Penetration testing tools cheat sheet: a quick reference, high-level overview of the typical commands you would run when performing a penetration test. For more in-depth information I'd recommend the man page for the tool or a more specific .
Recon and Enumeration
NMAP Commands
For more commands, see .
COMMAND | DESCRIPTION |
---|---|
| Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services |
| As above but scans all TCP ports (takes a lot longer) |
| As above but scans all TCP ports and UDP scan (takes even longer) |
| Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover |
| Search nmap scripts for keywords |
SMB enumeration
Also see, .
COMMAND | DESCRIPTION |
---|---|
| Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain |
| Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing |
Other Host Discovery
Other methods of host discovery that don't use nmap.
COMMAND | DESCRIPTION |
---|---|
| Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site |
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on an attacking machine.
COMMAND | DESCRIPTION |
---|---|
| Run a basic http server, great for serving up shells etc |
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
COMMAND | DESCRIPTION |
---|---|
| Mount NFS share to |
| Mount Windows CIFS / SMB share on Linux at |
| Mount a Windows share on Windows from the command line |
| Install smb4k on Kali, useful Linux GUI for browsing SMB shares |
Basic Finger Printing
Manual finger printing / banner grabbing.
COMMAND | DESCRIPTION |
---|---|
| Basic versioning / finger printing via displayed banner |
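Banner grabbing is the same idea as connecting with a raw client and reading whatever the service volunteers before any real protocol exchange. The following is an added example, not part of the original cheat sheet: a small Python client that reads a banner (optionally after sending a probe, e.g. a HEAD request for HTTP), plus a throw-away local service on 127.0.0.1 that serves a constructed banner so the code runs offline. Function names and the sample banner are my own.

```python
import socket
import threading

def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral loopback port and send `banner` to the first client.

    Constructed stand-in for a real daemon so the example runs offline.
    Returns the port number to connect to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def grab_banner(host: str, port: int, timeout: float = 3.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe, and return up to 1 KiB of the reply as text.

    Services such as SSH, FTP and SMTP speak first, so no probe is needed;
    HTTP stays silent until asked (use probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n").
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = b""
        try:
            while len(data) < 1024:
                chunk = s.recv(1024)
                if not chunk:          # peer closed: banner complete
                    break
                data += chunk
        except socket.timeout:         # peer kept the socket open; use what we have
            pass
    return data.decode("utf-8", "replace").strip()

if __name__ == "__main__":
    # Constructed banner; the version string is made up.
    port = start_fake_service(b"SSH-2.0-OpenSSH_Constructed\r\n")
    print(grab_banner("127.0.0.1", port))
```

The timeout matters in practice: a service that never closes the connection (most HTTP servers) would otherwise hang the loop, which is why the function returns whatever arrived before the timeout rather than failing.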
SNMP Enumeration
COMMAND | DESCRIPTION |
---|---|
| SNMP enumeration |
DNS Zone Transfers
COMMAND | DESCRIPTION |
---|---|
| Windows DNS zone transfer |
| Linux DNS zone transfer |
DNSRecon
DNS Enumeration Kali - DNSRecon
root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
HTTP / HTTPS Webserver Enumeration
COMMAND | DESCRIPTION |
---|---|
| Perform a nikto scan against target |
| Configure via GUI, CLI input doesn't work most of the time |
Packet Inspection
COMMAND | DESCRIPTION |
---|---|
| tcpdump for port 80 on interface eth0, outputs to output.pcap |
Username Enumeration
Some techniques used to remotely enumerate users on a target system.
SMB User Enumeration
COMMAND | DESCRIPTION |
---|---|
| Enumerate users from SMB |
| RID cycle SMB / enumerate users from SMB |
SNMP User Enumeration
COMMAND | DESCRIPTION |
---|---|
| Enumerate users from SNMP |
| Enumerate users from SNMP |
| Search for SNMP servers with nmap, grepable output |
Passwords
Wordlists
COMMAND | DESCRIPTION |
---|---|
| Kali word lists |
Brute Forcing Services
Hydra FTP Brute Force
COMMAND | DESCRIPTION |
---|---|
| Hydra FTP brute force |
Hydra POP3 Brute Force
COMMAND | DESCRIPTION |
---|---|
| Hydra POP3 brute force |
Hydra SMTP Brute Force
COMMAND | DESCRIPTION |
---|---|
| Hydra SMTP brute force |
Use -t to limit concurrent connections, example: -t 15
Password Cracking
John The Ripper - JTR
COMMAND | DESCRIPTION |
---|---|
| JTR password cracking |
| JTR forced descrypt cracking with wordlist |
| JTR forced descrypt brute force cracking |
Exploit Research
Ways to find exploits for enumerated hosts / services.
COMMAND | DESCRIPTION |
---|---|
| Search exploit-db for exploit, in this example windows 2003 + local esc |
| Use google to search exploit-db.com for exploits |
| Search metasploit modules using grep - msf search sucks a bit |
Windows Penetration Testing Commands
See Windows Penetration Testing Commands.
Linux Penetration Testing Commands
See for a list of Linux Penetration testing commands, useful for local system enumeration.
Compiling Exploits
Some notes on compiling exploits.
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
COMMAND | DESCRIPTION |
---|---|
| Windows exploit code |
| Linux exploit code |
Build Exploit GCC
Compile exploit gcc.
COMMAND | DESCRIPTION |
---|---|
| Basic GCC compile |
GCC Compile 32Bit Exploit on 64Bit Kali
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
COMMAND | DESCRIPTION |
---|---|
| Cross compile 32 bit binary on 64 bit Linux |
Compile Windows .exe on Linux
Build / compile windows exploits on Linux, resulting in a .exe file.
COMMAND | DESCRIPTION |
---|---|
| Compile windows .exe on Linux |
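A quick way to apply the #include rule from "Identifying if C code is for Windows or Linux" to a pile of downloaded sources before picking a compiler. This is an added example, not code from the original cheat sheet: the header lists, the three constructed sample sources and the compiler suggestions (gcc / gcc -m32 for Linux, the mingw-w64 cross compiler for a Windows .exe) are my own assumptions.

```python
import re
from typing import Set

# Matches  #include <x.h>  and  #include "x.h"  (leading whitespace allowed).
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

# Headers that only exist on one platform's toolchain (my own short lists).
WINDOWS_HEADERS = {"windows.h", "winsock2.h", "winsock.h", "ws2tcpip.h", "tlhelp32.h", "wincrypt.h"}
LINUX_HEADERS = {"unistd.h", "sys/socket.h", "netinet/in.h", "arpa/inet.h",
                 "sys/mman.h", "sys/ptrace.h", "sys/wait.h"}

# Assumed compiler per target, matching the sections above.
SUGGESTED_COMPILER = {
    "windows": "i686-w64-mingw32-gcc",
    "linux": "gcc (add -m32 for a 32-bit binary)",
}

def includes(source: str) -> Set[str]:
    """Return the set of header names a C source file includes."""
    return set(INCLUDE_RE.findall(source))

def classify_c_source(source: str) -> str:
    """'windows', 'linux', 'mixed' (both families present) or 'unknown' (portable headers only)."""
    inc = includes(source)
    win, lin = inc & WINDOWS_HEADERS, inc & LINUX_HEADERS
    if win and not lin:
        return "windows"
    if lin and not win:
        return "linux"
    if win and lin:
        return "mixed"    # usually #ifdef _WIN32 guarded; read the source before building
    return "unknown"      # only portable headers such as stdio.h / string.h

# Constructed sample sources (harmless stubs, not real exploit code).
WINDOWS_SAMPLE = """\
#include <windows.h>
#include <winsock2.h>
#include <stdio.h>
int main(void) { WSADATA w; WSAStartup(MAKEWORD(2, 2), &w); return 0; }
"""
LINUX_SAMPLE = """\
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
int main(void) { return 0; }
"""
PORTABLE_SAMPLE = """\
#include <stdio.h>
#include <string.h>
int main(void) { puts("hi"); return 0; }
"""

if __name__ == "__main__":
    for name, src in (("win", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE), ("portable", PORTABLE_SAMPLE)):
        target = classify_c_source(src)
        print(f"{name:9} -> {target:8} {SUGGESTED_COMPILER.get(target, 'inspect manually')}")
```

A "mixed" or "unknown" verdict is a prompt to read the file, not a build instruction: sources that compile on both platforms typically hide the platform headers behind #ifdef _WIN32, which a one-pass include scan cannot evaluate.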
SUID Binary
Often a SUID C binary is required to spawn a shell as a superuser; update the UID / GID and shell as required.
Below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
#define _GNU_SOURCE /* setresuid() is a GNU extension on glibc */
#include <stdlib.h>
#include <unistd.h>
int main(void){ setresuid(0, 0, 0); system("/bin/bash"); return 0; }
SUID C Shell for /bin/sh
#define _GNU_SOURCE /* setresuid() is a GNU extension on glibc */
#include <stdlib.h>
#include <unistd.h>
int main(void){ setresuid(0, 0, 0); system("/bin/sh"); return 0; }
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Reverse Shells
See for a list of useful Reverse Shells.
TTY Shells
Tips / tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python TTY Shell Trick
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
Spawn Interactive sh shell
/bin/sh -i
Spawn Perl TTY Shell
perl -e 'exec "/bin/sh";'
From within a Perl script: exec "/bin/sh";
Spawn Ruby TTY Shell
exec "/bin/sh"
Spawn Lua TTY Shell
os.execute('/bin/sh')
Spawn TTY Shell from Vi
Run shell commands from vi:
:!bash
Spawn TTY Shell NMAP
!sh
Metasploit
Some basic Metasploit stuff, that I have found handy for reference.
Basic Metasploit commands, useful for reference; for pivoting, see techniques.
Meterpreter Payloads
Windows reverse meterpreter payload
COMMAND | DESCRIPTION |
---|---|
| Windows reverse tcp payload |
Windows VNC Meterpreter payload
COMMAND | DESCRIPTION |
---|---|
| Meterpreter Windows VNC Payload |
Linux Reverse Meterpreter payload
COMMAND | DESCRIPTION |
---|---|
| Meterpreter Linux Reverse Payload |
Meterpreter Cheat Sheet
Useful meterpreter commands.
COMMAND | DESCRIPTION |
---|---|
| Meterpreter upload file to Windows target |
| Meterpreter download file from Windows target |
| Meterpreter download file from Windows target |
| Meterpreter run .exe on target - handy for executing uploaded exploits |
| Creates new channel with cmd shell |
| Meterpreter show processes |
| Meterpreter get shell on the target |
| Meterpreter attempts privilege escalation on the target |
| Meterpreter attempts to dump the hashes on the target |
| Meterpreter create port forward to target machine |
| Meterpreter delete port forward |
Common Metasploit Modules
Top metasploit modules.
Remote Windows Metasploit Modules (exploits)
COMMAND | DESCRIPTION |
---|---|
| MS08_067 Windows 2k, XP, 2003 Remote Exploit |
| MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit |
| MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit |
Local Windows Metasploit Modules (exploits)
COMMAND | DESCRIPTION |
---|---|
| Bypass UAC on Windows 7 + Set target + arch, x86/64 |
Auxiliary Metasploit Modules
COMMAND | DESCRIPTION |
---|---|
| Metasploit HTTP directory scanner |
| Metasploit JBOSS vulnerability scanner |
| Metasploit MSSQL Credential Scanner |
| Metasploit MSSQL Version Scanner |
| Metasploit Oracle Login Module |
Metasploit Powershell Modules
COMMAND | DESCRIPTION |
---|---|
| Metasploit powershell payload delivery module |
| Metasploit upload and run powershell script through a session |
| Metasploit JBOSS deploy |
| Metasploit MSSQL payload |
Post Exploit Windows Metasploit Modules
COMMAND | DESCRIPTION |
---|---|
| Metasploit show privileges of current user |
| Metasploit grab GPP saved passwords |
| Metasploit load Mimikatz |
| Identify other machines that the supplied domain user has administrative access to |
Networking
TTL Fingerprinting
OPERATING SYSTEM | TTL SIZE |
---|---|
Windows | 128 |
Linux | 64 |
Solaris | 255 |
Cisco / Network | 255 |
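The TTL table only lists initial values; what you actually see in a capture is the initial value minus the number of routers the packet crossed, so the useful rule is "round up to the nearest default". The following is an added example, not part of the original cheat sheet, that applies that rule to TTL fields parsed from tcpdump -v style output (this also serves the Packet Inspection section above). The three sample lines are constructed, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Initial (default) TTL values from the table above. Solaris and Cisco IOS both
# start at 255, so TTL alone cannot separate them.
INITIAL_TTLS = {
    64: "Linux / Unix",
    128: "Windows",
    255: "Solaris / Cisco / network device",
}

def guess_os_from_ttl(observed_ttl: int) -> Optional[Tuple[str, int]]:
    """Map an observed TTL to (os_family, estimated_hops).

    Every router decrements TTL by one, so the observed value is attributed to
    the nearest initial value at or above it. Returns None outside 1..255.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return None  # not reached: 255 is the largest possible TTL

# Constructed tcpdump -v style lines (not real captures); we parse the ttl field
# and the source address that follows the closing parenthesis of the IP header.
SAMPLE_LINES: List[str] = [
    "12:00:01.000000 IP (tos 0x0, ttl 118, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.50000 > 10.0.0.1.80: Flags [S]",
    "12:00:02.000000 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.6.50001 > 10.0.0.1.80: Flags [S]",
    "12:00:03.000000 IP (tos 0x0, ttl 250, id 3, offset 0, flags [none], proto ICMP (1), length 84) 10.0.0.7 > 10.0.0.1: ICMP echo request",
]

TTL_RE = re.compile(r"\bttl (\d+),.*?length \d+\) (\d+\.\d+\.\d+\.\d+)")

def fingerprint_tcpdump_lines(lines: List[str]) -> Dict[str, Tuple[str, int]]:
    """Return {source_ip: (os_family, estimated_hops)} for every line with a ttl field."""
    results: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        m = TTL_RE.search(line)
        if not m:
            continue
        ttl, src = int(m.group(1)), m.group(2)
        guess = guess_os_from_ttl(ttl)
        if guess is not None:
            results[src] = guess
    return results

if __name__ == "__main__":
    for src, (family, hops) in fingerprint_tcpdump_lines(SAMPLE_LINES).items():
        print(f"{src:15} {family:34} ~{hops} hops away")
```

The guess is only as good as the hop count: a Windows host more than 64 hops away would land in the Linux band, and anything that rewrites TTL (some firewalls and load balancers do) breaks the inference entirely, so treat it as a hint to confirm with a service banner rather than a fact.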
IPv4
Classful IP Ranges
E.g. Class A, B, C (deprecated)
CLASS | IP ADDRESS RANGE |
---|---|
Class A IP Address Range | 0.0.0.0 - 127.255.255.255 |
Class B IP Address Range | 128.0.0.0 - 191.255.255.255 |
Class C IP Address Range | 192.0.0.0 - 223.255.255.255 |
Class D IP Address Range | 224.0.0.0 - 239.255.255.255 |
Class E IP Address Range | 240.0.0.0 - 255.255.255.255 |
IPv4 Private Address Ranges
CLASS | RANGE |
---|---|
Class A Private Address Range | 10.0.0.0 - 10.255.255.255 (10.0.0.0/8) |
Class B Private Address Range | 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) |
Class C Private Address Range | 192.168.0.0 - 192.168.255.255 (192.168.0.0/16) |
IPv4 Subnet Cheat Sheet
CIDR | DECIMAL MASK | NUMBER OF ADDRESSES (USABLE HOSTS) |
---|---|---|
/31 | 255.255.255.254 | 2 (2, point-to-point link per RFC 3021) |
/30 | 255.255.255.252 | 4 (2) |
/29 | 255.255.255.248 | 8 (6) |
/28 | 255.255.255.240 | 16 (14) |
/27 | 255.255.255.224 | 32 (30) |
/26 | 255.255.255.192 | 64 (62) |
/25 | 255.255.255.128 | 128 (126) |
/24 | 255.255.255.0 | 256 (254) |
/23 | 255.255.254.0 | 512 (510) |
/22 | 255.255.252.0 | 1024 (1022) |
/21 | 255.255.248.0 | 2048 (2046) |
/20 | 255.255.240.0 | 4096 (4094) |
/19 | 255.255.224.0 | 8192 (8190) |
/18 | 255.255.192.0 | 16384 (16382) |
/17 | 255.255.128.0 | 32768 (32766) |
/16 | 255.255.0.0 | 65536 (65534) |
/15 | 255.254.0.0 | 131072 (131070) |
/14 | 255.252.0.0 | 262144 (262142) |
/13 | 255.248.0.0 | 524288 (524286) |
/12 | 255.240.0.0 | 1048576 (1048574) |
/11 | 255.224.0.0 | 2097152 (2097150) |
/10 | 255.192.0.0 | 4194304 (4194302) |
/9 | 255.128.0.0 | 8388608 (8388606) |
/8 | 255.0.0.0 | 16777216 (16777214) |
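Rather than memorise the classful, private-range and subnet tables, they can be derived on the spot. The following is an added example, not part of the original cheat sheet, using Python's standard ipaddress module; the function names are my own. It goes slightly beyond the tables by handling the one edge case where "usable hosts = addresses minus two" is wrong: a /31 (RFC 3021 point-to-point link) and a /32 (host route) use every address.

```python
import ipaddress
from typing import List, Tuple

def classful_class(ip: str) -> str:
    """Historical class A-E, decided by the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"      # 0xxxxxxx
    if first_octet < 192:
        return "B"      # 10xxxxxx
    if first_octet < 224:
        return "C"      # 110xxxxx
    if first_octet < 240:
        return "D"      # 1110xxxx  (multicast)
    return "E"          # 1111xxxx  (reserved)

# The three RFC 1918 blocks from the private-range table.
RFC1918_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True if the address falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918_RANGES)

def subnet_row(prefix: int) -> Tuple[str, str, int, int]:
    """One row of the subnet cheat sheet: (cidr, dotted mask, addresses, usable hosts)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses
    # /31 (RFC 3021) and /32 have no network/broadcast addresses to subtract.
    usable = total if prefix >= 31 else total - 2
    return f"/{prefix}", str(net.netmask), total, usable

def subnet_cheat_sheet(smallest: int = 31, largest: int = 8) -> List[Tuple[str, str, int, int]]:
    """Rows from /smallest down to /largest, in the same order as the table above."""
    return [subnet_row(p) for p in range(smallest, largest - 1, -1)]

if __name__ == "__main__":
    for cidr, mask, total, usable in subnet_cheat_sheet():
        print(f"{cidr:4} {mask:16} {total:>9} ({usable})")
    for ip in ("10.1.2.3", "172.31.0.9", "172.32.0.1", "8.8.8.8"):
        print(ip, "class", classful_class(ip), "private" if is_rfc1918(ip) else "public")
```

The 172.16.0.0/12 block is the one people get wrong by hand (172.16 through 172.31, not 172.0 through 172.255); checking membership against the network object avoids that mistake.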
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
ASCII | CHARACTER |
---|---|
| Null Byte |
| BS |
| TAB |
| LF |
| CR |
| ESC |
| SPC |
| ! |
| " |
| # |
| $ |
| % |
| & |
| ` |
| ( |
| ) |
| * |
| + |
| , |
| - |
| . |
| / |
| 0 |
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |
| 6 |
| 7 |
| 8 |
| 9 |
| : |
| ; |
| < |
| = |
| > |
| ? |
| @ |
| A |
| B |
| C |
| D |
| E |
| F |
| G |
| H |
| I |
| J |
| K |
| L |
| M |
| N |
| O |
| P |
| Q |
| R |
| S |
| T |
| U |
| V |
| W |
| X |
| Y |
| Z |
| [ |
| \ |
| ] |
| ^ |
| _ |
| ` |
| a |
| b |
| c |
| d |
| e |
| f |
| g |
| h |
| i |
| j |
| k |
| l |
| m |
| n |
| o |
| p |
| q |
| r |
| s |
| t |
| u |
| v |
| w |
| x |
| y |
| z |
CISCO IOS Commands
A collection of useful Cisco IOS commands.
COMMAND | DESCRIPTION |
---|---|
| Enters enable mode |
| Short for, configure terminal |
| Configure FastEthernet 0/0 |
| Add ip to fa0/0 |
| Add ip to fa0/0 |
| Configure vty line |
| Cisco set telnet password |
| Set telnet password |
| Show running config loaded in memory |
| Show startup config |
| show cisco IOS version |
| display open sessions |
| Show network interfaces |
| Show detailed interface info |
| Show routes |
| Show access lists |
| Show available files |
| File information |
| Show deleted files |
| No limit on terminal output |
| Copies running config to tftp server |
| Copy startup-config to running-config |
Cryptography
Hash Lengths
HASH | SIZE |
---|---|
MD5 Hash Length | 128 bits (16 bytes, 32 hex characters) |
SHA-1 Hash Length | 160 bits (20 bytes, 40 hex characters) |
SHA-256 Hash Length | 256 bits (32 bytes, 64 hex characters) |
SHA-512 Hash Length | 512 bits (64 bytes, 128 hex characters) |
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
HASH | EXAMPLE |
---|---|
MD5 Hash Example | |
MD5 $PASS:$SALT Example | |
MD5 $SALT:$PASS | |
SHA1 Hash Example | |
SHA1 $PASS:$SALT | |
SHA1 $SALT:$PASS | |
SHA-256 | |
SHA-256 $PASS:$SALT | |
SHA-256 $SALT:$PASS | |
SHA-512 | |
SHA-512 $PASS:$SALT | |
SHA-512 $SALT:$PASS | |
NTLM Hash Example | |
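The hash-length and hash-example tables above are reproducible with the standard library, and a length-based lookup is exactly what tools like hash-identifier do first. The following is an added example, not part of the original cheat sheet: it generates each algorithm's plain, $PASS:$SALT and $SALT:$PASS forms for a constructed password and salt, and guesses candidate algorithms from a hash's hex length. Assumptions of mine: "$PASS:$SALT" is read as hash(pass + salt) shown hashcat-style as "hexdigest:salt", and NTLM is computed as MD4 over the UTF-16LE password (which OpenSSL 3 builds may refuse without the legacy provider, handled below).

```python
import hashlib
import re
from typing import Dict, List, Optional

ALGOS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}

# Hex-digest lengths: the "Hash Lengths" table above in characters.
HASH_LENGTHS: Dict[str, int] = {name: fn().digest_size * 2 for name, fn in ALGOS.items()}

def hash_variants(password: str, salt: str, algo: str) -> Dict[str, str]:
    """Plain, $pass.$salt and $salt.$pass forms for one algorithm (assumed notation)."""
    h = ALGOS[algo]
    pw, sa = password.encode(), salt.encode()
    return {
        "plain": h(pw).hexdigest(),
        "pass.salt": h(pw + sa).hexdigest() + ":" + salt,
        "salt.pass": h(sa + pw).hexdigest() + ":" + salt,
    }

def ntlm_hash(password: str) -> Optional[str]:
    """NTLM = MD4(UTF-16LE(password)); None if this Python/OpenSSL has MD4 disabled."""
    try:
        return hashlib.new("md4", password.encode("utf-16-le")).hexdigest()
    except ValueError:
        return None

# Candidates by hex length; 32 chars is ambiguous between MD5 and NTLM/MD4.
LENGTH_CANDIDATES: Dict[int, List[str]] = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def identify_hash(value: str) -> List[str]:
    """Cheap hash-identifier: candidate algorithms from the hex part before any ':salt'."""
    core = value.split(":", 1)[0]
    if not HEX_RE.match(core):
        return []
    return LENGTH_CANDIDATES.get(len(core), [])

if __name__ == "__main__":
    # Constructed demo credentials.
    for algo in ALGOS:
        for form, value in hash_variants("password", "salt", algo).items():
            print(f"{algo:7} {form:10} {value}")
    print("ntlm    plain     ", ntlm_hash("password") or "(MD4 unavailable)")
    print(identify_hash("5f4dcc3b5aa765d61d8327deb882cf99"))
```

Length alone cannot tell MD5 from NTLM, which is why the 32-character case returns several candidates; context (a Windows SAM dump versus a web application database) usually resolves it.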
SQLMap Examples
COMMAND | DESCRIPTION |
---|---|
| Automated sqlmap scan |
| Targeted sqlmap scan |
| Scan url for union + error based injection with mysql backend |
| sqlmap check form for injection |
| sqlmap dump and crack hashes for table users on database-name. |