1.1
  ne / !=                 Not equal                   ip.addr != 192.168.1.1
                          * use !(ip.addr == 192.168.1.1) instead: ip.addr != x is true whenever
                            either the source or the destination differs from x, so it still matches nearly every packet
  gt / >                  Greater than                frame.len > 10
  lt / <                  Less than                   frame.len < 10
  ge / >=                 Greater than or equal       frame.len >= 10
  le / <=                 Less than or equal          frame.len <= 10

Logical Operators
  and / &&                Match both
  or / ||                 Match either
  xor / ^^                One of the two, not both
  not / !                 Negation
  [ n ] / [ ... ]         Slice; match a specific byte or byte range of a field
  {foo, bar, baz}         Membership; matches if the field is one of these values

Common Display Filter Examples
  ip.addr == 10.10.50.1                                   Filter by IP (src or dst)
  ip.dst == 10.10.50.1                                    Filter by destination IP
  ip.src == 10.10.50.1                                    Filter by source IP
  !(ip.addr == 10.10.50.1)                                Filter out an IP
  ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100       Filter by IP range
  ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100       Filter by multiple IPs (conversation between the two)
  ip.addr == 10.10.50.1/24                                Filter by subnet
  tcp.port == 25                                          Filter by port
  tcp.dstport == 25                                       Filter by destination port
  protocol == 25                                          Filter by destination port
  ip.host == "hostname"                                   Hostname filter
  http.host == "hostname"                                 Filter by HTTP host header
  http.request.method in {"HEAD" "GET"}                   Show HEAD and GET HTTP requests
  frame.time >= "June 02, 2019 00:00:00"                  Filter by timestamp
  tcp.flags.syn == 1 and tcp.flags.ack == 0               Show only SYN packets
  wlan.fc.type_subtype == 0x08                            Show only beacon frames
  eth.dst == de:ad:be:ee:ee:ff                            MAC filter
  eth.dst != ff:ff:ff:ff:ff:ff                            Filter out broadcast
  (eth.dst[0] & 1)                                        Filter by multicast
  tcp.flags.reset == 1                                    RST flag filter
  tcp.time_delta > .250                                   Packets with a delta time > 250 ms within their stream
  frame contains potato                                   Packets containing the string 'potato'
  tcp.analysis.flags && !tcp.analysis.window_update       Retransmissions, duplicate ACKs, zero windows, and more; for debugging performance issues
  dns | http | ftp | ssh | icp                            Filter by protocol name (examples given)
  frame matches "(attachment|tar|exe|zip|pdf)"            Find files by type (matches takes a regex; contains is a literal match)
  tcp contains facebook                                   Filter traffic by keyword
  !(arp or icmp or stp)                                   Filters out chatter you might not care about
Reverse Shells

Adapted from monkey-shell
