This is a collection of quick cheat sheets containing search engine syntax.

Twitter
Twitter uses AND searching by default.
"search phrase"       results with the exact phrase
a OR b                results with either "a", "b", or both
-term                 excludes term from results
#fucktrump            contains hashtag
from:username         sent from @username
to:username           sent to @username
@username             results with a reference to @username
near:nyc              results with geolocation near the named location (or lat/long)
within:15mi           results inside a distance radius (when paired with near:)
since:2010-01-01      earliest search time
until:2014-06-22      latest search time
source:twitterfeed    tweets posted using TwitterFeed (there are others, names unknown)
lang:ja               tweets posted in a specific language (ISO 639-1 language code)
:), :(, ?             likely not strictly keywords, but might gauge question/mood results
filter:type           ⭐ tweets filtered by various things; see the type table below

Filter Types
links                 results with links
mentions              results with mentions
media                 results with media (video, images, etc.)
images                results with images
videos                results with videos
hashtags              results with any hashtag
verified              results from verified users
quote                 results that quote other tweets

Adapted from

    πŸ—ΊοΈ Nmap
    🦈 Wireshark
    πŸ—ΊοΈ Nmap πŸ”—
    Scan Types
    -sLList scan, goes through the target list ONLY doing DNS resolution
    -snPing-only scan; show which hosts are up (formerly -sP)
    -sTTCP Connect scan (default non-root scan)
    -sSTCP SYN "stealth" scan* (default if priv, otherwise -sT; req. root if forced)
    * easily detected nowadays
    -sU -p 111,222,333UDP scan on specific ports
    -PnSkip discovery, assume all open (will be SLOW)nmap -Pn -F
    nmap single IP
    nmap hostname.tldTarget hostname
    nmap range
    nmap subnet
    -iL ip-list.txtImport list of IPs as targets
    Port Selection
    By default, nmap scans the first 1000 ports.
    -p 22Target single port
    -p 22-80Target range of ports
    -p 22,80,443Target specific ports
    -FScans the first 100 only ("fast")
    -p-Scans all 65535 ports (not "fast")
    Timing and Performance
    -T0 - -T5Specifies a timing template, default 3.
    (0 = paranoid [ASBURDLY SLOW], 1 = sneaky [REAL SLOW!], 2 = polite [SLOW], 3 = default/normal, 4 = aggressive [A FAVORITE], 5 = insane)
    Service and OS Detection
    -AEnable OS detection, version detection, script scanning, and traceroute (-O -sV -sC --traceroute)
    -sVVersion detection (--version-intensity (0-9, def: 7) adjusts aggressiveness)
    Scripts and Script Directory
    -sCPerforms script scan with default set of scripts. Likely intrusive!
    --script filename|category|directoryRuns a specific script
    Useful Non-default Scripts
    ssl-enum-ciphersThis script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.
    Output Formats
    -oN filename.txtOutput normal
    -oX filename.xmlOutput XML
    -oG filename.gnmapOutput for grepable
    -oA basenameOutput all at once (normal, XML, greppable)
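The grepable format behind -oG / -oA is easy to turn into an inventory of what a scan found. This is an added example, not code from the cheat sheet; the scan output it parses is constructed, and parse_gnmap / open_ports are names chosen here.

```python
# Added example: parse nmap -oG "grepable" output into a per-host port inventory.
# SAMPLE_GNMAP is constructed for illustration, not output of a real scan.
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web.internal.example)\tStatus: Up
Host: 10.0.0.5 (web.internal.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 53/open|filtered/udp//domain///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Only "Ports:" lines carry port data; "Status:" lines and "#" comments are skipped.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports_field = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for spec in ports_field.split(", "):
            # Each entry has 7 slash-separated fields:
            # port/state/protocol/owner/service/rpc-info/version
            fields = spec.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entry["ports"].append((int(port), proto, state, service, version))
    return hosts

def open_ports(hosts):
    """Flatten to (ip, port, proto, service), keeping only ports reported as open."""
    return [(ip, p, proto, svc)
            for ip, e in hosts.items()
            for p, proto, state, svc, _v in e["ports"] if state == "open"]

if __name__ == "__main__":
    for row in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(row)
```

Diffing open_ports() output between two scans of the same range is a cheap way to spot newly exposed services.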
Wireshark

Comparison Operators
eq / ==        Equal                     ip.dst == <ip>
ne / !=        Not equal                 ip.addr != <ip>
               * use !(ip.addr == <ip>) instead: ip.addr != <ip> is true whenever either src or dst differs, so it matches nearly everything
gt / >         Greater than              frame.len > 10
lt / <         Less than                 frame.len < 10
ge / >=        Greater than or equal     frame.len >= 10
le / <=        Less than or equal        frame.len <= 10
Logical Operators
and / &&       Match both
or / ||        Match either
xor / ^^       One of the two, not both
not / !        Negation
[n] / [...]    Slice: select a specific byte or byte range of a field (e.g. eth.dst[0])
{foo, bar, baz}   Membership: matches if the field is one of these
Common Display Filter Examples
ip.addr == <ip>                                Filter by IP (src or dst)
ip.dst == <ip>                                 Filter by destination IP
ip.src == <ip>                                 Filter by source IP
!(ip.addr == <ip>)                             Filter out an IP
ip.addr >= <ip> and ip.addr <= <ip>            Filter by IP range
ip.addr == <ip> and ip.addr == <ip>            Filter by multiple IPs
ip.addr == <subnet>                            Filter by subnet (CIDR notation)
tcp.port == 25                                 Filter by port
tcp.dstport == 25                              Filter by destination port
<field> == "hostname"                          Hostname filter
<field> == "<url>"                             Filter by URL
http.request.method in {"HEAD" "GET"}          Show HEAD and GET HTTP requests
frame.time >= "June 02, 2019 00:00:00"         Filter by timestamp
tcp.flags.syn == 1 and tcp.flags.ack == 0      Show only SYN packets
wlan.fc.type_subtype == 0x08                   Show only beacon frames
eth.dst == de:ad:be:ee:ee:ff                   MAC filter
eth.dst != ff:ff:ff:ff:ff:ff                   Filter out broadcast
(eth.dst[0] & 1)                               Filter by multicast (low bit of the first destination byte set)
tcp.flags.reset == 1                           RST flag filter
tcp.time_delta > .250                          Packets with a delta time > 250 ms within their stream
frame contains potato                          Packets containing the string 'potato'
tcp.analysis.flags && !tcp.analysis.window_update   Retransmissions, duplicate ACKs, zero windows, and more; for debugging performance issues
dns | http | ftp | ssh | icp                   Filter by protocol name (examples given; use one at a time)
frame matches "(attachment|tar|exe|zip|pdf)"   Find files by type (matches takes a regex; contains only takes a literal string)
tcp contains facebook                          Filter traffic by keyword
!(arp or icmp or stp)                          Filter out chatter you might not care about
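Several of the filters above hinge on bit and flag logic ((eth.dst[0] & 1), SYN-only, RST) or on the src-OR-dst semantics of ip.addr that make != misleading. This added example, not part of the cheat sheet, re-implements those filters over a constructed packet list so the logic is explicit; the packet summaries and function names are assumptions made here.

```python
# Added example: the cheat sheet's bit/flag filters over constructed packet summaries.
# PACKETS is constructed; tcp.flags uses the standard bit values SYN=0x02, RST=0x04, ACK=0x10.
import ipaddress

PACKETS = [
    {"eth.dst": "de:ad:be:ee:ee:ff", "ip.src": "10.0.0.5",     "ip.dst": "10.0.0.9",     "tcp.flags": 0x02},
    {"eth.dst": "de:ad:be:ee:ee:ff", "ip.src": "10.0.0.9",     "ip.dst": "10.0.0.5",     "tcp.flags": 0x12},
    {"eth.dst": "ff:ff:ff:ff:ff:ff", "ip.src": "10.0.0.7",     "ip.dst": "10.0.0.255",   "tcp.flags": None},
    {"eth.dst": "01:00:5e:00:00:fb", "ip.src": "10.0.0.8",     "ip.dst": "224.0.0.251",  "tcp.flags": None},
    {"eth.dst": "de:ad:be:ee:ee:ff", "ip.src": "192.168.1.4",  "ip.dst": "10.0.0.5",     "tcp.flags": 0x04},
]

def eth_dst_byte0(pkt):
    """eth.dst[0]: the first byte of the destination MAC, as the slice operator yields it."""
    return int(pkt["eth.dst"].split(":")[0], 16)

def is_multicast(pkt):      # (eth.dst[0] & 1): the I/G bit marks group addresses (broadcast included)
    return bool(eth_dst_byte0(pkt) & 1)

def is_broadcast(pkt):      # eth.dst == ff:ff:ff:ff:ff:ff
    return pkt["eth.dst"].lower() == "ff:ff:ff:ff:ff:ff"

def is_syn_only(pkt):       # tcp.flags.syn == 1 and tcp.flags.ack == 0
    f = pkt["tcp.flags"]
    return f is not None and bool(f & 0x02) and not (f & 0x10)

def is_rst(pkt):            # tcp.flags.reset == 1
    f = pkt["tcp.flags"]
    return f is not None and bool(f & 0x04)

def in_subnet(pkt, cidr):   # ip.addr == <subnet>: ip.addr matches src OR dst
    net = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_address(pkt[k]) in net for k in ("ip.src", "ip.dst"))

def not_addr(pkt, ip):      # !(ip.addr == <ip>): neither src nor dst is <ip>
    return pkt["ip.src"] != ip and pkt["ip.dst"] != ip

def ne_addr(pkt, ip):       # ip.addr != <ip>: true if EITHER side differs, i.e. almost always
    return pkt["ip.src"] != ip or pkt["ip.dst"] != ip

def displayed(pred, pkts=PACKETS, **kw):
    """Indexes of the packets the filter would display."""
    return [i for i, p in enumerate(pkts) if pred(p, **kw)]

if __name__ == "__main__":
    print("SYN only:", displayed(is_syn_only), "multicast:", displayed(is_multicast))
    print("!= vs !(==):", displayed(ne_addr, ip="10.0.0.5"), displayed(not_addr, ip="10.0.0.5"))
```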
Reverse Shells

Adapted from monkey-shell

Privilege Escalation